Strategic Security Protection For Industrial Control Systems

Even though serious accidents such as explosion or leakage of poisonous substances have not occurred yet, several cyber-attacks, e.g. Stuxnet, Havex and etc. have been developed to attack industrial control systems (ICS) and succeeded to hinder the operation of industries for long term. These malwares utilized zero-day exploits and concealment. Although countermeasures against them have been developed, new kinds of cyber-attacks will be developed. It looks a vicious spiral. Especially for ICS, safety should be maintained even if the cyber-attacks utilize unknown vulnerability. In this paper, a systematic approach to design protection systems against cyber-attacks for ICS is proposed. Not only the vulnerabilities of the control network but also properties of the process safety are considered to design and evaluate them. The investment for cyber-security should be proposed according to the seriousness of possible hazards, required security level and budgets. The proposed approach enables the strategic decision making. Moreover, the scenarios of incident responses to care safety and security are discussed.