Trust but verify
Industrial automation and control systems (IACS) in the energy infrastructure (e.g. SCADA systems) are vulnerable to cyber security incidents. Digitalization, increased integration and convergence of Information Technology and Operational Technology (IT & OT) are opening new avenues for cyber-attacks. To counter that, asset owners and operators must be confident that available countermeasures are effective and security barriers are robust. Cyber risks must be acceptable for all systems, including future, existing, and possibly obsolete systems. Securing complex installations of distributed control systems requires a holistic approach, and robust barriers must be in place from the ground up, including secure supply chains.
Major international standards, such as the ISO 27000 series for IT security, the NIST Cyber Security Framework, and the ISA/IEC 62443 family of standards for OT, are evolving and gaining acceptance. The ISA Security Compliance Institute, an operational group within ISA, set out to provide certification for IACS components and systems, as well as for product development organizations, on the basis of IEC 62443 and its relevant parts.
Several publications in the past few years have addressed how to apply the IEC 62443 standard in a practical way. DNV has also created recommended practices that define practical approaches, developed with the involvement of major asset owners, automation vendors and regulatory authorities.
There is still a need, however, to improve existing practices and develop new ones to secure the supply chain for large-scale OT deployments and retrofits, including handover practices between suppliers and asset owners. Our aim is therefore to help improve the technical requirements and internal cyber security standards employed by asset owners, increasing trust in supplier products while strengthening verification regimes. We combine the expertise of functional safety experts, for instance those proficient in IEC 61508, with cyber security subject matter expertise gained from numerous vulnerability assessments and penetration tests in critical infrastructure.
This approach starts with assessing the gaps between a company’s OT security requirements and the leading standards and best practices. It continues by defining the applicable baseline requirements and certifications, focusing on the additional measures needed to cover the company’s individual OT cyber security needs.
Once the baseline and the additional measures needed to achieve the desired level of security, including supply chain security and handover procedures, are defined, companies are in a position to assess the cyber-readiness of their suppliers and vendors. This measure of cyber-readiness, or maturity, should typically cover multiple properties: software development processes, cyber and physical security of manufacturing sites, storage areas, shipment channels, subcontractor practices, on-site deployment practices, procedures for handover to operation, and vendor support in the operational phase, including patching and incident response services.
Importantly, assessors and verifiers should work together with asset owners and suppliers to identify gaps, follow up on their closure, and ultimately ensure vendor cyber-readiness and supply chain robustness for industrial control systems.
Author:
Mate J. Csorba PhD - Global Service Line Leader, Security Architecture & Verification