Professional Documents
Culture Documents
2
Three axes of cyber security
The IEC advocates a holistic approach to in national standards. This may lead to This requires conformity assessment.
building cyber resilience, combining best improved security, but cannot address Standards and conformity assessment are
practices with testing and certification. the needs of individual organizations in a like two sides of a coin. Only together do
A holistic approach incorporates people, comprehensive manner, which can only they have value.
processes and technology: the three be achieved through a process of risk
axes of cyber security. Cyber security assessment that addresses not only external
protection technologies only really work challenges, but also internal weaknesses.
when combined with proper organization,
processes and procedures. This requires an
ongoing effort and recurring investment, not
least in the training of people.
3
Critical vs. non-critical systems
Official reports, formal studies and countless IT and OT: complementary but greater than those caused by attacks on IT
stories from trusted news media around the different systems. Protecting the automated system
world testify to the fact that cyber attacks are — of an oil refinery has a different impact from
increasing, both in level and sophistication. Attacks targeting critical infrastructure have that of the customer database of a bank. Any
Many of the attacks are against systems, provoked power outages and compromised interruption or malfunction of an OT system
facilities, technologies, networks, assets and sensitive data, as well as evoking nightmare can result in injuries, faulty goods, spills or
services essential to health, safety, security scenarios involving environments such when an electricity grid goes offline, in the
or economic well-being. as water supply systems, petrochemical shutdown of all essential services.
installations, nuclear power plants and
It is important to differentiate between transport infrastructure systems, which are In the past IT and OT had separate roles.
critical and non-critical systems and all dependent on operational technology OT teams were used to working with closed
infrastructure. Cyber attacks against home (OT) and to varying degrees, information systems that relied heavily on physical
networks and consumer devices are serious technology (IT). The primary focus of IT is security mechanisms to ensure integrity.
for those directly concerned, but not vital data and its ability to flow freely and securely. With the emergence of the industrial
to a larger population. If malicious actions It is fluid and has many moving parts and internet of things (IIoT)and the integration
target home thermostats or automated gateways, making it more vulnerable and of physical machines with networked
blinds, for example, this can be annoying offering a large surface for a greater variety sensors and software, the lines between
for users. In the worst case scenario, these of constantly evolving attacks. Defending the two are blurring. As more and more
attacks may open hidden gateways (e.g. against attacks is about safeguarding every objects are connected, communicate and
door locks), but they do not bring down layer, continuously identifying and correcting interact with each other in the internet of
critical infrastructure – entire systems that weaknesses to keep data flowing. things (IoT), there has been a surge in the
would affect a country’s ability to function number of endpoints and potential ways for
normally, such as electricity generation, cyber criminals to gain access to networks
water distribution or healthcare. On or off and infrastructure systems. Simply put,
— the convergence – the combination of two
In a world where cyber threats are becoming In manufacturing and critical infrastructure or more different technologies in a single
increasingly common, being able to apply such as electricity generation, water device or system – of the once separate
a specific set of International Standards management, transportation, or healthcare, domains has made cyber security more
combined with a dedicated and worldwide operational technologies ensure the correct technically complex.
certification programme, is a proven and execution of all actions. Everything in OT is
highly effective approach to ensuring long- geared to physically moving and controlling
term cyber resilience. A concerted effort in devices and processes to keep systems
international standardization and conformity working as intended, with a primary focus
assessment offers many advantages. on security and increased efficiency. For
Applying Standards alone will not result in example, OT helps ensure that a generator
an “achieved cyber-secure state”. comes online when there is an increase in
electricity demand, or an overflow valve
opens when a chemical tank is full, to avoid
a spill of hazardous substances. When OT
systems are under attack, the physical
effects of incidents are generally magnitudes
4
Protecting supply chains
It is thought that the vast majority of cyber each of which acts as an acquirer, supplier, OT) and processes, as well as products –
breaches may originate in supply chains. or both to form successive supplier components and systems central to OT, such
Generally speaking, a supply chain is the relationships established upon placement as industrial automation and control systems
journey that products and services make of a purchase order, agreement, or other (IACS) and increasingly, IoT elements.
from supplier to customer. A supply chain is formal sourcing agreement.” A definition of
a system that encompasses organizations, supply chain for critical infrastructure, such Industrial and critical infrastructure assets
people, activities, information and resources. as power grids, transportation systems and are most at risk, but protecting supply chains
smart manufacturing, is more complex as it is of crucial importance for all businesses
As defined in ISO/IEC 27036-1, “the IT supply comprises not only IT, but also the OT supply and enterprises. The IEC has developed
chain consists of a set of organizations with chain. This includes people (developers, Standards and conformity assessment
linked sets of resources and processes, suppliers, vendors and staff working on schemes to protect supply chains.
