Staying one step ahead

Cyber security and the role of International Standards

Innovation brings new challenges – or, put another way, every silver lining has a cloud. While the Internet has given us connected, smart and interactive technologies, it has also spawned the murky, underground world of cyber crime.

[Photo: Hackers stole 10 GB of data from a casino in Las Vegas (Photo: Pixabay)]

Challenges in cyber security are evolving continuously as an ever-growing number of connected devices and smart technologies are incorporated into our homes and workplaces. In the past decade we have gone from worrying about protecting our computers and smartphones to being aware of the risks that refrigerators, thermostats, industrial machines and other systems pose to network security.

As defined by ISO/IEC JTC 1/SWG 5 in 2014, the internet of things (IoT) is “an infrastructure of interconnected objects, people, systems and information resources together with intelligent services to allow them to process information of the physical and the virtual world and react.” It covers everything from household appliances to connected cars to widgets in nuclear power plants (NPPs).

In industrial environments, the growth of connected devices has accelerated the convergence of the once separate domains of information technology (IT) and operational technology (OT), resulting in the industrial IoT (IIoT). This has made cyber security intrusions and threats more difficult to detect and prevent.

IHS Markit expects the number of connected IoT devices worldwide to jump from nearly 27 billion in 2017 to 125 billion in 2030. An increase in the number of connected devices means more potential vulnerabilities for cyber criminals to exploit.

According to a recent report, 978 million victims lost USD 172 billion to cyber crime in 2017. Most risk professionals believe that a data breach or cyber attack caused by insecure IoT devices could be “catastrophic” for their organization. 

Fishy goings-on

Tools like the IoT search engine Shodan have made it easier than ever before for hackers to pinpoint vulnerable devices in a network. They might be looking for refrigerators, heating systems, or in the case of hackers targeting a casino in North America, a fish tank.

The casino hackers were able to transfer 10 GB of data out of the network, via a smart thermostat and up to the cloud, including the bank account details of wealthy patrons. The crux of the matter is that when connected to a network, any device with weak security poses a risk to the whole organization.

Malware gives hackers an even quicker route into a network if their targets can be tricked into opening infected documents. Secret papers leaked last year revealed that CIA agents regularly use malware to turn connected televisions into bugging devices.

Sometimes called industrial IoT, operational technology (OT) refers to hardware and software that controls physical processes, industrial devices and infrastructure. For example, the manufacturing industry is fast proving a popular target for hackers as it becomes better connected.

Elsewhere, protecting energy security and critical energy infrastructure against cyber attacks is rapidly emerging as an absolute priority. A May 2017 report by the FBI and Homeland Security warned that hackers were penetrating the computer networks of nuclear power stations and other energy facilities in the US and around the world.

Seven months later, in December 2017, a cyber attack shut down a power plant, believed to be in Saudi Arabia. Attacks targeting nuclear power plants (NPPs) could have devastating consequences for the entire power network and could trigger an environmental catastrophe.

The IEC has issued 235 OT and IT security-related publications. Some 160 have been developed in cooperation with ISO, including the ISO/IEC 27000 family of Standards.

The need for Standards

In the fight against cyber crime it is of critical importance to understand when, if and how an intrusion into a network, system or application occurs. Security systems must be able to identify what vulnerability was exploited in order to implement the right checks and controls so as to prevent similar intrusions in the future.

While organizations must continue to be vigilant, they can at least count on the standardization work of the ISO/IEC Joint Technical Committee (JTC) 1 for help. For example, ISO/IEC 27039 provides guidelines for preparing and deploying an intrusion detection and prevention system (IDPS).

JTC 1 has produced a series of Standards for information technology (IT) security techniques which define a common language for IT-related threats, help protect information in the cloud, offer integrated solutions for services and more. The widely known ISO/IEC 27000 family of Standards provides a powerful framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls.

ISO/IEC 27001 identifies potential risks to client and stakeholder data and ensures that organizations implement the relevant controls to mitigate them. It takes in encryption, ongoing testing and risk assessment.

