Research Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New Industrialization

Research Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New Industrialization

★ Zhongheng Telvi Testing Technology (Beijing) Co., Ltd. Cai Lili

Abstract:With the digital transformation and intelligent upgrade of industrial enterprises, as well as the use of new technologies, industrial control systems have become more open, leading to new risk factors. This article introduces the risks faced by industrial control systems in the context of new industrialization and outlines the assessment basis, finally proposing considerations.

Keywords:Digitalization; Intelligence; Industrial Control Systems; Risk Assessment

1 Introduction

The report of the 20th National Congress of the Communist Party of China proposed that by 2035, new industrialization will be basically realized. In promoting the new stage of industrialization, digitalization and intelligence have become important levers for the technological transformation and upgrading of industrial enterprises. Following the empowerment of the industrial internet, industrial enterprises are strengthening the integrated application of a new generation of information technology with industrial production around “digital transformation” and “intelligent upgrade”, accelerating the development of new productive forces. Networking is the basic resource guarantee and data element source for digitalization and intelligence. The classic model of industrial control systems has changed in the context of networking. Whether information security risk control can be implemented for industrial control systems to prevent and mitigate network and data security risks has become a key factor for industrial enterprises to successfully achieve transformation and upgrading.

2 Risks of Industrial Control Systems in the Context of New Industrialization

The classic hierarchical structure of industrial control systems includes the enterprise resource layer, production management layer, process monitoring layer, field control layer, and field device layer from top to bottom. With the development of the industrial internet and the acceleration of digital transformation and intelligent upgrades, this hierarchy is no longer fully applicable. The use of new technologies and equipment, as well as the migration of industrial enterprises to the cloud, have changed the assets, vulnerabilities, and threats corresponding to risk assessment.

(1) Current Status of Risks in Industrial Control Systems under New Industrialization

Classic industrial control systems typically include SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control System), and PLC (Programmable Logic Controller), operating in closed and independent environments, where information security risks are minimal. Most industrial control systems in China were built early, with little consideration for information security during the era of underdeveloped information technology, and they have not been upgraded with technological advancements, resulting in insufficient security capabilities. With the application of new technologies such as cloud computing, big data, artificial intelligence, and edge computing in industrial production, as well as the increasing number of hardware and software facilities, including smart terminals and collection devices, connecting to the network, the relatively closed and trusted traditional industrial control system environment has been disrupted. The integration of OT (Operational Technology), IT (Information Technology), DT (Digital Technology), and CT (Communication Technology) has blurred security boundaries, allowing internet threats to penetrate industrial control systems, making them vulnerable to hackers. Meanwhile, the integration of edge computing platforms and cloud platforms into industrial control systems has aggregated massive amounts of heterogeneous data, promoting digitalization and intelligence but also introducing data security risks. Therefore, the applicability and effectiveness of traditional information security risk assessments for industrial control systems have significantly decreased under the new circumstances, leading to the emergence of information security risk assessments for industrial control systems in the context of new industrialization, thereby providing reliable guarantees for intelligent upgrades.

(2) Risks Caused by Industrial Enterprises Migrating to the Cloud

The “2023 First Half Cloud Security Situation Report” shows that industrial cloud is one of the three industries most frequently attacked. During the digital transformation process, industrial enterprises use industrial internet platforms and edge computing platforms to store and process data. For industrial internet platforms, this involves the cloud deployment of systems such as MES (Manufacturing Execution System) and PLM (Product Lifecycle Management), as well as the migration of data from conventional industrial control systems to the cloud. For edge computing platforms, a large number of field devices, machine tools, or production lines are connected through controllers, gateways, or servers, enabling storage and computation to be decentralized. The risk assessment of industrial internet platforms and edge computing platforms, the security risks of access, and the management of public cloud security risks will all become factors in the information security risk assessment of industrial control systems.

(3) Risks from Intelligent Assets

In the process of intelligent upgrades, the widespread use of intelligent equipment such as CNC machine tools and intelligent devices like industrial robots and smart vehicles introduces new risk factors to industrial control systems. Intelligent asset systems may have vulnerabilities and backdoors, allowing attackers to control devices through vulnerabilities or steal data through backdoors, resulting in losses for industrial enterprises. Additionally, if the network area where intelligent assets are located does not use boundary security devices such as firewalls and network gateways, and if intelligent terminals are monitored remotely via the internet, the boundaries between IT and OT disappear, making them susceptible to network attacks from the IT side. Therefore, the information security risk assessment of intelligent assets becomes part of the risk assessment of industrial control systems.

(4) Risks from Supply Chain Security

In the context of new industrialization, industrial enterprises increasingly apply firmware, software, components, and systems, with higher levels of software or system packaging, leading to a sharp increase in attacks targeting various links in the supply chain, resulting in greater overall supply chain security threats. The number of security attack incidents targeting the supply chain is rapidly increasing. Gartner has predicted that by 2025, at least 45% of enterprises globally will experience software supply chain attacks. Furthermore, if malicious code is implanted in software development tools, it can compile defective code. There were suspicions that the iOS development tool Xcode was implanted with malicious code, causing apps compiled with this tool to leak mobile privacy information. Therefore, conducting supply chain security risk assessments is a refinement of the requirements for industrial control systems in the context of new industrialization, helping enterprises identify supply chain security weaknesses, implement control measures, and enhance the security protection capabilities of critical links.

