When we look at some of the challenges that are facing control systems, we also have to think about what forces are influencing how asset owners adopt cybersecurity. We'll talk about four of those main drivers that play a role in cybersecurity implementation.
National Standards and Regulation
The first is national standards and regulation. This is specific government requirements in different regions different countries. This can vary quite a bit depending on the region. For example, in the UK, the Health and Safety Executive is driving cybersecurity implementation for critical infrastructure. They are conducting audits and helping build remediation plans as we speak. They make sure that companies have conduct cybersecurity risk assessments with the potential for fines or regulatory action if those steps aren't being taken in an acceptable time frame.
It's certainly not just the UK. For the European Union the NIS2 Directive has been recently updated. That's having a major impact on how cybersecurity is being implemented in Australia. The Security of Critical Infrastructure Act is having a major impact on critical infrastructure targets there. In the US. we've got some industry specific regulations looking at the TSA security directives that have come out in recent years. For each country, there are different standards and regulations that really have to be looked at and understood that may play a role on how that company chooses to implement cybersecurity.
Insurance Requirements
Next we can look at the potential insurance requirements. This is something that we're seeing particularly in the United States. Cybersecurity insurance has become really an increasingly hot topic, both in terms of organizations looking to get coverage as well as trying to understanding what it is that has to be in place in order for an organization to get a policy. The insurers are coming in and auditing to make a determination of whether or not a company can be given a policy because they're trying to understand their risk. If they give a policy that covers for a ransomware attack, for example, and the site is not well protected, their chances of experiencing a ransomware attack are pretty high each year. That's going to be a bad return for the insurance company. They have very specific questions, very specific things that they're looking for when making that decision to offer a policy or not. We've even seen some instances where the insurer may ask a company to fill out a survey or provide information about their current protections. If the person filling out the survey isn't familiar with what the questions they are asking, doesn't know how well those controls are being implemented for their site, it's actually possible that the policy may be voided.
Industry Standards
The next one that we can look at industry standards or our international guidelines that provide some recommendations and best practices on how to implement cyber security. The IEC 62443 standard is really what we're seeing being broadly adopted in many different regions and many different industries. This gives that defensible set of best practices that identifies requirements for different stakeholders in the industrial cybersecurity space. It can also be used to really build out a full cybersecurity lifecycle.
Certainly, that's not the only standard that's being looked at. There are a number of other best practices, such as the NIST cybersecurity framework or NIST 882 that are also playing a role in shaping this. But really for industrial systems, we're seeing 62443 really be the gold standard. In addition to the cybersecurity standards, it's also important to realize that cybersecurity is being highlighted in safety standards as well. The 2016 release of the IEC 61511 standard included specific requirements around doing cybersecurity risk assessments for the SIS and connected systems. If a manufacturer is providing a configurable component that's going to be used in a 61511 safety system, there are now specific requirements to doing a cybersecurity risk assessment as part of that. We're also seeing other industries follow suit. So it's not just the process safety industry, but newer updates to machine safety standards as well as updates to the machinery directive.
Stakeholder Expectations
Lastly, we’ll look at the stakeholder expectations. This is something where it's not just external drivers that are shaping how companies look at this, but also the individuals within that organization. Even a question as simple as “who really has ownership of a cybersecurity risk?” can lead to some very interesting conversations. Is that the ultimate responsibility of a chief information officer or a chief information security officer? Or is it something that's really owned by the plant manager or the engineering manager? As you look at all of the different roles who are involved in cybersecurity, it's important to understand what your specific responsibilities might be or what role your organization is expecting you to take there.
This is particularly important when we think about the potential for significant downtime or safety impact from an attack on industrial control systems. If you're a process safety engineer who's counting on an SIS to work and that SIS is compromised, what sort of responsibility do you have to? Ask those questions and make sure that that system is designed properly for your control system that you're responsible for. What are you doing to really make sure that the risk is managed? That's something that has to be thought about from the individual stakeholders as well because all of those will drive the way in which companies look at and approach their facility risk management.
Related Items
Implementing IEC 62443 - A Pragmatic Approach to Cybersecurity Book
Tagged as: Patrick O'Brien NIST iec62443 cybersecurity