
Control System Cybersecurity Is Shifting Away from Corporate Thinking

By Andrew Ginter
May 26, 2015

The hardware and software on corporate and control system networks are similar, but other characteristics of the two networks differ. The essential difference is, not surprisingly, control. Control system networks control the physical world. Corporate systems manage data.

ICSs, especially in critical industrial infrastructures, control powerful, costly and often dangerous industrial processes, such as refineries, water purification systems and power plants. Modern societies depend on these processes to maintain standards of living, and the processes are generally protected by “guns, guards and gates” because any unauthorized/unqualified operation of these powerful systems, however briefly, represents an unacceptable risk.

Contrast this with the standard approach to information technology. Modern businesses rely on employees accessing email and the Internet, so corporate networks and firewalls must, by design, permit users to receive content from the Internet – content which may contain attacks. Worse, once past the firewall, corporate networks are computers and software. All software has defects; some defects are security vulnerabilities, so, in practice, all software can be hacked. Corporate security teams regard compromise as inevitable.

Corporate security practitioners deploy anti-virus systems and other “hardening” measures to protect vulnerable networks, but no such measures can stop all attacks. This is why the pinnacle of corporate security systems is intrusion detection systems staffed by cybersecurity experts.

While control system networks are also full of software, there are important differences. Corporate network perimeters must permit Web pages and email, but control system perimeters permit no such traffic. On both networks, security experts need hours at a minimum, and sometimes days or weeks, to detect and repair compromised computers. On control networks, attackers can remotely operate equipment for all of this time. The simplest damage an intruder could inflict is activating an emergency shutdown. Refineries, power plants and other large installations can take days or longer to return to full capacity after a shutdown. More sophisticated mis-operation can physically damage furnaces, turbines, transformers and other costly equipment. Worst-case attacks can cause public safety hazards, such as releasing sewage into drinking water distribution systems.

Cybersecurity best practices are evolving to recognize these critical differences. The latest North American Electric Reliability Corporation Critical Infrastructure Protection Version 5 (NERC CIP V5) standards for the North American power grid and the 2014 French Agence nationale de la sécurité des systèmes d’information (ANSSI) standards encourage or require stronger network protections for control system networks.

The French standards are the strongest; they ban firewalls and Internet-based remote control for the most societally sensitive networks, such as railway-switching networks or chemical-plant safety networks. These new rules are “old news” to control system teams with a history of dealing with safety, equipment-protection and reliability issues. For example, such teams have long banned remote configuration of safety systems; often the only way to reprogram a life-critical system is to stand in front of the system with a key in hand to enable programming.

The new rules, though, can come as a surprise to corporate security teams with little awareness of control, safety or reliability issues, and a long history of remotely reconfiguring corporate networks. The clear lesson in the new rules is that, unlike porous-by-design corporate networks, intrusion prevention is vital to the operation of critical ICS networks.

Rather than firewalls, the ANSSI rules require, and the NERC CIP rules encourage, hardware-enforced unidirectional security gateways. The gateways are fiber-optic hardware that physically enables information to flow in only one direction. The gateways gather control system data from databases on control networks and populate corporate databases with that data in real time. Unidirectional gateway deployments generally have no impact on business operations, other than to dramatically reduce risks by preventing network attacks from corporate insiders and the Internet. Corporate users can still access the latest plant information in real time by querying the replica databases on the corporate network.
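The replication pattern described above, modeled as an added example (not code from the article or from any gateway product). The `OneWayLink` class, table layout, tag names and the sequence-gap check are assumptions for illustration; a real gateway enforces the one-way property in fiber-optic hardware, which software can only imitate.

```python
import sqlite3
from collections import deque

class OneWayLink:
    """Models the fiber: the control side gets only send(), the corporate side only recv()."""
    def __init__(self, drop=()):
        self._fiber = deque()
        self._drop = set(drop)            # sequence numbers lost in transit (constructed)
    def tx_side(self):
        def send(frame):
            if frame[0] not in self._drop:
                self._fiber.append(frame)
        return send
    def rx_side(self):
        def recv():
            return self._fiber.popleft() if self._fiber else None
        return recv

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (seq INTEGER PRIMARY KEY, tag TEXT, value REAL)")
    return db

def publish(source_db, send):
    """Control side: push every historian row; no acknowledgement can come back."""
    for row in source_db.execute("SELECT seq, tag, value FROM readings ORDER BY seq"):
        send(row)

def replicate(recv, replica_db):
    """Corporate side: fill the replica and report gaps it has no way to ask to be resent."""
    gaps, expected = [], 1
    while (frame := recv()) is not None:
        gaps.extend(range(expected, frame[0]))
        replica_db.execute("INSERT INTO readings VALUES (?, ?, ?)", frame)
        expected = frame[0] + 1
    return gaps

def demo():
    source, replica = make_db(), make_db()
    samples = [(1, "boiler.temp", 181.5), (2, "boiler.temp", 182.0),
               (3, "pump.rpm", 1450.0), (4, "boiler.temp", 182.4)]   # constructed data
    source.executemany("INSERT INTO readings VALUES (?, ?, ?)", samples)
    link = OneWayLink(drop={3})           # simulate one frame lost on the link
    publish(source, link.tx_side())
    gaps = replicate(link.rx_side(), replica)
    # A change made on the corporate replica stays there; nothing carries it back.
    replica.execute("UPDATE readings SET value = 0 WHERE tag = 'boiler.temp'")
    replica_rows = replica.execute("SELECT COUNT(*) FROM readings").fetchone()[0]
    source_temp = source.execute("SELECT value FROM readings WHERE seq = 4").fetchone()[0]
    return gaps, replica_rows, source_temp

if __name__ == "__main__":
    print(demo())
```

Because the receiver cannot request a resend, a lost frame shows up only as a gap in the sequence numbers, which the corporate side can alert on but not repair.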

The NERC CIP V5 standards encourage the use of unidirectional security gateways by providing exemptions from up to 30 percent of CIP compliance requirements for networks protected by strong, unidirectional perimeters.

With hardware-enforced unidirectional gateways as the new control-system security best practice, system security teams globally are re-evaluating and enhancing control-system security programs. Today’s best practices demand that all of us responsible for the security of control-system networks examine our industrial sites and answer the question: “Which of these sites is expendable enough to leave protected by firewalls?”

KEYWORDS: control systems security infrastructure cyber security security compliance


Andrew Ginter is vice president of Industrial Security at Waterfall Security Solutions. He has managed the development of commercial products for computer networking, industrial control systems, control system to enterprise middleware, and industrial cyber security. Andrew is currently the co-chair of the ISA SP-99 WG1 working group and represents Waterfall Security Solutions to NIST, NERC-CIP and other ISA SP-99 working groups and other standards bodies. He frequently writes and speaks on industrial control system cyber security topics. Andrew has degrees in Applied Mathematics and Computer Science from the University of Calgary, as well as ISP, ITCP and CISSP accreditations.
