The ABC of cyber security
Michael A. Mullane says there are three essential steps in order to build defence-in-depth.
The Chinese general Sun Tzu is revered as one of the greatest military strategists of all time. Much of his philosophy is also relevant to cyber security, which is, after all, a continuous struggle or series of battles. Sun Tzu and cyber security is probably worth a separate post, but for now let’s consider the following advice: “If you know the enemy and know yourself,” he writes in The Art of War, “you need not fear the result of a hundred battles.”
Knowing yourself and your enemy is exactly where the ABC of cyber security starts. Cutting to the chase, for those who don’t want to read any further, here it is:
- A is for assessing the risk
- B is for using best practices to address the risk
- C is for conformity assessment (certification and testing) for monitoring and maintenance.
There is more about the three essential steps below, but first a few words about building defence-in-depth.
The aim of any cyber security strategy is to protect as many assets as possible, and certainly the most important ones. Since it is not feasible, or even sensible, to try to protect everything in equal measure, it is important to identify what is valuable and needs the greatest protection, to identify vulnerabilities, and then to prioritize and erect a defence-in-depth architecture that ensures business continuity.
You do not achieve resilience simply by installing secure technology. It is mostly about understanding and mitigating risks in order to apply the right protection at the appropriate points in the system.
It is vital that this process is very closely aligned with organizational goals because mitigation decisions may have a serious impact on operations. Ideally, it should be based on a systems-approach that involves stakeholders from throughout the organization.
A key concept of defence-in-depth is that security requires a set of coordinated measures. There are three essential steps in order to deal with the risk and consequences of a cyber attack:
1. The assessment phase, which involves
   i. Understanding the system, what is valuable and what needs most protection
   ii. Understanding the known threats through threat modelling and risk assessment
2. Address the risks and implement protection with the help of International Standards, which are based on global best practices
3. Apply the appropriate level of conformity assessment — assessment, testing and certification — against the requirements
A risk-based systems-approach increases the confidence of all stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. This means combining the right standards with the right level of conformity assessment, rather than treating them as distinct areas.
The aim of the conformity assessment is to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This may mean using different kinds of conformity assessment — ranging from corporate self-assessment, to relying on suppliers’ declarations, to independent third-party assessment and testing — whichever is most appropriate for the different levels of risk.
In a world where cyber threats are becoming increasingly common, being able to apply a specific set of International Standards combined with a dedicated, worldwide certification programme is a proven and highly effective approach to ensuring long-term cyber resilience.
The industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to Standards within the IEC 62443 series.
Cyber security is a key strategic focus of both the IEC Standardization Management Board (SMB) and the IEC Conformity Assessment Board (CAB). They take a systems-approach to their coordination activities by involving all the IEC stakeholders. The SMB has set up an Advisory Committee on Security (ACSEC) with a scope that includes:
- Dealing with information security and data privacy matters which are not specific to a single IEC Technical Committee;
- Coordinating activities related to information security and data privacy;
- Providing guidance to TCs/SCs for the implementation of information security and data privacy in a general perspective and for specific sectors.
The IEC CAB is working with the United Nations Economic Commission for Europe (UNECE) to create the United Nations Common Regulatory Objectives Guidelines for Cybersecurity, which describes a generic process that integrates the four essential steps given above and focuses on the often overlooked aspect of appropriate conformity assessment.