How do you specify cyber security requirements for your industrial management systems regarding access control, software updates and monitoring?

By Jeppe Pilgaard Bjerre, FORCE Technology

Do not underestimate cyber security within industry and critical infrastructure

Cyber security is an aspect of electronic products that must be considered when making requirement specifications for new modules and installations. In the same way one sets basic functional requirements for what and how sensors and actuators are connected, cyber security requirements must also be set regarding access control, software updates and monitoring to avoid significant negative consequences.

Get an overview of which devices support which security mechanisms

As systems become more automated, there is a higher degree of digital communication between devices of different makes and types. You must have an overview and insight into which devices support which security mechanisms and set requirements for the environmental impact that a product will be subjected to in the respective environment - just as both developers and customers already do concerning thermomechanical and EMC influences.

Uniform methods to aid and maintain cybersecurity

For example, to assess whether a product can be reliably used in an industrial installation, you must check whether it meets the ISO/IEC61000-6-2 standard. You can use the same approach to assess cyber security.

Cyber security standards such as ISO/IEC62443 or UL2900 apply to industrial systems. These standards set specific requirements about the risk management mechanisms that must be present in a product. For example, it may be a requirement that the product must not be able to be put into operation if it has been set up with an admin/password as login or requirements for user control so that ordinary users cannot change mission-critical parameters.

Cybersikkerhed industrielle sikkerhedssystemer

Use standards to assess cyber security risks

Using one or more standards to set up requirements for the products contained in your installation will draw attention to any products that do not meet these requirements and is a tool to assess risks and uncover problems.

In short, it is vital to create transparency around cyber security in the products you use to find potential risks and be able to address them. For example, if you use ISO/IEC62443 as a reference, it is easy to point out to a supplier what requirements their products must meet, thereby eliminating the question of when a product is safe enough.

Having specific cyber security processes to keep products secure at all times

However, it is not enough to merely specify the functional safety mechanisms that ought to be in a product. We also need to look at how we work with the security in a product by having specific processes for how we continuously keep products secure. An example could be installing software updates from manufacturers or replacing components when a manufacturer decides to stop supporting a system.

Rely on ISO/IEC62443-2-3 to inform about new software updates

Here you can rely on ISO/IEC62443-2-3, which caters to both manufacturers and buyers of equipment. Among other things, the standard describes how to inform about new software updates and the associated implementation processes for manufacturers (development and testing) and buyers.

Have a clear communication channel for reporting cyber vulnerabilities

One important tool for developing software updates is detecting vulnerabilities in existing products. Here, it can be an advantage for manufacturers to have a clear communication channel for reporting vulnerabilities detected by people outside the company.

The communication channel can be implemented in a way where the data sent is kept encrypted. As an incentive for reporting vulnerabilities, 'bug bounties' (a form of reward) can be given to those who uncover security vulnerabilities.

Stimulate a company culture where you discuss IT security to reduce human error

A large part of the cyber security challenge is associated with the people who use and work with the underlying systems. Many cyber-attacks are due to human error, such as spear-phishing attacks where an employee gets conned by an email.

The problem with the human aspect of cyber security is that it is far more difficult to change human behavior than it is to modify the code in a piece of software. It is necessary to stimulate a company culture where IT security is discussed openly, and employees focus on suitable procedures regarding passwords, handling of internal documents, spotting phishing emails and knowing what to do if they suspect a security issue.

Use ISO27001 or IASME to deal with the human aspect of cyber security

One way of dealing with the human element of cyber security is using ISO27001 or IASME. These standards can help the company during the actual implementation and maintenance of security processes, for instance, when handling the dismissal of employees or conducting responsible risk management.

Cyber security is a shared task

To raise the security level, it is essential to understand that it is a task that must be worked on jointly - not only between the public and private sectors but also between companies.

We must warn each other about ongoing attacks and share knowledge and experiences. We cannot compete on this, as there is a societal interest in our systems being safe and secure. This is particularly true of critical infrastructure: if a power or water plant is exposed to cyber-attacks, others should be made aware of it so that they can investigate if they too are under attack.

We need to address the cyber challenges that exist in public infrastructure

The public should not be able to access all info about critical infrastructure. Yet it should still be possible to discuss challenges and issues in a confidential forum with others who face similar cyber contexts and challenges. We need to address the challenges that exist in the technology installed around hospitals, power plants and other agencies on which our society depends. In the same way that we ensure that we have backup power units and mechanisms to deal with power grid outages, we should also work to secure the digital backbones that support our communities.

We need to take care of both the management of personal data and the operational elements of the industry, e.g., SCADA systems, frequency converters and the like. Here, it is vital to draw on experiences from the IT world, as large amounts of knowledge overlap.

Contact us to find out how we can help design, test and manage cyber secure industrial security systems.