Australian Prime Minister Scott Morrison has urged businesses in Australia to raise their defences as the government and essential services ward off sophisticated state-based cyber-attacks. Mr Morrison said the attacks spanned “government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.
In recent years, nation states have been turning increasingly to cyber warfare to achieve political, economic and military goals. As we are currently seeing in Australia, the attacks are not limited to government institutions; they also target private corporations to steal sensitive data that can be sold for profit.
Most businesses can defend themselves by implementing an information security management system (ISMS), as described in ISO/IEC 27001. The well-known international standard defines a cyber risk management-based approach to managing people, processes, services and technology.
Using ISO/IEC 27001 helps organizations to manage their information security risks, including threats, vulnerabilities and impacts, and to design controls that protect the confidentiality, integrity and availability of data and regulate access to critical information systems and networks.
In addition, ISO/IEC 27001 is now part of the approved process scheme that provides for the independent assessment and issuing of an international IECQ certificate of conformity for organizations that have demonstrated compliance with the relevant publications. IECQ ISMS facility assessments under the IECQ AP scheme ensure a focus on the key technical and administrative elements that provide confidence that the requirements of ISO/IEC 27001 have been met.
Industrial plants and power stations face a different challenge. According to a recent IEC Technology Report, a key issue for them is that cybersecurity is too often understood only in terms of IT (information technology).
Those responsible for security often overlook the operational constraints in sectors such as health, energy, manufacturing, or transport. The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT).
From a cybersecurity perspective, the challenge is that, unlike business systems, industrial automation and control systems (IACS) are actually designed to facilitate ease of access from different networks. That is because industrial environments have to cope with different kinds of risk.
Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance. Priorities for OT environments focus on health and safety and protecting the environment.
In the event of an emergency, in order to be able to protect personnel or to minimize the impacts of natural disasters, it is therefore vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.
SCADA systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, can now have widespread communication networks. They reach, directly or indirectly, into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment.
International standards provide solutions to many of these challenges. For example, IEC 62443 is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.
The industrial cybersecurity programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.