Imagine a city the size of London thrown into chaos, as public transport grinds to a halt and traffic lights stop functioning… This is no longer only the stuff of nightmares or the scenario of a disaster movie but a real possibility that is getting more likely every day. Critical infrastructure facilities, whether power or nuclear plants, national railway and local underground systems or other forms of public transport, are increasingly targeted by cyber attacks. Sophisticated cyber weapons have been developed, including malware designed to disrupt the operation of industrial control systems. The growing use of connected devices in the industrial environment makes cyber threats more likely. According to the report Threat Landscape for Industrial Automation Systems, published by cyber security firm Kaspersky Lab, 18 000 different malware modifications to industrial automation systems were detected in the first six months of 2017.
When machines talk to each other…
Machine-to-machine communication is a set of technologies that enables networked devices to interoperate, exchange information or perform actions, often wirelessly and without the manual assistance of humans. Sensors are embedded in a growing number of devices which are utilized to automate and manage process control systems, including transmission and distribution of electricity. While they offer undeniable advantages in terms of cost and maintenance, they are also increasingly vulnerable to hacking.
Cyber security is therefore one of the key concerns for those who manage modern manufacturing plants as well as any form of critical infrastructure. One of the only ways to safeguard these facilities now and in the future is by providing standardized protection measures.
Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators themselves. Protection measures must not only address and mitigate current security vulnerabilities but also pre-empt future ones.
Facilities need to understand and mitigate risk as well as install secure technology in order to build cyber resilience. This means implementing a holistic cyber security strategy at the organization, process and technical levels. Such a strategy must include comprehensive and standardized measures, processes and technical means, as well as preparation of people. But alongside all of this, it must also offer recourse to an internationally recognized certification system.
A fundamental set of Standards for cyber security
The IEC has recently published IEC 62443-4-1-2018, the latest in a series of critical publications, establishing precise cyber security guidelines and specifications applicable to a wide range of industries and critical infrastructure environments. The IEC 62443 series recommends that security should be an integral part of the development process, with security functions already implemented in the machinery and systems.
These horizontal Standards are also used in the transport sector: a set of cyber security guidelines on board ships adopted by the International Maritime Organization (IMO) refers to IEC 62443. Shift2Rail, an initiative that brings together key European railway stakeholders, is aiming to define how different aspects of cyber security should be applied to the railway sector. It has assessed applicable standards and has selected the IEC 62443 publications. The IEC 62443 Standards are also compatible with the US National Institute of Standards and Technology (NIST) cyber security framework.
Internationally recognized certification is key