Cyber-security and governance for industrial control systems (ICS) in South Africa.

Abstract

Industrial control systems (ICS) and supervisory, control, and data acquisition (SCADA) systems have evolved from operating in a relatively trusting environment to the current prevalence of public networks. Cyber-threats are evolving to become more sophisticated. The Stuxnet malware brought home how vulnerable ICS/SCADA systems potentially are. There is no or limited information available as to the current state of ICS/SCADA in South Africa including the factors influencing ICS/SCADA and how they are secured and governed. Due to the nature of the systems, ICS/SCADA cyber-security and governance faces additional challenges compared to the corporate networks, and critical systems may be left exposed. There exists control frameworks internationally, however there are new South African legislation that needs to be taken into account. South Africa is also falling behind in cyber-security, therefore there is a concern in securing ICS controlling key infrastructure critical to the South African economy as there are little known facts about this. This aim of the study is to assess the current state of ICS/SCADA in South Africa, determine the main governance frameworks employed, and to develop a control framework addressing the shortfalls. Elements of the Technology Acceptance Model (TAM) and the Protection Motivation Theory (PMT) are used to guide the study. Quantitative methods are used to determine the perceived susceptibility, security confidence, and governance for ICS/SCADA environment. Qualitative methods were used to review the current control frameworks, standards and legislation relevant to this environment. The study found that the top threat/risk for ICS/SCADA are malware and the top vulnerability is unpatched systems. Furthermore, the framework used most in South Africa to secure and govern ICS/SCADA environments are Control Objectives for Information and Related Technology (COBIT) and from the document analysis the best suited framework overall is Centre for the Protection of National Infrastructure (CPNI). Taking these frameworks into account as well as relevant risks, threats and vulnerabilities, a consolidated framework aligned to South Africa were developed suggesting leading practices for securing and governing ICS/SCADA systems in South Africa.