Cyber security
Putting in place a holistic approach to building cyber resilience by implementing an overarching strategy that includes people, processes, technology, and IT and OT security standards
Protecting critical infrastructure

Why a different approach is needed

A cyber attack on critical infrastructure such as a power plant or a hospital can bring down the whole system and affect people's physical well-being, and their ability to run a business or obtain basic services such as water, food, or healthcare.

All companies today have IT systems; suppliers of critical services also have OT systems.

Cyber security is often associated with IT and often led by IT, with a focus on protecting data flows in the virtual world. However, critical infrastructure and the automated environments in factories or refineries have security requirements that are part of the physical world. They rely on operational technology (OT) to ensure the correct execution of automated actions, such as shutting a valve to avoid the overflow of chemicals or bringing a generator online to avoid a blackout.

OT includes both hardware and software. Its aim is to keep systems in the real world working as intended, safely, and efficiently.

With the emergence of the industrial internet of things (IIoT) and the integration of physical machines with networked sensors and software, the lines between IT and OT are blurring. 

As more and more objects are connected, communicate and interact with each other, there has been a surge in the number of endpoints and in the potential ways for cyber criminals to gain access to networks and infrastructure systems. A multilayered defence-in-depth security strategy must address both the IT and OT environments.

Information Technology (IT) and Operational Technology (OT)

IEC International Standards such as ISO/IEC 27001 and IEC 62443, together with testing and certification (conformity assessment) are important tools for a successful and holistic cyber security programme. Such an approach increases the confidence of stakeholders by demonstrating not only the use of security measures based on best practices but also that an organization has implemented the measures efficiently and effectively. This needs to be incorporated into an overarching strategy that includes people, processes, and technology.

A risk-based systems approach

The aim of any cyber security strategy is to protect as many assets as possible, and especially the most important ones. Since it is neither feasible nor realistic to protect everything in equal measure, it is important to identify what is most valuable and warrants the greatest protection.

A systems approach works by prioritizing and mitigating risks to an acceptable level, which requires a neutral approach that accommodates different kinds of conformity assessment — ranging from self-assessment to independent, third-party testing — according to the different levels of risk.

Horizontal and vertical standards

The ISO/IEC Joint Technical Committee 1 (JTC 1) develops the ISO/IEC 27000 family of standards for information technology (IT) systems. IEC Technical Committee 65 (TC 65) publishes IEC 62443 for operational technology found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare, and transport systems.

These horizontal standards, also known as base standards, are technology independent. They can be applied across many technical areas.

Vertical standards are designed to meet specific technical needs, for example in the energy sector, manufacturing, healthcare or shipping, among others. Several technical committees (TCs) and subcommittees (SCs) prepare international standards that protect specific domains and keep industry and critical infrastructure assets safe.

Here is a short selection, by sector, of the responsible IEC committee and its main cyber security standards:

Nuclear power plants (NPPs) – IEC SC 45A
IEC 62645: protection of microprocessor-based information and control systems in nuclear power plants
IEC 62859: framework for managing the interactions between safety and cyber security

Shipping – IEC TC 80
IEC 61162 series: maritime navigation and radiocommunication equipment and systems

Electric power utilities – IEC TC 57
IEC 61850 series: communication networks and systems for power utility automation
IEC 60870 series: telecontrol equipment and systems
IEC 62351 series: power systems management and associated information exchange (security)

Healthcare – IEC SC 62A
ISO/IEC 80001 (via Joint Working Group with ISO): risk management for IT networks incorporating medical devices

Industry – IEC TC 65
IEC 62443 series: security requirements for industrial automation and control systems (IACS)

Conformity assessment

Standards provide written instructions. Testing and certification (conformity assessment) verifies that these instructions are properly applied in real-world technical systems.

The IEC runs four Conformity Assessment (CA) Systems with up to 54 member countries. In the area of cyber security, IECEE currently plays the lead role in providing services based on the IEC 62443 series of standards. The IECEE Industrial Cyber Security Programme was created to test and certify cyber security in the industrial automation sector.

The IECEE “operational document” OD-2061 describes how conformity assessment can be applied to the IEC 62443 series.

IECQ provides a worldwide certification system for ISO/IEC 27001, which specifies the requirements for implementing, maintaining and continually improving an information security management system (ISMS). It includes requirements for the assessment and treatment of information security risks, tailored to the needs of the organization.
