Many power stations and industrial plants are not equipped to deal with cyber security threats. A key issue, according to a recent IEC Technology Report, is that security is too often understood only in terms of IT (information technology).
Those responsible for security often overlook the operational constraints in sectors such as energy, manufacturing, healthcare or transport. The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT).
From a cyber security perspective, the challenge is that unlike business systems, industrial automation and control systems (IACS) are actually designed to facilitate ease of access from different networks. That is because industrial environments have to cope with different kinds of risk.
IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called ‘C-I-A triad’. In the world of OT, however, availability is of foremost importance.
Priorities for OT environments focus on health and safety and protecting the environment. In the event of an emergency in order to be able to protect personnel or to minimize the impacts of natural disasters, it is therefore vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.
SCADA systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, often rely on “security by obscurity”, reflecting the ingrained mindset that since no one knows or cares about their communications systems or their data, they don’t need to protect it. However, SCADA systems can now have widespread communication networks increasingly reaching directly or indirectly into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment.
The retrofitting of appropriate and effective security measures has therefore become quite difficult for these SCADA systems. In the world of IT, for example, intrusion detection and prevention systems (IDPSs), are on the frontline of defence against malware.
IDPSs are usually software applications that eavesdrop on network traffic. Depending on how they are configured, IDPSs can do everything from reporting intrusions to taking actions aimed at preventing or mitigating the impact of breaches. The challenge with SCADA systems is how to distinguish between normal data and potentially intrusive data that could cause harm.
International standards provide solutions to many of these challenges based on global best practices. For example, IEC 62443, is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.
The industrial cybersecurity programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.
Sign up to receive selected stories