The aim of any cyber security strategy is to protect as many assets as possible and certainly the most important assets.
Since it is not feasible, sensible or even efficient to try to protect everything in equal measure, it is important to identify what is valuable and needs the greatest protection, identify vulnerabilities, then prioritize and erect a defence-in-depth architecture that ensures business continuity.
You do not achieve resilience simply by installing secure technology. It is mostly about understanding and mitigating risks in order to apply the right protection at the appropriate points in the system.
It is vital that this process is very closely aligned with organizational goals because mitigation decisions may have a serious impact on operations. Ideally, it should be based on a systems-approach that involves stakeholders from throughout the organization.
A key concept of defence-in-depth is that security requires a set of coordinated measures. There are four essential steps in order to deal with the risk and consequences of a cyber attack:
- Understand the system, what is valuable and what needs most protection
- Understand the known threats through threat modelling and risk assessment
- Address the risks and implement protection with the help of International Standards, which are based on global best practices
- Apply the appropriate level of conformity assessment—testing and certification—against the requirements.
This is the ABC of cyber security:
- A for assessment
- B for best practices to address the risk
- C for conformity assessment for monitoring and maintenance
A risk-based systems-approach increases the confidence of all stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. This means combining the right standards with the right level of conformity assessment, rather than treating them as distinct areas.
The aim of the conformity assessment is to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This may mean using different kinds of conformity assessment—ranging from corporate self-assessment, to relying on suppliers’ declarations, to independent, third-party assessment and testing—whichever are most appropriate according to the different levels of risk.
In a world where cyber threats are becoming increasingly common, being able to apply a specific set of International Standards, combined with a dedicated and worldwide certification programme, is a proven and highly effective approach to ensuring long-term cyber resilience.
The industrial cyber security programme of the IECEE—the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components—tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to Standards within the IEC 62443 series.
Cyber security is a key strategic focus of both the IEC Standardization Management Board (SMB) and the IEC Conformity Assessment Board (CAB). They take a systems-approach to their coordination activities by involving all the IEC stakeholders. The SMB has set up an Advisory Committee on Security (ACSEC) with a scope that includes:
- Dealing with information security and data privacy matters which are not specific to a single IEC Technical Committee
- Coordinating activities related to information security and data privacy
- Providing guidance to TCs/SCs for the implementation of information security and data privacy in a general perspective and for specific sectors
The IEC CAB is working with the United Nations Economic Commission for Europe (UNECE) to create United Nations Common Regulatory Objectives Guidelines for Cybersecurity, which describe a generic process that integrates the four essential steps given above and focus on the often overlooked aspect of appropriate conformity assessment.