Electricity + Control November 2017

CONTROL SYSTEMS + AUTOMATION

digital information protection, while OT cybersecurity focuses on people and physical asset protection. ICS is cyber-physical, often directly affecting the real world. This means that risk calculations include potential impacts in scope and at scales greater than in information-only environments, including but not limited to loss of lives, ecological damage, intellectual property theft and revenue losses.

While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. The traditional IT priorities of information Confidentiality, Integrity and Availability (CIA Triad) are shifted in ICS to system Availability, Integrity and Confidentiality (AIC Triad). Delivering cybersecurity solutions specific to ICS requires an industrial mindset, purpose-built technology and specific OT security expertise.

To the extent that cybersecurity events can disrupt public safety and security, ICS cybersecurity is quickly emerging as a top national priority. Cybersecurity solutions must be implemented in a way that maintains system integrity during normal operations, as well as during a cybersecurity attack. Many organisations recognise cybersecurity challenges, but need help defining a road map to protect critical infrastructure and valuable assets. They need an approach that draws on the success of others through manageable cybersecurity processes and measurable improvements.

One of the major constraints to protecting ICSs is a misunderstanding of the difference between IT and OT. It remains a fuzzy area in terms of how these two overlap, where they diverge, and who, with regard to internal security teams, is responsible for securing what. ICS cybersecurity is a relatively young and very specific field. Protecting critical infrastructure in Africa (South Africa) must be based on proven cybersecurity practices to exploit opportunities through a better understanding of the similarities and differences in the IT and OT worlds and of organisational cybersecurity risks, which will lead to establishing cybersecurity governance, developing a cybersecurity framework, and building effective cybersecurity programs.

Conclusion

Organisations must recognise that establishing a successful and sustainable cybersecurity program is a significant effort, but it can be and it must be done. The importance of protecting critical infrastructure goes beyond one organisation, country or continent, and this will only become more evident with Industry 4.0 and the Internet of Things (IoT and IIoT) as the trend of interconnected systems continues to expand in the future.

Abbreviations

AIC – Availability, Integrity, Confidentiality
CIA – Confidentiality, Integrity, Availability
ICS – Industrial Control System
IIoT – Industrial Internet of Things
IT – Information Technology
OS – Operational Systems
OT – Operational Technology

Goran Novkovic, MSc, ITIL, CQA, CSQE, PMP, APM, Peng, is Cybersecurity Program Manager at Valiver. Goran is focused on protecting critical infrastructure and helps organisations to establish ICS cybersecurity governance and develop effective ICS cybersecurity programs from scratch. He promotes cybersecurity for critical infrastructure and manufacturing through public speaking, blogs and articles. Email: goran@valiver.com
