Regulations and standards – security considerations

From: Control Engineering Europe

While cyber security for industrial automation and control systems suffers from a lack of solid data on incidents and attacks, there is common agreement that more needs to be done. The picture is made fuzzier by the array of regulations, legislations, directives and guidelines that are being worked on. Paul Gogarty, cyber security, Oil & Gas, ABB UK tries to make things clearer.

Standards and guidelines for industrial automation and control systems (IACS) security provide a degree of assurance that security practices will be maintained. However, an ongoing assurance process is necessary to ensure that the standards reflect the latest threats and that compliance is maintained.

Control system manufacturers today base their cyber-security recommendations and service offerings on internationally recognised principles and best practices. Because control systems are used in many different industries, vendors need to familiarise themselves with the wide variety of standards, regulations and guidelines that have emerged for each specific industry. Only then can vendors design security into their products, systems and services in a way that matches the standards of that customer's industry.

As such, the standards landscape is a challenge for vendors. Whereas customers often have one standard with which they must comply, a vendor has many customers in many sectors and must understand all of the standards that those customers must meet.

While cyber-security is a relatively new discipline, a number of key industry standards, covering both IT security in general and mission-critical industrial automation systems, have emerged at the national and international levels, with a welcome trend towards convergence.

Regulations are the key element driving some market segments and help define vendor programmes. In the utility industry, for example, NERC CIP has become mandatory and this is the one to which ABB, for instance, is giving much attention. However, in the chemical, oil and gas sector there are yet more standards. In particular, ISA 99 is commonly quoted, and this standard is also being adopted as IEC 62443. Those involved with government infrastructure projects often find themselves having to comply with NIST 800-53.

Legislative standards or best practice. It is worth noting the difference between legislative standards and best practice standards. ISA99/IEC 62443, for example, is a best practice standard. It recommends best practice for cyber security, and it is up to an individual organisation to decide to what extent it follows or implements these guidelines.

NERC CIP, by contrast, is a legal requirement for domestic electricity suppliers within the United States. Operators must comply with the cyber security measures described in these rules and regulations or face fines and possibly have their licence to generate electricity in the US revoked.
