Sans Icsps Ics418 0923 Web

The document discusses establishing an effective cybersecurity program for industrial control systems (ICS). It emphasizes that ICS security must be prioritized over traditional IT security due to safety risks. An example is provided where responding to a SCADA system incident must take precedence over an IT email system incident. To properly lead ICS cybersecurity, leaders must understand differences from IT, manage dedicated ICS security teams including control system engineers, and monitor ICS-specific security metrics to manage risks and defense strategies with safety and control systems in mind.

Uploaded by

Ajmul India
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
142 views2 pages

Sans Icsps Ics418 0923 Web

The document discusses establishing an effective cybersecurity program for industrial control systems (ICS). It emphasizes that ICS security must be prioritized over traditional IT security due to safety risks. An example is provided where responding to a SCADA system incident must take precedence over an IT email system incident. To properly lead ICS cybersecurity, leaders must understand differences from IT, manage dedicated ICS security teams including control system engineers, and monitor ICS-specific security metrics to manage risks and defense strategies with safety and control systems in mind.

Uploaded by

Ajmul India
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

ICS CYBERSECURITY LEADERSHIP POSTER
ics.sans.org
Poster created by Dean Parsons—co-author of SANS ICS418 course.
©2023 SANS Institute. All Rights Reserved
ICSPS_ICS418_0923

ESTABLISHING THE ICS CYBERSECURITY PROGRAM

Leading an ICS Security Program

Safety could be at risk if information technology (IT) or traditional business systems are prioritized over industrial engineering control systems. Likewise, safety is at risk if the responsible reporting structure for industrial control systems (ICSs) or operational technology (OT) security fails to fully embrace the differences between IT and ICS/OT.

Consider this example: two security incidents occur simultaneously; one on the IT business email system and another on the supervisory control and data acquisition (SCADA) system of a power grid. Which incident should be prioritized to receive the needed resources to investigate, respond, and defend? What pace and rigor will the organization give to the priority incident? Specifically, what drives the decision to manage these very different risks and very different impacts?

This example makes it clear: organizations should prioritize the incidents to ensure the safety of people, the environment, and the organization overall.

To effectively lead ICS/OT cyber risk and defense strategies accordingly:
• ICS incident response teams must understand the control system processes, industrial protocols, safety factors, and ICS-specific cyber threats, and be able to tailor incident response.
• ICS leaders must manage a new type of ICS-specific security team to work with engineering staff to find and report meaningful control system-specific key performance indicators to effectively manage ICS/OT cyber risk and defense strategies accordingly.

IT Security is NOT ICS Security

Industrial engineering control system assets are often inaccurately compared to traditional IT assets. IT and ICS systems have different missions, objectives, and impacts during an incident. They also have different devices, including but not limited to embedded operating systems and engineering devices speaking nontraditional industrial protocols. Adversaries targeting ICSs must use different attack tactics and techniques for access, execution, collection, and persistence to degrade safety, manipulate control, and damage physical engineering assets or property.

Safety Prioritization and Security in ICS

The priority in IT security tends to be data confidentiality, integrity, and availability. The priority in ICS is safety and is accomplished by operating a control system with a process that maintains safety, integrity, availability, and confidentiality. This involves:
• Safe engineering operations,
• Integrity of the engineering process and commands,
• Availability of the operational processes and safety systems, and
• Confidentiality of sensitive ICS engineering information that may exist in the ICS network(s).

The graphic to the right details six areas where the differences between IT and OT/ICS systems result in different requirements.

IT PRIORITIES: Confidentiality, Integrity, Availability.
ICS PRIORITIES: Safety, Integrity, Availability, Confidentiality.

IT SECURITY – MOVING AND SECURING DATA
Traditional IT security focuses on digital data at rest or data in transit and the pillars of confidentiality, integrity, and availability.

ICS/OT SECURITY – ENABLING AND SECURING PHYSICAL INPUT AND ACTIONS
ICS/OT systems manage, monitor, and control real-time physical input values and control output for physical actions in the real world. Generally, the order of priorities in ICS environments is:
1. Safety of operations
2. Integrity of operations
3. Availability of engineering systems
4. Confidentiality of control system data

SAFETY
ICS systems prioritize safety, engineering system command integrity, engineering device availability, and control system data confidentiality.

SKILLSETS
Effective cybersecurity threat detection, incident response, engineering recovery, and proactive defense require skills beyond traditional IT security.

SYSTEM DESIGNS
Approximately 20% of ICS environments may include traditional off-the-shelf operating systems. 80% of the ICS may be embedded proprietary engineering operating systems, industrial-specific protocols, and hardware such as field devices.

SUPPORT
ICS environments depend on external-specific engineering vendors as well as technologies for troubleshooting, maintenance, and safe control system operation.

CYBERSECURITY CONTROLS
Traditional IT security controls can have serious negative impacts to safety and engineering operations. ICS security controls must be ICS-specific to be effective.

CYBERSECURITY INCIDENT RESPONSE
Industrial incident response plans, technologies, processes, and teams are expanded and focused on engineering-informed steps.
ICS CYBERSECURITY SKILLSETS AND ROLES

ICS Knowledge Levels

As an ICS team's skillsets and roles are considered, the ICS Knowledge Levels can be used to guide the development plans for team members, tasks, roles, and responsibilities. Each knowledge level can be used to build a strong ICS security team and establish and mature an ICS security program.

LEVEL 0 – Base Knowledge
Base knowledge training should focus on security behaviors for individuals who interact with, operate, or support industrial control systems. A training program may introduce ICSs, the risks or types of ICS attacks, basic system and network defenses and controls, as well as typical ICS governance and policy best practices. The training program's goal should be to change human behavior in an ICS environment and reduce risk at a fundamental level.

LEVEL 1 – Foundational Knowledge
Foundational knowledge training should be role-specific and ensure the workforce involved in supporting and defending industrial control systems are trained to keep the operational environment safe, secure, and resilient against current and emerging ICS cyber threats. Across a diverse audience, this training level should build, develop, and ensure a common language in control systems and an understanding of the underlying engineering processes while providing an overview of the basic tools specific to ICS security across a wide range of industry sectors and applications.

LEVEL 2 – Mastery Knowledge
Mastery knowledge training should focus on individuals and organizational needs to advance ICS cybersecurity defense knowledge, skills, and ability in a specific field, architect proper ICS network architecture, and conduct incident response and recovery practices with engineering teams.

LEVEL 3 – Expert Knowledge
Expert knowledge training should focus on advanced incident response and improving team capabilities and toolsets. Expert training typically consists of joint exercises and projects with engineering and other facility teams.

LEVEL 4 – Leader
ICS cybersecurity leadership training should focus on technical, coordinated industrial team development and leadership, risk management, approaches for building relationships with other teams, tracking meaningful metrics, maturing the overall ICS cybersecurity program, and communicating technical concepts to non-technical audiences, including reporting to the board.

JOB DESCRIPTIONS
The differences between traditional IT and ICS are many: mission, safety, system design, support, cybersecurity controls, incident response. So, it isn't surprising that roles and tasks are also different. The following job descriptions are specific to ICS and OT security and increasingly recognized across multiple ICS sectors.

ICS Security Analyst
Daily engineering systems practitioner. Cybersecurity responsibility over some piece of the control system environment (could be server, access, applications, cyber threat intel, network monitoring, remote access, etc.) while prioritizing safety and reliability of engineering processes.
EXAMPLE TASKS:
• Establishes and maintains ICS network and engineering field device asset inventory.
• Establishes and maintains ICS network visibility and monitoring.
• Performs tactical ICS incident response.
• Executes threat intelligence consumption and proactive threat hunting.

ICS Security Architect
Ensures ICS network security is established, maintained, and meets compliance and other requirements necessary to protect the engineering systems in the operational environments at both local and remote sites. Designs and supports a defensible control system network architecture for secure internal, external, and remote connectivity, aligned with ICS-specific network security best practice with industrial incident response in mind. Prioritizes the mission of the safety of people and reliability of operations and adequately addresses all aspects of the control system network architecture and integrity.
EXAMPLE TASKS:
• Appropriately segments engineering systems, field devices, and related network traffic flows based on the Purdue model aligned to the SANS ICS410 SCADA Reference Architecture (e.g., Levels 0–4) or similar.
• Involved in all phases of network technology deployments and changes such as all Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) phases to ensure industrial network equipment feature-sets are available and can be enabled, including but not limited to ICS traffic capture and threat monitoring across Levels 0–4 to drive the Active Cyber Defense Cycle (ACDC) for industrial-specific incident response.
• Performs security reviews to identify gaps in control system network architecture, internal and external connectivity, including wired, wireless, and remote access, to ensure integrity of control system protocols and commands.

ICS Security Incident Responder
Monitors, detects, analyzes, and responds to industrial cybersecurity incidents caused by traditional malware, specific control system malware, or human adversaries who threaten engineering operations. Works closely with engineering teams and management to ensure safety and the resilience of engineering system hardware, industrial protocols, safety protocols, external ICS support, and engineering applications are maintained for recovery to a trusted restoration point for all engineering processes.
EXAMPLE TASKS:
• Leverages ICS cyber threat intelligence to drive proactive threat detection and scope possible impacts to control system assets and networks and overall engineering processes and safety.
• Characterizes and analyzes network traffic to identify anomalous engineering activity and potential threats to control devices, network resources, or control system command integrity that may include the abuse of legitimate industrial control protocols and critical engineering assets.

ICS Cybersecurity Leader
Leadership role. Secures engineering and control system environment, tracks industrial security events, manages tactical teams, reports metrics, and matures the ICS security program. Builds and maintains inter-departmental, organizational, and vendor relationships across operations, risk, safety, and security at senior levels. Possesses IT and ICS/OT security experience to address industry pressures to manage cyber risk to prioritize the business—with the safety and reliability of operations top of mind. Builds and maintains business relationships with all stakeholders to communicate and reduce cybersecurity risk to engineering operations. Requires a firm understanding of drivers and constraints that exist in these cyber-physical environments and ability to manage the processes, technologies, and ICS/OT security practitioners.
EXAMPLE TASKS:
• Understands and continuously communicates the value of ICS/OT-specific security to maintain safety and manage engineering risk.
• Manages the people, processes, and technologies necessary to create and sustain a long-term ICS cyber risk program that considers business and safety culture.
• Aligns with compliance standards and best practices to empower ICS/OT security practitioners and engineering staff to appropriately conduct industrial incident response and recovery.

Process Control Engineer
Designs, tests, troubleshoots, and oversees implementation of new engineering processes. In facilities with established control systems, the engineers may design and install retrofits to existing systems and troubleshoot engineering hardware, embedded systems, control system software, and engineering/instrumentation problems in a manner that also preserves the cybersecurity integrity of the engineering system signals, sensing, commands, and control environment.
EXAMPLE TASKS:
• Applies engineering system knowledge within all new technology initiatives that require or rely on the control system or any subsystem at the design phase through to implementation.
• Programs and manages the programmable logic controller modules and logic code including managing trusted known good logic files, code compare tools, and device recovery procedures.
• Supports technical engineering system configurations, including security settings and troubleshooting.
• Works with incident response teams before, during, and after cyber incidents.
ICS CYBERSECURITY TEAM DEVELOPMENT

The ICS Security Skillset Recipe

Human defenders use ICS security technologies and work with the engineering, safety, business, IT security, and other teams. These ICS defenders understand the ICS mission, possible impacts, and engineering recovery. They understand the industrial process, protocols, normal vs. abnormal engineering operations network traffic patterns, safety with context, and the commonly targeted ICS assets in control systems, etc.

Modern trained ICS cybersecurity staff understand the nuances between traditional IT and ICS security. As ICS risk management leaders work to build their ICS security teams, they can consider the following ICS cybersecurity skillset recipe. For the team to be effective, team members would do well to have the following skills and experience (see figure to the right).

Skillset recipe ingredients (figure): ICS Engineering; Traditional IT Knowledge; Physical, Environmental Safety; Cybersecurity.

ICS Team Development Pathway

Use this chart to map each job role within the ICS security area to a training path for control system security protection while adhering to safety and engineering goals.

• ICS Security Analyst: Acquires and manages resources, supports, and performs key industrial cyber-specific knowledge and practical hands-on skills.
• ICS Security Architect: Ensures control system network security compliance and best practices for control networks while maintaining the safety and reliability of operations.
• ICS Security Incident Responder: Executes specific industrial incident response for incidents that threaten or impact control system networks and assets.
• ICS Security Manager: Builds and maintains business relationships with engineering staff and C-suite stakeholders by communicating and managing cyber-to-physical risks while reducing security risk to engineering operations and simultaneously prioritizing safety.
• Process Control Engineering: Tests, programs, troubleshoots, and oversees changes of existing processes or implements new engineering processes through the deployment and operations of engineering systems and automation devices.

Training path (SANS ICS courses):
• FOUNDATIONAL – ICS410: ICS/SCADA Security Essentials. Gain foundational skills to protect critical infrastructure from cyber threats.
• MANAGEMENT – ICS418: ICS Security Essentials for Managers. Manage the people, processes, and technologies for OT cyber risk programs.
• MANAGEMENT – ICS456: Essentials for NERC Critical Infrastructure Protection. Maintain a defensible compliance program up to NERC CIP standards.
• TACTICAL – ICS515: ICS Visibility, Detection, and Response. Monitor threats, perform incident response, and enhance network security.
• ADVANCED – ICS612: ICS Cybersecurity In-Depth. Identify threats in a real-world ICS environment to protect against adversary attacks.

MATURING THE ICS CYBERSECURITY PROGRAM

The ICS Cybersecurity Leadership Cycle (figure):
• Seek, establish, maintain executive support
• Build your ICS cybersecurity team
• Host a facilitated NIST CSF
• Obtain NIST CSF current profile maturity
• Deploy GOES as a governance model for ICS cybersecurity program
• Understand the facility's risk appetite
• Obtain achievable NIST CSF target profile maturity using S.M.A.R.T.
• Ensure ICS cyber-to-physical events are mapped to the facility's risk register
• Measure useful ICS-specific cybersecurity KPIs
• Report to senior level and board at least every quarter

"The only defense against well-funded nation-state attacks on power systems (and the rest of the critical infrastructure that keeps us and the economy alive and free) are people with extraordinary cyber talent and skills."
—Mike Assante, ICS Cybersecurity Pioneer
ICS Cybersecurity Leadership Defense Move

Move forward with an established team while considering each concept below:

SAFETY IS NUMBER 1
In control system environments, safety is the top priority. Cybersecurity and other functions support safe and reliable operations. For example, tools like intrusion detection systems (IDSs) are preferred due to side effects of false positives in intrusion prevention systems (IPSs), which can render an unsafe condition that could hurt or kill people.

EMBRACE IT AND ICS DIFFERENCES
Understand and embrace the differences between IT and ICS by prioritizing the ICS business mission to secure and enable physics and engineering controls that monitor for and make physical changes in the real world that are safe for people and the environment.

ICS/OT ASSET INVENTORY
A prerequisite for ICS active defense is a formal ICS/OT asset inventory. The four main methodologies of creating an ICS asset inventory ((1) physical inspection, (2) configuration analysis, (3) passive traffic analysis, and (4) active scanning) can be combined for increased accuracy while prioritizing safety.

DEPLOY ICS-SPECIFIC ACDC
Empower technical ICS security staff to maintain the human-driven ICS/OT ACDC while leveraging sector-specific ICS/OT threat intelligence. Staff should be dedicated, ICS/OT-trained security resources who understand the engineering process well enough to determine if control network activity is anomalous or malicious in nature.

VALIDATE THE ICS/OT INCIDENT RESPONSE PLAN
Validate and gain the benefits of conducting regularly scheduled, specific ICS/OT incident response plan tabletop exercises and apply the lessons learned.

ICS Cybersecurity Tactical Defense Move

Work with an established ICS cybersecurity team to implement or verify your ICS security program against the SANS Five ICS Cybersecurity Critical Controls. These five controls are the most important technical ICS cybersecurity controls and were designed to be an ICS/OT-specific cybersecurity strategy flexible enough to align with most organizations' risk models. These controls can be mapped to existing standards and frameworks such as IEC62443 and NIST CSF. Each of the five ICS Cybersecurity Critical Controls is described below.

ICS-SPECIFIC INCIDENT RESPONSE
Operations-informed ICS incident response plan with focused control system integrity and engineering recovery capabilities during an attack on an aspect of the engineering systems. ICS-specific incident response exercises must be designed to reinforce risk scenarios specific to the ICS engineering operations and control systems.

DEFENSIBLE CONTROL SYSTEM NETWORK ARCHITECTURE
Network architectures that support effective segmentation, visibility of control system traffic for analysts, log collection, asset identification, industrial DMZs, and enforcement for process communication integrity and reliability.

ICS NETWORK VISIBILITY AND MONITORING
Continuous network security monitoring of the ICS environment with protocol-aware toolsets and system-to-system interaction analysis capabilities used to inform engineering of potential risks to the control, view, and safety of operations.

SECURE REMOTE ACCESS
Identification and inventory of all remote access points and allowed destination environments, on-demand access, and MFA authentication where possible, and jump host platforms to provide control and monitoring points within segments.

RISK-BASED VULNERABILITY MANAGEMENT
Understanding of cyber digital controls deployed and device operating conditions that aid in risk-based vulnerability management decisions to patch vulnerabilities, enable appropriate safety-informed mitigations to impacts, or monitor for possible attack exploitation internal to the control network.

LEVELING-UP ICS/OT CYBERSECURITY AND LEADERSHIP SKILLS

The role of the ICS/OT Cybersecurity Manager requires knowledge of risk management, engineering operations, IT cybersecurity, and ICS cybersecurity. This role bridges the gap between the disciplines to manage unique challenges and puts forth required resources, technologies, and practices to protect critical infrastructure.

SANS ICS418 students may come to class with different backgrounds, all coming together to address and progress workforce development, governance, ICS risk management, program maturity measurement, and culture. Common pathways into ICS Leadership are as follows:

Manager Responsibility Shift: Step Over—IT Security Manager who must create an ICS security program.

Practitioner to Manager: Step Up—ICS, IT, Engineering practitioner stepping up to an ICS security leadership position.

Existing Manager: In Place—An existing leader who has ICS security practitioners reporting to them.

SANS ICS418: ICS Security Essentials for Managers

The ICS418 course fills the identified gap amongst leaders working across critical infrastructure and operational technology environments. It equips ICS managers with the experience and tools to address the business and industry pressures to manage cyber threats and defenses to prioritize the business, safety, and reliability of ICS operations. ICS leaders will leave the course with a firm understanding of the drivers and constraints that exist in cyber-physical environments and obtain a nuanced understanding of how to manage the people, processes, and technologies throughout their organizations. ICS418 empowers new and established ICS security managers. www.sans.org/ICS418
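As an added example (not from the poster, SANS, or the ICS418 course), the following Python models the four asset-inventory methods listed under ICS/OT ASSET INVENTORY above: it merges physical inspection, configuration analysis and passive traffic evidence into one record per asset, flags assets that only one method saw, and allows active scanning only for assets an engineer has physically verified and tagged safe-to-scan. All device names, addresses, VLANs, protocol labels and the safe_to_scan field are constructed assumptions.

```python
"""Combine ICS asset-inventory evidence from physical inspection, configuration
analysis and passive traffic analysis, and gate the fourth method, active
scanning, behind an engineering safe-to-scan approval (constructed example)."""
from collections import defaultdict

# Constructed sample evidence; addresses, names, VLANs and tags are invented.
PHYSICAL_INSPECTION = [  # cabinet walk-down: read off device labels and tags
    {"ip": "10.10.1.10", "name": "PLC-01", "level": 1, "safe_to_scan": False},
    {"ip": "10.10.1.20", "name": "HMI-01", "level": 2, "safe_to_scan": True},
    {"ip": "10.10.1.30", "name": "SIS-01", "level": 1, "safe_to_scan": False},
]
CONFIG_ANALYSIS = [  # pulled from switch/firewall configuration exports
    {"ip": "10.10.1.10", "vlan": 110},
    {"ip": "10.10.1.20", "vlan": 120},
    {"ip": "10.10.1.40", "vlan": 120},
]
PASSIVE_TRAFFIC = [  # (src, dst, protocol) observed on a SPAN port; nothing sent
    ("10.10.1.20", "10.10.1.10", "modbus/tcp"),
    ("10.10.1.40", "10.10.1.10", "modbus/tcp"),
    ("10.10.1.50", "10.10.1.20", "rdp"),
]


def merge_inventory(physical, config, passive):
    """Build one record per IP; 'sources' records which methods saw the asset."""
    inv = defaultdict(lambda: {"name": None, "level": None, "vlan": None,
                               "protocols": set(), "sources": set(),
                               "safe_to_scan": False})
    for a in physical:
        rec = inv[a["ip"]]
        rec.update(name=a["name"], level=a["level"], safe_to_scan=a["safe_to_scan"])
        rec["sources"].add("physical")
    for c in config:
        inv[c["ip"]]["vlan"] = c["vlan"]
        inv[c["ip"]]["sources"].add("config")
    for src, dst, proto in passive:
        for ip in (src, dst):  # both endpoints are assets talking on the network
            inv[ip]["protocols"].add(proto)
            inv[ip]["sources"].add("passive")
    return dict(inv)


def unverified_assets(inv):
    """Seen in traffic or configs but never physically inspected: an engineer
    should confirm what these are before they are trusted or scanned."""
    return sorted(ip for ip, r in inv.items() if "physical" not in r["sources"])


def silent_assets(inv):
    """Physically present but never seen on the wire: possibly an unmonitored
    segment, so the passive collection point may need to move."""
    return sorted(ip for ip, r in inv.items()
                  if "physical" in r["sources"] and "passive" not in r["sources"])


def active_scan_candidates(inv):
    """Active scanning can upset fragile field devices, so it is allowed only for
    assets that were physically verified AND tagged safe-to-scan by engineering."""
    return sorted(ip for ip, r in inv.items()
                  if "physical" in r["sources"] and r["safe_to_scan"])


if __name__ == "__main__":
    inventory = merge_inventory(PHYSICAL_INSPECTION, CONFIG_ANALYSIS, PASSIVE_TRAFFIC)
    for ip, rec in sorted(inventory.items()):
        print(ip, rec["name"], sorted(rec["sources"]), sorted(rec["protocols"]))
    print("needs physical verification:", unverified_assets(inventory))
    print("never observed on network:", silent_assets(inventory))
    print("cleared for active scan:", active_scan_candidates(inventory))
```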
