Protecting tomorrow's critical infrastructure
International standards and certification are the best ways to ensure the long-term cyber protection of critical infrastructure.
Imagine a city the size of Sydney thrown into chaos, as public transport grinds to a halt and traffic lights stop functioning. This is no longer the stuff of nightmares or the scenario of a disaster movie but a prospect that is becoming more likely every day.
Critical infrastructure facilities, from power plants to many forms of public transport, are increasingly targeted by cyber attacks. Sophisticated cyber weapons have been developed, including malware designed to disrupt the operation of industrial control systems.
The growing use of connected devices in the industrial environment makes cyber threats more likely. According to the report ‘Threat Landscape for Industrial Automation Systems’, published by Kaspersky Lab, 18,000 different malware modifications were detected on industrial automation systems in the first six months of 2017.
When machines talk
Machine-to-machine communication enables networked devices to interoperate, exchange information or perform actions, often wirelessly and without the manual assistance of humans. Sensors are embedded in a growing number of devices which are used to automate and manage process control systems, including transmission and distribution of electricity. While they offer undeniable advantages in terms of cost and maintenance, they are also increasingly vulnerable to hacking.
Cybersecurity is therefore one of the key concerns for those who manage any form of critical infrastructure. One of the few ways to safeguard these facilities now and in the future is by providing standardised protection measures.
Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers, as well as the operators themselves. Protection measures must not only address and mitigate current security vulnerabilities but also pre-empt future ones.
Facility operators need to understand and mitigate risk as well as install secure technology in order to build cyber resilience. This means implementing a holistic cybersecurity strategy at the organisation, process and technical levels. Such a strategy must include comprehensive and standardised measures, processes and technical means, as well as preparation of people. But alongside all of this, it must also offer the recourse to an internationally recognised certification system.
Standards for cybersecurity
The International Electrotechnical Commission (IEC) has recently published IEC 62443-4-1:2018, the latest in a series of critical publications establishing precise cybersecurity guidelines and specifications applicable to a wide range of industries and critical infrastructure environments. The IEC 62443 series recommends that security should be an integral part of the development process, with security functions already implemented in the machinery and systems.
These horizontal Standards are also used in the transport sector: a set of cybersecurity guidelines for ships adopted by the International Maritime Organisation (IMO) refers to IEC 62443. Shift2Rail, an initiative that brings together key European railway stakeholders, is aiming to define how different aspects of cybersecurity should be applied to the railway sector. It has assessed applicable standards and has selected the IEC 62443 publications. The IEC 62443 Standards are also compatible with the US National Institute of Standards and Technology (NIST) cybersecurity framework.
Certification is key
Another boon is that the IEC 62443 Standards have their own certification program. The IEC is the only organisation in the world that provides an international and standardised form of certification which deals with cybersecurity. It is supplied by IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components. The IECEE industrial cybersecurity program tests and certifies cybersecurity in the industrial automation sector.
The IEC is also working with the United Nations Economic Commission for Europe (UNECE) to create a common regulatory objectives document focusing on conformity assessment and cybersecurity. The aim of the document is to provide a methodology for a comprehensive systems approach to conformity assessment that can be applied to any technical system in the cybersecurity field.
According to David Hanlon, Secretary of the IEC Conformity Assessment Board, achieving cyber protection in a cost-effective manner results from applying the right protection at the appropriate points in the system to limit the risk and the consequences of a cyber attack. This means modelling the system, conducting a risk analysis, choosing the right security requirements which are part of IEC Standards and applying the appropriate level of conformity assessment against the requirements, according to the risk analysis.
Hanlon says we need to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This holistic approach to conformity assessment is indispensable to protect facilities, especially critical infrastructure, from cybercrime.
In a world where cyber threats are becoming ubiquitous, being able to apply a specific set of International Standards, combined with a dedicated and worldwide certification program, is one of the best ways of ensuring long-term cyber protection of critical infrastructure.