In response to a question about which cybersecurity practices present the most significant implementation challenges, National Grid, an international electricity and gas company, wrote that since many utilities have legacy systems that weren’t built with those security practices in mind, even something as basic as user identification and authorization can be difficult to implement, as can incident monitoring and detection. The challenge of implementing encryption and key management, it added, is “significant.”
That doesn’t mean nothing can be done, however. In fact, notes ICS-ISAC, utility systems may be easier than other systems to monitor for abnormal conditions because changes are rare and controlled. Network traffic for these entities follows predictable cycles “explicitly known to system designers and operators.” Moreover, it explains, whether the industrial control system is for “manufacturing, energy, transportation, water, or other sector-specific area, the operational process in place has been designed with the singular attention to continuous awareness of the state of the physical process.”
That means that existing situational awareness technologies likely could be used to detect attack attempts with “less customization and operational attention in ICS environments than in IT.”
The key would be an accurate inventory of software and hardware and an initial baseline of normal activity, laying the groundwork for detecting divergence from the norm. That baseline might be gathered via a “mirroring” process (observing a copy of the traffic rather than the live control network itself), states ICS-ISAC, to avoid any potential impact on actual operations.
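The inventory-then-baseline-then-divergence approach ICS-ISAC describes, as an added example that is not code from the page or from ICS-ISAC: a small monitor that learns the asset inventory, the set of conversations and their polling cadence from a clean window of connection records (as a SPAN port or tap collector would emit them), then flags anything the baseline never contained. All addresses, timestamps and the Modbus function-code field are constructed for the example; it goes slightly beyond the text by also checking the function code, since in a control network a write where only reads were ever seen is exactly the kind of change to the physical process the passage has in mind.

```python
"""Baseline-and-divergence monitor for a small ICS network (constructed data)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int, str]  # (src, dst, dst_port, proto)


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a SPAN port / tap collector would emit it."""
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    fc: Optional[int] = None  # Modbus function code (3 = read regs, 16 = write regs); hypothetical field


@dataclass
class Alert:
    reason: str
    ts: float
    key: FlowKey
    detail: str = ""


class IcsBaseline:
    """Learns the asset inventory, the set of conversations and their polling cadence."""

    def __init__(self) -> None:
        self.assets: Set[str] = set()
        self.intervals: Dict[FlowKey, List[float]] = {}   # seconds between repeats of a flow
        self.func_codes: Dict[FlowKey, Set[int]] = {}

    def learn(self, flows: List[Flow]) -> None:
        last_seen: Dict[FlowKey, float] = {}
        for f in sorted(flows, key=lambda x: x.ts):
            key = (f.src, f.dst, f.dport, f.proto)
            self.assets.update((f.src, f.dst))
            gaps = self.intervals.setdefault(key, [])
            if key in last_seen:
                gaps.append(f.ts - last_seen[key])
            last_seen[key] = f.ts
            if f.fc is not None:
                self.func_codes.setdefault(key, set()).add(f.fc)

    def detect(self, flows: List[Flow], tolerance: float = 3.0, min_rel: float = 0.2) -> List[Alert]:
        """Flag divergence from the baseline; checks run from most to least severe."""
        alerts: List[Alert] = []
        last_seen: Dict[FlowKey, float] = {}
        for f in sorted(flows, key=lambda x: x.ts):
            key = (f.src, f.dst, f.dport, f.proto)
            # 1. A host that is not in the inventory at all.
            if f.src not in self.assets or f.dst not in self.assets:
                alerts.append(Alert("unknown-asset", f.ts, key))
                continue
            # 2. Known hosts talking over a conversation never seen in the baseline.
            if key not in self.intervals:
                alerts.append(Alert("unknown-flow", f.ts, key))
                continue
            # 3. Known conversation, but off its polling cadence.
            prev = last_seen.get(key)
            last_seen[key] = f.ts
            gaps = self.intervals[key]
            if prev is not None and len(gaps) >= 2:
                expected = mean(gaps)
                allowed = max(tolerance * pstdev(gaps), min_rel * expected)  # floor for zero-jitter baselines
                gap = f.ts - prev
                if abs(gap - expected) > allowed:
                    alerts.append(Alert("interval-deviation", f.ts, key, f"{gap:.1f}s vs ~{expected:.1f}s"))
            # 4. Known conversation, but a function code (e.g. a write) the baseline never contained.
            if f.fc is not None and f.fc not in self.func_codes.get(key, set()):
                alerts.append(Alert("new-function-code", f.ts, key, f"fc={f.fc}"))
        return alerts


# Constructed sample data: an HMI polling two PLCs over Modbus/TCP every 5 s (addresses invented).
HMI, PLC1, PLC2, ROGUE = "10.1.1.10", "10.1.1.20", "10.1.1.21", "10.1.1.99"
BASELINE_WINDOW = [Flow(ts, HMI, plc, 502, "tcp", 3) for ts in range(0, 60, 5) for plc in (PLC1, PLC2)]
MONITOR_WINDOW = [
    Flow(100, HMI, PLC1, 502, "tcp", 3), Flow(100, HMI, PLC2, 502, "tcp", 3),
    Flow(105, HMI, PLC1, 502, "tcp", 3), Flow(105, HMI, PLC2, 502, "tcp", 3),
    Flow(107, ROGUE, PLC1, 502, "tcp", 3),   # host not in the inventory
    Flow(110, HMI, PLC1, 502, "tcp", 3), Flow(110, HMI, PLC2, 502, "tcp", 3),
    Flow(113, HMI, PLC2, 22, "tcp"),         # SSH to a PLC: known hosts, unknown conversation
    Flow(115, HMI, PLC1, 502, "tcp", 16),    # a register write where the baseline only saw reads
    Flow(115, HMI, PLC2, 502, "tcp", 3),
    Flow(116, HMI, PLC1, 502, "tcp", 3),     # polls arriving every 1 s instead of 5 s
    Flow(117, HMI, PLC1, 502, "tcp", 3),
    Flow(120, HMI, PLC2, 502, "tcp", 3),
]


def build_baseline() -> IcsBaseline:
    model = IcsBaseline()
    model.learn(BASELINE_WINDOW)
    return model


def run_example() -> List[Alert]:
    return build_baseline().detect(MONITOR_WINDOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two practical points follow from the passage. The collector should read only a mirrored copy of the traffic (a switch SPAN port or a passive tap), so that the monitor can never inject into, or stall, the control network. And the value of the baseline depends entirely on the window it was learned from: it has to be a known-clean, representative period that includes the slow cycles (maintenance, shift changes, batch starts) the text says designers and operators already know, or those legitimate events will later be reported as divergence, and anything already compromised during learning will be reported as normal.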
In addition to monitoring for abnormalities within a discrete system, the framework should seek to facilitate improved situational awareness about the “aggregate state of national infrastructure,” notes ICS-ISAC. Like many others, it notes that no current means exists for stakeholders to know whether an attack is actively underway anywhere in the infrastructure, which could serve as an early warning to others. In this regard, ICS-ISAC makes an interesting point not often raised in connection with information sharing: such sharing can’t rely on human-to-human efforts alone.