Digitalisation, including cybersecurity
Cybersecurity standards
Across the wider community, cybersecurity is often discussed with concern in relation to data security. When large organisations experience unauthorised access to their computer systems, it can make headline news, particularly when customers’ personal data is exposed.
Operations technology (OT) breaches do not characteristically carry the same consequences to the community as a distribution of personal information does; however, the integrity of the operation itself can be compromised to the detriment of process safety, as shown in the archetypal Stuxnet (2010) and Maroochy Shire Sewerage (2000) incidents. These are conceivably more dire than information breaches.
The responsibility for standards compliance, if required, often lies with technology vendors and systems integrators. Chemical engineers would not usually be directly involved with specifying security requirements for system implementation; however, they should know enough to gauge whether the level of security rigour being sought is consistent with the risk profile of the affected assets.
Industrial cybersecurity standards have been developed to address needs specific to industrial automation control systems, which typically have longer lifetimes and higher availability requirements. This does not mean that the more ubiquitous information technology (IT) cybersecurity standards and guidelines are irrelevant: OT systems often reside within a wider IT network, and OT hardware is not usually fundamentally different from IT hardware. The underlying principles of good engineering are applicable to both. Many useful and readily available publications come from government agencies in different jurisdictions. Their usefulness is not limited to computer systems residing in the directly affected geographical area.
Global references of interest are presented here. The reference content is subject to change and the reader is advised to check for the latest version with the publishing entity.
International Society of Automation/Industrial Electrotechnical Commission (ISA/IEC) 62443
ISA/IEC 62443, touted by ISA as “the world’s only consensus-based automation and control systems cybersecurity standards” and endorsed by the United Nations, is a series of standards written specifically to address the cybersecurity of operational technology and industrial automation control systems (IACS). Together, the parts of the series address the requirements of the asset owner/operator, the system integrator and the component manufacturer, which makes the series relatively accessible to the traditional project development processes between engineering contractors, asset operators and equipment vendors.
Security levels
The standards provide four security levels (SL) for IACS components to target. They are an indicator of the level of robustness against an attack. The lower levels range from no protection to cover for accidental misuse, and the highest levels provide resilience to a state-sponsored attack.
Functional requirements (FR) and system requirements (SR)
ISA/IEC 62443 enumerates functional requirements and system requirements. A functional requirement describes a high-level requirement, e.g. FR2 ‘use control (UC)’. Each FR drills down into system requirements, which are features or characteristics that relate to how the FR is implemented. For example, FR2 includes SR 2.6 ‘remote session termination’ and SR 2.8 ‘auditable events’. The strength of an SR is improved by also implementing a relevant Requirement Enhancement (RE), e.g. SR 2.8 RE 1 ‘centrally managed, system-wide audit trail’, which is considered an improvement over equipment solely managing its own history.
ISA/IEC 62443-3-3 maps functional requirements, system requirements and their requirement enhancements to each of the security level targets.
Other international standards
The ISO 27000 series has a wide scope. ISO/IEC 27001 provides the requirements for an ‘information security management system’ and ISO/IEC 27002 details security controls that can be considered. ISO/IEC 27034 is multipart and focusses on software security. There are many other standards in the ISO 27000 series.
Australia
The Australian Cyber Security Centre (ACSC) is part of the Australian Signals Directorate (ASD), an Australian Government agency. The ACSC publishes the Information Security Manual, a framework that details many facets of information technology largely in the context of handling national security information. It is augmented by the Strategies to Mitigate Cyber Security Incidents, and the Essential Eight – a baseline set of standard mitigations that are considered essential by ASD for all organisations.
ACSC publications are generally accessible to a wide audience and include both technical and general advice for members of the general public.
Additional information from Australia
- Australian Government's Industrial Control Systems Remote Access Protocol
- Australian Government's Cyber Security Principles
EU
The European Union Agency for Cybersecurity (ENISA) publishes information freely, each publication usually having a narrow focus. The European Telecommunications Standards Institute (ETSI) has a much broader scope than cybersecurity; however, it also publishes in the field.
CEN/CENELEC adopt the relevant ISO standards as European standards (EN) and develop new material to fill gaps in support of EU regulations. ETSI is a worldwide standards organisation and a European Standards Organization whose CYBER committee produces many standards relevant to operations technology.
Additional information from the EU
UK
The Cyber Assessment Framework (CAF) is published by the National Cyber Security Centre (NCSC) and describes objectives and principles of cybersecurity. The four objectives it identifies are:
- Objective A: Managing security risk
- Objective B: Protecting against cyber-attack
- Objective C: Detecting cyber security events
- Objective D: Minimising the impact of cyber security incidents
The four objectives are broken down into a total of fourteen principles.
The included ‘table view of principles and related guidance’ provides a comprehensive summary of the CAF principles and directly relevant guidelines as published by the NCSC, ISO/IEC, ENISA and other organisations.
The NCSC provides lists of ‘assured products’ that support the CAF principles.
Additional information from the UK
USA
The National Institute of Standards and Technology (NIST) publishes its Cybersecurity Framework and associated reports and guidance material. The Cybersecurity Framework is widely referenced and identifies the following functions: Identify, Protect, Detect, Respond, and Recover.
NIST has a specialist program for Internet-of-Things (IoT) devices, which are attracting increased attention in industrial systems. NIST publishes literature that is directly relevant to process industries, such as NIST IR 8406 Cybersecurity Framework Profile for Liquefied Natural Gas, as well as the Guide to Industrial Control Systems (ICS) Security (SP 800-82 Rev. 2).
The National Security Agency (NSA) are responsible for National Security Systems in the USA, and work with equipment vendors to minimise cybersecurity risk. Technical reports such as the Network Infrastructure Security Guide are comprehensive, and shorter publications such as NSA’s Top Ten Cybersecurity Mitigation Strategies have relevance in IT and OT environments.
Additional information from the USA