third Cyber Security Assessment Netherlands - NCSC
9 Industrial Control Systems
Security of ICS continues to be a major problem because
industrial systems are vulnerable and there is still too little
being done to effectively resolve this. Fortunately, the
known actors still lack both motives and capacity, but will
that continue to be the case? So the warning is repeated,
because things will go wrong one day.
9.1 Introduction
During the reporting period of the second Cyber Security Assessment,
a number of vulnerabilities in ICS (including SCADA) reached the
media. Not only was there an increase in the number of vulnerabilities,
the threat of a targeted disruption to these systems became
more real. During this reporting period, a number of new
vulnerabilities in ICSs became known. Although there were no
major incidents, the threat continues to be high.
The current security status of ICS is getting worse but only gradually,
so there is a lack of awareness of the increasing seriousness of the
situation, and many organisations are taking insufficient action.
It should be noted here that in particular large operators of vital
infrastructures and some (large) providers of ICS/SCADA applications
do thoroughly comprehend the seriousness of the situation
and act accordingly.
9.2 The potential impact of cyber incidents involving ICSs
ICSs are used in vital and (other) industrial sectors to control physical
processes. This means that if these systems are not operating as they
should, things can also go wrong in the physical world. It is this
physical impact of digital incidents that makes it important for the
security of ICSs to be in order.
Because ICSs are used in different ways and in different sectors, the
type and size of the impact per incident varies. An incident could
cause serious harm to the economy, the environment and/or the
lives of people and animals. To better explain the seriousness
of incidents involving ICSs, a distinction is made between the three
following levels at which these systems are used.
SOHO and individual applications
(for example climate control systems, access control)
Digital incidents at the Small Office/Home Office (SOHO) level are
irritating for those concerned but the damage is limited and
primarily practical and financial in nature. An example is a situation
where a company’s heating system is paralysed or the barriers to the
What are ICS?
Terms such as computers, digitalisation and the internet often
bring to mind the traditional IT environment: desktop computers
and laptops for home and office use. Information security and
cyber security soon bring the same ideas to mind. Within the
vital and (other) industrial sectors, however, a different type
of system is used for digitalisation: process control systems or
industrial control systems. These systems not only have a
different function and effect from traditional IT systems, there
are also different risks associated with them.
ICS are used in vital and (other) industrial sectors to automatically
monitor and control physical processes. ICS are used for
production, transport and distribution in the supply of energy
and drinking water. Production processes in refineries, the
chemical, pharmaceutical and food industry are also (largely)
controlled by ICS. Furthermore, ICS are increasingly being used in
the traffic infrastructure (traffic control, bridges, locks, tunnels),
in building management systems (climate control, fire alarms,
lighting) and for access control (barriers, electronic fencing).
In the past ICS communicated directly with one another in a
closed network, and the systems were not connected to the
internet or other networks. Nowadays, however, ICS are often
connected to the company’s office computers and also accessible
on the internet. This brings along certain risks, which are
not always taken into account.
The media frequently equates SCADA (Supervisory Control
And Data Acquisition) with ICS. For example, the news talks
about ‘security issues with SCADA software’ or about ‘SCADA
leaks’. However, ICS is a general term that covers different types
of control systems, including SCADA. This Cyber Security
Assessment discusses the umbrella term ICS.
SCADA systems (computers with SCADA software on them) are
used to operate and visualise (industrial) processes. Monitoring
can take place from a single location (for example the control
room). Using the process data collated and saved, reports can
be generated which in turn can be analysed and used to optimise
the process.
Other important sub-groups of ICSs are DCSs (Distributed
Control Systems) and PLCs (Programmable Logic Controllers).