Development of effective horizontal and vertical operating standards
The ISO/IEC 27000 family of standards helps to protect purely information technology (IT) systems and safeguards the free flow of data in the virtual world. It provides a powerful, horizontal framework for evaluating best practices in the implementation, maintenance and continuous improvement of security controls against a common baseline.
The other horizontal series, IEC 62443, is designed to keep operational technology (OT) systems running in the physical world. It can be applied in any industrial environment, including critical infrastructure facilities such as energy utilities or nuclear power plants, as well as in the health and transport sectors. IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has created global certification services based on the IEC 62443 series.
As a complement to the horizontal standards, there are tailored solutions designed to meet the needs of specific sectors. These vertical standards cover the specific security needs of the nuclear sector, industrial communication networks, industrial automation and the maritime industry, among others.
Achieve cyber resilience through risk mitigation
The goal of any cybersecurity strategy is to protect as many assets as possible and, above all, the most important ones. Since it is not feasible to protect everything to the same degree, it is important to identify what is valuable and needs the greatest protection, identify the vulnerabilities, then prioritize and build a defense-in-depth architecture that guarantees business continuity.
Achieving resilience is largely about understanding and mitigating risk so that adequate protection is applied at the appropriate points in the system. It is vital that this process be closely aligned with the organization's objectives, because mitigation decisions can have a serious impact on operations. Ideally, it should be based on a systems approach that involves stakeholders from across the entire organization.
A key concept of defense in depth is that security requires a set of coordinated measures. There are four essential steps for facing the risk and consequences of a cyberattack:
1. Understand the system, what is valuable and what most needs protection.
2. Understand known threats through threat modeling and risk assessment.
3. Address risks and implement protection with the help of international standards, which are based on global best practices.
4. Apply the appropriate level of conformity assessment (testing and certification) against the requirements.
Another way of looking at it is as the ABC of cybersecurity:
A is for assessment.
B is for best practices to address risk.
C is for conformity assessment, for monitoring and maintenance.
A risk-based systems approach increases the confidence of all stakeholders by demonstrating not only that security measures based on best practices are in use, but also that the organization has implemented those measures efficiently and effectively. This means combining the right standards with the right level of conformity assessment, instead of treating the two as separate areas.
The objective of conformity assessment is to evaluate the components of the system, the competencies of the people who design, operate and maintain it, and the processes and procedures used to run it. This can mean using different types of conformity assessment, ranging from corporate self-assessment or reliance on a supplier's declarations to independent third-party evaluation and testing, and selecting the most appropriate type according to the level of risk.
International collaboration drives the secure-by-design approach
In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated, global certification program is a proven and highly effective approach to developing long-term cyber resilience. However, standards and conformity assessment can only have their maximum impact as part of a risk-based approach built on a comprehensive assessment of threats and vulnerabilities. This approach encompasses not only technology and processes but also people, recognizing the essential role of training.
The 121 members of IEC Working Group 15 from 21 countries have been collaborating in the development of end-to-end cybersecurity standards for several years. Moreno Carullo, co-founder and CTO of Nozomi Networks, has been part of the group since 2015.
During Vienna Cybersecurity Week in 2019, Moreno shared his thoughts on building resilience in energy systems. To learn more about why secure-by-design energy systems are so essential, download a copy of his presentation, "Cyber resilience of energy systems: Design for tomorrow while taking action today".
The original article, "Cyber attacks targeting critical infrastructure" by IEC Defense Officer Michael Mullane, was published in IEC e-tech and has been adapted, with the IEC's approval, for publication on the Nozomi Networks blog. Mike is an experienced journalist, technologist and manager. He has worked for the BBC, the Swiss Broadcasting Corporation, the European Broadcasting Union and Rai, specializing in news and in digital and online media. Mike's work at the IEC focuses on AI and cybersecurity, including representing the IEC in OCEANIS (https://ethicsstandards.org/).