Cyber Security – How is ICS different from IT? (Part 1)
Cyber security has always been a concern in the general Information Technology (IT) environment, but not so in the Industrial Control Systems (ICS) until recent years (IEC 61511  requested a security risk assessment in its 2016 edition). This is because traditionally, ICS was built using bespoke hardware and software (immune from malware) and separated from outside world with air gaps (not susceptible to remote cyber attacks). Cyber security has increasingly become an issue for ICS due to
- the increasing use of Commercial Off The Shelf (COTS) software and hardware
- the increasing connectivity between ICS and the enterprise network
- the adoption of standard network protocols such as TCP/IP
How is ICS different from IT?
For ICS, much can be learned from IT on cyber security. However, there are significant differences between IT and ICS in terms of cyber security. Firstly, in IT, cyber security is concerned about data; whilst in ICS, cyber security is concerned about critical assets (see Figure to the right). In the event of a security breach, the major risk in IT would be delay of business operations (financial impact), while in ICS the major risk would be potential loss of lives, environmental impacts, or/and asset (equipment, production and reputation) damage (see Figure below).
The figure below  illustrates how security breaches could lead to hazardous consequences in ICS. This is also the reason why the latest edition of IEC 61511 (edition 2 issued in 2016)  explicitly requests a security risk assessment.
In a series of blogs, I’ll examine the major differences between IT and ICS in terms of cyber security.
ESC offers a range of cyber security services in supporting the functional safety of ICS, including cyber security training, cyber security risk assessment and cyber security management system, see ESC’s Industrial Control Systems Cyber Security page for more details.