Protecting data and critical assets against cyber attacks
Why cyber-security relies on understanding the differences between IT and cyber physical systems
Federal agencies and a cyber-security service provider that counts the government and Fortune 500 companies among its clients are all victims of recent cyber attacks in the United States. There are fears that the hackers may also be targeting the private sector. Analysts suspect that a foreign power is behind the security breaches.
Nation states are turning increasingly to cyber warfare to achieve political, economic and military goals. The attacks do not stop at government agencies, but also target critical infrastructure and private corporations to steal sensitive data that can be sold for profit.
Cyber warfare enables nation states to inflict serious damage on rival powers. It is not only agile and cost-effective, but also less likely to trigger military retaliation. It is almost impossible to pinpoint the origin of sophisticated attacks, especially when nation states employ cyber mercenaries based in other countries.
Government agencies and most private businesses can defend themselves by implementing an information security management system (ISMS), as described in ISO/IEC 27001. The well-known international standard defines a cyber risk management-based approach to managing people, processes, services and technology.
Using ISO/IEC 27001 helps organizations to manage their information security risks, including threats, vulnerabilities and impacts, as well as designing controls to protect the confidentiality, integrity and availability of data and for regulating access to critical information systems and networks.
In addition, ISO/IEC 27001 is now part of the approved process scheme that provides for the independent assessment and issuing of an international IECQ certificate of conformity for organizations that have demonstrated compliance with the relevant publications. IECQ ISMS facility assessments under the IECQ AP scheme ensure a focus on the key technical and administrative elements that provide confidence that the requirements of ISO/IEC 27001 have been met.
Cyber physical systems, including the power grid and industrial plants face a different set of challenges. Cyber physical systems are smart systems that integrate computational components, engineering, networking and physical process. The power grid is a physical system with an information infrastructure overlaid on it, which is a cyber system. This makes cyber physical systems quite different from just plain computers, which IT typically deals with.
Unfortunately, those responsible for security often overlook the operational constraints in sectors such as energy, health, manufacturing, or transport. From a cyber-security perspective, the challenge is that unlike business systems, industrial automation and control systems (IACS) are actually designed to facilitate ease of access from different networks.
That is because industrial environments have to cope with different kinds of risk. Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — for cyber physical systems, availability is of foremost importance. Priorities for cyber physical environments focus on health and safety and protecting the environment. In the event of an emergency, in order to be able to protect personnel or to minimize the impacts of natural disasters, it is vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.
Supervisory control and data acquisition (SCADA) systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, often have widespread communication networks. They reach, directly or indirectly, into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment.
Probably the best-known cyber-attack on critical infrastructure was in the Ukraine in 2015, when hackers suspected of working for a nation state infiltrated the electric utility’s SCADA system. Key circuit breakers were tripped, and the SCADA system was turned into a “brick”, causing a system-wide power blackout. It left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours.
International standards provide solutions to many of these challenges. For example, IEC 62443, is designed to keep cyber physical systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.
The industrial cyber-security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.
