Security assessment methodology for industrial control system products

Abstract

Industrial control systems (ICS) are at the heart of critical infrastructures and security is therefore important for such systems. In order to determine the security level of existing and planned systems, ICS products should be efficiently and comprehensively assessed. In this paper we present a methodology for assessing the security of a product or a system that can be used by security experts and non-experts alike. The methodology contains specific and concrete security recommendations (what), a rationale for each recommendation (why) as well as concrete implementation guidance (how). The methodology aims to help product teams to quickly and efficiently assess the security level of their products, prioritize resources on future development efforts, and generate security requirements for future products. We validate the approach by applying a concrete instantiation of the methodology to a fictitious ICS product.