The increasing connectivity of industrial systems has made them vulnerable to cyber attacks that could have devastating consequences. Industrial control systems (ICS) and Operational Technology (OT) networks control everything from power plants to water treatment facilities, and a cyber attack on these systems could cause physical damage and disrupt essential services. To protect these systems, it is essential to have regulations and industry standards in place that set the minimum security requirements and best practices that organizations should follow. However, as the threat landscape evolves, it’s important to ensure that these regulations and standards are keeping pace.
Regulations and standards for industrial systems security are currently dispersed across different regions and industries, and their effectiveness varies. While many countries have begun to enact regulations to address industrial systems security, many of these regulations are still in the development phase, or lack enforcement mechanisms. On the other hand, industry standards are voluntary and organizations are not obligated to follow them, but it’s a good practice to do so.
As the threat landscape for industrial systems continues to evolve, it’s important to reassess the regulations and standards in place to ensure that they are still adequate. New types of attacks and new vulnerabilities are constantly being discovered, and regulations and standards must be updated to address these new threats. For example, the increasing use of IoT and IIoT devices in industrial environments has expanded the attack surface, and older regulations may not take this into account.
In this article, we will examine the current regulations and industry standards that govern the security of industrial systems, and assess how well they are equipped to handle the evolving threat landscape. We will explore the regulations and standards in different regions and industries, and highlight their strengths and weaknesses. Additionally, we will examine the challenges that organizations face in complying with these regulations and standards, and the impact that non-compliance can have. Ultimately, we aim to provide a comprehensive overview of the state of industrial systems security regulations and standards, and identify areas where they need to be improved to better protect organizations against cyber attacks.
Current regulations and industry standards
In the United States, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are mandatory for organizations that operate in the United States electrical grid. These standards address various aspects of industrial systems security, such as physical security, incident reporting, and risk management, and require regular testing and audits to ensure compliance. One strength of these standards is that they are industry-specific and tailored to the unique requirements of the electricity sector, addressing the specific risks and regulatory requirements. However, some organizations have criticized them for being too prescriptive, and not giving enough flexibility to adapt to their specific needs.
In Europe, there are several regulations and industry standards that govern the security of industrial systems. One example is the IEC 62443 standard, the ISO 27001 equivalent for securing ICS/OT environments. These standards are set by the International Electrotechnical Commission and provide a comprehensive framework for securing industrial control systems. They cover topics such as network design, incident management, and security assessment. One of the strengths of these standards is that they provide a holistic view of industrial systems security and can be applied to any industry. However, they are not mandatory and may be challenging to enforce.
Another example is the new Cyber Resilience Act that was proposed by the European Commission in September 2022. The Act aims to ensure the protection of internet-connected electronic products, like IoT and IIoT, from unauthorized access throughout their entire lifecycle. It establishes harmonized rules for new products or software and a framework of cybersecurity requirements that cover the planning, design, development, and maintenance of products along the whole value chain. Additionally, it places an obligation on manufacturers to provide a duty of care throughout the entire lifecycle of the products they produce. The Act aims to ensure the safety of these devices, address the unique risks they pose, and improve the overall cyber resilience of the EU. This Act is a significant step towards improving the cybersecurity of IoT and IIoT devices and ensuring their safety throughout the entire product lifecycle.
In the Middle East, the Saudi Cyber Security Authority has released the Cybersecurity Guidelines for Industrial Control Systems, which provide comprehensive security guidelines for the protection of industrial control systems and operational technology networks. These guidelines give a detailed overview of the security controls that organizations in Saudi Arabia should implement to protect their industrial systems, but they are only mandatory for organizations in Saudi Arabia and might not be seen as a recognized standard by other countries.
In Asia, there are several regulations and standards regarding industrial systems security in different countries. For example, in Japan, the JIS Q 27005 standard (an equivalent of ISO 27005) provides guidance for information security management systems for industrial systems, and in China, the GB/T 33009-2016 standard specifies the security requirements and evaluation methods for industrial control systems. Like the Saudi guidelines, these standards provide a good starting point for securing industrial systems in their respective countries, but they may not be well known or adopted by other countries.
Regulations and industry standards governing the security of industrial systems vary between regions and industries. They provide detailed guidance and best practices, but can have limitations such as lack of enforceability and non-recognition across countries and industries. Additionally, as the technology and threat landscape continues to evolve, it’s important for these regulations and standards to be updated regularly to ensure that they are still adequate and relevant.
Why do organizations struggle to become compliant?
