Chapter 6
Standards, Guides and Regulatory Aspects
6.1. Introduction
In recent years, many standards and guides have been proposed in the
field of information system security. Some of these standards propose an
approach for risk management in line with ISO 31000: these are ISO 27000
standards. Other standards focus on industrial control systems (ICS), such as
IEC 62443 or the NIST SP 800-82 guide. Others have been developed for a
particular field, such as electricity distribution or production, or the nuclear
sector. This chapter presents the main standards (Figure 6.1), including the
ISO 27000 family, National Institute of Standards and Technology (NIST)
guides, the ANSSI approach, NERC CIP sector standards and International
Atomic Energy Agency (IAEA) standards. The IEC 62443 standard is
presented in Chapter 7, which focuses on it, while the standards for
operational safety, the IEC 61508 family, are introduced in Chapter 8.
Figure 6.1. Positioning of the standards: risk management (ISO 31000); operational safety and functional safety (IEC 61508); cybersecurity of industrial installations (IEC 62443); security of information systems (ISO 27000, with ISO 27004 for metrics).
The ISO 27000 family of standards defines good practices for information
system security management. These have evolved over the years and are part
of the general ISO 31000 framework, which describes the principles and
guidelines for risk management, as well as the implementation processes at
strategic and operational level.
Figure. Risk management process: context establishment; risk assessment, comprising risk analysis (risk estimation) and risk evaluation, repeated until the assessment is satisfactory; risk treatment, repeated until the treatment is satisfactory; risk acceptance; end of iteration.
– identification;
– protection;
– detection, during operation;
– the response to attacks;
– recovery.
For each phase, a number of areas have been identified (Figure 6.4). They
include a list of measures to be implemented.
A version of this framework has been adapted for industrial production
systems (Stouffer et al. 2017).
Figure 6.4. Areas of the framework by phase: identification (asset management, risk assessment, risk management strategy); protection (access control, information protection processes and procedures, maintenance, protective technology); detection (anomalies and events); response (response planning, mitigation, improvements); recovery (recovery planning).
The scoping step sets the context and defines the approach with which the
organization manages risks. It produces a risk management strategy that is
then carried through the risk assessment, response and monitoring steps.
Risk response defines how the organization chooses to address the risks it
faces: acceptance, mitigation, avoidance or transfer.
The SP 800-82 guide describes the steps of a management system for the
security of an ICS:
– development of an economic argument highlighting the stakes: potential
benefits of a security management system, costs of potential damage, high-
level view on the process to be implemented to manage security and the cost
of the resources needed to implement this program;
– presentation of this argument to decision makers;
– setting up a multi-skilled team (IT staff, control engineer, operator,
etc.);
– definition of the charter and its scope;
– definition of the policy and procedures specific to the security of ICS;
– inventory of ICS equipment and definition of security requirements in
terms of CIA (confidentiality, integrity, availability);
– selection of measures to be implemented according to security
requirements;
– risk assessment, to determine the desired level of protection (low,
medium, high) and to determine countermeasures;
– implementation of measures.
The proposed measures are in line with the NIST SP 800-53 guide and
include 18 themes (Appendix 3):
– access control;
– awareness and training;
Each theme includes several measures and sub-measures, which are selected
or not according to the desired level of protection (low, medium, high).
FERC’s objective with this standard is to ensure that the North American
power grid will not fail due to cybercrime.
In the field of electrical distribution, there is also the IEEE 1686 standard
for the cybersecurity of intelligent electronic devices (Chapter 1) (IEEE 2013).
Figure 6.6. Gradual approach: generic measures, supplemented by level 2, level 3, level 4 and level 5 measures. For a color version of this figure, see
www.iste.co.uk/flaus/cybersecurity.zip
These guides follow the same approach as that proposed in IEC 62645
described in the following section.
– three security levels (called security levels S1, S2 and S3) are defined in
the standard. Security measures cannot be defined individually for each
system, as this would lead to a large number of studies (and cost) and to
many problems for connecting communicating systems;
– the systems must be considered from a functional point of view and
have a level of security based on their possible direct or indirect impact on
the security and availability of the installations;
– the generic measures given must be adapted to each level in order to
effectively protect the systems of each level considered.
6.6. Transportation
6.6.1. Vehicles
The SAE J3061 standard, which concerns motor vehicles, was developed
with the ISO 26262 (Chapter 7) operational safety standard in mind. It
describes a structured process to reduce the probability of a successful attack.
6.6.2. Aeronautics
aircraft systems. It only deals with security aspects that could have an impact
on flight safety. This standard specifies a process for top-down risk
assessment with a generic set of activities, and is compatible with other
industry standards dedicated to the certification of aircraft systems.
This standard separates the IT security and safety aspects, with feedback
only, from safety to security.
Figure. Classification method: the class is determined from the impact and the likelihood; the likelihood is derived from the attackers, the users, the functionality level and the exposure (connectivity).
This approach introduces the notion of class for a system, which allows
the risk level of a facility to be taken into account. The classes are defined as
follows:
– class 1: these are industrial systems for which the risk or impact of an
attack is low. All measures recommended for this class must be applicable in
complete autonomy. This level is the default level for any installation, and
the proposed measures are similar to basic good practices;
– class 2: these are industrial systems for which the risk or impact of an
attack is significant. There is no public control for this class of industrial
system, but the responsible entity must be able to provide evidence that
adequate measures have been put in place in the event of verification or of an
incident;
– class 3: these are industrial systems for which the risk or impact of an
attack is critical. In this class, the obligations are higher and the conformity of
these industrial systems is verified by public authorities or an accredited body.
Exposure, as a function of the functionality level (rows) and the connectivity level (columns):

Functionality   Connectivity:  1   2   3   4   5
F3                             3   3   4   4   5
F2                             2   2   3   4   5
F1                             1   2   3   4   5

Class, as a function of the impact level (rows) and the likelihood level (columns):

Impact   Likelihood:  1   2   3   4+
5+                    2   2   3   3
4                     2   2   2   3
3                     1   2   2   2
2                     1   1   2   2
1                     1   1   1   1
Attackers
Level – Description
1 – Non-targeted: viruses, robots, etc.
2 – Hobbyist: people with very limited resources, not necessarily with a willingness to harm.
3 – Isolated attacker: person or organization with limited resources but with some determination (e.g., a dismissed employee).
4 – Private organization: organization with significant resources (e.g., terrorism, unfair competition).
5 – State organization: organization with unlimited resources and a very strong determination.
Users
Level – Description
1 – Authorized and controlled: all authorized participants are authorized and controlled. Unauthorized intervention is not possible.
2 – Authorized, and controlled: all authorized players are authorized, but at least some of the possible operations are not tracked. Unauthorized intervention is not possible.
3 – Authorized: there is no specific requirement for authorized intervenors, but an unauthorized intervention is not possible.
4 – Not allowed: this category contains all industrial systems in which unauthorized intervention is possible.
Functionality level
Level – Description
F1 – Minimum systems: this category includes industrial systems with only CIM level 0 and level 1 elements (control-command), excluding programming consoles, namely: sensors/actuators; remote inputs/outputs; PLCs; desks; embedded systems; analyzers.
F2 – Complex systems: this category includes industrial systems containing only CIM level 0 to 2 elements (control and command and SCADA).
F3 – Very complex systems: this category includes all industrial systems that do not fall into the first two categories, in particular all systems with programming consoles, with permanently connected engineering stations, connected to a manufacturing execution system, or with centralized historian databases.
Connectivity
Level – Description
1 – Isolated industrial system: completely closed production networks.
2 – Industrial system connected to an IS: production networks connected to the company’s management information system, but without operations from outside the management information system being authorized.
3 – Industrial system using wireless technology: industrial systems using wireless technology.
4 – Distributed industrial system with private infrastructure: a distributed system where the different sites communicate with each other through a private infrastructure (completely private or leased from a telecommunications operator), or with operations from outside or from a management network, such as remote diagnosis and maintenance.
5 – Distributed industrial system with public infrastructure: similar to the previous category, except that the infrastructure used is public, such as that of a telecommunications operator. Example: water distribution infrastructure.
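As an added worked example (not code from the book or from ANSSI), the two lookup tables reproduced above encoded as functions: the exposure level from the functionality and connectivity levels, and the class from the impact and likelihood levels. The intermediate step from exposure, attackers and users to a likelihood level is not tabulated on this page, so likelihood is taken as an input; the obligation strings only summarize the class descriptions given in the text.

```python
# Added example: the ANSSI classification tables as reproduced in this chapter.
# Exposure: row = functionality level (F1..F3), column = connectivity level (1..5).
EXPOSURE_TABLE = {
    3: (3, 3, 4, 4, 5),
    2: (2, 2, 3, 4, 5),
    1: (1, 2, 3, 4, 5),
}
# Class: row = impact level (1..5, "5+" folded into 5),
# column = likelihood level (1..4, "4+" folded into 4).
CLASS_TABLE = {
    5: (2, 2, 3, 3),
    4: (2, 2, 2, 3),
    3: (1, 2, 2, 2),
    2: (1, 1, 2, 2),
    1: (1, 1, 1, 1),
}
# Summaries of the obligations attached to each class in the text above.
OBLIGATIONS = {
    1: "low risk: basic good practices, applied in complete autonomy",
    2: "significant risk: no public control, but evidence of measures on request",
    3: "critical risk: conformity verified by public authorities or an accredited body",
}


def exposure(functionality: int, connectivity: int) -> int:
    """Exposure level for a functionality level 1..3 and a connectivity level 1..5."""
    if functionality not in EXPOSURE_TABLE:
        raise ValueError("functionality level must be 1, 2 or 3")
    if not 1 <= connectivity <= 5:
        raise ValueError("connectivity level must be between 1 and 5")
    return EXPOSURE_TABLE[functionality][connectivity - 1]


def system_class(impact: int, likelihood: int) -> int:
    """Class 1..3 for an impact level (1..5+) and a likelihood level (1..4+)."""
    if impact < 1 or likelihood < 1:
        raise ValueError("impact and likelihood levels start at 1")
    return CLASS_TABLE[min(impact, 5)][min(likelihood, 4) - 1]


def classify(impact: int, likelihood: int) -> str:
    """Human-readable verdict: class number plus the obligations it entails."""
    cls = system_class(impact, likelihood)
    return f"class {cls}: {OBLIGATIONS[cls]}"


if __name__ == "__main__":
    # A minimum system (F1) on a closed network versus the same one on public infrastructure.
    print("exposure F1/C1 =", exposure(1, 1), " exposure F1/C5 =", exposure(1, 5))
    print(classify(impact=4, likelihood=4))
```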
The proposed practices are based on NIST standards 800-53 and 800-82
(NIST 2014; Stouffer et al. 2015) and IEC 62443 (Chapter 7).
This guide defines three levels of security: basic, enhanced and critical.
These levels correspond to security levels 2, 3 and 4 defined by IEC 62443
part 3-3. Security levels 0 and 1 of IEC 62443-3-3 are not covered, as they
cover low security environments, which is not suitable for industrial
Figure. Security levels (enhanced, critical) and the measures added at each level, including Security Information & Event Management.
In practice, the object must have a secure element memory to store keys
and certificates that are used to check the integrity of the software at start-up,
to guarantee the identity of the object or to establish secure communications.
This type of memory is similar to what is found in smart cards.
The equipment must provide cryptographic services for data transport and
storage. These services include:
– functions supporting the management of Public Key Cryptography
Standards (PKCS) for asymmetric and symmetric encryption, hash functions
and random number generators of adequate resistance (these numbers are the
basis of encryption algorithms);
– implementations of validated cryptographic algorithms (NIST/FIPS
standards);
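As an added illustration (not code from the book or from any particular device), a start-up integrity check of the kind described above: a stand-in secure element holds the device key and performs the verification, and the bootloader only learns pass or fail. A symmetric MAC from the Python standard library replaces the certificate-based signature a real device would use, and the firmware bytes are a constructed sample.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Stand-in for the tamper-resistant key store: the key is written once at
    provisioning and is never returned; callers only receive a verdict."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def verify_firmware(self, image: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, image, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak how many leading
        # bytes of a forged tag are already correct.
        return hmac.compare_digest(expected, tag)


def provision(image: bytes) -> tuple[SecureElement, bytes]:
    """Factory side: draw the device key from the OS CSPRNG (secrets, not random),
    load it into the secure element and compute the tag shipped with the image."""
    key = secrets.token_bytes(32)
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return SecureElement(key), tag


def boot(se: SecureElement, image: bytes, tag: bytes) -> str:
    """Bootloader decision: run the image only if the secure element accepts it."""
    if se.verify_firmware(image, tag):
        return "boot: firmware integrity verified"
    return "halt: firmware integrity check failed"


def demo() -> tuple[str, str]:
    """Constructed firmware image, once genuine and once with a single flipped byte."""
    firmware = b"PLC-RUNTIME v1.0 (constructed sample image)"
    se, tag = provision(firmware)
    genuine = boot(se, firmware, tag)
    tampered = bytes([firmware[0] ^ 0x01]) + firmware[1:]
    altered = boot(se, tampered, tag)
    return genuine, altered


if __name__ == "__main__":
    print(*demo(), sep="\n")
```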
162 Cybersecurity of Industrial Systems
The first category of facilities is that for which a cyber-attack can lead to
an inability to produce or provide the required services and disrupt a
country’s economic and social life. The second category is that for which a
The NIS Directive has been transposed into French law. The law (France
Loi no. 2018-133 2018) was adopted on February 15, 2018 and promulgated
on February 26, 2018. Its objective is to define measures to ensure a high
level of network and information system security. It aims to protect against
cyber-attacks against certain strategic companies. It introduces two new
categories of actors, which will be subject to higher standards of IT security:
– operators of essential services (OES);
– digital service providers (DSP).
The security rules to be respected are presented for each BSVI and are
classified by theme (France Annex JORF 2016). For OESs (or OVIs in
France), the main obligations of the law transposing the NIS Directive are as
follows:
– a declaration to ANSSI, without delay after becoming aware of it, of
incidents affecting the networks and information systems necessary for the
provision of essential services, where such incidents have or are likely to
have, taking into account in particular the number of users and the
geographical area affected as well as the duration of the incident, a significant
impact on the continuity of these services;
– an obligation to identify the risks that threaten the security of these
networks and information systems, and an obligation to take the necessary
and proportionate technical and organizational measures to manage these
risks, in the following areas:
– security of systems and installations;
– incident management;
– business continuity management;
– monitoring, audit and control;
– compliance with international standards;
– cooperation during ANSSI controls.
In line with the NIS Directive, the European Council called at the end of
2017 for a common EU approach to cybersecurity. New proposals (European
Council 2017) have been made, such as the establishment of an EU
cybersecurity agency, giving ENISA (European Union Agency for Network
and Information Security) greater powers and establishing an EU-wide
cybersecurity certification system.