
Cybersecurity standards. What they are and what they are for.

We explain what cybersecurity standards are, what they are for, and why they are such a help in OT.

What is a standard?

Standardization aims to develop a series of technical specifications – STANDARDS – whose use is voluntary. Spanish legislation (Article 8 of Law 21/1992 on Industry) defines a standard as “the technical specification of repetitive or continuous application, the observance of which is not mandatory, established with the participation of all interested parties, and approved by a body recognized, at national or international level, for its standardization activity.”

Who makes them?

The content of standards in general, and of cybersecurity standards in particular, is approved by recognized bodies through technical committees that define and justify what each version of a standard should include. As time passes and threats and technologies evolve, these committees are also responsible for reviewing the standards and adapting them to the current reality.

To cite some examples of recognized bodies:

  • UNE – The Spanish Association for Standardization is the only standardization body in Spain, designated by the Ministry of Economy, Industry and Competitiveness before the European Commission.
  • ISA – International Society of Automation.
  • IEC – International Electrotechnical Commission.
  • ISO – International Organization for Standardization.
  • NIST – National Institute of Standards and Technology.
  • NESA – UAE National Electronic Security Authority.
  • API – American Petroleum Institute.
  • AWWA – American Water Works Association.
  • NERC – North American Electric Reliability Corporation.

among others…


The working groups of these bodies study, analyze, propose, review, define and decide the different aspects of the standards they create. Those standards can help us to be competitive, to comply with the regulations and obligations of our sector, and/or to define the architecture of our systems.

Why does it help us in OT?

The evolution of industry and of the technologies it uses in its processes has led to the concept of “Industry 4.0”, where we are today. This concept is characterized by the massive incorporation of information technology (IT) into the entire value chain of processes related to manufacturing industry and critical infrastructures.

The underlying idea is that the integration of this technology will result in the optimization of the processes of research, development, design, production, logistics and the provision of associated services:

  • Collect data on how customers actually use products, obtaining valuable information that can feed back into the development of new products better adapted to real needs.
  • Optimize processes by eliminating downtime and slow manual interventions and by adding flexibility to manufacturing; in short, allow a transition from manufacturing large batches of identical products to manufacturing individual, personalized products at a competitive price.

The transition to Industry 4.0 is a complex challenge. To begin with, it is necessary to focus on the technological aspects that are fundamental to a successful implementation. In addition, integrating new technologies brings not only advantages but also new risk factors to consider, cybersecurity among them.

The massive use of IT in industrial processes will bring enormous advantages, but with it comes the need to guarantee the protection of information and privacy. The use of cloud computing, collaborative development models, IoT, new forms of payment and other new technologies means that part of the company’s vital information is in the hands of third parties. Guaranteeing confidentiality, integrity and availability in a hyperconnected world is a challenge in itself.

This is precisely where cybersecurity standards can help us. Other sectors that incorporated IT earlier have already faced these challenges, and there are international standards that help us start on the right foot:

  • ISO/IEC 27000 series: Information security management systems (ISMS).
  • ISO/IEC 27032: Guidelines for cybersecurity.
  • ISO/IEC 27033: Network security.
  • ISO/IEC 27034: Application security.
  • ISO/IEC 27035: Information security incident management.
  • ISO/IEC 27036: Information security for supplier relationships (third parties).
  • ISA/IEC 62443-1-1: Terminology, concepts and models for the series, whose overall title is Industrial communication networks: network and system security.
  • ISA/IEC 62443-2-1: Establishing a security program for IACS (industrial automation and control systems).
  • ISA/IEC 62443-2-3: Patch management in the IACS environment.
  • ISA/IEC 62443-2-4: Security program requirements for IACS service providers.
  • ISA/IEC 62443-3-1: Security technologies for IACS.
  • ISA/IEC 62443-3-2: Security risk assessment for system design (zones, conduits and target security levels).
  • ISA/IEC 62443-3-3: System security requirements and security levels for IACS.
  • IEC 61158: Industrial communication networks. Fieldbus specifications.
  • IEC 61784-3: Industrial communication networks. Functional safety fieldbuses.
  • ISO 10218-1: Safety requirements for industrial robots (the robot itself).
  • ISO 10218-2: Safety requirements for industrial robot systems and their integration.

There is extensive documentation detailing WHAT needs to be done to reach acceptable levels of cybersecurity or to improve our level of cybersecurity maturity.

What remains in your hands is to define the HOW :). In the following link we propose a series of activities to help you get started: