Regulations and standards - security considerations

03 December 2013

While cyber security for industrial automation and control systems suffers from a lack of solid data on incidents and attacks, there is common agreement that more needs to be done. The picture is made fuzzier by the array of regulations, legislations, directives and guidelines that are being worked on. Paul Gogarty, cyber security, Oil & Gas, ABB UK tries to make things clearer.

Standards and guidelines for industrial automation and control systems (IACS) security provide a degree of assurance that security practices will be maintained. However, an ongoing assurance process is necessary to ensure that the standards reflect the latest threats and that compliance is maintained. 

Control system manufacturers today, base of their cyber-security recommendations and services offerings on internationally recognised principles and best practices. Because control systems are used in many different industries, vendors need to familiarise themselves with the wide variety of standards, regulations and guidelines that have emerged for each specific industry. Only then can the vendors design security into their products, systems and services that match the standards of that customer’s industry. 

As such, the standards landscape is a challenge for vendors. Whereas customers often have one standard to which they must comply, a vendor has many customers in many sectors and they must understand all of the standards that their customers must meet.

While cyber-security is a relatively new discipline, a number of key industry standards for both IT security in general and mission-critical industrial automation systems, have emerged at the national and international levels, with a welcome trend towards convergence. 

Regulations are the key element driving some market segments and help define vendor programs. In the utility industry, for example, NERC CIP has become mandatory and this is the one to which ABB, for instance, is giving much attention. However, in the chemical, oil and gas sector there are yet more standards. In particular, ISA 99 is commonly quoted and this standard is also being adopted as IEC 62443. Those involved with government infrastructure projects often find themselves having to comply with NIST 800-53. 

Legislative standards or best practice
It is worth noting the difference between legislative standards and best practice standards. ISA99/ IEC 62443, for example, is a best practice standard. It recommends best practice for cyber security and it is up to an individual organisation to decide as to what extent they follow or implement these guidelines. 

NERC CIP is a legal requirement for domestic electricity suppliers within the United States. Operators must comply with the cyber security measures described in these rules and regulations or face fines and possibly have their license to generate electricity in the US revoked.

There is some overlap between standards, with some being more complete and some split responsibility between vendors and systems owner. As such it can be difficult for the end-user to comply unless they work with a vendor. One such example is the standard IEC 62443 which is also the ISA 99 standard. It has several parts, some of which are applicable to the vendor and some to the users. See Chart 1.

Patch management
One of the documents within IEC 62443 is dedicated to patch management. This subject is also covered within the NERC CIP standard. Yet even companies making a serious attempt to comply with NERC are failing to keep their patches current within the stipulated 30 days. In fact, it would appear that very few plants are achieving this frequency of update, with most only managing quarterly. The patch management document within the ISA TR99.02.03 demands a similar frequency.

Ports and services
Ports and services required for the applications must be identified and only those ports and services may be enabled, according to NERC CIP-007, ISA 99.03 SR 7.6, 7.7. But how do you know what to do as a customer, if you don’t have that information provided by your vendors? Yet the standard lays the ports and services requirement firmly at the doorstep of the system owner. In reality this has some implications for the vendor too – as they have to provide the end-user with that information.

Account management
Another key area within the standards is account management. Here there is a need to clearly understand the authentication and accountability required, principle of least privilege, security audit trail, periodic review, password policies and personnel changes. For example, all standards are attempting to address the principle of least privilege. No user should have more privilege than they need to do their jobs. 

Recovery plans
Another standard looks at the recovery plans for critical cyber assets. Everybody knows that it is a good idea to back up their systems but the standards require that you have also tested those back-ups and that they will be there when you need them. 

System owners also need a documented plan for recovering that back-up, including who is responsible. Plans must be tested at least annually, including walking through a simulated loss and recovery. These plans are not limited to backing up the software but may include recording configuration settings. Backups can be made without affecting normal plant operation.

Contact Details and Archive...

Print this page | E-mail this page