SECURING INDUSTRIAL CONTROL SYSTEMS: A UNIFIED INITIATIVE
FY 2019—2023
Table of Contents:
Letter from the Director
Introduction
CISA's ICS Vision
INTRODUCTION
Securing Industrial Control Systems: A Unified Initiative lays out a five-year plan (Fiscal Years 2019—2023) that defines how CISA will prioritize and organize our approach to ICS security. This document contains the following sections:

SECTIONS 1 & 2: Introduction and CISA's ICS Vision introduce the initiative, describe the end-state vision, and provide historical context.

SECTION 3: The ICS Challenge describes the ICS risk environment in which CISA and the ICS community must operate to secure ICS.

SECTION 4: The Diverse ICS Community emphasizes CISA's operational and strategic partnerships across the ICS community.

SECTION 6: Securing ICS for the Future defines the four guiding pillars that focus this initiative.

SECTION 7: Conclusion summarizes the initiative's primary drivers and focus.

This initiative aligns directly to the National Cyber Strategy of the United States of America,[2] the Department of Homeland Security (DHS) Cybersecurity Strategy,[3] and CISA's 2019 Strategic Intent document.[4] The ICS initiative meets all ICS-specific

[2] https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
[3] https://www.dhs.gov/publication/dhs-cybersecurity-strategy
[4] https://www.cisa.gov/sites/default/files/publications/cisa_strategic_intent_s508c.pdf
CISA’S ICS VISION
The security of ICS and other operational technologies is essential to achieving CISA’s vision of secure and resilient
infrastructure for the American people. Through implementation of this initiative, CISA and our partners will help the
ICS community reach the following critical end-state conditions.
► ICS performs within thresholds under duress. ICS networks are resilient to cyberattacks and continue to perform
within operational parameters in support of NCFs, despite malicious actions by adversaries in the control systems
environment.
► The ICS security community is faster and smarter than its adversaries. Collaborating across industries and
national borders, the ICS community raises the cost, time, and complexity thresholds for successful ICS attacks to
the point that they exceed the capabilities of even the most advanced threat actors.
► OT devices and networks are secure by design. New OT products, from industrial scale control systems and
networks to Internet of Things (IoT) devices, are secure by design. Cybersecurity becomes a preeminent
consideration in the development and design of new OT products, and operators can apply security updates without
operational disruption.
► Risk drives ICS security priorities. CI asset owners and operators distribute ICS security resources based on a
clearly defined risk posture and risk tolerances, and the Federal Government invests resources based on ICS risks
to the security and resilience of the NCFs.
► Security resources are readily accessible to all. Using broadly available and easily implemented ICS cybersecurity
tools and services, CI asset owners radically increase their baseline ICS cybersecurity capabilities.
CISA pursues this vision by executing our mission to partner with industry and government to understand and manage
risk to our Nation’s critical infrastructure. CISA will work with our partners in the ICS community toward four enduring
and cross-cutting pillars that together drive sustainable and measurable change to the Nation’s ICS security
risk posture:
1. Ask more of the ICS community, and deliver more to them.
2. Develop and use technology to mature collective ICS cyber defense.
3. Build "deep data" capabilities to analyze and deliver information that the ICS community can use to disrupt the ICS Cyber Kill Chain.
4. Enable informed and proactive security investments by understanding and anticipating ICS risk.
Each pillar drives CISA toward specific objectives that require incremental, evolutionary, or disruptive actions. Through
implementation of each pillar’s objectives, milestones, and activities contained in this initiative, CISA will:
Coordinate “whole community” response and mitigation capabilities to respond to the most significant ICS threats and incidents;
Vastly improve the community’s capability to ingest, synthesize, and provide actionable intelligence to ICS asset owners;
Bring to bear the unified capabilities and resources of the Federal Government;
Inform ICS investments and drive proactive risk management of National Critical Functions;
Drive positive, sustainable, and measurable change to the ICS risk environment; and
A PARADIGM SHIFT

This initiative places significant emphasis on developing joint ICS security capabilities—with partners in government and the private sector—that asset owners and operators implement directly to secure ICS. Through the deployment of these shared capabilities, asset owners and operators can better defend themselves while also helping to inform CISA's national-level ICS priorities. In addition to continuing to provide and improve our current ICS security products and services, CISA will prioritize development of ICS community-driven solutions.

NCFs are a critical focal point for CISA's ICS security strategy. CISA will highlight priority NCFs, map the architecture of these functions, and identify the degree to which specific NCFs depend on ICS. CISA will also appropriately align our ICS resources to the areas where the destruction, disruption, or exploitation of ICS poses the greatest risk to NCFs.

The initiative also elevates ICS security as a priority within CISA, coalescing CISA's organizational attention around the implementation of a unified, "One CISA" strategy. Our OT cybersecurity experts, risk managers, CI and physical security experts, field operations, external affairs liaisons, strategists, stakeholder engagement liaisons, and technologists will collaborate on an ongoing basis to implement important aspects of this initiative.

