Organizational Policies & Procedures for ICS & SCADA Systems: Overview & Examples

Instructor: Giorgos-Nektarios Panayotidis

George-Nektarios has worked as a tutor and student consultant for five years and has a 4-year university degree in Applied Informatics.

In this lesson, we are going to look into the security policies and processes enforced in industrial networks (ICS/SCADA) organizations. Multiple such elements will be critically reviewed and we'll look into some specific examples as well.

Paving the Road to Robust Industrial Network Security

There is a quotation that is attributed to one of the most well-known prime ministers that Canada has ever had, Pierre Trudeau: ''there has to be a visible hand of politicians whose objective is to have the kind of society that is caring and humane''. Pierre Trudeau was speaking against the notion that things will always somehow fix themselves without an administrative effort. Similar is the case when it comes to security of industrial networks: a considerable amount of work is required from the administration of the network (not to mention the state authorities), in order to impose the correct policies and processes concerning security. And when that happens, alertness is required for possible changes that will be needed. This is really the objective of this lesson, where we will be reviewing all types of security policies and procedures: from the senior management's devotion to security to determining roles and responsibilities within the industrial network.

Security policies and processes

In this paragraph, we will provide an overview of the most important elements of industrial networks (ICS/SCADA) systems protection. We will begin with applicable security policies.

Security Policies

There is a rather broad set of different security policies which are to be applied to an industrial network, due to their enforcement by certain state/federal agencies, such as the Federal Energy Regulation Commission (FERC). Some of the most important security policies of the kind are:


NERC CIP-003-3 has been especially utilized and it concerns power grids.

  • Chemical Facility Anti-Terrorism Standards (CFATS)

CFATS are standards of performance for chemical facilities, which are risk-based.

Furthermore, there are other standards that are considered applicable due to their renowned status within the industry. These standards are:

  • ISO 27000 (Information Security standards)
  • ISA 62443 (standards for Automation and Control System Components)

Senior Management

Senior management has to play a decisive role in creating, implementing, applying, monitoring a multitude of things such as:

  • Creating and applying specific rules concerning Information Security
  • The creation and implementation of a specific policy that is able to tackle sensitive data protection (Information Security Management System)
  • Keeping up with bulletins issued by federal and state (for example, ICS-CERT) agencies, as well as publications of private entities on security

Risk Management

Regarding Risk Management, the shape of things is quite similar to the security policies, as reviewed before. There are quite a few standards and best practices in terms of risk management, which are widely acknowledged for their merit and utility, so these are put to use. It seems that these standards are more related to Information Security though. Such famous publications in the field are:

  1. OCTAVE by the above-mentioned Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which has got mostly to do with reviewing threats and vulnerabilities on an operational level.
  2. All publications by the European Union Agency for Network and Information Security (ENISA) have to do with methodologies and specific tools for carrying out Risk Management/Assessment
  3. The 800-30 publication by National Institute of Standards and Technology (NIST) provides guidelines for Risk Assessment purposes.


A security audit is essentially a test, which is implemented in order to verify whether a specific system within ICS/SCADA industrial networks is able to resist previously known and already documented threats and vulnerabilities. The documentation of these threats and vulnerabilities has already captured, as mentioned, in either state/federal regulations or established common best practices within the industry.

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account