The new IEC publication on cyber security is an executive introduction to strategy and best practices for decision-makers. Here is a quick overview of the management structure — IEC committees, working groups and systems — not covered in the new brochure.
IEC advocates a holistic approach to building cyber resilience, incorporating people, processes and technology and combining best practices with testing and certification. The collaboration of the IEC’s Standardization Management Board (SMB) and Conformity Assessment Board (CAB) reflects the systems-based approach adopted by the organization’s technical experts towards developing short, medium and long-term strategies.
The SMB has set up an Advisory Committee on Information security and data privacy (ACSEC). Its scope includes:
- Dealing with information security and data privacy matters which are not specific to a single IEC Technical Committee (TC);
- Coordinating activities related to information security and data privacy;
- Providing guidance to TCs and subcommittees (SCs) for the implementation of information security and data privacy in a general perspective and for specific sectors.
CAB manages and supervises all IEC conformity assessment (CA) activities and represents the IEC CA community. CAB also oversees the four IEC CA Systems but delegates their management and overall operational responsibility to the management body of each CA System.
CAB has set up a working group, CAB WG 17, to investigate the market need and time frame for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. The working group collaborates with the United Nations Economic Commission for Europe (UNECE) on a project to create a Common Regulatory Objectives document focusing on cyber security.
The objective will be to describe a “world best practice process for a systems approach to conformity assessment for cyber security”, which will be a comprehensive but generic process that can be applied to any technical system.
In its analysis of and discussions with different sectors, CAB WG 17 found that there is a convergence towards two main series of Standards, IEC 62443 and the ISO/IEC 27000 family of Standards. The IEC 62443 series focuses on operational technology (OT), which is concerned with keeping cyber-physical systems operating as intended, while the ISO/IEC 27000 family of Standards focuses on information technology (IT), which is concerned about the flow and accuracy of data, data privacy, etc.
For a complete cyber security strategy both are needed, as well as some sector-specific Standards, including for example IEC 62645 for the nuclear industry or the IEC 62351 series of Standards for the electrical energy sector.
IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has developed a testing and certification programme to address the expanding need for CA solutions related to cyber security in the industrial automation sector. The rules of procedure for the IECEE industrial cyber security programme have been approved by the Certification Management Committee.
The service provides a framework for assessments in accordance with the IEC 62443 series of International Standards on security for industrial automation and control systems. This will result in an IECEE certificate of conformity – industrial cyber security capability.