How to protect tomorrow’s critical infrastructure by Catherine Bischofberger

Imagine a city the size of London thrown into chaos, as public transport grinds to a halt and traffic lights stop functioning ...This is no longer only the stuff of nightmares or the scenario of a disaster movie but a real possibility that is getting more likely every day. Critical infrastructure facilities, whether power or nuclear plants, national railway and local underground systems or other forms of public transport, are increasingly targeted by cyber attacks. Sophisticated cyber weapons have been developed, including malware designed to disrupt the operation of industrial control systems. The growing use of connected devices in the industrial environment make cyber threats more likely. According to the report Threat Landscape for Industrial Automation Systems, published by cyber security firm Kaspersky Lab, 18 000 different malware modifications to industrial automation systems were detected in the first six months of 2017.

When machines talk to each other...

Machine-to-machine communication is a set of technologies that enables networked devices to interoperate, exchange information or perform actions, often wirelessly and without the manual assistance of humans. Sensors are embedded in a growing number of devices which are utilized to automate and manage process control systems, including transmission and distribution of electricity. While they offer undeniable advantages in terms of cost and maintenance, they are also increasingly vulnerable to hacking.

Cyber security is therefore one of the key concerns for those who manage modern manufacturing plants as well as any form of critical infrastructure. One of the only ways to safeguard these facilities now and in the future is by providing standardized protection measures.

Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators themselves. Protection measures must address and mitigate not only current, but also pre-empt future security vulnerabilities.

Facilities need to understand and mitigate risk as well as install secure technology in order to build cyber resilience. This means implementing a holistic cyber security strategy at the organization, process and technical levels. Such a strategy must include comprehensive and standardized measures, processes and technical means, as well as preparation of people. But alongside all of this, it must also offer the recourse to an internationally recognized certification system.

A fundamental set of Standards for cyber security

The IEC has recently published IEC 62443-4-1-2018, the latest in a series of critical publications, establishing precise cyber security guidelines and specifications applicable to a wide range of industries and critical infrastructure environments. The IEC 62443 series recommends that security should be an integral part of the development process, with security functions already implemented in the machinery and systems.

These horizontal Standards are also used in the transport sector: a set of cyber security guidelines on board ships adopted by the International Maritime Organization (IMO) refer to IEC 62243. TheShift2Rail, an initiative that brings together key European railway stakeholders, is aiming to define how different aspects of cyber security should be applied to the railway sector. It has assessed applicable standards and has selected the IEC 62443 publications. The IEC 62443 Standards are also compatible with the US National Institute of Standards and Technology (NIST) cyber security framework.

Internationally recognized certification is key

Another boon is that the 62443 Standards have their own certification programme. The IEC is the only organization in the world that provides an international and standardized form of certification which deals with cyber security. It is supplied by IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components. The IECEE industrial cyber security programme tests and certifies cyber security in the industrial automation sector.

The IEC is also working with the United Nations Economic Commission for Europe (UNECE) to create a common regulatory objectives document focusing on conformity assessment and cyber security. The aim of the document is to provide a methodology for a comprehensive system’s approach toconformity assessment that can be applied to any technical system in the cyber security field.

“Achieving cyber protection in a cost-effective manner results from applying the right protection at the appropriate points in the system to limit the risk and the consequences of a cyber attack. This means modelling the system, conducting a risk analysis, choosing the right security requirements which are part of IEC Standards, and applying the appropriate level of conformity assessment against the requirements, according to the risk analysis. We need to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This holistic approach to conformity assessment is indispensable to protect facilities, especially critical infrastructure, from cyber crime”, explains David Hanlon, Secretary of the IEC Conformity Assessment Board.

In a world where cyber threats are becoming ubiquitous, being able to apply a specific set of International Standards combined with a dedicated and worldwide certification programme, is one of the best ways of ensuring long-term cyber protection of critical infrastructure.

By Catherine Bischofberger