Industrial Control System Security Extension
Industrial Control Systems (ICS) encompass various types of control systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). They are an essential part of many critical industries, including power supply, water resources and wastewater treatment, oil and gas extraction, chemical industry, transportation, pharmaceuticals, pulp and paper, food and beverage processing, and discrete manufacturing (covering automotive, aerospace, and durable goods manufacturing). These systems are crucial for continuous and stable operation and efficient management, hence they are often regarded as objects of protection with extremely high availability requirements.
The hierarchical structure of industrial control systems is clear, divided from top to bottom into enterprise resource layer, production management layer, process monitoring layer, field control layer, and field device layer. Each layer has different real-time requirements, and depending on the classification object, the ICS objects that need protection may span multiple levels across these layers.
When constructing a security protection system for industrial control systems, it is necessary to comprehensively cover all levels.Given that the enterprise resource layer, production management layer, and process monitoring layer are primarily composed of computer devices, they implement protection according to general security requirements. However, for the field control layer and field device layer, the industrial control system security extension requirements propose more specific and stringent security standards. These special requirements complement the general security requirements, together ensuring the integrity and effectiveness of the overall security framework of the ICS.
Specifically, the control points covered by the industrial control system security extension requirements are extensive, including but not limited to protective measures for outdoor control devices, strict control over dial-up and wireless usage, enhancement of the security of control devices themselves, as well as additional regulations in network architecture design, communication transmission security, access control policy formulation, product procurement and usage specifications, and outsourcing software development management. These requirements aim to comprehensively enhance the resilience of the ICS system, ensuring it can operate stably and securely in complex and changing environments.
The basic requirements for the security extension of industrial control systems at levels one to four (from left to right) are detailed in the table below:
Source: An Xiaoqi
