Critical challenges in enhancing digital resilience of cyber physical systems
•Download as PPTX, PDF•
2 likes•511 views
The document discusses several challenges around ensuring cybersecurity and resilience of critical infrastructure systems. As infrastructure becomes more digitally connected and complex, it faces increased cyber vulnerabilities. Regulators need to provide clear requirements and assign accountability, while utilities must accept responsibility and make necessary investments to update their infrastructure. International standards like those from the IEC provide common platforms to encourage cooperation on these issues. The goal is to implement a "defense-in-depth" architecture using standards and frameworks like ISO/IEC 27000 series and IEC 62443 for industrial control systems.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Critical challenges in enhancing digital resilience of cyber physical systems
Similar to Critical challenges in enhancing digital resilience of cyber physical systems (20)
More from International Electrotechnical Commission (IEC)
More from International Electrotechnical Commission (IEC) (8)
Recently uploaded
Recently uploaded (20)
Critical challenges in enhancing digital resilience of cyber physical systems
- 2. Critical challenges • Digital risks to critical infrastructure? • How to enhance digital resilience? • Who is responsible for what? • How to verify proper implementation of regulations?
- 3. Example: energy Complexity is increasing: + More interconnection + More information exchange + Higher reliability, increased control + Better interoperability - Increased cyber vulnerabilities
- 4. Roles and challenges Regulators: • Raise cyber security awareness, assign accountability, provide clear requirements Utilities: • Accept responsibility, update infrastructure, commit necessary investment
- 5. Protecting cyber physical systems Virtual world Data Identify, correct, protect from constant attacks Large surface for attacks Physical world Ensure physical function - reliability, time and time again - either/or Narrow surface for attacks ICT OT
- 6. Global risks, global approach Prefer common platforms that encourage cooperation and avoid island solutions IEC Standards: • Global reach – 171 countries • Members = countries not companies • Built-in high consensus value • Neutral, independent Provide input to standardization
- 7. Three axes of cyber security Credit: Schneider Electric
- 8. ISO/IEC 27001/2 key clauses = Unique Domains
- 9. Build to International Standards Credit: Schneider Electric IEC: 235 OT and ICT security related publications IEC CA Systems also active in cyber security – helps regulators verify implementation
- 10. Real-time visibility of threats Credit: Schneider Electric
- 12. • IECEE solutions for the cyber physical world • IEC 62443 series for Industrial Automation and Control Systems (IACS) builds on established Standards - e.g., ISO/IEC 27000 series • “Defense-in-depth” architecture is the goal IEC Security Infrastructure Solution (SIS) – Cyber security
- 13. Most successful strategies : • Site security evaluation • Prioritization of “crown jewels” • Risk assessment, layer of protection analysis, security assurance levels • Exercise alert/detection systems and personnel • Disaster recovery • Continuously re-evaluate and strengthen Defense-in-depth
Editor's Notes
- Among the most critical challenges is the security of connected cyber physical systems. Very often little or no attention is paid at the design stage to ensure that connected objects are secure against malicious attacks. The exploitation of cyber vulnerabilities of infrastructure systems is becoming an increasing threat to business and society’s overall security. Let me explain the unique way in which the IEC helps improve cyber security with the example of energy.
- Over the past decade, energy systems have become more interconnected and provide more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been increasingly achieved by deploying products and solutions based on open standards such as the IEC 61850 series which covers communication networks and systems for power utility automation and IEC 61970 the Common Information Model (CIM) for information exchange for energy management systems, SCADA, planning and optimization. However, this change in technologies has also exposed utilities to increased cyber security threats.
- Utilities are under huge pressure to update infrastructure but also to reduce cost and increase profitability. The role of regulators should be to create awareness at the management level by making top management accountable for cyber security outcomes and by providing clear requirements.
- Big data opens many new market opportunities but it also generates new risks. To protect cyber physical systems effectively it is necessary to have an ICT and an OT approach. While IT has to safeguard every layer of the system, continuously correcting any possible weakness, OT is about keeping systems functioning as intended, on or off. Today, cyber security is generally led by an IT approach. Information and communication technology has lots of moving parts with many variants. Gateways are everywhere and offer a large surface for potential attacks. IT is responsible for safeguarding every layer, constantly identifying and correcting every possible weakness. The primary focus is about data and its ability to flow securely in a virtual world. However, given the operational constraints in energy generation and distribution, both an ICT and an OT approach to cyber security is needed. This is also true in many other critical infrastructure systems. Operational technology systems are engineered for specific actions in the physical world. The primary security focus in OT is about ensuring control over physical outcomes. OT cyber security is a key strength of the IEC.
