iec 62443
Recently Published Documents

Total documents: 22 (five years: 15)
H-index: 2 (five years: 1)

2021
Author(s): Syed M. Belal, MD Abdur Rahman

Abstract: If we learned anything from the year 2020, it is that we need to be more prepared for the unexpected. We need to be working to enable our business to be more resilient in the face of unexpected challenges. We strongly believe that for the industrial sector, the most effective way to enable resiliency is to ensure you have integrity in your operational technology (OT). The objective of this paper is to identify and manage the risk that arose from managing plants remotely. As a result of COVID-19, people started working and managing from home. While this needed to be done to keep businesses running, many risks were introduced as well. How to manage them effectively to reduce cyber risk to an acceptable level will be discussed. Industrial frameworks to identify security gaps, and thus risk, were considered, such as ISA-99/IEC-62443, NIST, ISO-27001, and Top CIS controls. New practices critical infrastructure followed to reduce infection rates were identified from interviews and surveys conducted by PAS, part of Hexagon, of our customers who work with critical infrastructure. These new practices were then compared to the industrial risk management framework to identify the severity of the threats. Once these were identified, mitigation plans were recommended to reduce the risk to an acceptable level. Because of this rapid shift to run the plant remotely, there was an over-provisioning of access in the early stages of the pandemic – i.e., giving more direct access to the industrial control system environment. This was not wise from a security standpoint, but the priority was to keep businesses up and running, so they were ready to take that risk. Now that some organizations have decided to continue with remote work, it is imperative to verify all remote access considers the least privileged access concept. Remote access is like a bridge that bypasses all the controls implemented. Having a remote access vulnerability will help bad actors break into the network and cause catastrophic damage. Though this paper focuses on remote access risk introduced by the COVID-19 pandemic, you can apply the findings to all remote access into critical infrastructure.


Energies, 2021, Vol 14 (21), pp. 6862
Author(s): Milan Stojkov, Nikola Dalčeković, Branko Markoski, Branko Milosavljević, Goran Sladić

The critical infrastructure is constantly under cyber and physical threats. Applying security controls without guidance or traceability can create a false sense of security. Security standards facilitate security knowledge and control best practices in a more systematic way. However, the number of standards is continually increasing. Product providers that operate in multiple geographical regions often face the obligation to comply with multiple standards simultaneously. This introduces the problem of the convenient interpretation of different standards. Thus, a comprehensive analysis of the requirements from different security standards and guidelines applicable to the smart grid has been performed to detect similarities that can be shaped into entities of the conceptual model for requirement representation. The purpose of the model—presented in a form of a Unified Modeling Language (UML) class diagram—is to give product providers a canonical way to map requirements from arbitrary standards, guidelines, and regulations and accelerate the cross-standard compliance readiness by defining priority for requirement implementation. In addition, the research showed that multiple vectors should impact the priority of the implementation of the security controls defined through the requirements: domain affiliation, the essence of the requirement, associated threats, risks, and social dependencies between actors involved in the implementation. To examine the model correctness, NISTIR 7628—de facto smart grid standard—was used to provide insights into how the model would be used for requirements implementation tracking. The structure of individual requirements was analyzed to detect the building blocks and extract relevant parts that can be mapped to the model components. Further, all requirements were classified into one of the defined domains to provide the basis for referencing similar requirements from different standards. Finally, one arbitrary requirement was used to demonstrate model usage, and depict all available information that can be provided to the users in a custom-made scenario where the need arises to have simultaneous alignment with three standards—NISTIR 7628, NIST 800-53, and IEC 62443-3-3.


2021, Vol 8(26) (1-4), pp. 3-30
Author(s): Krzysztof Liderman

The article presents the problem of teaching security topics for industrial control systems. After a concise characterization of industrial networks and systems in the introduction, the following sections briefly describe the norms and standards fundamental to this problem area (IEC 62443 and the CIS Critical Security Controls for Effective Cyber Defense), the MITRE ATT&CK framework, and the collection of "good practices" published by the Bundesamt für Sicherheit in der Informationstechnik.


2021, Vol 11 (13), pp. 5841
Author(s): Erwin Kristen, Reinhard Kloibhofer, Vicente Hernández Díaz, Pedro Castillejo

Cybersecurity is an important field in our digital world. It protects computer systems and communication networks against theft or sabotage of information to guarantee trouble-free operation in a trustworthy working environment. This article gives an overview of a cybersecurity assessment process and an appropriate Cybersecurity Management (CSM) implementation for future digital agriculture applications. The cybersecurity assessment follows the IEC 62443 cybersecurity standard for Industrial Automation Control Systems (IACS), adapted to Agriculture Automation Control Systems (AACS). However, the research results showed application differences; thus, an expansion of the standard is necessary to fill the existing open security gaps in agriculture. Agriculture differs from industrial control systems because of the outdoor-located field area, which requires other forms of security. An appropriate cybersecurity standard for the agriculture domain is not currently available. However, such a standard will be necessary to define generally applicable procedures to protect agricultural assets against cyberattacks. The cybersecurity standards and regulations existing today (2021) are not sufficient for securing the agriculture domain against new and domain-specific cyberattacks. This article describes some of the cyber vulnerabilities identified and provides initial recommendations for addressing them.


2021, pp. 22-50
Author(s): Robert Kemp, Richard Smith

Internal auditing is important for ensuring compliance to multiple safety and security standards. The problem is that although safety and security have similarities when it comes to auditing, they also have differences that make auditing both areas under the same process difficult. This paper has shown how to overcome those differences and leverage the similarities to create one auditing process for both safety and security. The paper has harmonized the different terminology between safety and security and showed how the new auditing process can allow compliance to IEC 61508, ISO 27001 and IEC 62443.


2021, Vol 191, pp. 33-40
Author(s): Hicham Lalaoui Hassani, Ayoub Bahnasse, Eric Martin, Christian Roland, Omar Bouattane, ...

2020, Vol 131, pp. 79-86
Author(s): Bartłomiej Tworek

Modern railway control systems are based on computer and embedded systems. These components are connected directly via ICT networks; it is also possible to use wireless industrial networks. Cyber security attacks in automation control systems are becoming more dangerous and common. To protect these safety-critical systems, the standard IEC 62443 has been developed. This standard provides guidelines and requirements for industrial automation and control systems which also apply to railway systems. This article is mainly focused on chapter IEC 62443-4-2, which provides Technical security requirements for IACS components. Proper protection against cyber attacks is also important for maintaining RAMS parameters (Reliability, Availability, Maintainability and Safety). Railway control systems perform mainly safety-critical functionality related to railway traffic management. Safety-related control algorithms and vital modules cannot be disturbed by security mechanisms and functions. The analysis of cyber threats should be performed by railway infrastructure operators in cooperation with manufacturers of railway control systems. It is important to determine what level of requirements fulfilment according to standard IEC 62443 must be met (security level). Railway traffic control systems are long-life and high-availability systems; therefore they should be properly maintained during their lifecycle. The manufacturer of railway control systems and the end user should together develop a policy and guidelines for securing the systems against cyber attacks.


Author(s): Dominik Püllen, Nikolaos Anagnostopoulos, Tolga Arul, Stefan Katzenbeisser
