Securing IT and OT supply chains with international standards and conformity assessment

During 2020, the United States government came under attack in one of the biggest security breaches ever recorded. Attackers gained access to a number of federal agencies, including the Treasury and the departments of commerce and homeland security. It is believed they also targeted the energy sector, with potentially devastating consequences.

Photo by American Public Power Association on Unsplash

The attacks have served as a powerful warning shot and the new US administration has reacted by making it a top priority to secure the power grid. A successful cyber-attack against the electric grid could bring the country to a standstill, severely disrupting critical infrastructure and services, such as traffic lights, hospitals, water systems and manufacturing. The US Energy Department has brought together industry experts to advise the government on strategies for maintaining grid resilience. One of the most pressing issues they will have to deal with is the vulnerability of the supply chain, while digital transformation and the coronavirus pandemic are adding to the complexity of the situation.

It is now known that the attackers responsible for the 2020 intrusions compromised a third-party vendor that supplies the government and corporate clients with network management software, and reached their targets through that vendor's trusted software updates. Analysts suspect the supply chain was chosen precisely to avoid detection by the US government's stronger perimeter defences. This type of attack is a growing concern. Research by the cybersecurity company BlueVoyant suggests that more than 80% of organizations have experienced a data breach as a result of security vulnerabilities in their supply chains. Already in 2018, the US Department of Defense recommended strengthening the supply chain resiliency of the US.

Understanding supply chains

Supply chains encompass organizations, people, activities, information and resources. They are especially vulnerable because of their complex interactions with plant operations, employees, customers and shippers, among others. It can be difficult to know, let alone control, the security procedures in use along the chain. From a legal standpoint, this makes life very difficult for buyers, because they inherit the security practices of their vendors into their own risk profiles. In a well-known case from a few years ago, the US retailer Target was forced to pay tens of millions of dollars in legal settlements and other costs after attackers used the network credentials of an air-conditioning contractor to reach Target's systems and steal the personal data of tens of millions of credit and debit card holders.

Utility leaders and security professionals may find it difficult to know where to begin. International standards and conformity assessment provide a framework based on best practices and the consensus views of leading experts from around the world. It is critically important, though, to choose the right ones for the risks at hand. For example, IT systems, such as those found in government agencies or company headquarters, require different solutions from cyber-physical systems, such as the electric grid, which rely on operational technology (OT).

IT vs OT

The growth of the Industrial Internet of Things (IIoT) has accelerated the convergence of the once separate domains of IT and OT. The smart grid is connected to an array of sensors and monitors that gather, analyse and communicate data with other devices and systems with the aim of improving output, quality, and consistency. The gains in efficiency come at a price, however, as increased connectivity creates a bigger attack surface for threat actors. Remote work spurred by the coronavirus pandemic is further complicating the situation by providing cyber-criminals with more weaknesses and vulnerabilities to exploit, such as unsecured or poorly secured home networks.

IT security gives roughly equal weight to protecting the confidentiality, integrity and availability of data. In contrast, the first priority for OT is availability. Cyber-physical systems must keep running, even at the price of losing data. Shutting a system down, often the first line of defence for IT, is rarely an option for OT, and in worst-case scenarios may threaten the safety of personnel or cause catastrophic damage to the environment. In the cyber-physical world, everything is geared to the physical movement and control of devices and processes to keep systems working as intended, with a primary focus on safety and efficiency. For example, OT ensures that a generator comes online when electricity demand rises, or that an overflow valve opens when a chemical tank is full, so that hazardous substances do not spill.

Protecting IT supply chains

Government agencies and most private businesses can defend themselves by implementing an information security management system (ISMS), as specified in ISO/IEC 27001. This well-known international standard defines a risk management-based approach to governing people, processes, services and technology. Another standard in the ISO/IEC 27000 family, the four-part publication ISO/IEC 27036, provides guidance on information security for supplier relationships, including the ICT supply chain.

Using ISO/IEC 27001 helps organizations manage their information security risks, including threats, vulnerabilities and impacts. It guides them in selecting and implementing controls that protect the confidentiality, integrity and availability of data and that regulate access to critical information systems and networks. In addition, ISO/IEC 27001 is now part of the IECQ Approved Process (AP) scheme, which provides for the independent assessment and issuing of an international IECQ certificate of conformity to organizations that have demonstrated compliance with the relevant publications. IECQ ISMS facility assessments under the IECQ AP scheme focus on the key technical and administrative elements that give confidence that the requirements of ISO/IEC 27001 have been met.

Protecting OT supply chains

IEC 62443 is designed to keep cyber-physical systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors, for example.

Used together, IEC 62443-2-4 (security requirements for IACS service providers), IEC 62443-3-3 (system security requirements and security levels), IEC 62443-4-1 (secure product development lifecycle requirements) and IEC 62443-4-2 (technical security requirements for IACS components) can provide an effective solution for industrial supply chains, especially when combined with the IECEE Conformity Assessment Scheme. The industrial cyber security programme of the IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components, tests and certifies cyber security in the industrial automation sector.

End-to-end security

Mitigating third-party risk means securing a business process from the inbound to the outbound supply chain, to avoid disruption and manage risk, including financial risk. In the final analysis, though, there is no sustainable way to protect all assets all the time. Organizations, whether they rely on IT or OT, must be able to identify the critical assets without which they could not function. Ensuring those assets are protected first is the best way to achieve cyber resilience. This is what international standards call a risk-based approach to cyber security.