SECURING INDUSTRIAL CONTROL SYSTEMS: A

A PARADIGM SHIFTNATIONAL CRITICAL FUNCTIONSThis initiative places significant emphasis on developingjoint ICS security capabilities—with partners ingovernment and the private sector—that asset ownersand operators implement directly to secure ICS. Throughthe deployment of these shared capabilities, assetowners and operators can better defend themselveswhile also helping to inform CISA’s national-level ICSpriorities. In addition to continuing to provide andimprove our current ICS security products and services,CISA will prioritize development of ICS communitydriven solutions.In 2019, CISA identified and validated a set of55 National Critical Functions following extensiveconsultation with the CI community. These are, “thefunctions of government and the private sector so vitalto the United States that their disruption, corruption, ordysfunction would have a debilitating effect on security,national economic security, national public health orsafety, or any combination thereof.” NCFs provide animportant prism through which CISA can work with ourpartners to help them understand, prioritize, and addressICS risk.NCFs are a critical focal point for CISA’s ICS securitystrategy. CISA will highlight priority NCFs and map thearchitecture of these functions and identify the degreeto which specific NCFs depend on ICS. CISA will alsoappropriately align our ICS resources to the areas wherethe destruction, disruption, or exploitation of ICS posesthe greatest risk to NCFs.Viewing these NCFs holistically provides a complement toCI sector-based approaches to risk management. CISAwill gain greater clarity into the criticality of variouselements of the Nation’s infrastructure by focusing riskanalysis on the specific ways that an entity supportsNCFs. NCFs also help CISA understand dependenciesand potential risks, including the impact that exploitationof ICS may have on the delivery of the essential productsand services upon which the American people rely. Byviewing risk through a functional lens, CISA can workwith our partners to harden ICS systems across the CIecosystem in a more targeted, prioritized, and strategicmanner. A key forum for this work is the CISA-supportedCritical Infrastructure Partnership Advisory Council(CIPAC), which enables the government and privatesector entities—organized as coordinating councils—toengage in activities to support and collaborate on CIsecurity and resilience efforts.The initiative also elevates ICS security as a priority withinCISA, coalescing CISA’s organizational attention aroundthe implementation of a unified, “One CISA” strategy.Our OT cybersecurity experts, risk managers, CI andphysical security experts, field operations, external affairsliaisons, strategists, stakeholder engagement liaisons,and technologists will collaborate on an ongoing basis toimplement important aspects of this -functions-overview6Presidential Policy Directive-21: Critical Infrastructure Security and Resilience, establishes national policy on CI security and resilience. PPD-21identifies 16 CI sectors and designates associated Federal Sector-Specific Agencies (SSAs) to lead Federal Government efforts to collaborate,coordinate, and implement actions to enhance the security and resilience of their respective CI sector. The USA Patriot Act defines CI as systemsand assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security,national economic security, national public health or safety, or any combination of those matters (USA Patriot Act of 2001 (42 U.S.C. 5195c(e)).3

THE ICSCHALLENGEMuch of the Nation’s CI depends on ICS suchas supervisory control and data acquisition(SCADA) systems and distributed controlsystems (DCS), which rely on programmablelogic controllers (PLC) to manage essentialand complex operational processes.Risk to traditional ICS once predominantly arose fromhuman error and accidents, natural disasters, andacts of physical sabotage. Traditional ICS can have30-year lifecycles and are purpose-built, stand-alonesystems designed for reliability rather than security. Theconvergence of physical and cybersecurity processesand increasing integration of ICS with business networksand internet-based applications has vastly increasedthe prevalence and complexity of cyber threats to ICS.Unlike business enterprise networks, which manageinformation, ICS manage physical operational processes.Therefore, cyberattacks could result in significantphysical consequences, including loss of life, propertydamage, and disruption of the essential services andcritical functions upon which society relies. The use ofcyberattacks to cause physical consequences make ICSattractive targets for malicious actors seeking to causethe United States harm.Operational technologies are also increasinglycommoditized, prevalent, and used in applicationsthat may be smaller in scale than industrial processes,which further contributes to cybersecurity risk. Theseapplications are growing exponentially and migratinginto domains not previously automated or connected tothe internet (e.g., automobiles, medical devices, smartbuildings and homes, pipelines, aviation).7 Adding to theICS risk topography is the deployment of 5G networks,which reduces reliance on traditional network routers,thus limiting the ability of security providers to monitorfor and prevent malicious traffic. CI owners and operatorsmust navigate through this ICS risk landscape to deliverthe essential products and services that support societalwell-being and fuel the economy.7More than 21 billion IoT devices are expected by 2025 (Source: The futureof IoT: 10 predictions about the Internet of Things, ctions-for-the-future-of-iot.html)44

