Helping prevent a cyber nightmare

With daily cyber attacks on the increase and reaching all areas, IEC work is essential to prevent or, fails this, mitigate their impact

Standardization work by the IEC technical committees (TCs) and subcommittees (SCs), and by the Joint Technical Committee (ISO/IEC JTC 1) set up by the IEC and the International Organization for Standardization (ISO), is meant to prevent and mitigate the catastrophic impact of cyber attacks on parts of the critical infrastructure everywhere. In addition, IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components, is working on a generic conformity assessment (CA) model which can be applied to cyber security. 

Maersk cargo
The AP Moller-Maersk shipping group disclosed that the June 2017 NotPetya cyber attack, which disrupted its operations, could end up costing it USD 200-300 million (Photo: AP Moller-Maersk)

Objectives, actors and tools

The number of cyber attacks on countries, companies, organizations and individuals is increasingly constantly.

Many actors are behind these, they are often difficult to identify, let alone catch. Their motives are often intertwined and they are loosely organized. They include, among others:

  • Individuals or organized groups determined to steal money – through embezzlement or ransomware, which encrypts a computer’s files which can only be unlocked after payment – or information, or to block personal or corporate IT systems
  • Companies ready to steal competitors’ confidential information, either technical or trade-related to gain competitive advantage
  • Individuals or groups bent on disrupting operations of an organization, government or bringing them into disrepute
  • State and non-state actors (the latter acting on their own or on behalf of a state) bent on wreaking havoc on another country’s infrastructure or on companies of which they disapprove

The IT tools employed to mount cyber attacks are varied and depend on the target. They can be combined to achieve maximum effectiveness and often rely on insufficient protection of systems, including failure to update software and a general lack of awareness from users in the targeted systems.

Very damaging and costly

Attacks on corporate IT systems can have a very adverse impact on businesses (loss of corporate information, reputational damage, etc.) in addition to possible significant financial losses.

A recent example shows that the potential cost may reach into hundreds of millions. The AP Moller-Maersk shipping group disclosed on 16 August 2017 that the June 2017 NotPetya cyber attack, which disrupted its operations, could end up costing it USD 200-300 million. The company reported on 16 August 2017 that its underlying profit for the second quarter of 2017 was USD 389 million...

The current economic cost of cyber attacks is already shockingly high and is set to double within a few years, according to a 2016 report by the Cybersecurity Ventures research company, which forecast that annual costs related to cyber incidents will be as high as USD 6 000 million in 2021, up from USD 3 000 million in 2016.

Economic losses may be staggering, but potentially more serious would be a catastrophic failure of parts of a country’s critical infrastructure.

Critical infrastructure is generally seen as including all or most of the following:

  • Energy supply (generation, transmission and distribution)
  • Financial services
  • Industrial controls systems
  • Healthcare
  • Telecommunications
  • Information technology (IT)
  • Insurance

Critical installations such as power networks are often insufficiently protected in many countries.

Top down and horizontal approach and protection

International Standards are key to the protection of critical infrastructure systems.

Many organizations rely on the ISO/IEC 27000 family of International Standards for information security management systems (ISMS) to keep their information assets secure. This family of Standards is being developed by ISO/IEC JTC 1/SC 27: IT security techniques.

As of September 2017 there were some 45 publications in the ISO/IEC 27000 family of International Standards for ISMS.

For its part the IEC, through a number of its TCs and SCs, develops many cyber security-related International Standards and other publications for specific systems and applications. Some may apply to different areas, others are relevant to one domain only.

IEC cyber security-related International Standards are implemented in many different critical infrastructure areas such as:

  • Power systems
  • Industrial automation
  • Nuclear power plants
  • Healthcare
  • Transportation (maritime, road and railways)

As more and more components in the home and industrial environments get connected and communicate with each other, in what is known as the internet of things (IoT) more security concerns emerge as larger systems may be targeted through their connected components. In addition to the deployment of existing Standards a new holistic approach is required in many instances.

Standardization work across the IEC

The following IEC TCs and SCs prepare International Standards that protect specific domains and make industry and critical infrastructure assets more secure:

IEC TC 57: Power systems management and associated information exchange, develops, among many others, the IEC 61850 series of publications for communication networks and systems for power utility automation, and the IEC 60870 series for telecontrol equipment and systems. These Standards are particularly important for critical infrastructure. Two cyber attacks on Ukrainian power networks in December 2015 and 2016 targeted Standards in both series. Likewise, at the recent BlackHat USA event, vulnerabilities in Standards from these series that make it possible to hack into wind turbines control systems and take down entire installations were exposed. TC 57 is aware of this issue and constantly reviews Standards to ensure all potential vulnerabilities are dealt with.

IEC TC 65: Industrial-process measurement, control and automation, prepares publications that specify security requirements for industrial automation and control systems (IACS) in the IEC 62443 series. The IEC 62443 family has been identified as a generic series for cyber security which can be applied to nearly all electrotechnical products and systems and not only to industrial automation products and systems.

IEC SC 45A: Instrumentation, control, and electrical systems of nuclear facilities, has issued two publications on requirements for security programmes for computer-based systems and on requirements for coordinating safety and cyber security. It is developing more publications connected to cyber security for nuclear facilities.

IEC TC 62: Electrical equipment in medical practice, and its SCs, develops Standards that are intended to protect medical data security, integrity and privacy.

Healthcare service providers and insurances have been increasingly targeted by criminals who try to get hold of medical records for fraud and identity theft. In the US more than a third of all data breaches in five industry sectors surveyed concern the healthcare sector, according to the US Identity Theft Resource Center (ITRC).

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, has developed IEC 61162-450:2016, which states that “a shipboard security architecture should comply with information security industry’s best practices”. It has also published an add-on to this Standard, IEC 61162-460:2015. In addition to the ISO/IEC 27000 family, the “Guidelines on Cyber Security Onboard Ships”, which were adopted recently by the Maritime Safety Committee (MSC) of the International Maritime Organization (IMO), refer specifically to the IEC 62443 series of Standards.

The newly created ISO/IEC JTC 1/SC 41: Internet of things and related technologies, has initiated a study period on IoT trustworthiness. Trustworthiness is a user-oriented systems engineering concept that encompasses all the attributes that would make a system trustable. These include security, availability, sustainability, safety, resilience and privacy. As the number of IoT devices is expected to increase from 8,3 billion units in 2017 to 20,4 billion in 2020, more potential cyber risks are emerging. Work by ISO/IEC JTC 1/SC 41 should help mitigate these risks.

Conformity assessment crucial too

In addition to standardization work by various IEC TCs and SCs and ISO/IEC JTC 1 aimed at protecting systems from cyber attacks, CA is also seen as the next step needed to strengthen cyber defences.

As part of the IEC systems approach, Conformity Assessment Board (CAB) Working Group (WG) 17 is working on drawing up plans for a generic CA model which can be applied to cyber security. IEC CA doesn’t protect as such, but it gives assurances that best practices based on standard requirements have been used and that conformity has been verified and assessed by a third party.

IECEE set up a task force (TF) for cyber security. It has evaluated IEC 62443 for certification purposes and has started work on a CA system based along these requirements. Further developments can be expected on this front in the not too distant future.

Heavy workload ahead

The frequency and extent of cyber attacks, which now affect individuals as well as businesses and even countries, mean that protection will become necessary across a growing range of domains, the more so as more connected systems and IoT devices gain ground. As a result standardization work by IEC TCs and SCs and by ISO/IEC JTC 1 SCs that focuses on cyber protection is set to expand. The same applies to the emerging IECEE CA model for cyber security.