Industrial Control Systems might be controlling multiple machines and materials, but above them there is another layer of control. Adapting the famous Watchmen quote to this context: “Who controls the controllers?” Unlike the original version, this one has an answer: auditors and legislation.
I talked briefly about auditing in the previous post as a countermeasure against sabotage and unauthorized remote access. However, the truth is that these are just two small examples of what auditing does for ICS. Audits are carried out to find out what has happened and what the vulnerabilities of the deployment are. Some companies, let’s say the big ones that manage high-risk stuff, are required to pass periodic independent controls and to hold certain certifications in order to work with the public administration.
Imagine a company that has suffered a loss of data because something happened during the transmission between its car manufacturing plant and the Data Center. Unfortunately, no one notices until one day the robot arm starts drilling pieces incorrectly, causing irregularities in the otherwise perfect product. An inspection by the IT staff shows that malware blocked the communication between the sensors of the device and the local controller, so no one knew that the machine needed to be recalibrated. Due to the monetary losses derived from this incident, the parent company has decided to hire a team of auditors. As internal auditors, they are not going to check the accounts of the company, but the countermeasures deployed to protect the production line against hostile actions originating outside or inside the plant.
Every audit is different, but the Institute of Internal Auditors (IIA) has defined a general process for internal auditors that, I think, fits ICS‑SCADA fairly well. The main difference between auditing ICS and other systems is that IT has not become just the backbone of the processes. IT is not “providing a service” to operational technology (OT); it has become an indivisible part of what is sometimes called “XT”. Although the “X” refers to the fusion of those two terms, I prefer to read it as the “eXtra” in “XL”.
Understanding the business. Auditors are usually computer engineers, which puts them quite close to the rest of the engineers. Some of the auditors might even have experience working in this field. In short, auditors have prior knowledge they can use to understand the needs and risks of the business.
Define the IT universe. The role of IT inside an ICS context is linked to OT systems. However, this should not leave other IT tools (like a CRM or a Kanban tool) aside. They usually share the same networks, firewalls, users… and so they share the same risks.
Perform risk assessment. The risk assessment is different for every context. ISACA offers a framework for SCADA Cybersecurity that could be the basis for the risk assessment. I would like to point out that, unlike in other audits, the risks here could directly lead to someone losing their life due to a machine or a malfunctioning final product.
Formalize audit plan. The only difference (which is not due to the ICS context) is that the creation of this audit plan has been reactive, so the business strategy will not contemplate these tasks. This opportunity should be used to introduce the idea of auditing to the different managers of the company.
As the factory is located in the European Union, the analysis of the controls will have to follow European regulations (with some modifications due to regional laws). Luckily, the EU provides companies with tools that allow them to discover and follow the best practices of their markets while staying aligned with European legislation. One of these documents, “Certification of Cyber Security skills of ICS/SCADA professionals” from ENISA, explains the certifications, roles and knowledge areas of (cyber and physical) security for ICS. If the internal auditors were an integral part of the company, it would be in the interest of the organization to train them for certifications like Global Industrial Cyber Security Professional (GICSP) or the Certified ICS/SCADA Security Architect (CSSA), so that future audits would increase in quality.
Setting controls is an integral part of auditors’ work. Controls protect and inspect the processes so the company can rely on them and find out whether something is wrong and where. In fact, I have been talking about controls the whole post: industrial controls. IT controls could already be controlling ICSs, which means that some security has already been implemented. Those existing controls should be identified, reanalyzed and aligned with the new security objective. Once again, the reality of ICS has moved from pure OT to an integration with IT.
Victor Papanek opened Design for the Real World with one of my favourite quotes: “There are professions more harmful than industrial design, but only a few of them”. I would like to add auditors to that list: their good work makes good industrial designers able to use their ingenuity for the common good, while bad auditors make good industrial design dangerous.
 Kirk Rehage, Steve Hunt & Fernando Nikitin, Developing the IT Audit Plan (Altamonte Springs: The Institute of Internal Auditors, 2008), PDF edition, 3.
 Samir Malaviya, «SCADA Cybersecurity Framework», ISACA Journal Volume 1, (2014), accessed 27 November 2019, https://www.isaca.org/Journal/archives/2014/Volume-1/Pages/SCADA-Cybersecurity-Framework.aspx
 «Critical Infrastructures and Services», European Union Agency for Cybersecurity, accessed 27 November 2019, https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/
 «Certification of Cyber Security skills of ICS/SCADA professionals», European Union Agency for Cybersecurity, accessed 27 November 2019, https://www.enisa.europa.eu/publications/certification-of-cyber-security-skills-of-ics-scada-professionals
 «Cyber Security Certification: GICSP», GIAC Certifications, accessed 27 November 2019, https://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp
 «Certified SCADA Security Architect (CSSA)», Information Assurance Certification Review Board, accessed 27 November 2019, http://www.iacertification.org/cssa_certified_scada_security_architect.html
 Victor Papanek, Design for the Real World (Chicago: Academy of Chicago Publishers, 1971), ix.