The perception of which parts of critical infrastructures are most vulnerable to cyber attacks varies between regions. However, many of them include electricity generation plants, transportation systems and manufacturing facilities controlled and monitored by Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) in the critical infrastructure category. This holds true for the European network and information security agency (ENISA) and for the US Government.
Energy infrastructures have been targeted in a number of countries in recent years, or are reported to be vulnerable.
Ukrainian power distribution companies were the targets of a wave of cyber attacks that resulted in widespread power outages in late December 2015-early January 2016.
In January 2014, The Nuclear Threat Initiative (NTI), a non-profit, nonpartisan organization, warned that nuclear facilities in 20 countries might be easy targets for cyber attacks.
In the early 2000s, a number of US nuclear power plants were the targets of cyber attacks: Ohio in 2003, Alabama in 2006 and Georgia in 2008, according to a late 2015 special report by the London-based Chatham House think tank.
The EnergyPact Foundation conference, held at the Austrian National Defence Academy, was co-organized by the Austrian Cyber Security Platform (CSP) and the Austrian Institute of Technology (AIT), and was supported by IEC, the UN Office on Drugs and Crime (UNODC) and the International Telecommunication Union (ITU).
It was attended by officials and representatives from industry, academia and think tanks. Topics discussed included modern data science to protect critical infrastructures of tomorrow, legal and regulatory frameworks, critical infrastructures, and business enablement.
Eyal Adar, a member of IEC TC 65/WG 10: Security for industrial process measurement and control – Network and system security, and of IEC Conformity Assessment Board (CAB) Working Group (WG) 17: Cyber security, and CEO of White Cyber Knight Ltd. (WCK), gave details of IEC activities in the cyber security sphere.
Global vulnerability to malicious acts in cyber space is growing, Adar said, adding that the exploitation of cyber vulnerabilities of infrastructure systems represents a mounting threat to the security of businesses and societies overall.
The IEC has published over 200 International Standards that address cyber security and the privacy of health, business and critical infrastructure systems directly, Adar said, telling participants that “implementing the right Standards for your needs is a challenge, but with many benefits especially for complex infrastructures with Information/Operational Technology and Internet of Things (IT/OT/IoT) technologies.”
Adar also added that IEC Conformity Assessment Systems were included in this area.
As an example of the significance of IEC Standards and CA in the IT security domain, Adar focused on the advantages of the IEC 62443 series, which to date includes seven available Standards, Technical Requirements and Specifications, out of a total of 14 eventual deliverables. These publications:
- What standard to implement in different use cases
- How to implement it step by step
- How to make gap analyses
- And finally – how to be approved by regulators
A number of IEC CA systems are in place. Adar explained that CAB/WG 17 was investigating the market need and timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. However CAB/WG 17 work will exclude the scope of Industrial Automation Applications covered by IECEE CMCTask Force (TF) cyber security.
Adar’s presentation to the conference attracted considerable interest and many questions from participants as the wide range of International Standards developed by IEC and by the Joint Technical Committee created by the International Organization for Standardization (ISO) and IEC, ISO/IEC JTC 1 make a major contribution to the protection of critical energy infrastructure.