Industries are under constant threat from hacking. Sean Ottewell reports on the emergence of new cybersecurity standards.
In the face of sustained attacks by hackers on infrastructure, industry and government departments over recent years, the US National Institute of Standards and Technology (NIST) has released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organisations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programmes.
The framework is a response to President Obama's February 2013 executive order calling for the development of a voluntary, risk-based cybersecurity framework - a set of standards, guidelines and practices to help organisations manage cyber risks.
The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
"The framework provides a consensus description of what's needed for a comprehensive cybersecurity programme," said NIST director Patrick D Gallagher. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."
The framework allows organisations - regardless of size, degree of cyber risk or cybersecurity sophistication - to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
Organisations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties to help organisations incorporate those protections into a comprehensive cybersecurity programme.
While today's framework is the culmination of a year-long effort that brought together thousands of individuals and organisations from industry, academia and government, it is expected to be a first step in a continuous process to improve overall cybersecurity.
The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions - identify, protect, detect, respond and recover - that taken together allow any organisation to understand and shape its cybersecurity programme. The tiers describe the degree to which an organisation's cybersecurity risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed". The profiles help organisations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.
"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," said Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."
One of the first organisations to endorse the new framework is Rockwell Automation. Over the past year, the company participated in its development process and associated workshops. The company collaborated with other private-sector participants and industry groups, NIST, and government to enhance the Framework's attention to industrial control system security. Company executives also presented at NIST's workshops and panels.
"Rockwell Automation is honoured to have actively contributed to the development of the Cybersecurity Framework that will help address cyber risks to critical infrastructure and manufacturing processes alike," said Keith Nosbusch, chairman and ceo of Rockwell Automation. "This guideline provides a flexible structure that can help organisations improve information security protection programs to manage risks to industrial control and information systems."
The importance of having such a framework is illustrated by Schneider which issued four security updates concerning different vulnerabilities in January alone. The company describes its integrated cybersecurity solutions for critical infrastructures as best-in-class, allowing users to centralise security, provide robust change management and automate reporting that supports regulatory compliance (Fig.1).
In another development, the US Food and Drug Agency (FDA) has incorporated ISA's ISA/IEC62443 series of industrial automation and control systems (IACS) security standards onto its recognised consensus standards list.
Owners of manufacturing plants and operators of critical infrastructure know that the IACS components and systems they purchase with the ISASecure designation are resilient against network attacks and are free from known security vulnerabilities.
Developed through the work of the ISA Committee on Security for Industrial Automation & Control Systems (ISA99), the ISA/IEC62443 standards are designed to prevent and mitigate potentially devastating cyber damage to the industrial plant systems and networks commonly used in transportation grids, power plants, water treatment facilities, and other vital industrial settings.
Boot camps for process measurement and control
Reflecting growing demand for more general, fundamental instruction in process automation, the International Society of Automation (ISA) has developed a new course for non-maintenance personnel with little or no background in the field of process measurement and control.
ISA Process Automation Boot Camp for Non-Maintenance Personnel (PABC) is specifically designed for: operations personnel with no instrument maintenance responsibilities, but who require a general knowledge of process automation equipment; automation engineers who need a basic understanding of process automation equipment, signal transmissions and process measurements; process control engineers who need to understand the operation of all equipment associated with the process control loop; process control equipment sales staff needing to learn process measurement and control and the various applications of process instrumentation; and managers responsible for overseeing operations or maintenance personnel who need a general overview of the technology maintained by their staff.
While more general in focus, ISA says this new course delivers highly intensive instruction - combining select laboratory demonstrations (approximately 25 per cent of course time) with expert-led, in-depth lecture and classroom discussion - over a full week. Considerable emphasis is placed on the physical measurement technologies, the communication signals, and the various applications of instrument equipment to achieve common process measurements and control.
Primary course objectives include providing an overview of industrial measurement, automation equipment, and equipment installation to non-maintenance personnel so that they gain a basic knowledge of instrumentation, including terminology and operation; and outlining recommended installation practices for the most common process measurement and control equipment.