Industrial Control Systems Security: Recommendations for Europe & Member States
BRUSSELS and HERAKLION, Greece, December 19, 2011 /PRNewswire/ –
ENISA, the EU’s ‘cyber security’ agency, has today issued the results of a study on
Industrial Control Systems (ICS) security. The report describes the current situation on
ICS security and proposes seven recommendations for improving it.
Industrial Control Systems (ICS) are command and control networks and systems designed
to support industrial processes. These systems are used for monitoring and controlling a
variety of processes and operations, such as gas and electricity distribution, water, oil
refining and railway transportation.
In the last decade, these systems have faced a notable number of incidents. These
include the “Stuxnet” attack, which is believed to have used bespoke malware to target
nuclear control systems in Iran, and the recent DuQu, an ‘upgraded variant’ of this
malware. These incidents caused great security concerns among
In 2011, ENISA worked on the main concerns regarding ICS security, and national,
pan European and international initiatives on ICS security. The stakeholders involved
include ICS security tools and services providers, ICS software/hardware manufacturers,
infrastructure operators, public bodies, standardisation bodies, academia and R&D.
This final report proposes seven practical, useful recommendations to public and private
sector ICS-actors, so as to improve current initiatives and enhance co-operation. The
recommendations call for the creation of national and pan-European ICS security
strategies, a Good Practice Guide on ICS security, research activities, the establishment
of a common test bed and ICS-computer emergency response
“Real security for Industrial Control Systems can be only achieved with a common
effort, characterised by cooperation, knowledge exchange and mutual understanding of all
involved stakeholders,” says Rafal Leszczyna, editor of the report.
Professor Udo Helmbrecht, Executive Director of ENISA, added:
“Stuxnet brought the problem of security of industrial control systems to prominence.
Our study clearly shows that there is still a lot to be done in this area by all relevant
stakeholders. We hope that our seven recommendations will lead to significant
Background: To address ICS security, in April 2007, the Council of the European Union
[http://www.consilium.europa.eu/homepage?lang=en] adopted a European Programme for
Critical Infrastructure Protection (EPCIP)
[http://eur-lex.europa.eu/LexUriServ/site/en/com/2006/com2006_0786en01.pdf]. The key
element of EPCIP is the Directive
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF] on
the identification and designation of European Critical Infrastructures. In parallel, the
information security issues for vital infrastructures in Europe are addressed by the
Digital Agenda for Europe (DAE) and the CIIP Action Plan
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF]. The
ENISA study results were validated during a workshop in Barcelona in September 2011.
For full report
SOURCE ENISA – European Network and Information Security Agency