THE DIVERSEICS COMMUNITYCISA’S OPERATIONALPARTNERSHIPSCISA’S STRATEGICPARTNERSHIPSAt an operational level, CISA works with the following partnersto enhance the community’s ICS technical, analytical, andresponse capabilities: CI asset owners; ICS vendors andintegrators; ICS-focused cybersecurity providers; researchersand academia; government at all levels; and internationalcounterparts. CISA maintains operational relationships withnumerous resident8 and non-resident government and privatesector organizations. Key operational partners include:In addition to those partners with whom CISAmaintains ongoing operational relationships, CISA alsomanages longstanding strategic partnerships withorganizations within the ICS community to supportsecurity and resilience activities across the riskmanagement spectrum.89 DHS (including the Federal Emergency Management Agency,National Operations Center, Office of Intelligence and Analysis,the Science and Technology Directorate [including DHSCenters of Excellence], Transportation Security Administration,U.S. Coast Guard, and U.S. Secret Service); Department of Justice (Federal Bureau of Investigation [FBI]); Department of Defense (DOD) (U.S. Cyber Command andNational Security Agency); Department of Energy (DOE) (including theNational Laboratories); Federal Cybersecurity Centers; FBI’s National Cyber Investigative Joint Task Force National Security Agency/Central Security Service ThreatOperations Center DOD’s U.S. Cyber Command and Cyber Crime Center Intelligence Community Incident Response Center, InformationSharing and Analysis Centers (ISACs) (including the AviationISAC, Communications ISAC, Electricity Sector ISAC, FinancialServices ISAC, Information Technology ISAC, and Multi-StateISAC), and Information Sharing and Analysis Organizations(ISAOs); and Individual CI owners and operators, including majortelecommunications and internet service providers, ICSvendors and integrators, ICS cybersecurity providers, andother CI partners.These vital strategic partnerships create trust withinthe ICS community, foster open communication,establish processes and procedures for action,and facilitate effective operational integration andcoordination. The following are CISA’s corestrategic partners.Control Systems Interagency Working Group (CSIWG):CSIWG is an interagency working group focused ondefining a whole-of-community, strategic approachto control systems security. In coordination withthe private sector, CSIWG is working to ensure U.S.Government priorities in the control system spacemeet the needs of the community. The working groupserves as the strategic foundation for a unified effortto improve cybersecurity for control systems across theU.S. Government and private sector.Industrial Control Systems Joint Working Group(ICSJWG): ICSJWG9 represents a foundational publicprivate partnership through which CISA supportsinformation exchange and development of riskmanagement capabilities, products, and services.ICSJWG facilitates communication among federal,state, and local governments; asset owners andoperators; vendors; system integrators; internationalpartners; and academic professionals in all 16CI sectors.“Resident” organizations have liaison officers that sit on CISA’s Integrated Coordination and Operations Center watch floor.See tems-Joint-Working-Group-ICSJWG5

