
Chapter 6


Standards, Guides and Regulatory Aspects

6.1. Introduction

In recent years, many standards and guides have been proposed in the
field of information system security. Some of these standards propose an
approach for risk management in line with ISO 31000: these are ISO 27000
standards. Other standards focus on industrial control systems (ICS), such as
IEC 62443 or the NIST SP 800-82 guide. Others have been developed for a
particular field, such as electricity distribution or production, or the nuclear
sector. This chapter presents the main standards (Figure 6.1), including the
ISO 27000 family, National Institute of Standards and Technology (NIST)
guides, the ANSSI approach, NERC CIP sector standards and International
Atomic Energy Agency (IAEA) standards. The IEC 62443 standard is
presented in Chapter 7, which focuses on it, while the standards for
operational safety, the IEC 61508 family, are introduced in Chapter 8.

Figure 6.1. Relations between the main standards: risk management (ISO 31000) at the top; below it, operational safety / functional safety (IEC 61508), cybersecurity of industrial installations (IEC 62443) and security of information systems (ISO 27000)


142 Cybersecurity of Industrial Systems

6.2. ISO 27000 family

Figure 6.2. Main standards of the ISO 27000 family: 27000 (general overview and vocabulary); 27001 (requirements for the ISMS); 27002 (code of good practice, 114 measures); 27003 (implementation guide); 27004 (metrics); 27005 (risk management process); 27006 (requirements for certification); 27007 (guide for auditing the ISMS); 27008 (guide for auditors on information security controls); 27014 (governance of information security)

The ISO 27000 family of standards defines good practices for information
system security management. These have evolved over the years and are part
of the general ISO 31000 framework, which describes the principles and
guidelines for risk management, as well as the implementation processes at
strategic and operational level.

The most important parts of this family include the following:

– ISO 27000, which provides an overview and defines the vocabulary;
– ISO 27001, which provides an approach for an organization to implement and improve its information security management system (ISMS) (see section 3.6 for more details), together with normative requirements for the development and use of an ISMS;
– ISO 27002, which is a set of good practices for information security management. It proposes 114 security controls organized into 14 themes. It is designed for organizations wishing to select the necessary security measures as part of the process of implementing an ISMS such as the one described in standard 27001;
– ISO 27003, which is an implementation guide for the ISMS;
– ISO 27004, which is a guide for the development of metrics for the implementation of the ISMS;
– ISO 27005, which describes the information security risk management process (Figure 6.3) in accordance with ISO 31000. It is based on the general concepts specified in standards 27000 and 27001;
– ISO 27006, which defines the requirements for the accreditation of organizations that certify ISMS;
– ISO 27007, which is a guide for the audit of an ISMS;
– ISO 27019, entitled “Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry”, which addresses the cybersecurity of energy distribution systems. It is intended to help interpret and apply the ISO/IEC 27002 standard for this type of industry. The standard was first published as a technical report in 2013. It was revised in October 2017 to become a complete international standard harmonized with the 2013 version of ISO/IEC 27001 and 27002, in conjunction with IEC technical committees TC 57 and TC 65 (IEC 62443-2-1) and IEC SC45A (IEC 62645);
– ISO 27031, which describes the concepts and principles for preparing information and communication technology for business continuity;
– ISO 27032, which concerns the management of cybersecurity, in the sense of information security in a cyberspace (Internet) context;
– ISO 27035, which concerns the management of security incidents. It defines a five-step process: preparation, incident identification, incident evaluation, response and feedback management;
– ISO 27799, entitled “Health informatics – Health information security management using ISO/IEC 27002”, which was first published in 2008 and revised in 2016. It specifies guidelines for interpreting and implementing the 27002 standard in the field of health informatics and is complementary to it.

Among the important elements highlighted in these different standards, the concept of ISMS is described in section 3.6, the risk management process in section 3.3, and the security measures of standard 27002 are presented in Chapter 9 (Figure 9.3). In addition, the IEC 62443 standard, presented in Chapter 7, is aligned with the ISO 27000 standards.

Figure 6.3. Risk management process (ISO 27005): context establishment; risk assessment, made up of risk analysis (risk identification, risk estimation) and risk evaluation; decision point “assessment satisfactory?” (yes/no); risk treatment; decision point “treatment satisfactory?” (yes/no); risk acceptance; end of iteration. Risk communication and risk monitoring and review run alongside all of these steps.

6.3. NIST framework and guides

6.3.1. NIST Cyber Security Framework

The security of an installation is divided into several stages, ranging from the installation of protection to the development of reaction capabilities. These steps have been formalized by the NIST in a framework called the Cyber Security Framework (CSF) (NIST 2018). These steps are as follows:

– identification;
– protection;
– detection, during operation;
– the response to attacks;
– recovery.

For each phase, a number of areas have been identified (Figure 6.4). They
include a list of measures to be implemented.
A version of this framework has been adapted for industrial production
systems (Stouffer et al. 2017).

Figure 6.4. Structure of the NIST framework. Identify: asset management, business environment, governance, risk assessment, risk management strategy. Protect: access control, awareness and training, data security, information protection processes and procedures, maintenance, protective technology. Detect: anomalies and events, security continuous monitoring, detection processes. Respond: response planning, communications, analysis, mitigation, improvements. Recover: recovery planning, improvements, communications. For a color version of this figure, see www.iste.co.uk/flaus/cybersecurity.zip

6.3.2. The guides

In addition, the NIST publishes many guides, which include the following:
– the NIST SP 800-82 guide, which describes a comprehensive approach to securing ICS;
– the very comprehensive NIST SP 800-53 guide, which provides a list of security measures organized according to CSF headings;
– the NIST SP 800-30 guide, which deals with risk assessment for IT systems;
– many ad hoc guides, such as NIST SP 800-41, Guidelines on Firewalls and Firewall Policy.

Figure 6.5. Structure of the NIST Framework. For a color version of this figure, see www.iste.co.uk/flaus/cybersecurity.zip

The SP 800-82 guide is dedicated to ICS. The approach it describes is part of a four-phase risk management process: scoping, assessment, response and monitoring, which corresponds to the process proposed in the NIST SP 800-39 guide.

The scoping step sets the context and defines an approach with which the
organization manages risks. This step produces a risk management strategy
that translates into the risk assessment, response and monitoring steps.

Risk assessment is classic: it consists of identifying threats and impacts, and estimating the level of each risk.

Risk response defines how the organization chooses to address the risks it
faces: acceptance, mitigation, avoidance or transfer.

Risk monitoring involves periodic or continuous action to validate known sources of risk, identify new sources (external threats or internal environmental changes) and verify the implementation, or validate the effectiveness, of the actions chosen as part of the risk response.

The process is therefore similar to that described in Chapter 3.

The SP800-82 guide describes the steps of a management system for the
security process of an ICS:
– development of an economic argument highlighting the stakes: potential
benefits of a security management system, costs of potential damage, high-
level view on the process to be implemented to manage security and the cost
of the resources needed to implement this program;
– presentation of this argument to decision makers;
– setting up a multi-skilled team (IT staff, control engineer, operator,
etc.);
– definition of the charter and its scope;
– definition of the policy and procedures specific to the security of ICS;
– inventory of ICS equipment and definition of security requirements in
terms of CIA (confidentiality, integrity, availability);
– selection of measures to be implemented according to security
requirements;
– risk assessment, to determine the desired level of protection (low,
medium, high) and to determine countermeasures;
– implementation of measures.
The proposed measures are in line with the NIST SP 800-53 guide and include 18 themes (Appendix 3):
– access control;
– awareness and training;
– audit and accountability;
– security assessment and authorization;
– configuration management;
– contingency planning;
– identification and authentication;
– incident response;
– maintenance;
– media protection;
– physical and environmental protection;
– planning;
– personnel security;
– risk assessment;
– system and services acquisition;
– system and communications protection;
– system and information integrity;
– organization-wide security management;
– privacy controls.

Each theme includes several measures and sub-measures, which are selected or not according to the desired level of protection (low, medium, high).

The proposed approach is consistent with the approach presented in Chapter 11. Only the first step (economic argument) is developed in more detail in the guide.

6.4. Distribution and production of electrical energy

6.4.1. NERC CIP

The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standard includes nine components and 45 requirements covering the security of power generation and transmission systems. It includes the protection of critical IT assets, as well as personnel and training, security management and disaster recovery planning.

CIP-001 Sabotage reporting

CIP-002 Critical cyber asset identification

CIP-003 Security management controls

CIP-004 Personnel and training

CIP-005 Electronic security perimeters

CIP-006 Physical security of critical cyber assets

CIP-007 Systems security management

CIP-008 Incident reporting and response planning

CIP-009 Recovery plans for critical cyber assets

Table 6.1. Structure of the CIP standard

The main objective of CIP-002 to CIP-009 (CIP-001 is not related to cybersecurity) is to protect the electricity distribution system from unwanted and destructive effects caused by cyber-terrorism and other cyber-attacks, including internal attacks.

Under the NERC CIP standard, organizations are required to identify critical assets and regularly conduct a risk analysis of these assets. Strategies for monitoring and modifying the configuration of critical assets must be defined, as must the rules governing access to these resources. In addition, NERC CIP requires the implementation of protection systems such as the use of firewalls to block vulnerable ports and tools to monitor cyber-attacks.

Security event monitoring systems must be deployed, and organizations must have comprehensive contingency plans for cyber-attacks, natural disasters and other unforeseen events.

The CIP standard is one of the 14 mandatory standards of the Federal Energy Regulatory Commission (FERC) in the United States. Penalties for non-compliance with NERC CIP may include fines, sanctions or other actions against the entities concerned.

FERC’s objective with this standard is to ensure that the North American power grid will not fail due to cybercrime.

6.4.2. IEC 62351

The IEC 62351 standard is a standard developed by WG15 of the IEC TC 57 group. It has been designed to manage the security of the TC 57 protocol series, including the 60870 series, used by electrical power distributors (Chapter 2). TC 57 is responsible for developing standards for the exchange of information on energy supply and related systems, including energy management systems, SCADA control systems, distribution automation and remote protection. The various security objectives of IEC 62351 include authentication of data transfer via digital signatures, ensuring authenticated access, prevention of wiretapping, prevention of identity reading and misuse, and intrusion detection (Table 6.2).

IEC 62351-1 Introduction to the standard

IEC 62351-2 Glossary of terms

IEC 62351-3 Security for any profiles including TCP/IP

IEC 62351-4 Security for any profiles including MMS (e.g. ICCP-based IEC 60870-6, IEC 61850, etc.)

IEC 62351-5 Security for any profiles including IEC 60870-5 (e.g. DNP3 derivative)

IEC 62351-6 Security for IEC 61850 profiles

IEC 62351-7 Security through network and system management

IEC 62351-8 Role-based access control

IEC 62351-9 Key management

IEC 62351-10 Security architecture

IEC 62351-11 Security for XML files

Table 6.2. Structure of standard 62351

6.4.3. IEEE 1686

In the field of electrical distribution, there is also the IEEE 1686 standard
for intelligent electronic devices (Chapter 1) cybersecurity (IEEE 2013).

6.5. Nuclear industry

6.5.1. The IAEA technical guide

A first guide, entitled Computer Security at Nuclear Facilities (International Atomic Energy Agency 2011), provides specific advice to key nuclear facilities on implementing a computer security program and evaluating existing programs.

A second guide, entitled Computer Security of Instrumentation and Control Systems at Nuclear Facilities (International Atomic Energy Agency 2015), describes security measures for instrumentation and control (I&C) systems.

These guides recommend that the operator define IT security requirements using a gradual approach according to the risk level, taking into account the following elements:
– the importance of the I&C system’s functions for safety and security;
– the threats identified and assessed for the installation;
– the attractiveness of the I&C system for potential adversaries;
– the I&C system vulnerabilities;
– the operating environment;
– the potential consequences that can result directly or indirectly from a compromise of the system.

Such an approach can be based on the results of a risk assessment (International Atomic Energy Agency 2016).

The concept of zone is introduced in this standard, as well as the principle of defense in depth. A step-by-step approach is proposed, based on the diagram in Figure 6.6. For each level, specific measures are defined.

Figure 6.6. Gradual approach: generic measures apply to every system, and level 1 to level 5 measures are added according to the criticality of the system. For a color version of this figure, see www.iste.co.uk/flaus/cybersecurity.zip

These guides follow the same approach as that proposed in IEC 62645
described in the following section.

6.5.2. IEC 62645

This standard was developed by the IEC/SC45A group in charge of the instrumentation, control and power supply aspects of nuclear installations. This group works in a coordinated way with the IAEA. The IEC 62645 standard was published in 2014. It has been designed to be consistent with ISO 27001 and ISO 27002. Overall, standard 62645 is mainly structured into three parts:
– a first one dealing with the lifecycle of security at the level of the security program;
– a second one dealing with the lifecycle of security at system level;
– a third describing security measures by theme: security policy, asset management, human aspects, etc.

According to this new standard, IT system security must be based on a graduated approach, according to the following principles:

– three security levels (called security levels S1, S2 and S3) are defined in the standard. Security measures cannot be defined individually for each system, as this would lead to a large amount of studies (and cost) and to many problems for connecting communicating systems;
– the systems must be considered from a functional point of view and have a level of security based on their possible direct or indirect impact on the security and availability of the installations;
– the generic measures given must be adapted to each level in order to effectively protect the systems of each level considered.

Some generic characteristics of the graduated approach are as follows:
– security programs must be developed according to the level of the system software development, with the establishment of a secure development environment and of a secure operating environment during the various phases of the software lifecycle;
– a similar level of security must be achieved for all systems with the same security requirement, regardless of their designer and developer;
– interfaces between systems with different security levels must be specifically addressed;
– interfaces must be secured, but must not prevent functional transmission.

6.6. Transportation

6.6.1. Vehicles

The SAE J306 standard, which concerns motor vehicles, was developed
with the ISO 26262 (Chapter 7) operational safety standard in mind. It
describes a structured process to reduce the probability of a successful attack.

The principles of the approach are as follows: consider the use of functionality by vehicle owners, implement cybersecurity in the design and engineering phases, implement cybersecurity in development and validation, implement cybersecurity in incident response, and consider cybersecurity when the vehicle owner changes.

6.6.2. Aeronautics

Nowadays, with increasing connectivity, safety-related security is crucial. RTCA Safety Standard DO-326A (2014) applies to aircraft and aircraft systems. It only deals with security aspects that could have an impact on flight safety. This standard specifies a process for top-down risk assessment with a generic set of activities, and is compatible with other industry standards dedicated to the certification of aircraft systems.

This standard separates the IT security and safety aspects, with feedback only from safety to security.

6.7. Other standards

6.7.1. National Information Security Standards

BS7799 (2002) is a British standard describing good practices for information security management, consisting of three parts. It provides detailed and structured coverage of security issues. It has been incorporated into standards 27001:2013 and 27002:2013. It was adopted by ISO as the ISO 17799 standard in 2000.

IT-Grundschutz is a German security standard. It is one of a series of guides published by the German Federal Office for Information Security (BSI), which describe “information security methods, processes, procedures, approaches and measures” based on ISO/IEC 27001:2013.

This standard provides a guideline for conducting a risk analysis and includes a large number of security controls to provide a relatively high level of protection, without having to perform a detailed risk analysis. The purpose of the IT-Grundschutz risk assessment method is to provide a qualitative assessment; it includes the identification, analysis and evaluation of security incidents that could be harmful to the company.

Other examples are the Swedish standard SS627799, replaced by ISO 27001, or the GB/T22080-2008 standard in China, corresponding to ISO 27001.

6.7.2. Operating safety standards

Standard 61508 (and its derivatives) describes the functional safety approach to ensure that a system presents a risk below a set threshold for the various hazards it may encounter. It is discussed in Chapter 8.

6.8. ANSSI’s approach

In a general manner, this approach follows the risk management process described in ISO 27005, adding certain aspects specific to ICS. It is detailed in ANSSI (2013a, 2013b) and can be summarized as follows:
– description of the installation, functional and/or physical, showing the physical components and the components of the industrial information system. Section 10.1 describes the approaches to achieve this description;
– mapping of industrial information system (IIS) components, physical and logical, and hosted applications;
– partial risk analysis and classification of the installation with the approach detailed below (Figure 6.7);
– identification of countermeasures to be implemented depending on the classification.

Figure 6.7. General approach to classification: the functionality level and the connectivity give the exposure; the exposure, the attackers and the users give the likelihood; the likelihood and the impact give the classification

This approach introduces the notion of class for a system, which allows the risk level of a facility to be taken into account. The classes are defined as follows:
– class 1: these are industrial systems for which the risk or impact of an attack is low. All measures recommended for this class must be applicable in complete autonomy. This level is the default level for any installation, and the proposed measures are similar to basic good practices;
– class 2: these are industrial systems for which the risk or impact of an attack is significant. There is no public control for this class of industrial system, but the responsible entity must be able to provide evidence that adequate measures have been put in place in the event of verification or of an incident;
– class 3: these are industrial systems for which the risk or impact of an attack is critical. In this class, the obligations are higher and the conformity of these industrial systems is verified by public authorities or an accredited body.

The level assessment is based on the rating of a number of installation characteristics (Figure 6.7). Combination rules are used to obtain the class of the installation. It is a combination of likelihood and impact level, and is therefore homogeneous with a risk level. A detailed guide proposes a series of measures to be implemented to reduce the risk. They are presented in Appendix 4.

The approach to evaluate the class is as follows:

– determine the level of functionality, noted F (Table 6.6), and the level of connectivity, noted C (Table 6.7), to obtain the level of exposure, noted E, with a matrix (Figure 6.8, left matrix);
– determine the level of attackers A (Table 6.4) and the type of stakeholders (Table 6.5), noted I;
– calculate the likelihood: V = E + …, rounded up to the next integer;
– determine the severity level (Table 6.3);
– determine the class (Figure 6.8, matrix on the right).

The level of measures to be implemented depends on the class obtained (ANSSI 2013a).

Exposure level E (rows: functionality level F; columns: connectivity level C):

F = 3 | 3 3 4 4 5
F = 2 | 2 2 3 4 5
F = 1 | 1 2 3 4 5
        C = 1 2 3 4 5

Class (rows: impact level; columns: likelihood level V):

Impact 5+ | 2 2 3 3
Impact 4  | 2 2 2 3
Impact 3  | 1 2 2 2
Impact 2  | 1 1 2 2
Impact 1  | 1 1 1 1
            V = 1 2 3 4+

Figure 6.8. Matrices to determine the exposure level (left) and the class (right). For a color version of this figure, see www.iste.co.uk/flaus/cybersecurity.zip
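As an added illustration of the classification chain of section 6.8 (this program is not part of the book or of the ANSSI guides), the following Go code encodes the two matrices of Figure 6.8 and runs the steps in order: F and C give E, E plus an attacker/stakeholder term gives V after rounding up, and V with the severity level gives the class. The page does not give the term that is added to E in full, so the example takes it as a parameter (attackerTerm); the function names and the sample system in main are assumptions of this example. Out-of-range levels are rejected rather than clamped, except for the “5+” impact row and “4+” likelihood column that the figure itself defines.

```go
package main

import (
	"fmt"
	"math"
)

// Exposure level E (Figure 6.8, left matrix), indexed as exposureMatrix[F-1][C-1].
var exposureMatrix = [3][5]int{
	{1, 2, 3, 4, 5}, // F = 1, minimum systems
	{2, 2, 3, 4, 5}, // F = 2, complex systems
	{3, 3, 4, 4, 5}, // F = 3, very complex systems
}

// Class (Figure 6.8, right matrix), indexed as classMatrix[impact-1][V-1].
// The last row is the "5+" impact row, the last column the "4+" likelihood column.
var classMatrix = [5][4]int{
	{1, 1, 1, 1}, // impact 1, insignificant
	{1, 1, 2, 2}, // impact 2, minor
	{1, 2, 2, 2}, // impact 3, moderate
	{2, 2, 2, 3}, // impact 4, major
	{2, 2, 3, 3}, // impact 5+, catastrophic
}

// ExposureLevel returns E for a functionality level F (Table 6.6) and a
// connectivity level C (Table 6.7). Every later step depends on E, so
// inputs outside the tables are an error, not a silent default.
func ExposureLevel(f, c int) (int, error) {
	if f < 1 || f > 3 {
		return 0, fmt.Errorf("functionality level %d outside 1..3", f)
	}
	if c < 1 || c > 5 {
		return 0, fmt.Errorf("connectivity level %d outside 1..5", c)
	}
	return exposureMatrix[f-1][c-1], nil
}

// Likelihood applies the rounding rule of the text: V is E plus a term derived
// from the attacker level A (Table 6.4) and the stakeholder type I (Table 6.5),
// rounded up to the next integer. That term is not given in full on the page,
// so this example takes it as the attackerTerm parameter (an assumption).
func Likelihood(e int, attackerTerm float64) int {
	return int(math.Ceil(float64(e) + attackerTerm))
}

// ClassLevel reads the class matrix. Impact above 5 falls into the "5+" row
// and likelihood above 4 into the "4+" column, as drawn in Figure 6.8.
func ClassLevel(impact, likelihood int) (int, error) {
	if impact < 1 || likelihood < 1 {
		return 0, fmt.Errorf("impact %d and likelihood %d must both be >= 1", impact, likelihood)
	}
	if impact > 5 {
		impact = 5
	}
	if likelihood > 4 {
		likelihood = 4
	}
	return classMatrix[impact-1][likelihood-1], nil
}

// Classify chains the three steps: (F, C) -> E, (E, term) -> V, (severity, V) -> class.
func Classify(f, c int, attackerTerm float64, severity int) (int, error) {
	e, err := ExposureLevel(f, c)
	if err != nil {
		return 0, err
	}
	return ClassLevel(severity, Likelihood(e, attackerTerm))
}

func main() {
	// Constructed sample: a very complex system (F3) on a public distributed
	// infrastructure (C5), attacker term 1.5, major impact (severity 4).
	class, err := Classify(3, 5, 1.5, 4)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// E = 5, V = ceil(6.5) = 7 -> "4+" column, impact 4 -> class 3
	fmt.Printf("installation class: %d\n", class)
}
```

The two matrices are the only place where the figure's numbers live, so a change in the official matrices needs a change in exactly one table each; the chaining function is deliberately free of numbers.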

Table 6.3. Severity level. Each level lists, in order: human consequences; environmental consequences; consequences on the service.

Level 1, Insignificant: reported accident without work stoppage or medical treatment; limited and temporary violation of a rejection standard without legal reporting requirements to the authorities; heavy impacts on 1,000 people.

Level 2, Minor: reported accident with sick leave or medical treatment; violation of a discharge standard requiring reporting to the authorities, but without environmental consequences; heavy impacts on 10,000 people, disruption of the local economy.

Level 3, Moderate: permanent disability; moderate pollution limited to the site; heavy impacts on 100,000 people, temporary loss of major infrastructure.

Level 4, Major: one death, permanent disability; significant pollution or pollution external to the site, evacuation of people; heavy impacts on more than 1,000,000 people, permanent loss of a major infrastructure.

Level 5, Catastrophic: several deaths; major pollution with lasting environmental consequences external to the site; heavy impacts on 10,000,000 people, permanent loss of critical infrastructure.

Level 1, Non-targeted: viruses, robots, etc.
Level 2, Hobbyist: people with very limited resources, not necessarily with a willingness to harm.
Level 3, Isolated attacker: person or organization with limited resources but with some determination (e.g., a dismissed employee).
Level 4, Private organization: organization with significant resources (e.g., terrorism, unfair competition).
Level 5, State organization: organization with unlimited resources and a very strong determination.

Table 6.4. Attacker level

Level 1, Authorized and controlled: all participants are authorized and controlled. Unauthorized intervention is not possible.
Level 2, Authorized, and controlled: all players are authorized, but at least some of the possible operations are not tracked. Unauthorized intervention is not possible.
Level 3, Authorized: there is no specific requirement for authorized intervenors, but an unauthorized intervention is not possible.
Level 4, Not allowed: this category contains all industrial systems in which unauthorized intervention is possible.

Table 6.5. Types of stakeholders (noted I)

F1, Minimum systems: this category includes industrial systems with only CIM level 0 and level 1 elements (see note 1) (control-command), excluding programming consoles, namely: sensors/actuators; remote inputs/outputs; PLCs; desks; embedded systems; analyzers.
F2, Complex systems: this category includes industrial systems containing only CIM level 0 to 2 elements (control-command and SCADA).
F3, Very complex systems: this category includes all industrial systems that do not fall into the first two categories. In particular, all systems: with programming consoles; with permanently connected engineering stations; which are connected to a manufacturing execution system; with centralized historian databases.

Table 6.6. Level of functionality

1 The CIM levels (Purdue model) are detailed in Chapter 1.

Level 1, Isolated industrial system: completely closed production networks.
Level 2, Industrial system connected to an IS: production networks connected to the company’s management information system, but without operations from outside the management information system being authorized.
Level 3, Industrial system using wireless technology: industrial systems using wireless technology.
Level 4, Distributed industrial system with private infrastructure: a distributed system where the different sites communicate with each other through a private infrastructure (completely private or leased from a telecommunications operator), or with operations from outside or from a management network, such as remote diagnosis and maintenance.
Level 5, Distributed industrial system with public infrastructure: similar to the previous category, except that the infrastructure used is public, such as that of a telecommunications operator. Example: water distribution infrastructure.

Table 6.7. Connectivity level

6.9. Good practices for securing industrial Internet of Things equipment

The Industrial Internet Consortium has proposed a set of good practices for securing industrial Internet of Things terminal equipment (Hanna et al. 2018), defined as components with computing capabilities and network connectivity. This can be, for example, a sensor or actuator in the world of car making, an embedded medical device in the world of healthcare, or a pump or a flow sensor in the industrial world.

The proposed practices are based on NIST standards 800-53 and 800-82
(NIST 2014; Stouffer et al. 2015) and IEC 62443 (Chapter 7).

This guide defines three levels of security: basic, enhanced and critical. These levels correspond to security levels 2, 3 and 4 defined by IEC 62443 part 3-3. Security levels 0 and 1 of IEC 62443-3-3 are not covered, as they cover low-security environments, which is not suitable for industrial environments connected to the Internet. The NIST SP 800-53r4 guide defines three levels of security in the same way.

The security levels are defined as follows:

– the basic security level (BSL) provides protection against “an intentional violation by simple means with limited resources”, such as an ordinary virus;
– the enhanced security level (ESL) corresponds to a defense against “sophisticated means with moderate resources”, such as the exploitation of known vulnerabilities in software or ICS;
– the critical security level (CSL) is adapted against attackers with “sophisticated means, extended resources”, such as the ability to develop tailor-made zero-day attacks.

Each piece of equipment must have an appropriate level of security, determined by risk analysis. Each security level has its own specific architecture (Figure 6.9). The following sections describe the elements of these architectures.

Figure 6.9. Security profile. The basic level stacks a root of trust, secure boot, endpoint identity, cryptographic services and secure communication; the enhanced level adds endpoint configuration and management; the critical level further adds a policy and activity dashboard and security information and event management.

6.9.1. Trust base (root of trust)

This first element corresponds to the basic requirements that guarantee security. It is about providing functions to guarantee:

– the identity of the element (a unique identifier);
– the identity and integrity of the software and electronic components.

In practice, the object must have a secure element memory to store keys
and certificates that are used to check the integrity of the software at start-up,
to guarantee the identity of the object or to establish secure communications.
This type of memory is similar to what is found in smart cards.

6.9.2. Identity management (endpoint identity)

Guaranteeing identity is a fundamental aspect. Support for a Public Key Infrastructure (PKI) is mandatory for all security levels. Protocols defined by an open standard for managing standard certificates (e.g. TSE) are used to automate the issuance, renewal, updating and revocation of certificates issued by an internal or external certification authority.

6.9.3. Secure boot

At start-up, the object performs a secure boot (or secure bootstrap):

– verification of the integrity of the firmware and software modules by comparing their fingerprints (computed with the SHA-256 algorithm, for example) with those stored. The fingerprints can be protected with asymmetric cryptography, the object holding the public key and the provider the corresponding private key;
– identification, using the certificates in memory, of the equipment with which it is associated.

6.9.4. Cryptographic services

The equipment must provide cryptographic services for data transport and
storage. These services include:
– functions supporting the management of Public Key Cryptography
Standards (PKCS) for asymmetric and symmetric encryption, hash functions
and random number generators of adequate resistance (these numbers are the
basis of encryption algorithms);
– implementations of validated cryptographic algorithms (NIST/FIPS
standards);
– an ability to update these algorithms (in the event of progress in
decryption algorithms, particularly quantum computing);
– interoperability of cryptographic key types and certificates between
multivendor systems.

6.9.5. Secure communications

A stack of secure end-to-end communication protocols is required,
including:
– support for scalable authentication protocols to authenticate the
equipment;
– an encrypted communication medium equipment-cloud;
– an encrypted equipment to equipment communication support for key
management, for example.

More details are given in Hanna et al. (2018).

6.9.6. Equipment configuration and management

This function is intended to allow a secure update of the firmware and
operating system (OS). It must rely on PKCS standards for data encryption
and validate the sources and destinations of updates via certificates.

This function is required for advanced and critical levels.

6.9.7. Activity dashboard and event management by a SIEM

Continuous monitoring of equipment requires:
– configuration control to detect unauthorized changes in firmware, OS
and installed applications;
– application-level controls to detect and prevent unauthorized activities
(e.g., the use of unsecured encryption, hashing algorithms) that compromise
data confidentiality or integrity.

In addition, remote security policy management functions must be
possible for Operational Technology (OT) operators, and selected security
events must be communicated in an appropriate format to a SIEM (Chapter
10).

These functions are required for the critical level.

6.10. Legislative and regulatory aspects

Strengthening critical infrastructure protection has been one of the Obama
administration’s objectives. Executive Order 13636 of February 2013 put in
place a number of measures. First, the Department of Homeland Security
(DHS) and the Department of Defense (DOD) have been tasked with
establishing procedures to begin sharing cybersecurity information with
owners and operators of critical infrastructure. It identifies 16 areas of critical
infrastructure and asks the NIST to propose a framework for controlling these
risks. In February 2014, the NIST published its framework (section 6.3.1).
Based on these elements, the Cybersecurity Act was signed on December 18,
2015 by President Obama. It contains the text on information sharing
(Cybersecurity Information Sharing Act). The purpose of the legislation is to
promote and encourage the private sector and the U.S. government to
exchange information on cyber threats quickly and responsibly. Under the
law, information about a threat found on a system can be quickly shared in
order to prevent a similar attack or mitigate a similar threat to other
companies, agencies and consumers.

Cybersecurity legislation has also been strengthened in Europe in recent
years, and regulatory compliance is an important issue for companies. The
threat of severe financial penalties for non-compliance with established rules
is real.

In addition to regulations applicable to all information systems, industrial
installations may be affected because they belong to an operator of vital
importance and fall under the Military Programming Act (LPM) (Legifrance
2018b), replaced by the NIS Directive (EU) 2016/1148 of July 6, 2016
(Europe NSI 2016). They may also be part of the Seveso classified
establishments and be covered by Directive 2012/18/EU of July 4, 2012,
known as the Seveso 3 Directive (Europe Seveso III 2012).

The first category of facilities is that for which a cyber-attack can lead to
an inability to produce or provide the required services and disrupt a
country’s economic and social life. The second category is that for which a
cyber-attack can cause an industrial accident and have an impact on
populations.

The NIS Directive has been transposed into French law. The law (France
Loi no. 2018-133 2018) was adopted on February 15, 2018 and promulgated
on February 26, 2018. Its objective is to define measures to ensure a high
level of network and information system security. It aims to protect against
cyber-attacks against certain strategic companies. It introduces two new
categories of actors, which will be subject to higher standards of IT security:
– operators of essential services (OES);
– digital service providers (DSP).

In France, it is in line with the Military Programming Act of 2013, the
first step in the implementation of the new strategic guidelines of the White
Paper on Defense and National Security. More than 200 companies,
operating facilities or using facilities and structures whose unavailability
would have a significant impact on the country’s security and functioning,
are classified as “operators of vital importance (OVIs)”. They are divided
into 12 business sectors. The law requires them to strengthen the security of
the critical information systems they operate, which are called information
systems of vital importance.

A business sector of vital importance (BSVI), as defined by Article R.
1332-2 of the French Defense Code, consists of activities contributing to the
same objective, which:
– relate to the production and distribution of essential goods or services
(where these activities are difficult to substitute or replace): satisfaction of
basic needs for the life of populations, exercise of State authority, functioning
of the economy, maintenance of defense potential, national security;
– can present a serious danger to the population.

An OVI, as defined by Article R. 1332-1 of the Defense Code, is an
organization that:
– carries out activities included in a vitally important sector of activity;
– manages or uses for this activity one or more establishments or works,
one or more installations whose damage, unavailability or destruction as a
result of an act of malicious intent, sabotage or terrorism, would directly or
indirectly risk seriously jeopardizing the Nation’s combat or economic
potential, its security or capacity to survive.

The security rules to be respected are presented for each BSVI and are
classified by theme (France Annex JORF 2016). For OESs (or OVIs in
France), the main obligations of the law transposing the NIS Directive are as
follows:
– a declaration to ANSSI, without delay after becoming aware of it, of
incidents affecting the networks and information systems necessary for the
provision of essential services, where such incidents have or are likely to
have, taking into account in particular the number of users and the
geographical area affected as well as the duration of the incident, a significant
impact on the continuity of these services;
– an obligation to identify the risks that threaten the security of these
networks and information systems, and an obligation to take the necessary
and proportionate technical and organizational measures to manage these
risks, in the following areas:
  – security of systems and installations;
  – incident management;
  – business continuity management;
  – monitoring, audit and control;
  – compliance with international standards;
– cooperation during ANSSI controls.

Sanctions can be significant:
– in the event of failure to report incidents, a fine of 75,000 euros;
– in the event of an obstacle to ANSSI controls, a fine of 125,000 euros;
– in the absence of security measures or failure to comply with security
rules, a fine of 100,000 euros.

In line with the NIS Directive, the European Council called at the end of
2017 for a common EU approach to cybersecurity. New proposals (European
Council 2017) have been made, such as the establishment of an EU
cybersecurity agency, giving ENISA (European Union Agency for Network
and Information Security) greater powers and establishing an EU-wide
cybersecurity certification system.

It should also be mentioned that, for traditional information systems, a
very important regulation concerns the management of personal data. These
are subject to the General Data Protection Regulation (GDPR) (Europe
GDPR 2016), applicable since May 25, 2018. It replaces existing regulations
and has been designed to harmonize data privacy laws across Europe and to
strengthen the protection of private data. This regulation also applies to
industrial systems for their part in data management.