Inter-sector and inter-organizational communications

Within the ISO/IEC 27000 toolbox, ISO/IEC 27010 guides the initiation, implementation, maintenance and improvement of information security in inter-organizational and inter-sector communications. It helps to encourage the growth of global information-sharing communities, and includes general principles on how to meet these requirements using established messaging and other technical methods.

ISO/IEC 27010 is particularly relevant for the protection of critical national infrastructure, where exchanging sensitive information securely is of paramount importance. Security incident response teams also make use of this Standard.

Integrated solutions for services

Some organizations are choosing to combine ISO/IEC 27001 with ISO/IEC 20000-1, a service management system. The resulting integrated system enables organizations to manage the quality of their services efficiently while keeping data safe.

ISO/IEC 27013 offers a systematic approach to facilitating the integration of an information security management system with a service management system. This lowers implementation costs and avoids duplication of effort, as only one audit is needed for certification.

Communication networks, control systems and power installations

Other IEC series of Standards are relevant to the protection of communication networks, control systems and power installations against cyber threats. They include:

  • IEC 62443, Industrial communication networks — Network and system security
  • IEC 61850, Communication networks and systems for power utility automation
  • IEC 60870, Telecontrol equipment and systems
  • IEC 62351, Power systems management and associated information exchange

Addressing the specific needs of nuclear power plants (NPPs)

IEC develops bespoke solutions whenever needed. For example, IEC Subcommittee (SC) 45A: Instrumentation, control and electrical systems of nuclear facilities, is developing specific Standards for NPPs by adapting ISO/IEC 27001 and ISO/IEC 27002 to fit the nuclear context and coordinating with the IEC 62443 series.

SC 45A has developed IEC 62645, Nuclear power plants — Instrumentation and control [I&C] systems — Requirements for security programmes for computer-based systems, to protect microprocessor-based information and control systems. A second Standard, IEC 62859, Nuclear power plants — Instrumentation and control systems — Requirements for coordinating safety and cyber security, provides a framework to manage the interactions between safety and cyber security.

In common with other IEC SC 45A Standards, IEC 62645 and IEC 62859 take into account the safety principles for NPPs of the International Atomic Energy Agency.

Protecting critical infrastructure

Several other IEC technical committees (TCs) and SCs prepare International Standards that protect specific domains and keep industry and critical infrastructure assets safe. Here is a selection of them:

IEC TC 57: Power systems management and associated information exchange, develops, among many others, the IEC 61850 series of publications for communication networks and systems for power utility automation, and the IEC 60870 series for telecontrol equipment and systems.

IEC TC 65: Industrial-process measurement, control and automation, prepares publications that specify security requirements for industrial automation and control systems (IACS) in the IEC 62443 series.

IEC TC 62: Electrical equipment in medical practice, and its SCs, develop Standards to protect medical data security, integrity and privacy.

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, has developed IEC 61162-450:2016. In parallel, TC 80 has developed IEC 61162-460:2018 to expand requirements when there is a need for enhanced safety and security standards.

Audit and certification

Increasing numbers of organizations are turning to third-party certification audits to demonstrate that they have a solid information security management system (ISMS) in place which conforms to the requirements of ISO/IEC 27001. ISO/IEC 27006 provides the requirements that certification and registration bodies need to meet to be accredited, so they can offer ISO/IEC 27001 certification services.

The IEC Advisory Committee on Security (ACSEC) deals with information security and data privacy matters which are not specific to a single IEC Technical Committee. ACSEC also coordinates activities related to information security and data privacy, provides advice to the IEC Standardization Management Board (SMB) on these topics, and gives guidance to TCs and SCs on the implementation of information security and data privacy.

Cyber security is the focus of the IEC Conformity Assessment Board (CAB) Working Group (WG) 17 and IEC Conformity Assessment for Electrotechnical Equipment and Components (IECEE) Certification Management Committee Task Force.

Staying one step ahead

“Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively,” says Frank Abagnale, a man who knows a thing or two about the criminal psyche. Abagnale, whose life story became the subject of a film by Steven Spielberg, worked for the FBI and a host of organizations as a security consultant, but in his youth was one of America's most wanted criminals.

Adhering to International Standards is the most effective way to stay one step ahead. They provide a robust and reliable framework for cyber security, based on best practices identified by the leading industry and technology experts around the world.