How to mitigate cyber threats

Latest publication in a critical series of cyber security International Standards

IEC Technical Committee (TC) 65: Industrial process measurement, control and automation, has recently published IEC 62443-4-1 on the life-cycle requirements for secure product development in industrial automation and control systems. The publication is the latest in the IEC 62443 series of Standards, a comprehensive set of guidelines that can be implemented in any professional environment, including those covering critical infrastructure, such as power plants or transport networks. These Standards are also increasingly used in the medical sector to protect patient data.

The IEC 62443 series helps to protect critical infrastructure such as power plants, avoiding the risk of massive electricity cuts (Photo: Wikicommons David Tribble)

Protecting critical infrastructure

The IEC 62443 series recommends that security should be an integral part of the development process, incorporating security functions in the equipment and systems from the outset. These transversal Standards establish efficient security processes and procedures that cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators. They address and mitigate current security vulnerabilities as well as pre-empt future ones.

Shift2Rail is an initiative that brings together key European railway stakeholders. It aims to define how different aspects of cyber security should be applied to the railway sector. In the course of its research, it has assessed the applicable standards and has selected the IEC 62443 publications. The IEC 62443 Standards are also compatible with the US National Institute of Standards and Technology (NIST) cyber security framework.

IEC 62443-4-1 provides guidance on how to develop the cyber security management systems (CSMS) for industrial automation control systems (IACS). According to IEC TC 65 Secretary Rudy Belliardi: “Cyber security is a large challenge which needs to address the entire set of IACS as well as the policies, procedures, practices and personnel that surround and utilize those IACS. Implementing such a wide-ranging management system may require a cultural change within the organization”.

The Standard defines a secure development life-cycle for products and systems. It includes security requirement definitions, secure design and implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life criteria. Applying such a framework is intended to provide the confidence that the product or system has a level of security commensurate with the degree of risk throughout its life-cycle.

Attack is sometimes the best form of defence

A key concept used throughout the publication is threat modelling. Among other things, this will help to identify potential attack vectors, including attacks on the hardware, and how to mitigate them. The threat model is expected to be reviewed periodically (at least once a year).

One of the ways to mitigate threats is by incorporating a layered defence strategy (also called defence in depth) into the design of the product or system. Each layer provides an additional defence mechanism that both takes responsibility for protecting the next layer and reduces the risk of an attack reaching it. Each layer assumes that the layer in front of it can be compromised.

Penetration testing is used to check this layered defence strategy by defeating multiple aspects of it, for instance bypassing authentication and compromising confidentiality by breaking encryption. The idea is to act like an attacker and identify the chained vulnerabilities in the product or system. The supplier can then decide to address them by changing the design, adding security requirements or even removing features.

A holistic approach to conformity assessment

The IEC 62443 Standards also have their own certification programme. The IEC is the only organization in the world to provide an international and standardized form of certification which deals with cyber security. It is supplied by IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components. The IECEE Industrial Cyber Security Programme tests and certifies cyber security in the industrial automation sector.

The IEC Conformity Assessment Board (CAB) has also set up Working Group 17, to investigate the need for and timeframe of global certification schemes for products, services, personnel and integrated systems in the area of cyber security. “Achieving cyber protection in a cost-effective manner results from applying the right protection at the appropriate points in the system to limit the risk and the consequences of a cyber attack. This means modelling the system, conducting a risk analysis, choosing the right security requirements which are part of IEC Standards, and applying the appropriate level of conformity assessment against the requirements, according to the risk analysis. We need to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This holistic approach to conformity assessment is indispensable to protect facilities, especially critical infrastructure, from cyber crime”, explains CAB secretary David Hanlon.