The IEC advocates a holistic approach to building cyber resilience, combining best practices with testing and certification. A holistic approach incorporates not only technology and processes, but also and especially people. “People going about their normal operational duties are the biggest threat,” says IEC cyber security expert Frances Cleveland. “It’s important to realize that even when you have cyber security implemented and training, you still have to worry about the insider and in particular, the disgruntled employee. She or he has knowledge of the company, passwords and critical power system processes.”
The new IEC Technology Report outlines five critical concepts for addressing cyber security. They are: resilience; security by design; the fundamental importance of understanding the difference between information technology (IT) and operational technology (OT); risk assessment, risk mitigation, and continuous update of processes; and the role of international standards.
The new report recommends prioritizing cyber resilience over traditional cyber defence approaches. Achieving resilience is largely about understanding and mitigating risks, but also detecting and coping with the inevitable security event. The aim is to apply the right protection at the appropriate points in the system, while paying attention to safety, security and the reliability of processes. It is vital that this process is closely aligned with organizational goals because mitigation decisions can have a serious impact on operations. “Resilience is not just a technical issue,” warns the report, “but must involve an overall business approach that combines cyber security techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions.”
2. Security by design
The report identifies security by design as the most cost-effective approach, which means designing security into systems and operations from the beginning, rather than applying them after the systems have been implemented. The thinking is that trying to patch on security after the fact is at best a quick fix and at worst a case of closing the stable door after the horse has bolted. Patches too easily come unravelled. According to a report by Deloitte, “Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind.”
3. IT and OT are similar but different
The growth of connected devices has accelerated the convergence of the once separate domains of information technology (IT) and operational technology (OT), resulting in industrial IoT (IIOT). The IEC Technology Report suggests that cyber security is too often understood only in terms of IT, while the operational constraints in sectors such as energy, manufacturing, healthcare or transport, are often overlooked. Cyber security, it says, needs to address both. First, though, it is necessary to understand the differences between IT and OT.
The primary focus of IT is confidentiality of data, with integrity and availability secondary. It exists in the virtual world, where data is stored, retrieved, transmitted and manipulated. IT is fluid and has many moving parts and gateways, rendering it vulnerable to, and offering a large basis for a wide variety of constantly evolving attacks. Defending against attacks is about safeguarding every layer as well as continuously identifying and correcting weaknesses so as to keep data confidential. In fact, the primary action of IT to an attack is to turn off the offending computer systems to protect the data.
OT, in contrast, belongs to the physical world, where availability of data is the most critical so that the physical systems can continue to operate. OT is about maintaining control of systems: on or off, closed or open. OT ensures the correct execution of all actions. Everything in OT is geared to the physical movement and control of devices and processes to keep systems working as intended, with a primary focus on security and increased efficiency. For example, OT helps ensure that a generator immediately increases its output when there is an increase in electricity demand, or that an overflow valve opens when a chemical tank is full, so as to avoid hazardous substances spilling. In the OT world, it could be dangerous to turn off computer systems in response to a security problem.
In the past IT and OT had separate roles. OT teams were used to working with closed systems that relied heavily on physical security mechanisms to ensure integrity. With the emergence of IIoT and the integration of physical machines with networked sensors and software, the lines between the two are blurring. As more and more objects connect, communicate and interact with each other, there has been a surge in the number of endpoints, and the increased possibility of computer failures, human mistakes, and natural disasters to affect physical systems. And of course, there is now an increase in potential ways for cyber criminals to gain access to networks and infrastructure systems.
4. Risk assessment, risk mitigation, and continuous update of processes are fundamental to improving security
A key concept of defence-in-depth is that security requires a set of coordinated measures. Chief among these are the need to understand the system and know what is most valuable and needs the most protection. The report says that a risk-based approach to cyber security is the most effective, especially when based on an assessment of existing, or potential, internal vulnerabilities and identified or possible external threats. Of great importance during risk assessments is the balancing of the cost of security threat mitigations against the potential impact of a successful cyber attack. It is important that any solutions implemented are monitored over time to ensure their continued effectiveness and to ascertain whether possible attacks have potentially overcome the control solutions.
5. Cyber security standards and best practice guidelines
The new IEC Technology Report recommends the use of international cyber security standards for energy sector environments to support the risk management process and establish security programs and policies. In particular, there are some key cyber security standards that detail “what” should be done to secure systems, and there are other cyber security standards that provide the “how” technologies can be implemented to provide that security. Just as doctors prescribe medicines with proven benefits to their patients, it is wisest to base cyber security measures on best practices. Using the right standards for the right purposes at the right time, says the report, will improve resilience, security and interoperability throughout the energy environment.
IEC Technology Report
Protecting our critical infrastructure is essential. Such is our reliance on the efficient and continuous supply of power that any loss of electricity would carry heavy implications for a wide range of vital services. The new IEC report advocates using a risk-based systems approach based on best practices, as well as the ability to demonstrate the effective and efficient implementation of the security measures. This means combining the right international standards with conformity assessment to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme, is a proven and highly effective approach to ensuring long-term cyber resilience.
It may appear as the third concept in the report but the fundamental advice, which arguably underpins everything else, is that in order to be effective security measures must encompass both IT and OT — information and operational technologies. Cleveland puts it more succinctly: “Cyber is very tightly intertwined with engineering. They shouldn’t be viewed as separate.”