Unless you have been living in an underground bunker for the last decade, you are probably aware that cybersecurity for industrial control systems is a thing now. The U.S. government has ordered the DoD and DHS to make cybersecurity of critical infrastructure a national priority. More recently, the hack of a live Safety Instrumented System (SIS) using the highly engineered Trisis malware has perhaps awakened the process industries to the fact that this is a real threat with real consequences.
As an experienced SIS engineer, you are likely also aware that the latest edition of IEC 61511 has some requirements related to the assessment and mitigation of SIS security risks. How do you get started understanding and implementing these requirements?
The good news is that there is a huge amount of information, training, and tools available online. That’s also the bad news, as the sheer amount of information can be intimidating. This post will attempt to cut through some of that noise and give some practical guidance. Commercial training is also available, but this post will concentrate on free resources that get you started and help you get the most out of any future paid training.
Standards and References
There is no shortage of standards and guidance documents in the cybersecurity arena. Unfortunately, a couple of the most relevant documents are not free, unless you are an ISA member (why aren’t you?):
- Security for Industrial Automation and Control Systems (IEC/ISA 62443)
- Cybersecurity Related to the Functional Safety Lifecycle (ISA TR84.00.09)
IEC 62443 is an impressive (and still growing) series of documents, but it is a lot to digest. If you don’t have access to these standards, or you want an easier starting point, the following taxpayer-funded guidance documents are freely available from organizations including NIST, ICS-CERT, and the UK HSE. I have ordered them, subjectively, by reading priority:
- Framework for Improving Critical Infrastructure Cybersecurity (NIST)
- Guide to Industrial Control Systems (ICS) Security (NIST 800-82)
- Common Cybersecurity Vulnerabilities in Industrial Control Systems (ICS-CERT)
- Annual Assessment Report FY2016 (ICS-CERT)
- Cyber Security for Industrial Automation and Control Systems (UK HSE)
- Security for Industrial Control Systems (UK NCSC)
- Catalog of Control Systems Security: Recommendations for Standards Developers (ICS-CERT)
- ICS-CERT List of Standards and References (ICS-CERT)
Other useful whitepapers from private organizations include:
- Cyber Security Implications of SIS Integration with Control Networks (LOGIIC)
- The Industrial Control System Cyber Kill Chain (SANS)
The guidance above is specifically targeted at Industrial Control System (ICS) Cybersecurity. There are many other useful guidelines covering cybersecurity in general. Like I said, there is plenty of guidance available. But how do you move from theory to practice?
FREE General Cybersecurity Training
[Note: Some of the links below are my affiliate partners, and I receive a small commission if you make a purchase. However, the links below are all for free resources. No purchase required! Some courses offer the option to purchase a completion certificate.]
Several organizations provide free online cybersecurity training that is generally applicable to ICS cybersecurity. I have sorted the courses by subject matter category:
- Cybersecurity Fundamentals (EdX)
- Microsoft Enterprise Security Fundamentals (EdX)
- Cyber Security Basics: A Hands-on Approach (EdX)
- Introduction to Cyber Security Specialization (4 courses) (Coursera)
- Cybersecurity Specialization (5 courses) (Coursera)
- Microsoft Networking Essentials (EdX)
- TCP/IP Configurations (Cybrary)
- TCP/IP and Advanced Topics (Coursera)
- Introduction to Windows PowerShell (EdX)
- Python for Security Professionals (Cybrary)
- The UNIX Workbench (Coursera)
Advanced Cybersecurity Skills
- Social Engineering Certification Course (Cybrary)
- Cryptography Certification Course (Cybrary)
- Penetration Testing and Ethical Hacking (Cybrary)
U.S. veterans and government contractors also have access to free training at the Federal Virtual Training Environment.
FREE ICS Cybersecurity Training
Free training targeted specifically at ICS Cybersecurity is harder to find, but it is available! To get the most out of the ICS cybersecurity training, I would recommend getting up to speed on general cybersecurity tools and standards first.
- Cybersecurity for Control Systems in Process Automation (ISA Webinar)
- How to Identify and Overcome Cyber Security Challenges (ISA Webinar)
- The Road to Digitalization Leads Through Cybersecurity (ISA Webinar)
- Others are available here and free to ISA members (you’re still not a member??)
- IEC 61511 & Cybersecurity (exida)
- Cybersecurity Program Management (exida)
- Deep Packet Inspection for ICS Devices (exida)
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is part of the U.S. Department of Homeland Security. All training, including the 5-day instructor-led training, is provided free of charge.
- ICS-CERT Virtual Learning Portal
- Course 100W – Operational Security (OPSEC) for Control Systems (1 hour)
- Course 210W – Cybersecurity for Industrial Control Systems (15 hours)
- ICS-CERT Instructor-Led Training
- Course 101 – Introduction to Control Systems Cybersecurity (8 hours)
- Course 201 – Intermediate Cybersecurity for Industrial Control Systems (8 hours)
- Course 202 – Intermediate Cybersecurity for Industrial Control Systems (8 hours)
- Course 301 – Industrial Control Systems Cybersecurity (5 days)
To Be Continued…
The best way to learn is by doing. In part 2 of this post, we will look at options for hands-on learning, including open source tools and cybersecurity war games!
I know this is a bit different from our usual content, but cybersecurity is a hot topic in the SIS world these days and deserves discussion. I hope you enjoyed the read!