Examples of Cybersecurity Standards in OT

The cybersecurity standards are tools used to promote availability and fault tolerance in operation networks, but also to avoid possible cybersecurity incidents, inherent to the information technologies that are increasingly used in these networks.

In the past, cyber resilience has not been a major concern for industrial environment operators; their concerns were:

• Physical security: preventing physical access to facilities to avoid manipulation. Doors, barriers, fences, and video surveillance systems have been the most used mechanisms.
• “Safety” as opposed to “security”: the safety and integrity of people have been prioritized in possible accidents over the logical protection of communications.
• “Security by obscurity”: industrial networks have remained isolated from the outside for many years and have been created for a very particular purpose (field buses, for example).

The TCP/IP, Ethernet, and Internet protocol has changed everything. They have opened the industrial world to interconnected networks, enabled remote control and governance, and computing in general enables in-depth data analysis to automatically improve productivity/quality rates. This is where standards play an important role, as they help us consider what measures we should take to stay safe in these new scenarios.

Relevant example for the energy sector: ISO/IEC 27019:2017

The IEC 27019:2017 standard comes from IEC 27002, adding a series of specific controls for electrical control systems. The objective is to extend the ISO/IEC 27000 series to the domain of automation processes in the energy sector. Specifically, it includes:

• Control of central processes and distributed processes, monitoring and automation of processes, as well as information systems used for their operation, such as programming and parameterization devices.
• Automation components such as PLCs, digital sensors, and actuator elements.
• Other support systems used in process control, for example, data visualization, tracking, historical recording, report generation, etc.
• Communication technologies used in process control: networks, telemetry, remote control applications, and remote control technology.
• Infrastructure components for advanced metering (AMI) such as smart meters
• Measurement devices.
• Digital protection and security systems such as protection relays, safety PLCs, etc.
• Energy management systems.
• Software and Firmware of the applications installed in the systems mentioned above.
• Any premises that house the aforementioned equipment and systems.
• Remote maintenance systems for the mentioned systems.

Relevant example for information security: ISO/IEC 15408-1:2009

The IEC 15408 standard is focused on the product and not so much on the process. It establishes the general concepts and principles for the evaluation of IT products. It specifies a general model for evaluating the security properties of these products, whether hardware, firmware, or software.

The result of this evaluation can help consumers choose those products that meet the necessary security requirements for their purposes and provide confidence in their operation.

The result of the evaluation usually classifies the products into the following CC (Common Criteria) levels:

Relevant Example for Industrial Automation: ISA/IEC 62443

The ISA/IEC 62443, a benchmark in the cybersecurity of the industrial world, includes a set of standards that focus on evaluating security in ICS/OT in 4 categories:

• General: general concepts, models, and terminologies where reference architectures are defined in OT environments.
• Policies and procedures: establishes the program for cybersecurity management, patch management, and supplier management to maintain high levels of protection as time passes and technologies and threats change.
• System: establish guidelines for risk assessment, security requirements, and technologies we have at our disposal to increase the level of protection.
• Components: describes the requirements for designing products and subcomponents securely.

Conclusions

The standards are not static, they are in continuous development and refinement to adapt to the reality of the moment. They can be very useful for:

• Protecting the productive assets of our companies.
• The recommendations that arise from these standards will soon be considered as minimum requirements to be met, to keep cybersecurity risks low.
• The preliminary work of implementation helps to consider the requirements that should be integrated in the future in ICS/OT environments to keep assets protected.

You may also be interested in:

• Cybersecurity Standards: What they are and what they are for
• What is included in a risk assessment in the OT network
• Deconstructing the IEC62443
• Defense-in-depth strategy in industrial cybersecurity