NATIONAL CRITICAL FUNCTIONS

In 2019, CISA identified and validated a set of 55 National Critical Functions following extensive consultation with the CI community.[5] These are "the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." NCFs provide an important prism through which CISA can work with our partners to help them understand, prioritize, and address ICS risk.

Viewing these NCFs holistically provides a complement to CI sector-based approaches to risk management.[6] CISA will gain greater clarity into the criticality of various elements of the Nation's infrastructure by focusing risk analysis on the specific ways that an entity supports NCFs. NCFs also help CISA understand dependencies and potential risks, including the impact that exploitation of ICS may have on the delivery of the essential products and services upon which the American people rely. By viewing risk through a functional lens, CISA can work with our partners to harden ICS systems across the CI ecosystem in a more targeted, prioritized, and strategic manner. A key forum for this work is the CISA-supported Critical Infrastructure Partnership Advisory Council (CIPAC), which enables government and private sector entities—organized as coordinating councils—to engage in activities to support and collaborate on CI security and resilience efforts.

[5] https://www.cisa.gov/national-critical-functions-overview
[6] Presidential Policy Directive-21: Critical Infrastructure Security and Resilience establishes national policy on CI security and resilience. PPD-21 identifies 16 CI sectors and designates associated Federal Sector-Specific Agencies (SSAs) to lead Federal Government efforts to collaborate, coordinate, and implement actions to enhance the security and resilience of their respective CI sector. The USA Patriot Act defines CI as systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters (USA Patriot Act of 2001, 42 U.S.C. 5195c(e)).
THE ICS CHALLENGE

Much of the Nation's CI depends on ICS such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), which rely on programmable logic controllers (PLC) to manage essential and complex operational processes.

Risk to traditional ICS once predominantly arose from human error and accidents, natural disasters, and acts of physical sabotage. Traditional ICS can have 30-year lifecycles and are purpose-built, stand-alone systems designed for reliability rather than security. The convergence of physical and cybersecurity processes and the increasing integration of ICS with business networks and internet-based applications have vastly increased the prevalence and complexity of cyber threats to ICS. Unlike business enterprise networks, which manage information, ICS manage physical operational processes. Therefore, cyberattacks could result in significant physical consequences, including loss of life, property damage, and disruption of the essential services and critical functions upon which society relies. The ability to use cyberattacks to cause physical consequences makes ICS attractive targets for malicious actors seeking to cause the United States harm.

Operational technologies are also increasingly commoditized, prevalent, and used in applications that may be smaller in scale than industrial processes, which further contributes to cybersecurity risk. These applications are growing exponentially and migrating into domains not previously automated or connected to the internet (e.g., automobiles, medical devices, smart buildings and homes, pipelines, aviation).[7] Adding to the ICS risk topography is the deployment of 5G networks, which reduces reliance on traditional network routers, thus limiting the ability of security providers to monitor for and prevent malicious traffic. CI owners and operators must navigate this ICS risk landscape to deliver the essential products and services that support societal well-being and fuel the economy.

[7] More than 21 billion IoT devices are expected by 2025 (Source: The future of IoT: 10 predictions about the Internet of Things, https://us.norton.com/internetsecurity-iot-5-predictions-for-the-future-of-iot.html)
THE DIVERSE ICS COMMUNITY

CISA plays a unique role as the lead federal civilian agency responsible for advising CI partners on how to manage ICS risk. Fulfilling this role successfully requires both operational and strategic partnerships across the ICS community. Such collaborative partnerships often succeed in resolving intractable issues where unilateral efforts of government or private industry cannot.

The diverse ICS community comprises entities with equities in ICS security, including federal, state, and local governments; asset owners and operators; vendors; system integrators; international partners; and academic professionals in all 16 CI sectors. This section highlights the major ICS community groups with whom CISA must collaborate to manage ICS risk successfully.

Federal Advisory Committees: On behalf of DHS, CISA is the designated federal agency responsible for supporting several federal advisory bodies that involve expertise in ICS and OT. These include numerous councils operating under CIPAC (which provides a mechanism for CI sector and government coordinating councils, sector-specific agencies [SSAs], and working groups such as the Enduring Security Framework to collaborate on CI security issues), the National Security Telecommunications Advisory Committee (NSTAC), and the National Infrastructure Advisory Council (NIAC).

Other Non-Governmental Partners: CISA works extensively with ICS community leaders and influencers, the CI owners and operators that use and depend on ICS, ICS/OT vendors, researchers, security providers and consultants, ISACs and ISAOs, IT and cybersecurity professionals (chief information officers [CIOs], chief information security officers [CISOs], etc.), and non-governmental organizations such as academia and standards setting bodies. CISA leverages these partnerships to support unified strategic planning, technology development, preparedness planning and exercises, operational procedures and processes, training, research and development, security and threat awareness, development and promotion of ICS standards and best practices, information exchange, strategic risk and interdependency analyses, and numerous additional activities.

Congress and the White House: When called upon, CISA serves as a subject matter expert and advisor to Congress and the White House, helping to inform proposed cybersecurity laws and policy decisions.

Department of Homeland Security: CISA serves as the lead advisor to the Secretary of Homeland Security on CI and cybersecurity (including ICS security) matters. CISA also works closely with other DHS organizations to coordinate ICS security efforts and assist on specific ICS-focused initiatives.

Sector-Specific Agencies and other Federal Departments and Agencies: SSAs are federal departments and agencies that collaborate with government and the private sector to coordinate security initiatives for their designated CI sector. CISA works closely with SSAs that rely significantly on control systems for operation of CI, particularly in sectors that may have an elevated risk of cyberattack (e.g., Energy Sector, Critical Manufacturing Sector). CISA is also responsible for the security of the Federal Government's civilian networks and works with other federal agencies and several National Labs (under the umbrella of the Department of Energy) to help them protect against ICS threats as well as to coordinate ICS security efforts for their constituencies.

States and Localities: CISA partners with a range of state, local, tribal, and territorial (SLTT) governments, oversight and regulatory bodies, community leaders, law enforcement, homeland security advisors, state CIOs and CISOs, intelligence fusion centers, and emergency responders. CISA also coordinates with the Multi-State Information Sharing & Analysis Center (MS-ISAC), which supports cyber threat prevention, protection, response, and recovery for the Nation's SLTT governments.

International Partners: Cybersecurity is a global issue, and reducing cyber risk must involve a unified global effort. Cybersecurity incidents occurring in other countries—particularly those involving novel or persistent cyber threats—may have significant implications for ICS security in the United States. These and other considerations require strong international collaboration—including operational collaboration and integration—to support DHS's cybersecurity mission to protect our Nation's CI from cyber threats.

[8] "Resident" organizations have liaison officers that sit on CISA's Integrated Coordination and Operations Center watch floor.
[9] See https://www.us-cert.gov/ics/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
DEFENDING

Every day, CISA works with CI asset owners and operators to help them identify, protect against, and detect cybersecurity threats and respond to and recover from

[Figure: Unified ICS Strategy, shown as a cycle of Identify, Protect, Detect, Respond, and Recover]

Watch Operations:

CISA maintains an around-the-clock alerting and reporting function that helps maintain situational awareness across the ICS risk landscape. This includes receiving, monitoring, triaging, tracking, coordinating, and reporting on ICS cyber threats and events and, where possible, monitoring and tracking the tactics, techniques, and procedures (TTPs) of specific threat actors. The center also serves as the primary entry point for incoming reporting and service requests from CISA's partners as well as ICS task routing and dissemination within CISA.
ICS Security Partnerships:

The operational and strategic partnerships CISA maintains with the global ICS community are the underpinning for enduring ICS security. ICSJWG is a critical foundational element to CISA's public-private partnerships. This working group supports information exchange and ICS risk-reduction strategies by fostering collaboration within industry and between industry and the Federal Government. CISA also hosts CSIWG, which works with interagency partners and the private sector to help drive the national strategic direction for control systems cybersecurity.

► Strategic Risk Assessment:

At the strategic level, CISA's National Risk Management Center (NRMC) is a planning, analysis, and collaboration center focused on addressing the Nation's highest priority critical infrastructure risks, originating from cyberattacks and other hazards. NRMC serves as the end-to-end integrator of risk management activities for NCFs and leverages that risk expertise to support overall execution of the CISA mission. NRMC leads CISA efforts on supply chain risk management, engaging partners and performing analysis to identify and secure the supply chain of critical components. Further, NRMC provides CISA with expertise in methodology development, risk assessment, modeling, and data management and visualization.

► Information Exchange:

CISA shares the outputs of our analysis with the ICS community through a wide range of cybersecurity information products, including ICS-focused alerts, advisories, analysis reports, and best practices. CISA's information products provide either raw data—usually IOCs—or analysis products that help asset owners and operators prevent, detect, and mitigate threats and vulnerabilities.

► Technical and Threat Analysis:
SECURING ICS FOR THE FUTURE

It is important that CISA continues to invest in and improve the capabilities, products, and services described in Section 5. However, when evaluating the Nation's emerging
PILLAR ONE: ASK MORE OF THE ICS COMMUNITY, AND DELIVER MORE TO THEM.

VISION: CISA will reinvigorate and deepen our existing partnerships while also expanding the scope of engagements with the broader ICS community to empower CISA's partners to mitigate ICS risk.

