Critical infrastructure: target of choice for cyber attacks
The perception of which parts of critical infrastructures are most vulnerable to cyber attacks varies between regions. However, many of them include electricity generation plants, transportation systems and manufacturing facilities controlled and monitored by Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) in the critical infrastructure category. This holds true for the European network and information security agency (ENISA) and for the US Government.
Energy infrastructures have been targeted in a number of countries in recent years, or are reported to be vulnerable.
Ukrainian power distribution companies were the targets of a wave of cyber attacks that resulted in widespread power outages in late December 2015-early January 2016.
In the early 2000s, a number of US nuclear power plants were the targets of cyber attacks: Ohio in 2003, Alabama in 2006 and Georgia in 2008, according to a late 2015 special report by the London-based Chatham House think tank.
International multistakeholder conference
The EnergyPact Foundation conference, held at the Austrian National Defence Academy, was co-organized by the Austrian Cyber Security Platform (CSP) and the Austrian Institute of Technology (AIT), and was supported by IEC, the UN Office on Drugs and Crime (UNODC) and the International Telecommunication Union (ITU).
It was attended by officials and representatives from industry, academia and think tanks. Topics discussed included modern data science to protect critical infrastructures of tomorrow, legal and regulatory frameworks, critical infrastructures, and business enablement.
Outline of IEC activities in cyber security
Eyal Adar, a member of IEC TC 65/WG 10: Security for industrial process measurement and control – Network and system security, and of IEC Conformity Assessment Board (CAB) Working Group (WG) 17: Cyber security, and CEO of White Cyber Knight Ltd. (WCK), gave details of IEC activities in the cyber security sphere.
Global vulnerability to malicious acts in cyber space is growing, Adar said, adding that the exploitation of cyber vulnerabilities of infrastructure systems represents a mounting threat to the security of businesses and societies overall.
The IEC has published over 200 International Standards that address cyber security and the privacy of health, business and critical infrastructure systems directly, Adar said, telling participants that “implementing the right Standards for your needs is a challenge, but with many benefits especially for complex infrastructures with Information/Operational Technology and Internet of Things (IT/OT/IoT) technologies.”
Adar also added that IEC Conformity Assessment Systems were included in this area.
IEC cyber security framework advantages
As an example of the significance of IEC Standards and CA in the IT security domain, Adar focused on the advantages of the IEC 62443 series, which to date includes seven available Standards, Technical Requirements and Specifications, out of a total of 14 eventual deliverables. These publications:
- provide an ecosystem of Standards for different needs.
- provide Standards for unique needs. Adar gave as an example the "Extended Set of Standards that support Smart Grids deployment" document, prepared by the European Committee for Standardization, the European Committee for Electrotechnical Standardization and the European Telecommunications Standards Institute (CEN-CENELEC-ETSI) Smart Grid Coordination Group. This document lists a number of IEC Standards that cover power systems, information systems and industrial automation and apply to vendors, integrators and operators
- ensure international recognition: the IEC brings together 170 countries which represent nearly the entire world population and account for virtually all electricity generated
- guarantee that devices built to IEC International Standards are accepted in most countries in the world. They fully satisfy the requirements of the World Trade Organization Technical Barriers to Trade (TBT) Agreement.
- ensure coexistence with other standards by building the right hybrid of standards in selecting the best standard for each need
- guarantee compatibility with leading standards: e.g. implementing IEC 62443 means compatibility with the US (NIST) cyber security framework
- integrate market needs: Adar gave as an example the International Association of end-users of components, systems and IT related items in the Process Industries (WIB). WIB needed a standard for industrial automation and control system (IACS) solution suppliers; it wrote the original standard based on industry needs; IEC adopted it as IEC 62443-2-4:2015, Security program requirements for IACS service providers
- are adopted by vendors: most of the world’s leading multinationals and countless many small and medium-size companies actively participate in IEC work via their National Committees
- represent a knowledge base for developing countries: certification bodies and evaluators are available worldwide, they can support energy organizations in providing the following key pieces of information:
- What standard to implement in different use cases
- How to implement it step by step
- How to make gap analyses
- And finally – how to be approved by regulators
Working on CA Schemes
A number of IEC CA systems are in place. Adar explained that CAB/WG 17 was investigating the market need and timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. However CAB/WG 17 work will exclude the scope of Industrial Automation Applications covered by IECEE CMC Task Force (TF) cyber security.
Keen interest from participants
Adar’s presentation to the conference attracted considerable interest and many questions from participants as the wide range of International Standards developed by IEC and by the Joint Technical Committee created by the International Organization for Standardization (ISO) and IEC, ISO/IEC JTC 1 make a major contribution to the protection of critical energy infrastructure.