Identification of Information Technology Security Issues Specific to Industrial Control Systems

Abstract

The paper presents current cybersecurity issues in industrial automation and control systems (IACS). It also reviews the state of the art in literature, standards and frameworks used to evaluate and certify industrial control devices. Nowadays the Common Criteria (CC) security assurance methodology is commonly used for the vast majority of information technology (IT) products but not for IACS components. The paper proposes a security evaluation method of IACS to be based on the CC approach. The CC standard has not been used in industry so far and this is why it became the main motivation of the author’s doctoral research work in that field. The implementation of CC security requirements can enhance the “safety” of functional features in control devices by adding “security” measures typical of IT products. The paper delivers input information to the first stage of the author’s research whose goal is the identification of design needs and requirements for building the security evaluation method. As a result, in the next stage, the evaluation method can be built according to the model of a control system and to the criteria taken from the CC standard adjusted to IACS needs. Coupling both “security” and “safety” for industrial control systems is a promising way of using the CC assurance methodology for a new kind of devices.