- It is important that cyber security standards go beyond the country level and are built by specialists with the input of regulators and industry. Regulators need to offer common platforms that encourage broad cooperation, interoperability and avoid island solutions. IEC standards can be a useful tool to design and enforce regulation, because of the high consensus value that is embedded in them. IEC members are countries, not individual companies. IEC governance ensures a neutral and independent platform. However, if regulators want to benefit from standardization they need to get involved at least in the inception of new topics to be standardized and the management of portfolios of standards. Cyber-attacks often spread globally. For this reason cyber security standards need to be built by specialists with the input of regulators and industry from around the world. IEC Standards together with conformity assessment can be useful tools to design and enforce cyber security, because of the high consensus value that is embedded in them.
- A concerted effort in international standardization and regulation offers many advantages. However, standards alone will not bring the appropriate level of security or result in an “achieved cyber-secure state”. Mitigating risk and anticipating attack vulnerabilities on utility grids and systems are not just about installing secure technology, but equally about understanding and managing risk. Adequate protection from cyber threats requires a cyber security strategy at the organization, process and technical levels. Those must include a comprehensive set of measures, processes and technical means as well as proper preparation of people. A strong cyber defence also needs an ongoing effort and recurring investment in risk assessment, cyber security processes, design and implementation as well as people and asset management. Cyber security has to be worked out in layers.
- Ideally risk assessment and security policy and processes should be led by the ISO/IEC 27000 series of International Standards on IT Security Techniques which provides best practice recommendations in this area.
- To ensure high quality and dependable cyber security functionality in heterogeneous installations, preference should be given to technology that is based on International Standards. The IEC has issued 235 OT and IT security related publications. Some 160 have been developed in cooperation with ISO, including the IEC/ISO 27000 family of Standards. The IEC CA Systems are also active in this area and can help policy makers verify implementation of cyber security regulations.
- For example, state of the art cyber security products based on International Standards provide utilities with real-time visibility of security-relevant user activity within their systems and help secure power system-specific communication protocols. IEC 62351 helps ensure that users only receive the permissions they need to perform their duties according to the principle of fewest privileges. The Standard includes a list of pre-defined roles with pre-defined rights. It helps protect access, informs user authentication and establishes security logs contributing to secure communications.
- Nuclear power plants are still another ball game in terms of security. The primary systems that control the reactor and the secondary systems that control the power generation equipment have often been built years ago. They are isolated from each other and most are based on analogue equipment that is not connected to a network and therefore overall less susceptible to cyber-attacks. However, more recently these systems are being retrofitted with digital equipment and as a result cyber security considerations are moving to the forefront. Since 1970, the IEC works closely with the International Atomic Energy Agency (IAEA). In 2014, this collaboration resulted in IEC 62645, which directly addresses requirements for cyber security in nuclear power plants. It takes into account the principles and basic safety aspects as well as terminology and definitions applied by the IAEA. While IEC 62645 applies some of the high-level principles and concepts of ISO/IEC 27000 it tailors them to fit the nuclear context. In particular, it defines adequate measures for the prevention, detection and reaction to malicious cyber-attacks on computer based systems in nuclear power plants. The Standard is intended to be used by nuclear power plant designers, operators, systems evaluators, vendors, subcontractors and licensors.
- The IEC is currently also exploring market needs in terms of global certification for products, systems, services and personnel in the area of cyber security. In this context, the IEC, through IECEE is already offering verification solutions to protect the cyber physical world. The IECEE Conformity Assessment Scheme, commonly called the CB Scheme, now includes a programme, which provides certification to select Standards within the IEC 62443 series, including ISO/IEC 27000. The aim is to put in place a business-continuity-security-system that helps protect as many assets as possible. However, since it is impossible to protect everything equally, it is necessary to prioritize the “crown jewels”, to erect the defense-in-depth architecture that provides the best solution to ensure business continuity. IEC 62443 is an important tool in the deployment of this strategy.
- An efficient defense-in-depth strategy that is future proof needs to address the following: Site security practices and policies Prioritization of assets that require first line defense Risk assessment of current level of protection Development of protection strategy, including reason why and who is responsible Regular testing and verification of readiness of security alert and detection systems, including all relevant responding personnel Establishment and testing of disaster recovery measures, including backup retrieval and system re-initialization Continuous evaluation and improvements of protection layers
- Last but not least, IEC work is not limited to energy. We also cover a wide array of other areas, including medical, transportation, for example railways, maritime, automotive, manufacturing, finance, home entertainment and smart devices.