Complying with regulations and standards for industrial systems security can pose several challenges for organizations. One of the main challenges is the cost of compliance. Implementing the security controls and protocols required by these regulations and standards can be expensive, particularly for small and medium-sized organizations. For example, performing regular security assessments and audits can be costly, as can training employees on the new security protocols. Additionally, organizations may need to invest in new technology or equipment to meet the requirements of these regulations and standards, which can also be costly.
The lack of understanding of the regulations and standards is another struggle. In some cases, organizations may not have the in-house expertise to fully understand the requirements of these regulations and standards, making it difficult for them to comply. Additionally, the regulations and standards themselves can be complex and difficult to navigate, which can further complicate the compliance process.
Finally, these regulations and standards are not static; they are continuously evolving, which makes it hard for organizations to keep pace with updates and changes. Doing so requires constant monitoring and adaptation, which can be costly and time consuming.
What is the impact of non-compliance?
Non-compliance with regulations and standards for industrial systems security can have serious consequences for organizations. In some cases, non-compliance can lead to legal penalties and fines, which can be costly. Additionally, organizations that fail to comply with these regulations and standards may be at a higher risk of cyber attacks, which can cause significant damage to their operations and reputation.
Organizations may lose intellectual property, sensitive data or even face shutdown or disruption of operations. Furthermore, non-compliance may also affect business continuity and ultimately damage the organization’s relationship with customers and partners, and their trust.
How can the efficiency of these compliance frameworks be improved?
Despite the presence of these regulations and standards, industrial systems are still vulnerable to cyber attacks and organizations face challenges to comply with these regulations and standards.
One area where these regulations and standards need to be improved is their level of enforceability. Many of the regulations and standards in place are not mandatory, which gives organizations no incentive to comply with them. This can also make it challenging for regulatory bodies to promote these standards. Making these regulations and standards mandatory could help to ensure that organizations take the necessary steps to protect their industrial systems, because non-compliance would then be formally flagged and result in penalties and fines.
Another area where these regulations and standards need to be improved is in their level of flexibility. Some organizations have criticized these regulations and standards for being too prescriptive and not giving enough flexibility to adapt to their specific needs. This can make it difficult for organizations to comply with these regulations and standards and to implement effective security measures that are tailored to their specific requirements. As technology advances and the threat landscape changes, these regulations and standards need to be updated to ensure that they are still adequate and relevant. This requires constant monitoring, adaptation, and review which can be costly and time-consuming.
Lastly, cross-border and cross-industry recognition and compatibility are crucial, as organizations are not limited to one country, region or industry. Many of these regulations and standards are limited to one area and might not be recognized by, or compatible with, other regions or industries. This can lead to a lack of communication and understanding between different jurisdictions and sectors, as well as an inability to share information and best practices.
In conclusion, while industrial systems security regulations and standards provide guidance and best practices for protecting organizations against cyber attacks, there are areas where they need to be improved. Enforcing these regulations and standards, providing more flexibility, keeping up with the evolving technology and threat landscape, and fostering cross-border and cross-industry recognition and compatibility would help to ensure that industrial systems are better protected against cyber attacks.
Conclusion
Industrial systems play a vital role in many industries and are becoming increasingly connected to the internet, making them vulnerable to cyber attacks. There are several regulations and industry standards in place to ensure the security of these systems, such as the NERC CIP standards in the US and IEC 62443 in Europe. However, organizations face several challenges in complying with these regulations and standards. The cost of compliance, lack of understanding of the regulations and standards, and the ever-evolving technology and threat landscape are among the major challenges organizations face. Furthermore, the cross-border and cross-industry recognition and compatibility could be improved.
Enforcing these regulations and standards, providing more flexibility, and keeping up with the evolving technology and threat landscape are essential to ensuring the security of industrial systems. Additionally, creating harmonized regulations and standards that can be recognized and adopted across different regions and industries would help organizations better protect themselves against cyber attacks.
The newly proposed Cyber Resilience Act in Europe, which specifically targets IoT and IIoT, is a step in the right direction to address the unique risks and challenges that these devices pose and to improve overall cyber resilience. By requiring manufacturers to protect their internet-connected electronic products from unauthorized access at all stages of their life cycle, and by providing a framework of cybersecurity requirements covering the entire value chain together with an obligation to provide a duty of care, this Act aims to make these devices safer.
While regulations and standards are in place to ensure the security of industrial systems, they need to be improved in a way that takes into account the challenges organizations face and the ever-evolving technology and threat landscape. This will help ensure that industrial systems are better protected against cyber attacks, which is essential for maintaining business continuity and competitiveness.