The IEC advocates a holistic approach to building cyber resilience, combining best practices with testing and certification. A holistic approach incorporates people, processes and technology: the three axes of cyber security.
It is essential to start considering security threats during the initial design and development phase. In many instances, organizations only look at security after implementation, rather than building cyber resilience in from the beginning of the development lifecycle. The work of IEC Technical Committee (TC) 57 provides a good example of how such best practices are standardized.
IEC TC 57 has created a working group (WG 15) to make power grids secure by design. The group evaluates security requirements from a technology perspective and defines a standard way to implement them. It has identified the components a secure-by-design power system needs: end-to-end encryption of the system's communications, defined roles for every user backed by identity management, and pervasive monitoring of the system itself so that attacks and faults are detected rather than assumed absent.
Today the IEC 62351 family of standards describes the security architecture of a power system and standardizes the protection of its protocols and components. IEC 62351-1 (Introduction) gives an overview of the whole series, and IEC 62351-10 (Security architecture guidelines for TC 57 systems) is the part to read for the overall architecture and how the individual parts fit together.
Because not all risks are technology-based, it is essential that the technical staff responsible for data management have the required training, knowledge and skills. The work of the Committee on Conformity Assessment (CASCO), a joint effort by IEC and ISO, is vital to determining whether an organization meets the requirements for technical competence in this area. ISO/IEC 17024 sets out the general requirements for bodies that certify persons, while ISO/IEC 17065 covers the requirements for bodies that certify products, processes and services.
International Standards can play an important role in helping to protect brand reputations and to minimize adverse publicity by giving clients confidence in the reliability of the systems to which they have entrusted their data. Against a backdrop of sweeping regulatory change, they provide the tools for implementing robust data security management systems that deal with sensitive information efficiently and effectively.