The best way to make something safe is to build it that way. Remember the little pig in the fairy tale who chose bricks and mortar? His home was able to weather the worst of the big bad wolf’s huffing and puffing, unlike those of his less well-prepared siblings.
That is how, as children, we learn that minimizing risk means designing products to be secure from the foundation. Not surprisingly, the concept of security-by-design is popular in both software and hardware development.
It means making products and systems that are not only free of vulnerabilities but also subject to continuous testing during their life cycle. The thinking is that when trouble strikes, it is already too late.
“Most of the time cyber security is after the fact,” says IEC cybersecurity expert Moreno Carullo. “It’s like adding air conditioning after a building has gone up. There are constraints.”
Carullo is a key member of IEC Technical Committee 57, Working Group 15, which brings together ICS operators, SCADA engineers, security specialists and networking engineers to develop a key cybersecurity standard on behalf of the IEC.
“If you think at the very beginning, like we’re doing in Working Group 15, of all the possible pieces and all the elements that an end-to-end security system should have, the net result is that it’s more secure because you’re designing it, not reverse engineering or discovering something.”
Security-by-design can enhance the protection of new power stations and reduce the need for costly upgrades and enhancements during their operating life. It is, of course, also true that security-by-design cannot fully protect a plant from rapidly evolving cyber attacks, which may expose previously unknown vulnerabilities.
That is why TC 57 WG 15 has designed the security-by-design standard IEC 62351 to incorporate tools for pervasive and continuous monitoring.