Why a different approach is needed
A cyber attack on critical infrastructure such as a power plant or a hospital can bring down the whole system and affect people's physical well-being, and their ability to run a business or obtain basic services such as water, food, or healthcare.
All companies today have IT systems; suppliers of critical services also have OT systems.
Cyber security is often associated with IT and often led by IT, with a focus on protecting data flows in the virtual world. However, critical infrastructure and the automated environments of factories or refineries have security requirements that are part of the real world. They rely on operational technology (OT) to ensure the correct execution of automated actions such as shutting a valve to avoid the overflow of chemicals or bringing a generator online to avoid a blackout.
OT includes both hardware and software. Its aim is to keep systems in the real world working as intended, safely, and efficiently.
With the emergence of the industrial internet of things (IIoT) and the integration of physical machines with networked sensors and software, the lines between IT and OT are blurring.
As more and more objects are connected and communicate and interact with each other, there has been a surge in the number of endpoints and in the potential ways for cyber criminals to gain access to networks and infrastructure systems. A multilayered, defence-in-depth security strategy must address both the IT and OT environments.
Information Technology (IT) and Operational Technology (OT)
IEC International Standards such as ISO/IEC 27001 and IEC 62443, together with testing and certification (conformity assessment) are important tools for a successful and holistic cyber security programme. Such an approach increases the confidence of stakeholders by demonstrating not only the use of security measures based on best practices but also that an organization has implemented the measures efficiently and effectively. This needs to be incorporated into an overarching strategy that includes people, processes, and technology.
A risk-based systems approach
The aim of any cyber security strategy is to protect as many assets as possible and especially the most important. Since it is not feasible or realistic to try to protect everything in equal measure, it is important to identify what is most valuable and warrants the greatest protection.
A systems approach works by prioritizing risks and mitigating them to an acceptable level. This requires a neutral approach that accommodates different kinds of conformity assessment — ranging from self-assessment to independent, third-party testing — matched to the different levels of risk.
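The prioritization described above can be made concrete with a small asset-ranking routine. The following is an added example, not code from the IEC or from any standard: it scores each asset from a qualitative impact and likelihood rating, orders the inventory so the most valuable assets are addressed first, and maps the score to an assessment tier. The asset names, the ratings, the score thresholds and the intermediate "second-party" tier are all constructed assumptions for illustration; the page itself only names self-assessment and independent third-party testing as the two ends of the range.

```python
from dataclasses import dataclass

# Qualitative rating scale (assumed; any ordinal scale works the same way).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str      # consequence of compromise (safety, availability, service loss)
    likelihood: str  # exposure and ease of compromise


def risk_score(asset: Asset) -> int:
    """Simple impact x likelihood score on the 1..9 scale implied by LEVELS."""
    return LEVELS[asset.impact] * LEVELS[asset.likelihood]


def assessment_tier(asset: Asset) -> str:
    """Map risk to the rigour of conformity assessment (thresholds are assumed).

    Assets whose compromise has a high physical impact never drop to
    self-assessment, however low their likelihood is rated: a low-likelihood
    estimate is the least reliable input, and the consequence is irreversible.
    """
    score = risk_score(asset)
    if score >= 6:
        return "independent third-party testing"
    if score >= 4 or asset.impact == "high":
        return "second-party assessment"
    return "self-assessment"


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Highest-risk assets first; ties keep inventory order (sorted is stable)."""
    return sorted(assets, key=risk_score, reverse=True)


def protection_plan(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """(asset, score, tier) rows in the order protection effort should be spent."""
    return [(a.name, risk_score(a), assessment_tier(a)) for a in prioritize(assets)]


# Constructed sample inventory for a small plant (not real data).
INVENTORY = [
    Asset("safety instrumented system", impact="high", likelihood="low"),
    Asset("engineering workstation", impact="high", likelihood="high"),
    Asset("process historian", impact="medium", likelihood="high"),
    Asset("HVAC controller", impact="low", likelihood="medium"),
]

if __name__ == "__main__":
    for name, score, tier in protection_plan(INVENTORY):
        print(f"{score}  {name:<28} -> {tier}")
```

The impact floor in assessment_tier is the practitioner caveat worth keeping: a pure score would rate the safety instrumented system (high impact, low likelihood) at 3 and send it to self-assessment, which is exactly the asset an OT programme least wants to leave to the weakest form of verification.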
The ISO/IEC Joint Technical Committee (JTC 1) develops the ISO/IEC 27000 family of standards for information technology (IT) systems. IEC Technical Committee 65 (TC 65) publishes IEC 62443 for operational technology found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare, and transport systems.
These horizontal standards, also known as base standards, are technology independent. They can be applied across many technical areas.
Vertical standards are designed to meet specific technical needs, for example in the energy sector, manufacturing, healthcare or shipping, among others. Several technical committees (TCs) and subcommittees (SCs) prepare international standards that protect specific domains and keep industry and critical infrastructure assets safe.
Here is a short selection:
- Nuclear power plants (NPPs): protection of microprocessor-based information and control systems in nuclear power plants; a framework for managing the interactions between safety and cyber security.
- A series for maritime navigation and radiocommunication equipment and systems.
Standards provide written instructions. Testing and certification (conformity assessment) verifies that these instructions are properly applied in real-world technical systems.
The IEC runs four Conformity Assessment (CA) Systems with up to 54 member countries. In the area of cyber security, IECEE currently plays the lead role in providing services based on the IEC 62443 series of standards. The IECEE Industrial Cyber Security Programme was created to test and certify cyber security in the industrial automation sector.
The IECEE “operational document” OD-2061 describes how conformity assessment can be applied to the IEC 62443 series.
IECQ provides a worldwide certification system for ISO/IEC 27001, which specifies the requirements for implementing, maintaining and continually improving an information security management system (ISMS). It includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.