This is the text of a keynote speech given by the IEC General Secretary Frans Vreeswijk at the Vienna Cyber Security Week. The theme of the event was protecting critical infrastructure.
Excellencies, distinguished guests, ladies and gentlemen,
Security has always been important to protect physical, information and financial assets. But before digitalization, the majority of threats were visible and took place at clear geographical locations.
With the mass integration of cyber-physical systems, we are now facing a new set of security risks, and cyber security has become a global preoccupation. But not every cyber attack is equal.
A malicious act against a personal device may be deeply disruptive for the individual, but it normally stays contained and doesn’t directly hurt large parts of the population. However, a cyber attack on a critical infrastructure such as a power plant or a hospital can bring down the whole system and affect people’s physical well-being, and their ability to run a business or obtain basic services such as water, food or healthcare.
Cyber security is often associated with IT and often led by IT. However, it is important to remember that the primary focus of IT is to ensure that data is able to flow freely and securely in the virtual world.
On the other hand, critical infrastructure and the automated environment have security requirements that are part of the real world. They rely on operational technologies to ensure the correct execution of automated actions such as shutting down a valve to avoid the overflow of chemicals or bringing a generator online to avoid a blackout.
In the past IT and OT had fairly separate roles. Now, the integration of physical machines with networked sensors and software is blurring the line between the two. To effectively protect critical infrastructure it is necessary to put in place a holistic approach that includes both IT and OT.
Since IT teams have little experience with the physical security requirements of OT systems, a purely IT-led cyber security strategy is not appropriate for critical infrastructure systems. In cyber security there is no one-size-fits-all.
Adequate protection from cyber threats requires a strategy and concrete measures at the organizational, process and technical levels. They must include proper training of people.
A strong cyber defence also needs ongoing effort and investment in risk assessment, security processes, design and implementation as well as people training and asset management. IEC International Standards can be a useful tool in this process, because of the state-of-the-art know-how and high global consensus that is embedded in them.
Cyber attacks often spread beyond national borders. For this reason cyber security standards need to be built by specialists with the input of public and private actors from around the world. The IEC brings together 171 countries and provides a neutral and independent consensus-based platform for nearly 20 000 experts. Each member country has a single vote.
The IEC also provides answers to market needs in terms of global certification for products, systems, services and personnel in the area of cyber security. This makes it possible to protect the “crown jewels” and to erect a defence-in-depth architecture that helps shield as many core assets as possible.
Tomorrow morning you will hear more about cyber defence strategies for critical infrastructure and why IEC 62443 is to OT systems what ISO/IEC 27001 is to IT systems.
I wish you now an excellent cyber security week. Thank you for your attention.