Technical & Operational Policies & Procedures for ICS & SCADA Systems: Overview & Examples

Instructor: Giorgos-Nektarios Panayotidis

George-Nektarios has worked as a tutor and student consultant for five years and has a 4-year university degree in Applied Informatics.

What are the security policies and processes concerning ICS and SCADA systems at the technical and operational levels? This is what we will discuss in this lesson and provide specific examples along the way.

How to Isolate Precious ICS/SCADA Systems Assets

Let us consider a person wanted for publicly criticizing a military dictatorship which has suddenly come to power. Assume this person hides at a refuge where they are helped by friends. How should their freedom and other lawful rights be protected? The best option seems to be to avoid publicity at all costs or at least as much as it is possible.

Similarly, when it comes to ICS/SCADA systems and their assets, the best option for the most critical of them is to remain secluded: physically, logically and network-wise. Does this sound strange? It is nonetheless the main idea behind protecting ICS/SCADA systems in industrial networks. This is what we will analyze in this lesson, by learning about separate infrastructure, password policies, physical security, limited internet exposure and other technical and operational policies and procedures.

Separate Infrastructure

The separation of infrastructure in industrial networks is much debated among experts, and the debate is at its most heated when it comes to the so-called ''Air Gap''. The Air Gap Principle calls for, among other things, the physical isolation of the systems to be protected; this practice is called physical-layer separation. Much of the debate is about whether a true air gap survives contact with day-to-day operations: removable media, maintenance laptops and vendor remote-access links tend to bridge it, which is why an air gap should be treated as one control among several rather than as a guarantee.

There is also a logical separation of systems that is sometimes put to use, in which two groups of ICS/SCADA assets/systems are kept apart at Layer 2 of the OSI model (the data link layer), for example by placing them in separate VLANs on a switch.

Lastly, the rather similar term physical segmentation refers to segmentation carried out at Layer 3 (the network layer) by a routing device, that is, a router or a Layer 3 switch. The latter is able to route IP packets between subnets, whereas a Layer 2 switch only forwards frames between its ports based on MAC addresses. This is considered the founding principle of dividing an industrial network into security zones and security conduits (the model used by the ISA/IEC 62443 standards): a conduit is the controlled path between two zones and contains network devices of the above-mentioned functionality, which separate the zones and filter the information flowing between them. Traffic that does not match a conduit rule should be denied by default.

Limited Internet Exposure

When it comes to critical industrial network assets, connectivity to the Internet is considered to introduce an unacceptable degree of risk. This is why these assets are never to be directly connected to the Internet, and technologies are utilized to avoid this. Two such technologies are the Demilitarized Zone (DMZ) and the proxy server. The former is a separate network segment of semi-trusted systems which may accept connections from the outside (in industrial networks, typically from the corporate network rather than the Internet itself), with all traffic into and out of it continually monitored and filtered by a firewall or a similar device. The latter is a server which receives requests on behalf of the protected systems and forwards only those that pass its filtering. Both are additional layers of security which keep the critical assets isolated, and neither works if the critical assets are also reachable by some other path, so the DMZ and proxy must be the only routes in.
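The zone-and-conduit filtering described in the two sections above can be expressed as a small allow-list evaluator. The following Python program is an added example written for this lesson, not code from the lesson or from any standard; the zone names, address ranges, port numbers for the historian replication conduit and the sample flows are all constructed assumptions (Modbus/TCP on 502 and EtherNet/IP on 44818 are the real registered ports). It shows the default-deny behaviour at a Layer 3 boundary: an engineer in the enterprise zone may reach the DMZ historian, the DMZ historian may pull from the control zone, but neither the engineer nor an Internet host gets a direct path to a PLC.

```python
"""Zone-and-conduit allow-list evaluation (added example, not from the lesson).

Assumed zones and address ranges (hypothetical):
  enterprise  10.0.0.0/16       corporate IT network
  dmz         172.16.1.0/24     industrial DMZ (historian replica, patch server)
  control     192.168.10.0/24   supervisory zone (SCADA server, control historian)
  field       192.168.20.0/24   PLCs and RTUs
Every cross-zone flow must match a conduit rule; anything else is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("172.16.1.0/24"),
    "control": ip_network("192.168.10.0/24"),
    "field": ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    note: str


# Allow-list of conduits (constructed). Direction matters: the DMZ historian
# pulls from the control zone; nothing is ever initiated from enterprise into
# control or field, and no rule at all exists for addresses outside the zones.
CONDUITS: List[Conduit] = [
    Conduit("enterprise", "dmz", "tcp", 443, "users read the replicated historian over HTTPS"),
    Conduit("dmz", "control", "tcp", 5450, "DMZ historian replicates from the control historian (port assumed)"),
    Conduit("control", "field", "tcp", 502, "SCADA server polls PLCs over Modbus/TCP"),
    Conduit("control", "field", "tcp", 44818, "EtherNet/IP explicit messaging to PLCs"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means it belongs to no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # e.g. any Internet address


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide whether a flow may cross a zone boundary. Default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "deny: address outside every defined zone (no path from the Internet)"
    if src == dst:
        # Same zone: not a conduit decision at all; Layer 2 separation applies there.
        return True, f"allow: intra-zone traffic inside '{src}'"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src, dst, proto.lower(), dport):
            return True, f"allow: conduit {src}->{dst} {proto}/{dport} ({c.note})"
    return False, f"deny: no conduit defined for {src}->{dst} {proto}/{dport}"


# Constructed sample flows for demonstration.
SAMPLE_FLOWS = [
    ("10.0.5.20", "172.16.1.10", "tcp", 443),      # engineer browsing the DMZ historian
    ("10.0.5.20", "192.168.20.7", "tcp", 502),     # same engineer talking Modbus to a PLC
    ("172.16.1.10", "192.168.10.5", "tcp", 5450),  # DMZ historian pulling from control
    ("203.0.113.9", "192.168.10.5", "tcp", 502),   # Internet host (TEST-NET-3) to control
    ("192.168.10.5", "192.168.20.7", "tcp", 502),  # SCADA server polling a PLC
]


def main() -> None:
    for src, dst, proto, port in SAMPLE_FLOWS:
        _, reason = evaluate(src, dst, proto, port)
        print(f"{src:>14} -> {dst:<14} {proto}/{port:<5} {reason}")


if __name__ == "__main__":
    main()
```

The direction of a conduit is part of the rule, so reversing the historian flow (control pulling from the DMZ) is denied even though the same two zones and port are involved; a real firewall at the boundary would also track connection state so that only replies to permitted connections return.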

Password Policy

Really, everyone knows what a password is, don't they? What a password does is provide authentication. But what does a password policy consist of, when it comes to industrial networks? Three things overall:

  • Specification of circumstances when password creation is acceptable/required
  • A minimum length
  • What types of characters are acceptable/required in the password creation process

A password policy should also cover other rules, such as changing manufacturer default passwords before a device is put into service, since default credentials for industrial equipment are widely published. Lastly, there are specific assets in industrial networks, such as those belonging to HMI (Human-Machine Interface) zones, which are not password-protected due to a requirement for continual availability; any such exemption should be stated explicitly in the policy and compensated for by physical access control to the console.
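The three policy elements above, the rule against manufacturer defaults and the HMI availability exemption can all be encoded and checked mechanically. The following Python program is an added example written for this lesson, not code from the lesson or from any vendor; the minimum length, the character-class requirements, the list of default credentials and the account roles are constructed assumptions standing in for an organization's real policy and vendor-default inventory.

```python
"""Password policy check for industrial network accounts (added example).

Encodes the three policy elements (when a password is required, minimum
length, required character classes) plus the rule against manufacturer
defaults. All policy values below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PasswordPolicy:
    min_length: int = 14
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    # Constructed stand-in for a real inventory of vendor default credentials.
    known_defaults: List[str] = field(
        default_factory=lambda: ["admin", "password", "1234", "operator", "plc"]
    )


# Illustrative mapping of account roles to whether a password is required.
# The HMI operator console is exempt for continual availability, as the
# lesson describes; compensating physical controls are assumed.
PASSWORD_REQUIRED_BY_ROLE: Dict[str, bool] = {
    "engineering_workstation": True,
    "scada_server_admin": True,
    "historian_service": True,
    "hmi_operator_console": False,
}


def password_required(role: str) -> bool:
    """Unknown roles default to requiring a password (fail closed)."""
    return PASSWORD_REQUIRED_BY_ROLE.get(role, True)


def check_password(candidate: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations: List[str] = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    classes = {
        "lowercase letter": (policy.require_lower, any(c.islower() for c in candidate)),
        "uppercase letter": (policy.require_upper, any(c.isupper() for c in candidate)),
        "digit": (policy.require_digit, any(c.isdigit() for c in candidate)),
        "symbol": (policy.require_symbol,
                   any(not c.isalnum() and not c.isspace() for c in candidate)),
    }
    for name, (required, present) in classes.items():
        if required and not present:
            violations.append(f"no {name} present")
    # Compare case-insensitively: "Admin" is no better than "admin".
    if candidate.lower() in (d.lower() for d in policy.known_defaults):
        violations.append("is a known manufacturer default")
    return violations


def main() -> None:
    policy = PasswordPolicy()
    # Constructed candidates for demonstration.
    for role, candidate in [
        ("engineering_workstation", "Turbine-Hall#2024xyz"),
        ("scada_server_admin", "admin"),
        ("historian_service", "correcthorsebatterystaple"),
        ("hmi_operator_console", ""),
    ]:
        if not password_required(role):
            print(f"{role}: password not required by policy (documented exemption)")
            continue
        problems = check_password(candidate, policy)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{role}: {candidate!r} -> {verdict}")


if __name__ == "__main__":
    main()
```

Keeping the policy in a data structure rather than scattered in code means the same check can be run at account creation, during periodic audits of exported device configurations, and when a new asset is commissioned, which is where default credentials are most often left behind.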
