Imagine a city the size of London thrown into chaos, as public transport grinds to a halt and traffic lights stop functioning. This is no longer the stuff of nightmares or the scenario of a disaster movie but a prospect that is getting more likely every day. Critical infrastructure facilities, whether power or nuclear plants, national railway and local underground systems or other forms of public transport, are increasingly targeted by cyberattacks. Sophisticated cyberweapons have been developed, including malware designed to disrupt the operation of industrial control systems.
The growing use of connected devices in the industrial environment make cyberthreats more likely. According to the report, “Threat Landscape for Industrial Automation Systems,” published by cybersecurity firm Kaspersky Lab, 18,000 different malware modifications to industrial automation systems were detected in the first six months of 2017.
When Machines Talk to Each Other
Machine-to-machine communication is a set of technologies that enables networked devices to interoperate, exchange information or perform actions, often wirelessly and without the manual assistance of humans. Sensors are embedded in a growing number of devices to automate and manage process control systems, including transmission and distribution of electricity. While they offer undeniable advantages in terms of cost and maintenance, they are also increasingly vulnerable to hacking.
Cybersecurity is therefore one of the key concerns for those who manage modern manufacturing plants as well as any form of critical infrastructure. One of the only ways to safeguard these facilities now and in the future is by providing standardized protection measures.
Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators themselves. Protection measures must address and mitigate not only current, but also pre-empt future security vulnerabilities.
Facilities need to understand and mitigate risk as well as install secure technology to build cyber-resilience. This means implementing a holistic cybersecurity strategy at the organization, process and technical levels. Such a strategy must include comprehensive and standardized measures, processes and technical means, as well as preparation of people. But alongside all of this, it must also offer the recourse to an internationally recognized certification system.
A Fundamental Set of Standards for Cybersecurity
The IEC has recently published IEC 62443-4-1-2018, the latest in a series of critical publications, establishing precise cybersecurity guidelines and specifications applicable to a wide range of industries and critical infrastructure environments. The IEC 62443 series recommends that security should be an integral part of the development process, with security functions already implemented in the machinery and systems.
These horizontal standards are also used in the transport sector: A set of cybersecurity guidelines on board ships adopted by the International Maritime Organization (IMO) refer to IEC 62243. The Shift2Rail, an initiative that brings together key European railway stakeholders, is aiming to define how different aspects of cybersecurity should be applied to the railway sector. It has assessed applicable standards and has selected the IEC 62443 publications. The IEC 62443 standards are also compatible with the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework.
Internationally Recognized Certification is Key
Another boon is that the 62443 standards have their own certification program. The IEC is the only organization in the world that provides an international and standardized form of certification that deals with cybersecurity. It is supplied by IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components. The IECEE industrial cybersecurity program tests and certifies cybersecurity in the industrial automation sector.
The IEC is also working with the United Nations Economic Commission for Europe (UNECE) to create a common regulatory objectives document focusing on conformity assessment and cybersecurity. The aim of the document is to provide a methodology for a comprehensive system’s approach to conformity assessment that can be applied to any technical system in the cybersecurity field.
“Achieving cyber protection in a cost-effective manner results from applying the right protection at the appropriate points in the system to limit the risk and the consequences of a cyber attack. This means modelling the system, conducting a risk analysis, choosing the right security requirements which are part of IEC Standards, and applying the appropriate level of conformity assessment against the requirements, according to the risk analysis. We need to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This holistic approach to conformity assessment is indispensable to protect facilities, especially critical infrastructure, from cyber crime,” said David Hanlon, secretary of the IEC Conformity Assessment Board.
In a world where cyberthreats are becoming ubiquitous, being able to apply a specific set of International Standards combined with a dedicated and worldwide certification program is one of the best ways of ensuring long-term cyberprotection of critical infrastructure.