In 2013 alone, the U.S. Department of Homeland Security (DHS) and its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 256 cyber-incident reports—more than half of them in the energy sector. Such attacks were prevalent in 2014 as well: DHS investigated 245 incidents last year, including documented attacks targeting local water authorities in the United States.

The National Institute of Standards and Technology (NIST), which develops information security standards and guidelines to protect the nation’s critical infrastructure, recently published its second revision to Guide to Industrial Control Systems (ICS) Security. The guide highlights the unique cybersecurity risks and vulnerabilities to which ICSs are increasingly exposed and steps organizations utilizing ICSs should take to mitigate them.

Industrial control systems are used to control critical infrastructure processes in industries such as electric power, water, wastewater, oil, gas, transportation, chemical, pharmaceutical, food and beverage, and discrete manufacturing (such as automotive, aerospace, and durable goods).

Historically, ICSs were isolated systems running proprietary hardware and software that were not connected to IT networks or the Internet. As industries matured and became more geographically dispersed, the control systems increasingly adopted connectivity and remote access capabilities by incorporating industry-standard operating systems and low-cost Internet Protocol devices. Consequently, ICSs are increasingly becoming susceptible to cybersecurity vulnerabilities and incidents. Due to the "critical" nature of the systems being controlled by ICS technology, a cyber attack could have catastrophic consequences, including loss of electric power or water for large populations, loss of lives, and threats to national security.

The NIST guide serves as a pointed reminder to manufacturing and energy companies and other providers of critical infrastructure that securing the ICS should be made a top priority and systematically addressed before irreversible consequences are suffered. 

The revised guide recommends commencing with an “information security risk assessment” to identify threats and vulnerabilities, the harm they might cause, and the likelihood of their occurrence at the organization level, the mission/business process level, and the information system level (IT and ICS). The conclusions drawn from the risk assessment should be incorporated into a comprehensive information security policy or used to review and update existing policies, as needed. Compliance with the policy will best be facilitated by assembling a team, including key members of the C-suite, and by rolling out extensive awareness and training programs.

Companies are encouraged to incorporate cybersecurity considerations when launching new systems, carrying out acquisitions, or engaging service providers. The defenses implemented should involve multiple overlapping security mechanisms to minimize the impact of a failure in any one mechanism. The more sensitive the information or system, the more robust the protection should be.

One way to address the risk is to limit the attack surface. This can be accomplished by, among other things, separating corporate and ICS networks, implementing secure communications, prohibiting computerized devices used for ICS purposes from leaving the ICS area, restricting physical access and access to the IT systems by implementing role-based access controls based on the principle of least privilege, and implementing multifactor authentication.

The guide also stresses the importance of implementing appropriate controls to detect and protect against data intrusions. Preparing for the consequences of a data breach is another focus of the guide. Companies need to ensure redundancies for critical components, implement a business continuity plan that includes third-party providers, and devise an incident response plan.

The highly technical NIST guide, while not targeted at senior management or in-house counsel, sends a clear message that ICS cybersecurity issues are a serious governance matter that should be duly considered and addressed, first by conducting a cybersecurity risk assessment to understand the scope and nature of the risks and then by amending the company's information security plan as needed.

Attorneys at Ballard Spahr have represented manufacturing, utility, and energy companies, and have a deep understanding of these industries and their unique needs. Members of Ballard Spahr’s Privacy and Data Security Group have designed and led enterprise-wide information security risk assessments and plan implementations and have assisted clients with cybersecurity breach incidents. Combining our industry knowledge with our cybersecurity experience, we can help organizations with any step of the design and implementation of an information security program.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have. 
