← Home

Introduction to IACS Security

Industrial cybersecurity focuses on protecting Industrial Automation and Control Systems (IACS) from cyber threats while maintaining the safe, reliable, and continuous operation of industrial processes. Unlike traditional information technology (IT), industrial environments directly interact with physical equipment and processes, meaning a successful cyberattack can have consequences far beyond data loss.

ISA/IEC 62443-1-1 clause 4 is partially aligned to the information presented here but key concepts have been expanded upon.


IACS Cybersecurity Summary
Figure 1 - IACS Cybersecurity Overview

The Situation

IACS operate within complex environments. An increasing amount of information is shared between IACS and business (IT / corporate) systems. Because IACS directly control processes and equipment, cyber breaches can cause not only confidentiality impacts (stolen secrets), but also:

Threats are both external and internal, and may be malicious or non-malicious (accidental). Many business changes or improvements also increase the potential risk of compromising security.

Industrial cybersecurity is a shared responsibility. Effective security cannot be achieved through technology alone; it requires people, processes, and technology working together throughout the lifecycle of an industrial system.

Weakness in any one of these areas can undermine the effectiveness of the others.


Current Systems

IACS were historically isolated. Most systems today are made up of commercial off-the-shelf (COTS) software and hardware, are often connected to the internet, run on multiple platforms and operating systems, and include legacy equipment that was not designed for security.

Increased integration and interdependency have brought clear benefits:

While beneficial, these changes also increase the potential for security breaches and vulnerabilities.

IACS are often built upon legacy systems, with designs that extend existing designs and conform to the constraints of current infrastructure. This creates complex configurations that make it difficult to understand the system entirely, for example:


Current Trends

Modern industrial systems have become increasingly interconnected and dependent on standard computing and networking technologies. While these advances improve efficiency and productivity, they also expose industrial systems to many of the same cyber threats faced by traditional IT environments.

Key trends increasing cyber risk include:

As a result, cybersecurity needs for IACS are increasing.


Potential Impacts

Unlike traditional IT incidents, cyberattacks on industrial systems can have direct physical consequences. Potential impacts include:

Societal Consequences

Organisational Consequences


Common IACS Security Myths

"We aren't connected to the Internet."

False.

Many industrial environments contain indirect or unintended connections that provide potential pathways into the control system.

Common examples include:

"We're protected by a firewall."

False.

A firewall is only effective when it is correctly designed, configured, and maintained. Poor firewall configuration remains one of the most common weaknesses in industrial environments.

Effective firewall management requires:

"Hackers don't understand control systems."

False.

Knowledge of industrial systems is now widely available through publicly available exploits, Cybercrime-as-a-Service, research publications, and online communities.

"Our facility isn't a target."

False.

Every industrial sector is a potential target. Critical infrastructure, manufacturing, mining, utilities, food production, and other industries have all experienced cyberattacks.

For many organisations, the question is no longer if an attempted compromise will occur, but when.

"Safety systems will protect us."

False.

Malware such as TRITON demonstrated that attackers may deliberately target Safety Instrumented Systems (SIS). Safety systems should therefore be considered another critical asset requiring cybersecurity protection.


Summary


Related Topics
Industrial Cybersecurity – Introduction
ISA/IEC 62443 Overview
IEC 62443-3-2 Cyber Risk Concepts
Defence in Depth