Overarching: Location: How should ICS and their workers be located?
Option 1: ICS and workers are co-located at secured facilities.
Option A: Infrastructure not secured
Option B: Infrastructure physically secured
Option C: Infrastructure logically secured (encrypted tunnels)
Workers may also be "ICS-critical" and "ICS Non-Critical".
ICS and work co-located at secured facilities.
ICS and work co-located at non-secured facilities.
ICS at secured facilities, workers not.
ICS at secured facilities, workers at a distant secured facility.
ICS not secured, workers at secured facility.
ICS not secured, workers not secured.
Decision:IF Standards, regulations, or policy mandates locations,
THEN Follow the standards, regulations, or policy mandates.
ALSO Where no conflict exists, choose from the alternatives per below:
Different enterprises locate content and work differently, and this has a wide ranging effect on how information protection is to be done.
Non-habitable locations require no local secured ICS facility (from an information security standpoint), since there is no relevant threat, other than nature. In this case, the facility protection afforded to the ICS due to nature is is not substantially different from that required from an information protection perspective.
Habitable location ICS facility security should meet the standards of the risk levels involved, thus secured facilities are required at the High and Medium risk levels.
Infrastructure is, de-facto, insecure outside of a facility. Thus if loss of infrastructure services has serious negative consequences, workers must be co-located with the ICS so that such failures don't realize those consequences. Of course this cannot apply when the workers cannot survive...
Similarly, as risk goes up and time till harm goes down, except for remote facilities with only local consequences not producing serious harm to people or the environment, control becomes more critical, and workers must be located close enough to meet response times to mitigate High consequences and should be so located to mitigate Medium consequences.
For ICS environments, high risk with short time frames and complex decision-making processes implies the need for local control and the co-location of some content, controls, and the people who operate them. However, for other content, controls, and people, co-location may not be required. Some lights out facilities (e.g., automated warehouses and car parks) may fail safe and await human assistance, while others (e.g., chemical processing facilities) may produce hazards if not addressed in a more timely fashion with human intervention.
For non-critical workers, co-location introduces added risk. There is no reason for them to be co-located with the ICS except when it brings enough advantage to compensate for the added risks of more people closer to ICS. Thus, except for low risk situations, non-critical workers should not be co-located with the ICS. And in Medium and High risk situations, all workers should be in secured facilities when interacting with ICS.