No rest in efforts to thwart cyberattacks

IEC works to hinder IT security risks to industry and institutions

By Morand Fachot

Following a surge in instances of attacks targeting government, organizations and private computer systems, cybersecurity threats are emerging as a major issue for economies and societies. Through its standardization and conformity assessment (CA) work, the IEC is taking steps to mitigate the risks posed by cyberthreats.

Microsoft datacenter
Data centres strive to limit risks from cyberattacks

Multifaceted risks for government, industry and even individuals

Hardly a week goes by without news of a major security breach affecting an institution. Many of the attacks are aimed at financial services, where the most lucrative pickings are to be made. However, many other industries report security breach attempts made via their IT networks. These often concentrate on pilfering commercial or trade secrets.

Cyberattacks are seen as a growing threat for financial systems everywhere. In its 2015 annual report, the US Financial Stability Oversight Council warns that "malicious cyber activity is likely to continue in the future (…) more concerning is the prospect of a more destructive incident that could impair [US] financial sector operations".

A 2014 Information Security Breaches Survey, commissioned by the UK Department for Business, Innovation and Skills and conducted by PWC, revealed that 81% of large organizations and 60% of small businesses in the UK had been victims of an information security breach during the year. The average cost of the worst breach suffered was up significantly over the figure in the previous year, nearly doubling for small businesses as well as for large organizations. The same is reported in other countries.

Energy suppliers and power grids are seen as a target of choice for state and non-state cybercriminals, seeking to cripple a country's economy and disrupt everyday life.

Individuals are also at risk of attacks aimed at gaining access to personal or financial details or of viruses such as "ransomware" that encrypt their computers' content so as to blackmail them into making a payment to have it decrypted.

Another potential risk for institutions, companies and individuals is reputational damage when confidential information is made public.

IEC work key to protecting infrastructure IT systems

The IEC is aware of the risks cyberattacks pose and has launched a number of initiatives and developed International Standards to combat these. As cybersecurity is of prime importance for industrial safety, IEC Technical Committee (TC) 65: Industrial-process measurement, control and automation, has developed the IEC 62443 series of standards on Industrial Communication Networks – Network and System Security.

Energy installations, nuclear power plants in particular, are also seen as prime targets for state and non-state cyberattacks. To address this risk, IEC Subcommittee (SC) 45A: Instrumentation, control and electrical systems of nuclear facilities, published IEC 62645:2014, Nuclear power plants – Instrumentation and control systems – Requirements for security programmes for computer-based systems. IEC 62645 is the first IEC International Standard aimed at defining "adequate programmatic measures for the prevention of, detection of, and reaction to malicious acts by cyber-attacks".

SC 45A is also preparing an International Standard concerning requirements for coordinating safety and cybersecurity for instrumentation and control systems of nuclear power plants.

Significant international standardization in the field of IT security techniques is carried out by ISO/IEC JTC 1/SC 27, an SC of the Joint Technical Committee (JTC) set up by the IEC and the International Organization for Standardization (ISO) to work on International Standards for information technology.

The second edition of ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements, published by the SC, "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization".

The importance the IEC attaches to cybersecurity was highlighted by the decisions taken last year to create two entities.

IEC Standardization Management Board (SMB) agreed to set up a new Advisory Committee on Security (ACSEC) at the 2014 IEC General Meeting. Its scope includes dealing with information security and data privacy matters which are not specific to a single IEC TC; coordinating activities related to information security and data privacy; providing guidance to TC/SCs for implementation of information security and data privacy in a general perspective and for specific sectors. ACSEC held its first meeting in May 2015.

IEC Conformity Assessment Board (CAB) set up a Working Group, WG 17, on cybersecurity in June 2014. The WG, which may also involve participation by members of the IECEE WG 3: Industrial automation, held its second meeting in February 2015.

Together with IEC International Standards on cybersecurity, ISO/IEC JTC 1/SC 27 publications in the information security management systems (ISMS) family of standards and work by IEC CAB WG 17 will play a key role in enhancing cyber security in the future.

Nuclear ps controlroom New IEC Standard aims at protecting nuclear power plants from cyberattacks
Security password Hackers target firms, institutions and individuals
Microsoft datacenter Data centres strive to limit risks from cyberattacks