5
Generic and flexible: horizontal
Standards
The most effective defences rely on both contrast, IEC 62443 – an indispensable IEC 62443 is well known to cyber security
horizontal and vertical Standards. Horizontal series of Standards that establishes precise experts for adopting a layered, defence-in-
Standards are generic and flexible, while cyber security guidelines and specifications depth approach. The series is also used in
vertical Standards cater to very specific applicable to a wide range of industries the transport sector while the International
needs. and critical infrastructure environments – is Maritime Organization (IMO) refers to
designed to keep OT systems running in the IEC 62443 in a set of cyber security
The ISO/IEC 27000 family of Standards helps physical world. guidelines for ships. Shift2Rail, an initiative
to protect purely IT systems and ensures that brings together key European railway
the free flow of data in the virtual world. It The IECEE (IEC System of Conformity stakeholders, has selected IEC 62443
provides a powerful, horizontal framework Assessment Schemes for Electrotechnical for the railway sector. This series is also
for benchmarking against best practices Equipment and Components) includes a compatible with the US National Institute
in the implementation, maintenance and programme that provides certification to of Standards and Technology (NIST) cyber
continual improvement of controls. In Standards within the IEC 62443 series. security framework.
6
Custom solutions: vertical Standards
7
A framework for building resilience
The IEC provides a framework incorporating IECEE industrial cyber security programme Both the IEC Standardization Management
multiple Standards covering a variety of tests and certifies cyber security in the Board (SMB) and the Conformity Assessment
IT and OT technologies. More than 200 industrial automation sector, in accordance Board (CAB) have identified cyber security
IEC cyber security Standards enable with the IEC 62443 series. as a strategic priority. The SMB works with
organizations to increase their resilience and an advisory committee, while the CAB
robustness in the face of a rapidly-evolving Increasing numbers of organizations are relies on two working groups to coordinate
threat. The framework integrates horizontal turning to third-party certification to ensure activities related to testing and certification.
Standards that are suitable for all sectors, that they have a solid information security In addition, an IECEE committee focuses on
such as ISO/IEC 27000 or IEC 62443, management system (ISMS) in place which issues related to conformity assessment to
with vertical Standards written for specific conforms to ISO/IEC 27001. ISO/IEC 27006 the IEC 62443 series.
sectors. Furthermore, the IEC is the only provides the requirements that certification
organization in the world that provides an and registration bodies need to meet in
international and standardized approach to order to offer ISO/IEC 27001 certification
testing and certification. For cyber security services.
such services are supplied by the IECEE. The
8
© robotics.org
9
About the IEC
The IEC, headquartered in Geneva,
Switzerland, is the world’s leading publisher
of International Standards for electrical
Key figures
and electronic technologies. It is a global,
A global network of 170 countries
171
independent, not-for-profit, membership
organization (funded by membership fees that covers 99% of world population and
and sales). The IEC includes 171 countries electricity generation Members and affiliates
that represent 99% of world population and
energy generation.
20 000
to develop state-of-the-art, globally relevant to encourage developing countries to
IEC International Standards. These form participate in IEC work free of charge
the basis for testing and certification, and Experts from industry, test and research
support economic development, protecting labs, government, academia and
people and the environment. consumer groups
10
Further information
Please visit the IEC website at www.iec.ch Asia Pacific IEC Conformity Assessment
for further information. In the “About the Systems
IEC” section, you can contact your local IEC IEC-APRC − Asia-Pacific —
National Committee directly. Alternatively, Regional Centre IECEE / IECRE
please contact the IEC Central Office 2 Bukit Merah Central #15-02 c/o IEC − International Electrotechnical
in Geneva, Switzerland or the nearest Singapore 159835 Commission
IEC Regional Centre. 3 rue de Varembé
T +65 6377 5173 PO Box 131
Fax +65 6278 7573 CH-1211 Geneva 20
Global dch@iec.ch Switzerland
—
IEC − International Electrotechnical T +41 22 919 0211
Commission Latin America Fax +41 22 919 0300
Central Office secretariat@iecee.org
3 rue de Varembé IEC-LARC − Latin America secretariat@iecre.org
PO Box 131 Regional Centre www.iecee.org
CH-1211 Geneva 20 Av. Paulista, 2300 – Pilotis Floor – Cerq. www.iecre.org
Switzerland César
São Paulo - SP - CEP 01310-300
T +41 22 919 0211 Brazil IECEx / IECQ
Fax +41 22 919 0300 The Executive Centre
info@iec.ch T +55 11 2847 4672 Australia Square, Level 33
www.iec.ch as@iec.ch 264 George Street
Sydney NSW 2000
Australia
IEC Regional Offices North America
— T +61 2 4628 4690
Africa IEC-ReCNA − Regional Centre Fax +61 2 4627 5285
for North America chris.agius@iecex.com
IEC-AFRC − Africa Regional Centre 446 Main Street, 16th Floor chris.agius@iecq.org
7th Floor, Block One, Eden Square Worcester, MA 01608 www.iecex.com
Chiromo Road, Westlands USA www.iecq.org
PO Box 856
00606 Nairobi T +1 508 755 5663
Kenya Fax +1 508 755 5669
tro@iec.ch
T +254 20 367 3000 / +254 20 375 2244
M +254 73 389 7000 / +254 70 493 7806
Fax +254 20 374 0913
eod@iec.ch
fya@iec.ch
11
International
Electrotechnical
Commission
3 rue de Varembé T +41 22 919 0211
PO Box 131 info@iec.ch
Cyber security:2018-09(en)
® Registered trademark of the International Electrotechnical Commission. Copyright © IEC, Geneva, Switzerland. 2018.