ENISA outlines seven measures to improve ICS security

EU security body's report details the potential threats to Industrial Control Systems, and what should be done to protect them

The European Network and Information Security Agency (ENISA) has called for the creation of a Europe-wide strategy to protect Industrial Control Systems (ICS), fearing another Stuxnet-style attack of the type that stymied Iran's nuclear programme last year.

A new report from the agency said "Even though there are multiple available good practices, technical reports and standards, security staff feel that they lack guidance from a trustworthy and objective reference authority."

The report makes a series of recommendations designed to improve the security of ICS:

• It argued for the creation of Pan-European and National ICS Security Strategies.
• The creation of a Good Practices Guide for ICS security.
• The creation of ICS security plan templates.
• That member states should foster awareness and training.
• For the creation of a common test bed, or alternatively, an ICS security certification framework.
• For the creation of national ICS-computer emergency response capabilities.
• To foster research in ICS security leveraging existing Research Programmes.

"Awareness of this problem is not only about being aware of the risks involved in using the electronic communication systems, but far more about making the users aware of how to protect themselves online and how to use their information systems and products in a secure manner," the report said.

Cooperation and knowledge sharing within the EU is necessary for ICS security to be improved, according to the report's editor, Rafal Leszczyna.

"Real security for Industrial Control Systems can be only achieved with a common effort, characterised by cooperation, knowledge exchange and mutual understanding of all involved stakeholders," he added.

Last year's Stuxnet attack brought the vulnerability of ICS into focus, as this sophisticated piece of malware was able to cause physical damage to Iran's nuclear programme.

Professor Udo Helmbrecht, executive director of ENISA, argued that this increased attention has not yet resulted in an acceptable level of security among the EU's ICS.

"Stuxnet brought the problem of security of industrial control systems to our attention. But our study clearly shows there is a lot to be done in this area by all relevant stakeholders."

Kaspersky Lab founder and CEO Eugene Kaspersky recently said he expected to see more Stuxnet style attacks.

"I'm sure Stuxnet will happen again and again," he said. "It's extremely complicated and expensive to redesign industrial systems...and we depend on them for electricity, transport, information - everything depends on industrial systems."

Fears of further potential attacks on ICS appeared to be well-founded in October this year when security researchers found evidence of a new piece of malware, apparently closely related to Stuxnet, designed to infiltrate ICS to learn more about their useage and vulnerabilities.