NIST Guide Highlights Cybersecurity Considerations for Utilities and Manufacturing Companies

Ballard Spahr LLP

In 2013 alone, the U.S. Department of Homeland Security (DHS) and its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 256 cyber-incident reports—more than half of them in the energy sector. Such attacks were prevalent in 2014 as well: DHS investigated 245 incidents last year, including documented attacks targeting local water authorities in the United States.

The National Institute of Standards and Technology (NIST), which develops information security standards and guidelines to protect the nation’s critical infrastructure, recently published Revision 2 of Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security. The guide describes the distinctive cybersecurity risks and vulnerabilities to which ICSs are increasingly exposed and the steps organizations that operate ICSs should take to mitigate them.

Industrial control systems are used to control critical infrastructure processes in industries such as electric power, water, wastewater, oil, gas, transportation, chemical, pharmaceutical, food and beverage, and discrete manufacturing (such as automotive, aerospace, and durable goods).

Historically, ICSs were isolated systems running proprietary hardware and software, with no connection to corporate IT networks or the Internet. As industries matured and operations became more geographically dispersed, control systems adopted connectivity and remote access by incorporating industry-standard operating systems and low-cost Internet Protocol (IP) devices. As a result, ICSs now inherit the vulnerabilities of ordinary IT systems while still running the long-lived, hard-to-patch equipment of the plant floor, and they are increasingly the subject of cybersecurity incidents. Because of the critical nature of the processes these systems control, a cyber attack could have catastrophic consequences, including loss of electric power or water for large populations, loss of life, and threats to national security.

The NIST guide serves as a pointed reminder to manufacturing and energy companies and other providers of critical infrastructure that securing the ICS should be made a top priority and systematically addressed before irreversible consequences are suffered.

The revised guide recommends starting with an information security risk assessment that identifies threats and vulnerabilities, the harm they could cause, and the likelihood that they will occur, at three levels: the organization, its mission and business processes, and the individual information systems (both IT and ICS). The conclusions of the risk assessment should be incorporated into a comprehensive information security policy, or used to review and update existing policies as needed. Compliance with the policy is best supported by assembling a team that includes key members of the C-suite and by rolling out broad awareness and training programs.

Companies are encouraged to incorporate cybersecurity considerations when launching new systems, carrying out acquisitions, or engaging service providers. The defenses implemented should involve multiple overlapping security mechanisms to minimize the impact of a failure in any one mechanism. The more sensitive the information or system, the more robust the protection should be.

One way to address the risk is to reduce the attack surface. This can be accomplished by, among other things, separating the corporate and ICS networks, securing the communications that must cross between them, prohibiting computerized devices used for ICS purposes from leaving the ICS area, restricting physical access, restricting logical access to both IT and ICS systems through role-based access controls built on the principle of least privilege, and implementing multi-factor authentication.
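The network separation described above is usually realized as three zones: a corporate (enterprise) network, a control network, and a DMZ between them that holds replicated data such as a historian copy, so that enterprise users never reach control devices directly. The following script is an added illustration, not code from NIST or from the original article; it encodes such a zone policy as an allow-list and audits firewall-style flow records against it. The address ranges, the permitted services, and the log lines are constructed assumptions for the example.

```python
"""Audit observed network flows against a three-zone ICS segmentation policy.

Added example (not from NIST SP 800-82 or the article). Zone address ranges,
allowed services and the sample log lines below are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# Assumed zone layout: enterprise LAN, a small DMZ, and the control network.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}

# Cross-zone allow-list of (src_zone, dst_zone, proto, dst_port). Everything
# not listed is denied. There is deliberately no enterprise -> control entry:
# enterprise users read plant data from the replicated historian in the DMZ,
# and engineering access to the control zone goes through a DMZ jump host.
ALLOWED_CROSS_ZONE = {
    ("control", "dmz", "tcp", 5432),     # historian replication into the DMZ copy
    ("enterprise", "dmz", "tcp", 443),   # reporting web front end in the DMZ
    ("dmz", "control", "tcp", 22),       # jump host into the control zone
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Return ('allow' | 'deny', reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Intra-zone traffic is out of scope for the zone boundary; external is
    # never treated as a zone, so external -> external is still denied here.
    if src_zone == dst_zone and src_zone != "external":
        return "allow", f"intra-zone {src_zone} traffic"
    key = (src_zone, dst_zone, proto, dport)
    if key in ALLOWED_CROSS_ZONE:
        return "allow", f"{src_zone}->{dst_zone} {proto}/{dport} is on the allow-list"
    return "deny", f"{src_zone}->{dst_zone} {proto}/{dport} is not on the allow-list"


def parse_flow(line: str):
    """Parse a 'key=value' flow record into (src, dst, proto, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def audit(lines):
    """Return the flows that violate the policy, with the reason for each."""
    violations = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        verdict, reason = evaluate(src, dst, proto, dport)
        if verdict == "deny":
            violations.append((src, dst, proto, dport, reason))
    return violations


# Constructed sample flow records in a simple key=value format.
SAMPLE_LOG = [
    "src=192.168.100.20 dst=10.20.0.5 proto=tcp dport=5432",    # replication: allowed
    "src=10.10.4.17 dst=10.20.0.5 proto=tcp dport=443",         # reporting: allowed
    "src=10.10.4.17 dst=192.168.100.20 proto=tcp dport=502",    # enterprise -> PLC Modbus: denied
    "src=10.20.0.9 dst=192.168.100.20 proto=tcp dport=22",      # jump host: allowed
    "src=203.0.113.8 dst=192.168.100.20 proto=tcp dport=502",   # Internet -> PLC: denied
    "src=192.168.100.20 dst=10.10.4.17 proto=tcp dport=445",    # control reaching into enterprise: denied
    "src=192.168.100.20 dst=192.168.100.30 proto=tcp dport=502",  # Modbus inside control zone: allowed
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print("VIOLATION", violation)
```

The allow-list is the policy artifact to review with plant engineers: every entry should map to a documented business need, and the absence of any enterprise-to-control entry is the point of the DMZ design. In practice the same allow-list would be pushed to the boundary firewalls, and this kind of audit run over their logs catches rules that drifted away from the design.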

The guide also stresses the importance of implementing appropriate controls to detect and respond to intrusions, not only to prevent them. Preparing for the consequences of a successful attack is another focus of the guide. Companies need to provide redundancy for critical components, implement a business continuity plan that covers third-party providers, and devise an incident response plan.

The highly technical NIST guide, while not targeted at senior management or in-house counsel, sends a clear message that ICS cybersecurity issues are a serious governance matter that should be duly considered and addressed, first by conducting a cybersecurity risk assessment to understand the scope and nature of the risks and then by amending the company's information security plan as needed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
