Information security of automated systems (ACS)
The information security of an automated control system is becoming a serious challenge for an IT specialist, since a violation of the safe operation of an automated control system for a hazardous production facility or an object of a critical information infrastructure promises big problems. The solution to the problem will be effective if we rely on international safety standards.
Difference of ACS from other information systems
ACS are designed to control physical objects - machines, equipment - and must solve problems of systematic, cyclical work, avoiding accidents. In English, the term ACS sounds like Industrial Control Systems (ICS) or Industrial Automation and Control Systems (IACS). The industrial nature of the system forces us to consider security issues separately from other systems, recommendations for them can be found in NIST SP 800-82.
The main differences are:
- unlike conventional IS, ACS works in real time;
- rebooting as a problem-solving method is unacceptable for the ACS;
- in risk management, ACS operates with physical processes, IS - data;
- for ACS, specialized operating systems are often used with carefully calibrated compatibility parameters and update control;
- communication protocols for ACS are always professional, sometimes dedicated communication channels are used;
- ACS support is carried out only by the manufacturer and supplier;
- ACS, unlike IC, often does not have memory reserves for the implementation of the safety function;
- the life cycle of an ACS is 15-30 years, for an IC this period is 3-5;
- ICS components are often located in physically inaccessible places, such as on an oil rig in the tundra.
These features show that the information security of the ACS is an independent task.
IS for ACS
Information security for automated control systems should be based on approved standards. The most popular is the ISO / IEC 27000 Information Technology standard, on the basis of which the Russian GOST was developed and implemented. The standard of the International Energy Commission, ISA / IEC 62443 Security for Industrial Automation and Control Systems, is also applied, a number of parts of which also work in terms of GOSTs.
Partially, the problem of ACS security is solved at the state level, they are licensed and certified without fail, the solution of this problem accounts for up to 10% of the cost of software. The main task in ensuring IS for ACS is to control risks with their preliminary ranking. Risks are distributed by levels:
- enterprise management;
- operational management of production;
- control and monitoring of physical processes;
- local control of equipment and processes;
- control of sensors and warning system.
At each of the levels, its own risks are identified, which must be blocked from information attacks or software failures to ensure security. In a full-fledged model of protection of ACS from risks, the following should be implemented:
- identity and authentication management;
- control over the use of equipment resources;
- guarantee of the integrity of the system and connections;
- data availability;
- control of data flows, avoidance of leaks;
- limited response time to incidents.
If these requirements are met, we can say that the information security of the automated control system is ensured.