A belt and braces approach to cyber security

A holistic strategy, combining best practices with testing and certification, is the best way to build cyber resilience.

We use the expression “belt and braces” to mean that we are being extra careful about something. The idea is that if our belt breaks unexpectedly, our braces will ensure that our trousers stay up.

Organizations, factories and critical infrastructure must be protected against cyber attacks (Photo: www.motioncontrolonline.org)

While taking a belt and braces approach may be regarded as being excessively cautious in some circumstances, there is no such thing as being too careful when it comes to cyber security. According to a recent report, a staggering 978 million victims lost an astonishing USD 172 billion to cyber crime in 2017. 

Challenges in cyber security are evolving continuously, as we employ an ever growing number of connected devices and smart technologies in our homes and workplaces. In the past decade, we have gone from worrying about protecting our computers and smartphones to being aware of the risks that refrigerators, thermostats and other systems pose to network security in the internet of things (IoT).

At the same time, there has been an alarming rise in the number of cyber attacks against systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of citizens. Attacks targeting critical infrastructure have provoked power outages and compromised sensitive data, as well as evoking nightmare scenarios involving operations technology (OT) environments, such as water supply systems, petrochemical plants, nuclear power plants (NPP) and transport infrastructure systems.

In response to the growing threat, many organizations have based their cyber security strategies on compliance with mandatory rules and regulations. IEC and ISO International Standards are increasingly adopted by countries at the regional and national level, either in full, without any variation, or in part, with supplementary requirements contained in national standards. This may lead to improved security, but cannot address the needs of individual organizations in a comprehensive manner.

A risk-based approach to security is more effective, especially when based on an assessment of existing, or potential, internal vulnerabilities and identified, or possible, external threats. This works best as part of a holistic, belt and braces approach that combines standards with testing and certification (conformity assessment), rather than treating them as distinct areas.

Such an approach increases the confidence of stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. A systems approach works by prioritizing and mitigating risks to an acceptable level, which requires a neutral approach that accommodates different kinds of conformity assessment — ranging from self-assessment to independent, third-party testing — according to the different levels of risk.

Horizontal standards

The most effective defences rely on both ‘horizontal’ and ‘vertical’ standards. Horizontal standards are generic and flexible, while vertical standards cater to very specific needs. Two examples stand out.

The ISO/IEC 27000 family of Standards helps to protect purely information systems (IT) and ensures the free flow of data in the virtual world. It provides a powerful, horizontal framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls.

IEC 62443, the other horizontal Standards series, is designed to keep OT systems running in the real world. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors. IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has created global certification services based on the IEC 62443 series.

Vertical standards

Complementing the horizontal standards are bespoke solutions designed to meet the needs of specific sectors. There are vertical standards covering the specific security needs of the nuclear sector, industrial communications networks, industrial automation and the maritime industry, among others. For example, IEC Subcommittee (SC) 45A: Instrumentation, control and electrical systems of nuclear facilities, is developing specific Standards for NPPs by adapting ISO/IEC 27001 and ISO/IEC 27002 to fit the nuclear context and coordinating with the IEC 62443 series.

SC 45A has developed IEC 62645Nuclear power plants — Instrumentation and control [I&C] systems — Requirements for security programmes for computer-based systems, to protect microprocessor-based information and control systems.  A second Standard, IEC 62859Nuclear power plants — Instrumentation and control systems — Requirements for coordinating safety and cyber security, provides a framework for managing the interactions between safety and cyber security.

Protecting critical infrastructure

Several other IEC technical committees (TCs) and SCs prepare International Standards that protect specific domains and keep industry and critical infrastructure assets safe. Here is a selection of them:

IEC TC 57: Power systems management and associated information exchange, develops, among many others, the IEC 61850 series of publications for communication networks and systems for power utility automation, and the IEC 60870 series for telecontrol equipment and systems.

IEC TC 65: Industrial-process measurement, control and automation, prepares publications that specify security requirements for industrial automation and control systems (IACS) in the IEC 62443 series.

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, has developed IEC 61162-450:2016. In parallel, TC 80 has developed IEC 61162-460:2018 to expand requirements when there is a need for enhanced safety and security Standards.

Audit and certification

The IEC is the only organization in the world that provides an international and standardized form of testing and certification for cyber security, which is supplied by the IECEE.

The IECEE Industrial Cyber Security Programme tests and certifies cyber security in the industrial automation sector, in accordance with the IEC 62443 series.

Increasing numbers of organizations are turning to third-party certification audits to ensure that they have a solid information security management system (ISMS) in place which conforms to ISO/IEC 27001. ISO/IEC 27006 provides the requirements that certification and registration bodies need to meet in order to offer ISO/IEC 27001 certification services. 

A secure framework

The IEC provides a framework incorporating multiple Standards covering a variety of IoT and OT technologies. More than 200 cyber security Standards enable organizations to increase their resilience and robustness in the face of a rapidly-evolving threat.

The framework integrates horizontal Standards that are suitable for all sectors, such as ISO/IEC 27000 or IEC 62443, with vertical Standards written for specific sectors. This is a systems-based approach, reflecting the interactive nature and interdependence of external and internal factors and based on the core idea that individual Standards are only really effective when they form part of a holistic strategy.

A systems-based approach is about sustainability, which is a vital component of any cyber defence strategy. Only through accurate risk assessment is it possible to strike the right balance between the level of protection and testing, and the overall cost.