Cyber security requirements are essential to specify for your industrial management systems in terms of access control, software updates and monitoring. Here are some things to consider.

By Jeppe Pilgaard Bjerre, FORCE Technology

The importance of cyber security within industry and critical infrastructure cannot be underestimated. Whether it is a PLC at a small production plant or a control centre at a power plant, it can have major consequences if they no longer work as intended.

Similarly, cyber security is an aspect of one’s electronic products that must be looked into when making requirement specifications for new modules and installations. In the same way one sets basic functional requirements for what and how sensors and actuators are connected, cyber security requirements must also be set in terms of access control, software updates and monitoring.

As systems become more automated, there will also be a far higher degree of digital communication between devices of different makes and types. Here, it is essential that you have an overview and insight into which devices support which security mechanisms.

In short, requirements must be set for the environmental impact that a product will be subjected to in the respective environment - just as both developers and customers already do in relation to thermomechanical and EMC influences.

Uniform methods

For example, if you should assess whether a product can be reliably used in an industrial installation, you must check as to whether it meets the ISO/IEC61000-6-2 standard. The same approach can be used to check cyber security.

There are now some cyber security standards that apply to industrial systems, such as ISO/IEC62443 or UL2900. These standards set specific requirements about the risk management mechanisms that must be present in a product. For example, it may be a requirement that the product must not be able to be put into operation if it has been set up with an admin/password as login or requirements for user control so that ordinary users cannot change mission-critical parameters.
Cybersikkerhed industrielle sikkerhedssystemer

Using one or more standards to set up requirements for the products contained in your installation will thereby also draw attention to any products that do not meet these requirements, and thus any risks can be assessed, and potential problems uncovered.

In short, it is about creating transparency around cyber security in the products you use. For example, if you use ISO/IEC62443 as a reference, it is easy to point out to a supplier what requirements their products have to meet, thereby reducing the problem of when a product is ‘safe enough’.

Security processes

However, it is not enough to merely specify the functional safety mechanisms that ought to be in a product. We also need to look at how we work with the security in such products by having specific processes for how we continuously keep products secure, for example, by installing software updates from manufacturers or replacing components when a manufacturer decides to stop supporting a system. 
Here you can beneficially rely on ISO/IEC62443-2-3, which caters to both manufacturers and buyers of equipment. Among other things, the standard describes how to inform about new software updates and the associated implementation processes that are for manufacturers (development and testing) and buyers.

One of the tools that is important for the development of software updates is the detection of vulnerabilities in existing products. Here, it can be an advantage for manufacturers to have a clear communication channel for reporting vulnerabilities detected by people outside the company.

The communication channel can be implemented in such a way that the data sent is kept encrypted. As an incentive for the reporting of vulnerabilities, ‘bug bounties’ (a form of reward) can be given to those who uncover security vulnerability.

The human challenge

A large part of the cyber security challenge is associated with the people who use and work with the underlying systems. Much of the hard cyber-attacks that have occurred in recent years were due to human error. For example, the attack on the Ukrainian electricity grid in 2015 was started with a spear-phishing attack in which an employee was conned by an email.

The challenge with the human aspect is that it is far more difficult to change human behaviour than it is to modify the code in a piece of software. Therefore, it is necessary to stimulate a company culture where IT security is discussed openly and where employees focus on it in their everyday life. It can be suitable procedures regarding passwords and the handling of internal documents, and that employees can spot phishing emails and know what to do if they suspect a security issue.

One way of dealing with the human aspect may be to use ISO27001 or IASME. These standards can help the company during the actual implementation and maintenance of security processes, e.g. how to handle the dismissal of employees and how to conduct risk management in a responsible way.

Cyber security is a shared task

In order for the level of security to be raised, it is essential to understand that it is a task that must be worked on jointly - not only between the public and private sectors, but also between companies.

It is important that we warn each other about ongoing attacks and that we share our knowledge and experiences with each other. It is of no use to compete with each other on this, as there is a societal interest that the systems we are in contact with meet a reasonable minimum of security. Especially in terms of critical infrastructure: if a power plant or water plant is exposed to cyber-attacks, others should be made aware of it so that they can investigate if they too are under attack.

It is clear that there is information on critical infrastructure that the public does not need to have access to. However, here it should still be possible to discuss challenges and issues in a confidential forum with others who are in the same boat.

The role of the public

Cyber security is an issue that ought to have public focus. We simply need to address the challenges that exist in the technology that is installed around hospitals, power plants and other agencies on which our society depends. In the same way that we ensure that we have back-up power units and mechanisms to deal with power grid outages, we should also work to secure the digital sections on which our society depends.

Denmark is one of the most digitalized countries in the world, which we can be proud of, but it also means that we need a responsible culture in terms of cyber security. We need to take care of both the management of personal data and the operational elements of the industry, e.g. SCADA systems, frequency converters and the like. Here, it is important to be able to draw on experiences from the world of IT, as there are large amounts of knowledge that overlap.

It is in everyone’s interest that this topic is given focus, both from industry and the public. Cyber security is not a topic that many people think about in their daily lives, but in spite of that, a culture is being established into the population that one has to deal with.

An example of this is the green padlock that appears in the browser when the Internet connection is encrypted. When people see the padlock, they think that the Internet connection is secure and therefore, confidential information can be sent safely. But if this is not the case any longer, it must be presented to the general public. As a result, this gives rise to a discussion as to who should have the responsibility of and pay for this kind of public education. However, this is probably a discussion for the elected representatives in the Danish government.

The article has been published in Aktuel Elektronik, September 2019.