CREST says that cyber-security in ICS needs a kick up backside

News by Roi Perez

The not-for-profit accreditation body CREST says a lack of "standards-based technical security testing" is putting industrial control system environments at risk.

CREST has announced that there is a “pressing need to improve cyber-security in Industrial Control System (ICS) environments”, claiming in a recent statement that such work could negate potential future breaches that would impact critical national infrastructure.

The not-for-profit accreditation body, which represents a significant amount of the information security penetration testing industry, said in its latest paper ‘Industrial Control Systems: Technical Security Assurance’ that “security testing has a significant role to play in ensuring higher levels of security assurance are met.”

A key finding in the report, according to CREST, is “the absence of periodic standards-based technical security testing that is commonplace in many other industries”. Because of this, professionals who run ICS environments have no objective way of assessing and managing their level of risk. There is also no definitive industry standard for testing ICS environments that is “mandated by regulatory bodies”.

CREST adds: “The fact that ICS environments are rapidly changing also leads to a higher degree of exposure.”

Drawing on a diverse range of views from technical security communities, the report proposes a “model for gaining greater assurance in ICS environments”, which it says is “based on the findings of a research project - which looked to set out the main challenges and possible solutions for protecting Industrial Control Systems, many of which are based on legacy technologies.”

“ICS environment owners require assurances that risk is being identified, assessed and evaluated. Above all else they need to know that there are appropriate measures in place to manage and mitigate risk,” explained Ian Glover, president of CREST.

“Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”

CREST says it now wishes to expand on the research to develop detailed guidance material that can be used by specialists to help secure ICS environments and in particular, those that make up the Critical National Infrastructure.

The UK National Cyber Security Centre (NCSC) commented on the paper: “We believe this paper provides a valuable contribution to the current thinking on this challenging topic and we look forward to working with CREST, as well as ICS operators and the cyber-security industry in order to make the UK the safest place to live and do business online.”
