Protection from cyber threats and beyond

New IECQ schemes tackle information security and nuclear safety

By Claire Marchand

In many countries, the networked connection of physical objects is the norm today, in homes and businesses, transport, healthcare, entertainment and sports.

Control room of a nuclear power generation plant. IECQ has established new schemes that tackle products and services important to nuclear safety (ITNS).

Innovative technologies at risk?

Artificial intelligence (AI) technologies, robotics, biometrics, virtual reality (VR) and augmented reality (AR), smart transportation, digital health, 5G connectivity and the Internet of Things (IoT) all rely heavily on electronic components, without which they would not exist, and they share a common risk: security. Cyber security involves every sector of industry, individuals and companies.

One problem experts face is the evolving nature of security risks. Keeping up with new technologies, trends and threat intelligence is a challenge that businesses must tackle if they want to prevent information security breaches that cost vast amounts every year in stolen intellectual property and confidential data.

Enhancing information security

As explained on the TechTarget website, “the traditional approach has been to focus resources on crucial system components and protect against the biggest known threats, which meant leaving components undefended and not protecting systems against less dangerous risks.”

To help organizations enhance their information security, the joint technical committee on information technology established by IEC and ISO, ISO/IEC JTC 1, through its subcommittee SC 27, published ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

The standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization, as well as for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements are generic and intended to be applicable to all organizations, regardless of type, size or nature. It makes recommendations regarding leadership, commitment and policies, as well as actions to address risks and opportunities. It also covers support matters such as resources, competence, awareness, communication, operational planning and control, information security risk assessment and treatment, and performance.

Multiple aspects of ISO/IEC 27001

ISO/IEC 27001 goes further than cyber security and covers how an organization manages the security of information it holds, both for its own operations and from external sources, such as suppliers, customers, etc.

A management system that meets ISO/IEC 27001 will address overall security, with questions such as:

  • Are there locks on the front doors?
  • Who can have keys and how is the allocation of keys/passwords to enter the building managed?
  • Under what conditions can external organizations have access into the building, e.g. cleaners, service organizations, essential services, etc.?
  • Is there a policy to lock up files overnight to prevent security staff and cleaners from seeing sensitive information on desks?
  • How are old records – paper and electronic – disposed of?
  • What happens with the hard drives of computers that are discarded and replaced?

ISO/IEC 27001 also addresses threats that come from deliberate cyber attacks.

IECQ is part of the solution

The ever-growing need for organizations to provide independent proof of compliance with ISO/IEC 27001 for their information security management system (ISMS) has led industry to request that certification bodies (CBs) of IECQ, the IEC Quality Assessment System for Electronic Components, be able to cover the assessment and certification to ISO/IEC 27001 under the approved process scheme (AP scheme) while conducting other IECQ assessments, for example avionics or hazardous substance process management.

Certification to ISO/IEC 27001 has existed since the standard was published in 2013. What drove industry to approach IECQ recently was the lack of harmonization among the many certification bodies that offer their own individual certificates and apply their own individual interpretations of ISO/IEC 27001. Over time, this has resulted in different approaches and differences in what is accepted by the various certification bodies. Thus, industry felt that IECQ was able to offer a single approach to the application of ISO/IEC 27001. All certificates can be found on the IECQ website.

IECQ is a worldwide approval and certification system that covers the supply, assembly, associated materials and processes of a large variety of electronic components used in millions of devices and systems. It provides manufacturers with independent verification that the requirements in IEC International Standards and other specifications have been met by suppliers.

Avionics Users Forum

IECQ has run the IECQ aerospace, defense and high performance (ADHP) component management scheme (IECQ ADHP) and the IECQ counterfeit avoidance programme (IECQ AP-CAP) for several years. In response to a need from the avionics sector, in 2018 IECQ launched the IECQ Avionics Users Forum (AUF) via its IECQ Hub, a discussion platform that aims to bring together professionals working in avionics and in counterfeit avoidance.

Several technical forums operate under the IECQ AUF:

  • TF 1: Audit programmes
  • TF 2: Harmonization standards
  • TF 4: Electronic component management plan (ECMP) and commercial off-the-shelf (COTS) assemblies, including uprating
  • TF 5: Lead-free/REACH
  • TF 6: Anti-counterfeit/obsolescence management
  • TF 8: Microcircuits, diodes, transistors, passive and semiconductor wear-out
  • TF 9: LED lighting
  • TF 11: Atmospheric single-event effect (SEE) radiation
  • TF 12: Mechanical parts

This year, the IECQ AUF held a meeting in Singapore which included sessions on cyber-physical systems security and embedded cyber security.

Nuclear industry

IECQ has also explored the application of its schemes within the nuclear industry in conjunction with the recent publication of the international standard ISO 19443:2018, Quality management systems — Specific requirements for the application of ISO 9001:2015 by organizations in the supply chain of the nuclear energy sector supplying products and services important to nuclear safety (ITNS). The system is now providing ITNS certification through its CBs under the AP scheme.

Training

IECQ provides industry with a supply chain verification tool for seeking assurance that electronic components, assemblies, processes and related materials conform to declared technical standards and specifications. Because technically competent personnel are an integral part of the IECQ System, training workshops and standards training course materials are offered for the different schemes/programmes.

Gallery
Technology in avionics. In October 2018, IECQ launched the IECQ Avionics Users Forum (AUF) via its IECQ Hub.