CISA'S FOCUS: No single entity can successfully manage the scope and complexity of the entire ICS risk landscape. The ICS community's path to security lies in a truly integrated government-industry alliance, founded on trust and transparency and focused on strategic and operational collaboration across the community. Such an alliance engages private sector CI owners and operators; ICS manufacturers, vendors, and integrators; researchers; cybersecurity firms; academia; international partners; government agencies; law makers and regulators; and other stakeholders in a global effort to understand and mitigate ICS risk. By combining its collective security resources and expertise, the ICS community can radically amplify ICS risk-management capabilities and shape joint security investments that shift the cybersecurity paradigm.

PILLAR TWO: DEVELOP AND UTILIZE TECHNOLOGY TO MATURE COLLECTIVE ICS CYBER DEFENSE.

VISION: CISA will develop and promote easily accessible, deployable, and inexpensive ICS tools and capabilities to help asset owners secure ICS against all adversaries.

CISA'S FOCUS: Current ICS security technology focuses on reactive defense against known threats, with limited capabilities to detect threats based on behavior rather than pre-defined indicators. CISA will work with the ICS community to drive technology developments that harden the cybersecurity defenses of legacy control systems, build security into new ICS devices while in the development stage, and increase lower-level data visibility. CISA will approach development of ICS cybersecurity technologies by leveraging the inventiveness and the wisdom of the ICS community to ensure CISA products do not inhibit ICS functionality. CISA will also make a broader range of CISA-developed capabilities readily available to CI asset owners and operators. In addition, CISA will incentivize partners to develop and implement ICS security technologies to protect themselves and their customers.

PILLAR THREE: BUILD "DEEP DATA" CAPABILITIES TO ANALYZE AND DELIVER INFORMATION THE ICS COMMUNITY CAN USE TO DISRUPT THE ICS CYBER KILL CHAIN.

VISION: CISA will diversify data partnerships, further define ICS data needs, and support efforts to increase the ingestion of additional data differentiated by source, type, and consequence to increase visibility into ICS threats and vulnerabilities.

CISA'S FOCUS: With greater access to data and better quality and fidelity of data, CISA will vastly improve our analytic capabilities and can provide better threat and vulnerability information to our partners. As CISA matures our ICS vulnerability management program, we will map discovered vulnerabilities to product lines and configurations to understand with accuracy the vulnerability's impact and potential consequences. CISA will use the information we collect—not only to improve the depth and value of the threat and vulnerability data we provide partners—but also to develop configuration gold standards and to enable third parties to leverage CISA capabilities to perform hunt, malware analysis, and other ICS analytic functions.

PILLAR FOUR: ENABLE INFORMED AND PROACTIVE SECURITY INVESTMENTS BY UNDERSTANDING AND ANTICIPATING ICS RISK.

VISION: CISA will improve visibility into the risk landscape and use that knowledge to inform investments into proactive initiatives that move the ICS community ahead of the threat curve.

CISA'S FOCUS: CISA will work to understand the severity of ICS cyber risks (including threats, vulnerabilities, and consequences) and the effect our actions—both those currently undertaken in defense of ICS and those implemented through this initiative—have on the ICS risk to NCFs. CISA will use the best information available to perform risk analysis that informs investments across the ICS stakeholder community. CISA will also gain a better understanding of CI and NCF dependencies on ICS and use risk and consequence analysis models to understand the full impacts of ICS cyberattacks. Further, CISA will dedicate resources to future studies and trend analysis that help the ICS community understand the impact of new innovations on ICS cybersecurity environments, anticipate emergent risk, drive preemptive action, and inform risk investment priorities. CISA will ensure that our understanding of strategic risks informs our priorities for assessments and that what is learned from assessments informs our understanding of strategic ICS risks.
CONCLUSION
As CISA implements this initiative over the next several years, the ICS threat
environment will surely evolve. CISA will adapt to changes in the environment and
manage specific ICS risk management activities accordingly; the foundational
pillars around which this initiative builds will endure.
Sustainable success for ICS security requires CISA to understand the ICS
community’s priorities and work with them to close security gaps. To do this
effectively, CISA will expand and deepen trusted partnerships across the ICS
community so that more organizations and technical experts contribute the data,
expertise, and ideas CISA requires to succeed in our mission. Similarly, CISA
will work with ICS technology leaders to jointly develop, incentivize, and share
innovative ICS cybersecurity technologies that lower implementation barriers
for CI owners and operators. CISA will also enhance the quality and fidelity of
the data we collect, which will enable us to provide high quality, action-focused
analytical products that are tailored to the unique requirements of specific
customers.
Most importantly, CISA and the ICS community must know the impact our actions
have on the national ICS risk landscape, particularly with respect to NCFs. With
this knowledge, together we will work as a single, unified organization that
achieves sustainable and enduring ICS security and drives wise, risk-informed ICS
security investments.