IT and OT are increasingly complementary, but also very different. IT exists in the virtual world, where data is stored, retrieved, transmitted and manipulated. OT, in contrast, belongs to the physical world and deals with real-time processes. While IT has to safeguard every layer of the system, OT is about maintaining control of systems: on-off, closed-open, and so forth. IT is about confidentiality; OT is about availability.
All this has made cyber security intrusions and threats more difficult to detect and prevent. At the same time, tools like the IoT search engine Shodan have made it easier for hackers to pinpoint vulnerable devices in a network, whether they are refrigerators, heating systems or IoT-enabled garage doors. The fact is that when connected to a network, any device with weak security poses a risk to the whole organization.
Only as strong as the weakest link
Malware gives hackers an even quicker route into a network if their targets can be tricked into opening infected documents. Secret papers leaked in 2017 revealed that CIA agents regularly use malware to turn connected televisions into bugging devices. Malware currently threatening businesses and consumers includes VPNFilter malware, banking Trojans and ransomware. It is also evolving. Spear phishing, for example, targets specific individuals or companies, in contrast to the random, untargeted approach of traditional phishing.
The aim of any cyber security strategy is to protect as many assets as possible; certainly the most important assets. Since it is not feasible, sensible or even efficient to try to protect everything in equal measure, it is important to identify what is valuable and needs greatest protection. The next step is to identify vulnerabilities in order to prioritize and to erect a defence-in-depth architecture that ensures business continuity.
Resilience is not achieved simply by installing secure technology. It is mostly about understanding and mitigating risks in order to apply the right protection at the appropriate points in the system. It is vital that this process is very closely aligned with organizational goals, because mitigation decisions may have a serious impact on operations. Ideally, it should be based on a systems approach that involves stakeholders from throughout the organization.
A key concept of defence-in-depth is that security requires a set of coordinated measures. There are four steps that are essential in dealing with the risks and consequences of a cyber attack:
- Understanding the system, what is valuable and what needs most protection
- Understanding the known threats through threat modelling and risk assessment
- Addressing the risks and implementing protection with the help of international standards, which are based on global best practices
- Applying the appropriate level of conformity assessment — testing and certification — against the requirements.
ABC of cyber security
This is the ABC of cyber security:
A is for assessment
B is for best practices to address the risk
C is for conformity assessment for monitoring and maintenance
A risk-based systems approach increases the confidence of all stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. This means combining the right standards with the right level of conformity assessment, rather than treating them as distinct areas.
The aim of the conformity assessment is to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This may mean using different kinds of conformity assessment — ranging from corporate self-assessment to relying on suppliers’ declarations or independent, third-party assessment and testing — whichever seems most appropriate according to the different levels of risk.
In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme is a proven and highly effective approach to ensuring long-term cyber resilience.
Horizontal and vertical standards
The most robust defences rely on both "horizontal" and "vertical" standards. Horizontal standards are generic and flexible, applicable over a broad area and covering fundamental principles, concepts, definitions, terminology and similar general information. In contrast, vertical standards address application-specific areas.
Two examples of horizontal standards stand out. The ISO/IEC 27000 family helps to protect pure information systems (IT) and ensures the free flow of data in the virtual world. It provides a powerful, horizontal framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls. IEC 62443, the other horizontal standards series, is designed to keep OT systems running in the real world. It can be applied to any industrial environment, including critical infrastructure facilities such as power utilities or nuclear plants, as well as to the health and transport sectors.
Complementing the horizontal standards are custom solutions designed to meet the needs of specific sectors. There are vertical standards covering the specific security needs of the nuclear sector, industrial communications networks, industrial automation and the maritime industry, for example.
Testing and certification
The industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.
Cyber security is a key strategic focus of both the IEC Standardization Management Board (SMB) and the IEC Conformity Assessment Board (CAB). They take a systems approach to their coordination activities by involving all IEC stakeholders. The SMB has set up an Advisory Committee on Security (ACSEC) with a scope that includes:
- Dealing with information security and data privacy matters which are not specific to a single IEC Technical Committee
- Coordinating activities related to information security and data privacy
- Providing guidance to technical committees/subcommittees (TCs/SCs) for the implementation of information security and data privacy in a general perspective and for specific sectors
The IEC CAB is working with the United Nations Economic Commission for Europe (UNECE) to create United Nations Common Regulatory Objectives Guidelines for Cybersecurity that describe a generic process integrating the four essential steps given above. It also focuses on the often-overlooked aspect of appropriate conformity assessment.
A holistic approach to cyber security
The best way to prepare for all these challenges is by implementing a holistic strategy that combines best practices with testing and certification. Holistic means addressing everything from systems and processes to people.