3 Basis for Information Security Risk Assessment of Industrial Control Systems in the Context of New Industrialization

China places great importance on the information security risk assessment of industrial control systems. Many laws and regulations have proposed risk assessment requirements, and several national standards provide guidance for the implementation process of risk assessments, confirming existing security measures for risk assessments. The risk assessment of industrial enterprises in the new stage should not only comply with the relevant risk assessments of industrial control systems but should also adapt to the development trends of networking, digitalization, and intelligence, providing security guarantees for the intelligent upgrades of enterprises.

(1) Legal Regulations on Risk Assessment of Industrial Control Systems

The “Cybersecurity Law of the People’s Republic of China” stipulates that the state implements a cybersecurity grading protection system, and the national internet information department coordinates relevant departments to establish and improve the cybersecurity risk assessment and emergency response mechanism, promoting the construction of a social service system for cybersecurity, and encouraging relevant enterprises and institutions to carry out cybersecurity certification, testing, and risk assessment services. The “Data Security Law of the People’s Republic of China” stipulates that the state supports relevant departments, industry organizations, enterprises, educational and research institutions, and relevant professional institutions to collaborate on data security risk assessment, prevention, and disposal; important data processors should regularly conduct risk assessments of their data processing activities as required and submit risk assessment reports to the relevant supervisory departments.

The “Guidelines for Cybersecurity Protection of Industrial Control Systems” propose that before the launch of new or upgraded industrial control systems, and before connecting industrial control networks to enterprise management networks or the internet, a security risk assessment should be conducted. The “Guidelines for Cybersecurity Classification and Grading of Industrial Internet Enterprises (Trial)” stipulate that level three industrial internet enterprises should conduct at least one network security risk assessment and audit annually. The “Interim Measures for Data Security Management in the Field of Industry and Information Technology” stipulate that important data and core data processors in the field of industry and information technology should conduct at least one risk assessment of their data processing activities annually, either independently or by entrusting a third-party assessment agency, promptly rectifying risk issues, and submitting risk assessment reports to local industry regulatory departments; central enterprises should supervise and guide their subordinate enterprises to fulfill local management requirements in important data and core data directory filing, risk assessment of core data cross-entity processing, risk information reporting, annual data security incident handling reports, and risk assessments of important data and core data.

(2) Reference Standards for Risk Assessment of Industrial Control Systems

GB/T 20984-2022 “Information Security Technology – Information Security Risk Assessment Methods” is the core basis for industrial internet enterprises to implement risk assessments for industrial control systems. It identifies risks from four aspects: assets, vulnerabilities, threats, and existing security measures, calculating the likelihood of events occurring, assessing the losses of the assessment objects, and determining the risk values faced by system assets, ultimately calculating the business risk value. GB/T 36466-2018 “Information Security Technology – Guidelines for Risk Assessment of Industrial Control Systems” analyzes threats, vulnerabilities, and protective capabilities based on the asset security characteristics of industrial control systems, completing comprehensive analysis and evaluation through risk calculations, and finally conducting residual risk disposal based on the judgment results and the enterprise’s own situation. GB/T 31722-2015 “Information Technology Security Technology – Information Security Risk Management” provides guidance for information security risk management, applicable to industrial enterprises. This standard is currently being upgraded, with the new standard titled “Information Security Technology – Guidance for Information Security Risk Management”.

(3) Standards for Confirming Existing Security Measures

Standards for evaluating the cybersecurity of industrial control systems cover the cybersecurity grading protection 2.0 standard system, including GB/T 22239-2019 “Basic Requirements for Cybersecurity Grading Protection” and GB/T 28448-2019 “Evaluation Requirements for Cybersecurity Grading Protection”; the series of standards for cybersecurity of industrial internet enterprises includes GB/T 44462.1-2024 “Cybersecurity for Industrial Internet Enterprises – Part 1: Protection Requirements for Industrial Enterprises Using Industrial Internet” and GB/T 44462.2-2024 “Cybersecurity for Industrial Internet Enterprises – Part 2: Protection Requirements for Platform Enterprises”. These standards can be used by enterprises to confirm the effectiveness of existing security measures for industrial control systems. The protective measures taken by enterprises include firewalls, intrusion detection, data encryption, and access control, which are means to reduce vulnerabilities and resist threats, and can be verified for effectiveness through configuration checks, vulnerability scanning, and penetration testing.

4 Conclusion

Due to the diversity of enterprises involved in risk assessments and differences in personnel, the results have a certain degree of uncertainty. Therefore, when conducting comprehensive risk assessments of industrial control information systems, it is essential to consider all aspects and implement them regularly.

