Naučno-tehničeskij Vestnik Informacionnyh Tehnologij, Mehaniki i Optiki (Feb 2021)
On safety issue of industrial control systems
Abstract
Several methodological approaches to ensuring the safety of industrial control systems at the current level are well known. Over the past few years, two radically different methodological approaches have been considered as fundamental: the proposal to implement additional information security countermeasures without changing the basic IT infrastructure, and the creation of a new concept of total isolation (for example, the Zero Trust Architecture). These methodological approaches do not lead to stability and security of industrial control systems, as noted by the centers of competence in Russia (Group-IB, Positive Technologies) and in the world (IBM, MS, Cisco, CheckPoint). Reports of new critical vulnerabilities never stop, and a significant number of them relate to industrial control systems. The problem of ensuring safety dates from the 20th century and has passed through several stages of maturity; at present, the approach “from functionality” is the most obvious. In general, this approach means that the formulation and solution of the problem begins when the manufacturer creates a solution based on a specification consisting of functional safety requirements. Then the safety assessment based on trust requirements is carried out. Unfortunately, it is typical of the overall process of ensuring the safety of industrial control systems that the industry has not yet developed a holistic culture of consuming secure IT components with security evidence that can be traced to the required level. Only a few suppliers in the world and in Russia are ready to offer components that have a proven Safety Integrity Level in accordance with the requirements of the IEC 61508 and/or 61511 series.
The present publication considers the issue of ensuring the safety of industrial control systems in such technical aspects as the required resources, the specified speed, the management quality, the validation methods, the estimation of residual risks, and other computable estimates. A brief overview of existing approaches is presented, and some possible solutions to the defined problem are given.
Keywords