As part of ongoing risk management, robust Change Management procedures are required to ensure that the defined IACS scope is not subject to uncontrolled modifications which could reduce the effectiveness of implemented security countermeasures or introduce new vulnerabilities.
IACS cyber security Change Management procedures can be introduced into an existing corporate Change Management System or defined specifically within an organisation’s Cyber Security Management System (CSMS).
The concept of like-for-like replacement, common in plant equipment and safety system asset management, needs to be expanded for IACS assets to avoid introduction of security risks from existing (but previously disabled) and new functionality e.g. web server capability implemented by the manufacturer during product line development. In addition to matching manufacturer and model numbers, a replacement IACS asset must be identical to the asset it is replacing in terms of:
The possibility of unwittingly introducing security risks due to dependencies on external suppliers highlights the need for organisations to understand their IACS asset supply chain and manage the risk from external suppliers as part of the CSMS.
E: email@example.com. T: 44 (0)1462 713313. W: www.methodcysec.com