(1) Issues Faced by Risk Assessment of Industrial Control Systems

First, industrial control systems are applied in various types of industrial enterprises, such as steel, non-ferrous metals, petrochemicals, etc. The types and sizes of enterprises differ, leading to varying focuses in their risk assessments. Second, risk assessments are subjective; whether relying on third parties or conducting them internally, there are blind spots, and the perspectives and experiences of assessors can influence the results. Third, the methods of risk assessment are not consistent; if intelligent assets, cloud platforms, or critical components are assessed separately, the consistency of assessment methods is a crucial factor for the accuracy of information security risk assessment results for industrial control systems.

(2) Regular Conduct of Information Security Risk Assessments for Industrial Control Systems

Since the assets, vulnerabilities, and threats related to industrial control systems are not static, industrial enterprises need to conduct regular information security risk assessments to comprehensively understand their network and data security levels. Based on the assessment results, they should optimize protective measures, promptly eliminate unacceptable risk hazards, and keep risks within acceptable limits, providing guarantees for the intelligent upgrades of enterprises and laying a foundation for achieving the goals of new industrialization.

References omitted.

| Author Biography |

Cai Lili(1990-), female, from Zhangjiakou, Hebei, assistant engineer, bachelor’s degree, currently employed at Zhongheng Telvi Testing Technology (Beijing) Co., Ltd., mainly engaged in research on information system security maintenance, information system testing, quality management, etc.

· end ·

Source | “Automation Expo” 2025 First Issue and “Special Issue on Information Security of Industrial Control Systems (Volume 11)”

Editor | He Min

Research Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New Industrialization

For cooperation or consultation, please contact the WeChat ID of the Industrial Safety Industry Alliance platform secretary: ICSISIA20140417

Recommended Readings

Heavyweight | “Automation Expo” 2025 First Issue and “Special Issue on Information Security of Industrial Control Systems (Volume 11)” Online

Must-Read for the 2025 Two Sessions |These Industrial Information Security Proposals Will Rewrite Industry Rules

Ministry of Industry and Information Technology |Risk Warning on Preventing Network Attacks Targeting Local Deployment of DeepSeek

Insights |Security Protection of Long-Distance Oil and Gas Pipeline Control: Strategies, Practices, and Prospects

DeepSeek Analysis |The Development Status and Future Prospects of Zero Trust Security Architecture in the Industrial Field

White Paper |Northeast University: 2024 Industrial Control Network Security Situation White Paper (Download Attached)

Recommended Reading |The Five Network Security Technologies That Are About to Become Obsolete

Insights |Research on Encryption Technology for Industrial Programmable Control Systems

Recommended Reading |DeepSeek Insights and Reflections from the Perspective of Security Professionals

Ministry of Industry and Information Technology |In 2024, China’s Information Security Sector Revenue Will Reach 229 Billion Yuan

Attention |Results of Security Testing of Key Network Devices (19th Batch)

Power Safety |2024 New Power System Security Construction Guidelines Report (Download Attached)

Ministry of Industry and Information Technology and Thirteen Departments |2024 List of Typical Projects for Cybersecurity Technology Applications

Attention |Joint Issuance of the Implementation Plan for Improving Data Circulation Security Governance by the National Development and Reform Commission, National Data Bureau, and Six Other Departments

Research Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New IndustrializationResearch Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New IndustrializationResearch Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New IndustrializationResearch Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New IndustrializationResearch Analysis | Information Security Risk Assessment of Industrial Control Systems in the Context of New Industrialization

Related posts

  1. Successful Conclusion of the 2025 Annual Academic Committee Meeting of the Key Laboratory for Safety and Reliability Assessment of Industrial Control Systems
  2. Expert Insights on Physical Intrusion Threat Models and Protection Methods for Industrial Control Systems
  3. Siemens SPPA-T3000 Control System Exposes Critical Vulnerabilities, Leaving Global Power Plants at Risk!
  4. Successful Conclusion of the 2025 Annual Academic Committee Meeting of the Key Laboratory for Safety and Reliability Assessment of Industrial Control Systems
  5. A Decade of Vigilance: Safeguarding Industrial Control System Security Against the Resurgence of Stuxnet
  6. Challenges in PLC Programming: Understanding Positive and Negative Edges
  7. Indonesia Accelerates Semiconductor and Artificial Intelligence Industry Layout, Targeting 2045 Digital Economy Growth
  8. Design of Security Protection Technology System for Industrial Control Systems
  9. Classification of Information Security Threats in Industrial Control Systems
  10. Appreciation of MG Gundam
  11. Smart Speaker Concept – Performance Overview: Zhaochi Co., Ltd., Amlogic Co., Ltd., Zhongke Lanyun, GoerTek Inc., and Zhidu Co., Ltd.
  12. Overview Of Seven Major Process Industry Instrument Control Systems
  13. Overview of Common CNC Systems for Machine Tools
  14. Risk Assessment of State Machine Programming: A Safety Analysis Framework for Industrial Control Systems
  15. Basic Introduction to Siemens S7-1200 Storage Card
  16. Understanding Industrial Control System Security Standards (GB/T 36324-2018)
  17. How to Prevent Memory Leaks in Embedded Programming?
  18. Six Common Data Structures in Embedded Programming
  19. Summary of HttpClient Usage and Utility Class Encapsulation

Leave a Comment