Safeguarding critical infrastructure

A UN report highlights the vulnerability of the healthcare sector and suggests a cybersecurity code of conduct for nation states

Mike Mullane
e-tech
4 min read, Mar 18, 2021


Hospitals are relatively easy targets for cyber-criminals. (Photo by National Cancer Institute on Unsplash)

The United Nations has adopted a landmark report on cybersecurity after a unanimous vote in favour. For the first time, all 193 member states have voted to approve a set of rules, norms and principles for responsible state behaviour in cyberspace.

The report notes that in recent years nation states have turned increasingly to cyber warfare to achieve political, economic and military goals. It highlights the “potentially devastating security, economic, social and humanitarian consequences” of malicious attacks on the critical infrastructures that keep modern society safe and functioning. One of the most widely reported cyber-attacks on critical infrastructure took place in Ukraine in December 2015, when attackers disrupted the electricity supply to consumers. It left nearly a quarter of a million people without power, in the middle of winter, for up to six hours.

Attacks of this kind are possible because power grids and other critical infrastructures are cyber-physical systems, in which operational technology (OT) has been integrated with computation and communication (ICT). That integration has multiplied the number of endpoints, and with them the ways in which an attacker can reach the networks that control physical processes.

The UN cyberspace report specifically mentions the healthcare sector, an increasingly popular target for cyber-criminals. It does not suggest that nation states are in any way responsible for those attacks, but it calls on countries to work together more closely to stymie the criminals behind them. In the last two months of 2020, cyber-attacks on healthcare organizations rose by 45%, at a particularly vulnerable time for the sector, when hospitals in many countries were struggling to cope with the rise in COVID-19 patients.

Unfortunately, those responsible for security often overlook the operational constraints of health and other critical infrastructure sectors. From a cybersecurity perspective, the challenge is that, unlike business systems, operational technology is designed for ease of access from different networks, because cyber-physical systems have to cope with different kinds of risk. Where ICT security weighs the confidentiality, integrity and availability of data (the so-called “C-I-A triad”) in roughly equal measure, for cyber-physical systems availability comes first: a device or control system that cannot be reached when it is needed is itself a safety hazard. The convergence of IT and OT therefore shifts the focus to protecting the safety, integrity, availability and confidentiality (SIAC) of a diverse range of traffic, from life-critical patient data that requires immediate delivery and response to general administrative data.

In cyber-physical environments the priorities are safety, health and protection of the environment. In an emergency, whether to protect personnel or to minimize the impact of a natural disaster, it is therefore vital that operators receive accurate and timely information and can quickly take appropriate action.

Hospitals are relatively easy targets for cyber-criminals. Many run obsolete IT systems and medical devices with weak or no protection. They rely on third-party services, which exposes them to supply chain vulnerabilities, and they store a wide range of personal data about their patients. And, in common with other critical infrastructures, hospital networks are built to facilitate access from different networks rather than to isolate them.

International standards provide solutions to many of these challenges. The IEC 80001 series of publications was developed for the application of risk management to IT networks incorporating medical devices. The series addresses how medical devices can be connected to IT networks to achieve interoperability without compromising the organization and delivery of health care.

The recently updated IEC 80001-1 defines the roles, responsibilities and activities necessary for the risk management of IT networks incorporating medical devices. It deals with safety and effectiveness as well as data and system security, in the context of healthcare organizations, manufacturers of medical devices and providers of other information technology.

The widely used IEC 62443 series addresses the security of industrial automation and control systems and is designed to keep cyber-physical systems running. It applies to manufacturing plants, power utilities and the transport sector, for example, as well as to healthcare facilities.

The industrial cybersecurity programme of the IECEE (the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components) tests and certifies cybersecurity in the industrial automation sector, providing certification against standards in the IEC 62443 series.

The Swiss diplomat Jürg Lauber, who chaired the UN Open-ended Working Group that produced the report, acknowledges that nation states are not the only threat actors. Ambassador Lauber calls for multi-stakeholder cooperation and partnerships to build a more resilient and secure cyber environment, and the report underlines the importance of international norms and standards.

The United Nations Economic Commission for Europe (UNECE) has already integrated the IEC 62443 series of standards into its Common Regulatory Framework on Cybersecurity, and has established a partnership with the IEC Conformity Assessment Board and IECEE.

Journalist working at the intersection of technology and media