A holistic strategy, combining best practices with testing and certification, is the best way to build cyber resilience.
A risk-based approach to cyber security is most effective when it starts from an assessment of existing or potential internal vulnerabilities and of identified or possible external threats. It works best as part of a holistic approach that combines Standards with testing and certification, also known as Conformity Assessment, rather than treating them as separate activities.
Such an approach increases the confidence of stakeholders by demonstrating not only that security measures are based on best practices, but also that the organization has implemented those measures efficiently and effectively. A systems approach prioritizes risks and mitigates them to an acceptable level. This requires a neutral approach that accommodates different kinds of Conformity Assessment, ranging from self-assessment to independent, third-party testing, matched to the different levels of risk.
Many organizations base their cyber security strategies on compliance with mandatory rules and regulations. Compliance may improve security, but on its own it cannot address the specific needs of an individual organization in a comprehensive manner.
The most robust defences rely on both ‘horizontal’ and ‘vertical’ standards. Horizontal Standards are generic and flexible; vertical standards cater to the very specific needs of a sector or technology. Two examples stand out.
The ISO/IEC 27000 family of standards protects information technology (IT) systems and the data they process and exchange. It provides a powerful, horizontal framework for benchmarking against best practices in the implementation, maintenance and continual improvement of information security controls.
IEC 62443, the other horizontal standards series, is designed to keep operational technology (OT) systems running in the physical world. It can be applied to any industrial environment, including critical infrastructure facilities such as power utilities or nuclear plants, as well as to the health and transport sectors. IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has created global certification services based on the IEC 62443 series.
Complementing the horizontal Standards are vertical standards designed to meet the needs of specific sectors. They cover, among others, the specific security needs of the nuclear sector, industrial communications networks, industrial automation and the maritime industry.
The systems approach is also about sustainability, which is a vital component of any cyber defence strategy. Only accurate risk assessment makes it possible to strike the right balance between the level of protection and testing on the one hand and their overall cost on the other.