CISA plays a unique role as the lead federal civilianagency responsible for advising CI partners on how tomanage ICS risk. Fulfilling this role successfully requiresboth operational and strategic partnerships across theICS community. Such collaborative partnerships oftensucceed in resolving intractable issues where unilateralefforts of government or private industry cannot.The diverse ICS community comprises entities withequities in ICS security, including federal, state, and localgovernments; asset owners and operators; vendors;system integrators; international partners; and academicprofessionals in all 16 CI sectors. This section highlightsthe major ICS community groups with whom CISA mustcollaborate to manage ICS risk successfully.Federal Advisory Committees: On behalf of DHS, CISA isthe designated federal agency responsible for supportingseveral federal advisory bodies that involve expertise inICS and OT. These include numerous councils operatingunder CIPAC (which provides a mechanism for CI Sector andgovernment coordinating councils, sector-specific agencies[SSAs], and working groups such as the Enduring SecurityFramework to collaborate on CI security issues), the NationalSecurity Telecommunications Advisory Committee (NSTAC),and the National Infrastructure Advisory Council (NIAC).security efforts and assist on specific ICS-focused initiatives.Sector-Specific Agencies and other Federal Departmentsand Agencies: SSAs are federal departments and agenciesthat collaborate with government and the private sector tocoordinate security initiatives for their designated CI sector.CISA works closely with SSAs that rely significantly oncontrol systems for operation of CI, particularly in sectorsthat may have an elevated risk of cyberattack (e.g., EnergySector, Critical Manufacturing Sector). CISA is alsoresponsible for the security of the Federal Government’scivilian networks and works with other federal agencies andseveral National Labs (under the umbrella of theDepartment of Energy) to help them protect against ICSthreats as well as to coordinate ICS security efforts for theirconstituencies.Other Non-Governmental Partners: CISA works extensivelywith ICS community leaders and influencers, the CI ownersand operators that use and depend on ICS, ICS/OT vendors,researchers, security providers and consultants, ISACs andISAOs, IT and cybersecurity professionals (chief informationofficers [CIOs], chief information security officers [CISOs],etc.), and non-governmental organizations such as academia and standards setting bodies. CISA leverages thesepartnerships to support unified strategic planning, technology development, preparedness planning and exercises,operational procedures and processes, training, researchand development, security and threat awareness, development and promotion of ICS standards and best practices,information exchange, strategic risk and interdependencyanalyses, and numerous additional activities.States and Localities: CISA partners with a range of state,local, tribal, and territorial (SLTT) governments, oversightand regulatory bodies, community leaders, law enforcement, homeland security advisors, state CIOs and CISOs,intelligence fusion centers, and emergency responders.CISA also coordinates with the Multi-State InformationSharing & Analysis Center (MS-ISAC), which supports cyberthreat prevention, protection, response, and recovery for theNation’s SLTT governments.International Partners: Cybersecurity is a global issue, andreducing cyber risk must involve a unified global effort.Cybersecurity incidents occurring in other countries—particularly those involving novel or persistent cyber threats—mayhave significant implications for ICS security in the UnitedStates. These and other considerations require stronginternational collaboration—including operational collaboration and integration—to support DHS’s cybersecurity missionto protect our Nation’s CI from cyber threats.Congress and the White House: When called upon, CISAserves as a subject matter expert and advisor to Congressand the White House, helping to inform proposed cybersecurity laws and policy decisions.Department of Homeland Security: CISA serves as the leadadvisor to the Secretary of Homeland Security on CI andcybersecurity (including ICS security) matters. CISA alsoworks closely with other DHS organizations to coordinate ICS6

DEFENDINGICS TODAYEvery day, CISA works with CI asset owners and operatorsto help them identify, protect against, and detectcybersecurity threats and respond to and recover fromsignificant incidents to both IT and OT networks (seefigure 1).Although ICS owners and operators manage theirown security, when the potential exploitation of ICStechnologies poses existential threats to people orproperty—or undermines confidence in CI safety andreliability and NCFs—it is CISA’s mission to assist throughdelivery of a broad portfolio of ICS security products andservices. CISA’s current offerings include:Figure 1RECOVERWatchOperations:IDENTIFYCISA maintains an around-the-clock alerting and reportingfunction that helps maintain situational awareness acrossthe ICS risk landscape. This includes receiving, monitoring,triaging, tracking, coordinating, and reporting on ICS cyberthreats and events and, where possible, monitoring andtracking the tactics, techniques, and procedures (TTPs) ofspecific threat actors. The center also serves as the primaryentry point for incoming reporting and service requestsfrom CISA’s partners as well as ICS task routing anddissemination within CISA.UnifiedICS StrategyRESPONDDETECTPROTECTBalanced Risk ManagementIntegrated PartnershipsHunt and IncidentResponse:Enabling TechnologiesFigure 1: CISA provides full-spectrum ICS securitycapabilities to CI owners and operators. Incident Response: CISA serves as the FederalGovernment’s primary mechanism for providing assetresponse capabilities to nationally significant cybersecurityincidents in U.S. CI, including ICS-specific incidents. CISA’sgoal is to assist victims, upon their request, to mitigate andminimize the duration and severity of ICS incidents. Incidentresponse efforts focus on identifying the root cause of anincident by searching for adversary TTPs, behaviors, andassociated artifacts in the victim network. CISA continues toexpand our capacity for managing incident responses as wellas our technical response tools and capabilities.Exercisesand Training:CISA supports continued improvement in cyber preparedness and resilience through ICS-focused cyber exercisedesign, development, and execution. CISA offers a rangeof exercise types, from tabletop discussions to full-scale,national-level exercises. ICS training capabilities includeICS security fundamentals as well as more advanced onlineand in-classroom training available for learners with a rangeof technical expertise. CISA also offers regional coursesand workshops, as well as a recurring five-day, hands-onadvanced training event. Hunt: At the invitation of our partners, CISA also providesvoluntary assistance to identify adversary presence in ICSenvironments via proactive hunt missions (conducted inthe absence of a known incident). CISA’s hunt capabilitiesare specifically focused on identifying sophisticated threats,often beyond the capacity and capability of traditional cybersecurity tools and techniques.7

