Generally speaking, a supply chain is the journey that products and services make from supplier to customer. It is a system that encompasses organizations, people, activities, information and resources. Supply chains are especially vulnerable because of their complex interactions with plant operations, employees, customers and shippers, among others. It can be difficult to know, let alone control, the security procedures that are in use along the chain.
Another issue identified by a US Department of Defense report is that security in the manufacturing industry tends to focus on cloud services, data management and other types of information technology (IT), while overlooking security of the supply chain, much of which runs on operational technology (OT). The Pentagon’s primary concern is of course the American defence industry, but the issues covered in the report apply to all industrial sectors and critical infrastructure worldwide.
The crux of the problem identified in the 146-page publication is that cyber security programmes are too often IT-led. In reality, the operational constraints in industry sectors such as manufacturing, as well as in others including energy, healthcare and transport, mean that the approach employed in terms of cyber security also needs to safeguard OT.
The primary focus of IT is data and its ability to flow freely and securely. It exists in the virtual world, where data is stored, retrieved, transmitted and manipulated. IT is fluid and has many moving parts and gateways, rendering it vulnerable to, and offering a large basis for a wide variety of constantly evolving attacks. Defending against attacks is about safeguarding every layer as well as continuously identifying and correcting weaknesses so as to keep data flowing.
OT, in contrast, belongs to the physical world. While IT has to safeguard every layer of the system, OT is about maintaining control of systems: on or off, closed or open. OT ensures the correct execution of all actions. Everything in OT is geared to the physical movement and control of devices and processes to keep systems working as intended, with a primary focus on security and increased efficiency. For example, OT helps ensure that a generator comes online when there is an increase in electricity demand or that an overflow valve opens when a chemical tank is full, so as to avoid hazardous substances spilling.
In the past IT and OT had separate roles. OT teams were used to working with closed systems that relied heavily on physical security mechanisms to ensure integrity. With the emergence of the industrial internet of things (IIoT) and the integration of physical machines with networked sensors and software, the lines between the two are blurring. As more and more objects connect, communicate and interact with each other, there has been a surge in the number of endpoints and of potential ways for cyber criminals to gain access to networks and infrastructure systems.
This brings us back to supply chains, where it seems likely that the vast majority of cyber breaches originate. Again, there are important differences between IT and OT.
The IT supply chain is defined as consisting of “a set of organizations with linked sets of resources and processes, each of which acts as an acquirer, supplier, or both to form successive supplier relationships established upon placement of a purchase order, agreement, or other formal sourcing agreement”.
A definition of supply chain for smart manufacturing plants would encompass not only IT but also the OT supply chain. This includes people (developers, suppliers, vendors and staff working on OT) and processes as well as products: components and systems central to OT, such as industrial automation and control systems (IACS), and, increasingly, internet of things (IoT) elements.
When it comes to protecting the supply chain, installing secure technology is of crucial importance. Legacy technology is an acute problem, especially when compromised devices become gateways into industrial control or supervisory control and data acquisition (SCADA) systems. Researchers recently used a fax line to access network devices connected to an all-in-one printer.
Secure technology only represents part of the challenge; on its own it will not ensure resilience. The safest approach involves understanding and mitigating risks in order to apply the right protection at the appropriate points in the system. This applies to both IT and OT.
It is vital that this process is very closely aligned with organizational goals because mitigation decisions may have a serious impact on operations. Ideally, the process would be based on a systems approach that involves stakeholders from throughout the organization.
Once an organization has understood the system and identified what is valuable and needs most protection, there are three steps to take in order to deal with the risk and consequences of a cyber attack:
A risk-based systems approach increases the confidence of all stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the right measures efficiently and effectively.
The IEC has developed many Standards to protect industrial and critical infrastructure assets, including broad Standards that apply to many different situations and specialized Standards, for instance, for nuclear power plants or healthcare. At the same time, the IEC also works on conformity assessment (CA) and global certification schemes through Working Groups (WGs) set up by its Conformity Assessment Board (CAB) and by the Certification Management Committee (CMC) of IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components.
In addition to the ISO/IEC 27000 family of Standards for IT service management and the IEC 62443 series of horizontal publications for industrial communication networks and IACS, a number of IEC technical committees (TCs) and subcommittees (SCs) have developed Standards, Technical Specifications (TSs) and Requirements for specific sectors.
IEC CAB has set up WG 17 to investigate market needs and a timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. However, it excludes the scope of industrial automation applications covered by IECEE CMC WG 31. CAB WG 17 also communicates to other industry sectors the generic cyber security approach taken by IECEE CMC WG 31 and how this may apply to those other sectors.
The main task of IECEE CMC WG 31 is to “make a unique approach for CA to the IEC 62443 series”. To this end, it has prepared OD-2061, a guidance Operational Document published in June 2018, to describe how the conformity assessment can be handled and applied to certain Standards in the IEC 62443 series.
OD-2061 also explains under which conditions IECEE Cyber Certificates of Conformity – Industrial Cyber Security Capability – can be delivered. They are valid only when “signed by an approved Certification Body (CB) Testing Laboratory and appended to a Certificate issued by a National CB (NCB)”.
Currently these certificates are defined for the following assessments, each applying to one or more Standards in the IEC 62443 series:
Together with IEC cyber-related security Standards, the recent introduction of comprehensive CA certification schemes should ensure that systems which rely on industrial communication networks and IACS, including supply chains, are better protected against cyber threats.