Fri Apr 8 06:49:41 PDT 2016

Overarching: Location: How should ICS and their workers be located?


Options:

Option 1: ICS and workers are co-located at secured facilities.
Option 2: ICS and workers are co-located at non-secured facilities.
Option 3: ICS is located at secure facilities and workers are not.
Option 4: ICS and workers are at distant secured facilities.
Option 5: Workers are located at secured facilities and ICS is not.
Option 6: Neither ICS nor workers are located at secured facilities.


Option A: Infrastructure not secured
Option B: Infrastructure physically secured
Option C: Infrastructure logically secured (encrypted tunnels)

Workers may also be "ICS-critical" and "ICS Non-Critical".

ICS and work co-located at secured facilities.

ICS and work together and secured

ICS and work co-located at non-secured facilities.

ICS and work together and not secured

ICS at secured facilities, workers not.

ICS secured Infrastructure not secured Infrastructure logically secured Infrastructure physically secured Workers not secured

ICS at secured facilities, workers at a distant secured facility.

ICS secured Infrastructure not secured Infrastructure logically secured Infrastructure physically secured Workers secured

ICS not secured, workers at secured facility.

ICS not secured Infrastructure not secured Infrastructure logically secured Infrastructure physically secured Workers secured

ICS not secured, workers not secured.

ICS not secured Infrastructure not secured Infrastructure logically secured Infrastructure physically secured Workers not secured

Decision:

IF Standards, regulations, or policy mandates locations,
THEN Follow the standards, regulations, or policy mandates.
ALSO Where no conflict exists, choose from the alternatives per below:
Habitable Consequence ICS-Critical Workers ICS Non-Critical Workers
No High
Workers at a distant secured facility:
ICS not secured Infrastructure Logically Secured Workers secured
Yes High
Co-locate everything
ICS, infrastructure, and workers co-located at secured facilities
Workers at a distant secured facility
IF Physical infrastructure protection is feasible THEN
ICS secured Infrastructure Physically Secured AND Logically secured Workers secured

OTHERWISE
Workers at a distant secured facility
ICS secured Infrastructure Logically Secured Workers secured
No Medium
Workers at a distant secured facility.
ICS not secured Infrastructure Logically secured Workers secured
Yes Medium
Everything co-located at secured facilities.
ICS, infrastructure, and workers co-located at secured facilities
IF workers can be at a distant secured facility THEN
ICS secured Infrastructure logically secured Workers secured
ELSE
ICS, infrastructure, and workers co-located at secured facilities
No Low
Workers at a distant facility.
ICS not secured Infrastructure logically secured Workers not secured
Yes Low
Workers at a distant facility
ICS not secured Infrastructure logically secured Workers not secured
OR ICS, infrastructure, and workers co-located.
ICS and work together and not secured
Locations of ICS systems and their workers

ICS system name Habitable Consequence Worker function Locations
..High..
..High..
..High..
..High..
..High..
..High..
..Medium..
..Medium..
..Medium..
..Medium..
..Medium..
..Medium..
..Low..
..Low..
..Low..
..Low..
..Low..
..Low..
Systems identified and their specifics
Fill in the table as appropriate. Workers include "ICS-Critical", "Observers", or "Changers". Habitability is "Yes" or "No".

Basis:

Different enterprises locate content and work differently, and this has a wide ranging effect on how information protection is to be done.

Non-habitable locations require no local secured ICS facility (from an information security standpoint), since there is no relevant threat, other than nature. In this case, the facility protection afforded to the ICS due to nature is is not substantially different from that required from an information protection perspective.

Habitable location ICS facility security should meet the standards of the risk levels involved, thus secured facilities are required at the High and Medium risk levels.

Infrastructure is, de-facto, insecure outside of a facility. Thus if loss of infrastructure services has serious negative consequences, workers must be co-located with the ICS so that such failures don't realize those consequences. Of course this cannot apply when the workers cannot survive...

Similarly, as risk goes up and time till harm goes down, except for remote facilities with only local consequences not producing serious harm to people or the environment, control becomes more critical, and workers must be located close enough to meet response times to mitigate High consequences and should be so located to mitigate Medium consequences.

For ICS environments, high risk with short time frames and complex decision-making processes implies the need for local control and the co-location of some content, controls, and the people who operate them. However, for other content, controls, and people, co-location may not be required. Some lights out facilities (e.g., automated warehouses and car parks) may fail safe and await human assistance, while others (e.g., chemical processing facilities) may produce hazards if not addressed in a more timely fashion with human intervention.

For non-critical workers, co-location introduces added risk. There is no reason for them to be co-located with the ICS except when it brings enough advantage to compensate for the added risks of more people closer to ICS. Thus, except for low risk situations, non-critical workers should not be co-located with the ICS. And in Medium and High risk situations, all workers should be in secured facilities when interacting with ICS.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved