Sharing Cybersecurity Guidance Across Sectors

By Eric C. Cosman, ARC Advisory Group

Republished with permission from ARCWeb

Overview

While the need to improve the cybersecurity of industrial control systems, both hardware and software, has been recognized for decades, it has only been widely acknowledged since about 2001. The use of commercial off-the-shelf (COTS) technology in industrial applications has steadily eroded the traditional assumption of "security by obscurity."

The response to this imperative has evolved in several stages. Increasing awareness initially led to compensating measures. This in turn led to the definition of security requirements for new and existing systems and to the creation of normative and regulatory standards. Many of the early standards (e.g., NERC CIP) addressed specific industry sectors, such as energy and other areas of critical infrastructure.

More recently, there has been growing acceptance of the fact that the various sectors that employ industrial control systems have many requirements in common when it comes to cybersecurity. This has led to efforts to apply and adapt standards developed for one sector or industry to others. ARC Advisory Group expects this trend to continue as industry groups, suppliers, and asset owners seek to streamline their response. This begins with accepting basic information security practices as a foundation and then extending and adapting them to suit industrial applications.

Standards, Practices and Guidelines

A lack of proven and effective standards for cybersecurity in industrial systems is no longer the main issue, although improvements will always be needed. Several standards development organizations (e.g., ISA, IEC, ISO) and other bodies have addressed the subject quite effectively. Many stakeholders have also come to realize that more standards are not necessarily the best answer. Andrew Tanenbaum of the Vrije Universiteit Amsterdam is often quoted on this point: "The nice thing about standards is that you have so many to choose from."

To varying degrees, currently available standards and practices such as ISO 27001, IEC 62443, NERC CIP, the NIST Cybersecurity Framework, and the NIST Special Publications SP 800-53 and SP 800-82 address the people, process, and technology elements of an effective response. Some place more emphasis on people and processes, while others focus more on technology. To be most effective, standards must be based on well-established principles and concepts. These, in turn, provide a consistent basis for effective practices, programs, testing, and certification of products and systems.

Standards can take various forms. Some state only the normative or essential requirements. Others provide a considerable amount of supporting rationale and elaboration of the requirements. Risk assessment is an important basic concept. It includes the identification and analysis of threats, vulnerabilities, and possible consequences. As several recent incidents have shown, threats and vulnerabilities cut across industries. Threats such as ransomware can affect virtually any business or organization, regardless of industry or sector. Direct or indirect attacks on industrial control systems can affect any business that uses equipment or systems that share a common vulnerability.


As industry evolves and the available standards and practices improve, it is important not to be too prescriptive. Asset owners must have some freedom to calibrate their response to the potential consequences, since these risk elements can vary from sector to sector.

Reality for the Asset Owner

Assuming that the above is accurate and representative, one may wonder why we do not see more evidence of wider adoption and of risk being reduced. There are several possible explanations.

First, we must consider that adoption may be more common than is reported. If an asset owner sees no specific benefit in publicizing its response, it may not want to share the details, since doing so could make it a target.

However, anecdotal reports suggest that wider adoption requires overcoming several obstacles. Many people consider cybersecurity an obscure subject, and the established standards can be quite complex and intimidating to those unfamiliar with it. Many asset owners may not have internal resources with the knowledge or expertise to fully understand the available guidance and to select the parts most relevant to their situation.

For this reason, standards are only the starting point. Asset owners need practical guidance and instructions based on, or derived from, real-world examples. These can take the form of detailed case studies or of shorter, more specific use cases.

Case Studies

Case studies tend to be somewhat broader in application. They may describe several elements of the response. At a minimum, a well-designed case study should address:

  • Intent – Defines what the asset owner seeks to achieve, typically in terms of the consequences that should be avoided or prevented.
  • Terminology – This is an important element. Since security-related terminology can be complex and even arcane, it is important that the case study interpret or restate the terminology in a context appropriate to the situation.
  • Scope – As with terminology, it is important to define scope in the particular context. Successful application in one sector (e.g., energy) may or may not transfer directly to another.
  • Roles and Responsibilities – This is another essential element that must be considered in context. For example, in an industrial environment we may speak of the responsibilities of control engineers and plant operators, while transportation-related roles may include designers, maintenance personnel, and operators.
  • Possible Consequences – This may be the most industry- or sector-specific element. While a consequence such as the release of hazardous material may be the most serious in the process industries, other sectors may regard equipment damage or compromised product quality as the most serious consequence.

Use Cases

Compared to case studies, use cases tend to be shorter and more specific, illustrating a particular aspect of the response. Examples include risk assessment and patch management. It is customary to describe these in terms of what is done by those filling one or more roles (i.e., "actors").

Practices or profiles

Guidance may also be provided in the form of recommended practices or profiles for a given sector or group of asset owners (standards development organizations often use the term "profile").

Case studies, use cases, practices, and profiles are all effective tools for sharing experience. Asset owners usually find these and similar documents the most useful, since they provide information in a practical form.

Such documents may use more prescriptive language, since they are intended for a narrower context than the broader standards.

For asset owners, this type of document is usually more useful because it states directly what needs to be done and by whom, without unnecessarily elaborating on the rationale. That supporting information remains available in the underlying standards when it is needed. For such documents, it is also important to describe the implications of the various choices that may be available for the level of response required.


Potential value

Given the above, there is significant potential value in exchanging information across sectors and industries. It is important that we find ways to identify and capture that value so that everyone involved benefits.

Fortunately, some early indicators suggest that this value is achievable. Normative standards originally developed for typical process industry applications have been successfully applied in other environments.

Parts of the transportation sector have adapted standards in the IEC 62443 series to their environment. Building automation industry associations have expressed a similar interest in discussions with the ISA Security Compliance Institute (ISCI), which is responsible for the ISASecure conformance specifications. Each of these sectors has much in common with the other sectors in which industrial control systems are used.

Further afield, the Medical Device Innovation, Safety and Security Consortium (MDISS) has shown that the same standards can be applied to medical devices and systems. This begins with interpreting the terminology and concepts and identifying the specific implications for the various key roles.

These examples show the value that can be derived from the cross-sector exchange of standards and practices, and this is easiest when sector experts are involved in the process. Asset owners in other critical infrastructure sectors can benefit from similar adaptations. Where industry-specific standards already exist (e.g., NERC CIP for energy), it makes sense to map them to international standards such as IEC 62443 and ISO 27001. This mapping should be easier within the structure of the NIST Cybersecurity Framework, whose informative references already point to several of these standards.

Acceptance of this kind of cross-industry sharing and collaboration allows asset owners and other stakeholders to leverage their resources to improve their own programs. Suppliers also benefit, because they gain a broader and more consistent view of what is required for the secure implementation and operation of their products.


Recommendations

Based on ARC research and analysis, we recommend the following actions for owner-operators and other users of the technology:

  • Threats and Vulnerabilities – It is not enough to know these risk elements, or to understand them only from a theoretical perspective. It is important to interpret them in the context of the intended application. This is only possible if those who provide profiles or guidance are familiar with that context (i.e., the industry or sector).
  • Basic Concepts and Principles – These are also important, since they form the foundation of the standards and practices. Those who want to apply these tools need to understand this foundation in order to adapt the requirements and guidance properly.
  • Similarities – Those who want to improve the security of industrial systems in different sectors may have much more in common than they realize. Instead of focusing on the features that differentiate sectors, we should focus on what is shared, such as threats and vulnerabilities.
  • Beyond the Sector – Identifying these commonalities requires those who define and develop programs to look beyond their immediate sector or industry. This can be done in a variety of ways, including attending user group meetings and similar events.
  • Observations and Results – To get the most out of the effort invested and to improve results as much as possible, asset owners and other stakeholders should capture their observations and results and take the initiative to share them with others. Each asset owner should consider developing use cases or case studies and offering them to its peers.

For more information or to provide feedback on this Insight, please contact your account manager or the author at [email protected]. ARC Insights are published and copyrighted by ARC Advisory Group. The information is proprietary to ARC and may not be reproduced without prior permission from ARC.