ICS SecurityPartnerships:The operational and strategic partnerships CISA maintains with the global ICS community are the underpinning for enduring ICSsecurity. ICSJWG is a critical foundational element to CISA’s public-private partnerships. This working group supports informationexchange and ICS risk-reduction strategies by fostering collaboration within industry and between industry and the FederalGovernment. CISA also hosts CSIWG, which works with interagency partners and the private sector to help drive the national strategicdirection for control systems cybersecurity. Strategic RiskAssessment: At the strategic level, CISA’s National Risk ManagementCenter (NRMC) is a planning, analysis, and collaborationcenter focused on addressing the Nation’s highest prioritycritical infrastructure risks, originating from cyberattacks andother hazards. NRMC serves as the end-to-end integratorof risk management activities for NCFs and leveragesthat risk expertise to support overall execution of the CISAmission. NRMC leads CISA efforts on supply chain riskmanagement, engaging partners and performing analysis toidentify and secure the supply chain of critical components.Further, NRMC provides CISA with expertise in methodologydevelopment, risk assessment, modeling, and datamanagement and visualization.InformationExchange:CISA shares the outputs of our analysis with the ICS community through a wide range of cybersecurity informationproducts, including ICS-focused alerts, advisories, analysisreports, and best practices. CISA’s information productsprovide either raw data—usually IOCs—or analysis productsthat help asset owners and operators prevent, detect, andmitigate threats and vulnerabilities.Technical andThreat Analysis:To understand and identify ICS threats, CISA conducts awide range of analysis with the intelligence community,researchers, vendors, CI owners and operators, and otherpartners to develop, contextualize, and share indicators ofcompromise (IOCs). CISA also conducts analysis on malware,digital media, and ICS hardware. CISA ICS analysts focuson digital artifacts from devices specific to industrial controlsystems such as PLCs and remote terminal units. CISA’s ICSadvanced malware laboratory specializes in malware threatsto ICS environments and provides asset owners with onsiteor remote support.OTAssessments:CISA offers our partners a range of asset-based assessments,including Validated Architecture Design Reviews (VADR), whichinvolve an architecture design review, system configurationand log review, and network traffic analysis. We also providethe Cybersecurity Evaluation Tool (CSET)—a downloadableself-assessment tool with an ICS focus—at no cost to customers. In addition, CISA’s protective security advisors can conductevaluations of physical security protections for ICS, includingRegional Resiliency Assessment Program (RRAP) assessments, which help contextualize the role of ICS in enabling CIfunctions and provide information about the potential regionalconsequences of their disruption. Such assessments alsoconsider the resilience of essential services (e.g., electricpower, communications) that enable ICS to function. In turn,this information informs ICS preparedness and planningefforts regarding redundancies, service backup, and alternateoperating modes. Lastly, CISA’s chemical security inspectorsconduct compliance assistance and regulatory inspections forcertain ICS.VulnerabilityManagement:CISA works with trusted partners in the public and privatesector to coordinate timely and responsible disclosure of ICScybersecurity vulnerabilities. CISA publicizes vulnerabilitiesand (when known) shares mitigation measures with usersand administrators. CISA also works with ICS vendors andintegrators to test new product lines to identify vulnerabilitiesbefore they go to market. CISA also works with our partnersto understand hardware and software vulnerabilities in theICS supply chain.8

SECURING ICSFOR THE FUTUREPILLAR ONE:ASK MOREOF THE ICSCOMMUNITY,AND DELIVERMORE TOTHEM.PILLAR TWO:DEVELOPAND UTILIZETECHNOLOGYTO MATURECOLLECTIVEICS CYBERDEFENSE.PILLAR THREE:BUILD “DEEP DATA”CAPABILITIESTO ANALYZEAND DELIVERINFORMATION THEICS COMMUNITYCAN USE TODISRUPT THE ICSCYBER KILL CHAIN.It is important that CISA continues to invest in and improvethe capabilities, products, and services described inSection 5. However, when evaluating the Nation’s emergingsecurity challenges, CISA must—in partnership with the ICScommunity—move well beyond what we are doing toda

Using broadly available and easily implemented ICS cybersecurity tools and services, CI asset owners radically increase their baseline ICS cybersecurity capabilities. . and cross-cutting pillars that together drive sustainable and measurable change to the Nation’s ICS security : . of ICS