Industrial control system is different from traditional IT system. Compared with IT systems, industrial control systems have the following characteristics:
The system has low tolerance for delay and high reliability requirements, and most of them need to work continuously throughout the year.
Some industrial control systems still use the old operating system (OS), so the safety management requirements of such systems are higher;
Because the industrial control system involves software, hardware, firmware and process flow, its change management is more complicated.
The system communication protocols are more mixed, including various industrial buses, industrial Ethernet, wireless access, radio frequency and satellite;
The overall system architecture is more complex, and the enterprise security awareness and security awareness are relatively low;
From the point of view of risk, in addition to traditional information security, industrial control system security also needs to pay attention to personal, environmental, production and physical safety;
The system life cycle is longer, and the requirements for system design completeness and process integration are higher.
To sum up, compared with the IT system, the establishment of an information security system covering all levels of the industrial control system is more complicated, and requires the attention and supervision of the enterprise management, as well as the cooperation of cross-departments within the enterprise.
Industrial control system safety status
For a long time, the protection measures of enterprise information security mainly focus on traditional IT systems, especially public-facing systems and services. In view of the information security problem of industrial control system, enterprises often take a passive way of security by obscurity, and do not give enough attention and attention.
According to statistics from CVE (Common Vulnerabilities and Exposures) (see Figure 2), the number of exposures to industrial control systems has increased significantly since 2011, and security incidents targeting industrial control systems have occurred, of which the impacts are large: The Stuxnet virus attack on Iran’s nuclear power plant in 2010 led to the failure of uranium enrichment equipment, a massive power outage in Ukraine in 2015, an attack on TSMC’s production site in 2018, and an attack on Venezuela’s power grid in 2019 that left much of the country without electricity. These incidents have had very serious consequences.