ICS Security Compendium

In publishing the ICS Security Compendium, the Federal Office for Information Security (BSI)provides a basic reference guide for IT security in ICS.
The first part was published in 2013 and is intended for operators of industrial control systems. It explains some general basics of automation and draws attention to unique aspects and standards in this area. The topic is rounded out by a collection of safeguards and a procedure for reviewing their implementation.

• ICS Security Compendium

The second part is intended for manufacturers of ICS components. This part builds on the basics established in the first by describing requirements for ICS components and framework conditions that should be considered during development. To support secure development, it also includes questions that were formulated as a means of testing components.

• ICS Security Compendium Test recommendations and requirements for product suppliers of components

Secure passwords on Embedded Devices

Embedded Devices are used in all areas of daily life, including in industrial control components (e.g. programmable logic controllers), network technology (routers and switches), office equipment (printers, scanners, copiers), consumer electronics (set-top boxes), and automotive and aircraft construction.

• Secure passwords on Embedded Devices

Open Platform Communications Unified Architecture (OPC UA)

The Open Platform Communication Unified Architecture (OPC UA) is an open communication standard enabling the communication between arbitrary industrial machines. From individual sensors to complete productions lines plants, they can be represented in a server-side information model and controlled by a client application. OPC UA is a vendor independent standard and a key technology for Industry 4.0 applica-tions. The client-server architecture of OPC UA provides, compared to other industrial communication pro-tocols, built-in security mechanisms to ensure the authenticated, integrity-protected and encrypted com-munication, as well as mechanisms for the authorised access of information in the OPC UA address pace for applications and users. The specified security mechanisms are sufficient to ensure a high level of security. This was already examined and confirmed in a study conducted on behalf of the BSI for OPC UA version 1.02 in 2016. Since the study of 2016, there have been major changes both in the OPC UA specification and in the ANSI C implementation provided by the OPC Foundation. In the meantime, OPC UA version 1.04 has been adopted and the OPC Foundation’s ANSI C implementation is now only available in a legacy version. Simultaneously, more and more products and applications with OPC UA support have been developed and deployed.
In context of this publication, an update of the OPC UA security analysis from 2016 was conducted, based on OPC UA version 1.04 and the open source C implementation open62541. The methodology of the 2016 analysis was mostly maintained and was limited to the Server/Client use case. In addition, a user survey was carried out to determine the security of OPC UA products and applications in real world environments, and to help identify the problems and challenges that the developers face when implementing the OPC UA specification.

• OPC UA Security Analysis 1.04 (2021)
• Open Platform Communications Unified Architecture Security Analysis

Dealing with "End of Support" in industrial control and automation systems

Industrial control and automation systems (ICS) often have a very long service life. Service lives of ten or more years are not uncommon. However, the trend towards using systems from the classic IT environment is increasingly causing problems in the industrial environment, because these are usually designed for shorter life cycles.

• Dealing with "End of Support" in ICS

Recommendations for further education and qualification measures in the ICS environment

The urgent need for action to protect industrial control systems (ICS), i.e. in the field of factory automation and process control, against cyber threats is increasingly recognised by the industry. In this respect, the BSI offers an abundance of information materials, best practices and other resources. However, it is essential, in addition to these offers, that companies train and qualify their employees accordingly. Whereas specific awareness-raising measures are suitable for employees, such as system operators, other target groups must obtain more in depth training. This applies in particular to those employees who are responsible for planning, development, integration or installation, operation and maintenance or are significantly involved in these activities and thus actively shape cyber security in this respect. The management or persons responsible for production should also be qualified to an appropriate extent which goes beyond typical sensitising.

• Recommendations for further education and qualification measures in the ICS environment