It is easy to think only of protecting your electronic
frontiers – stopping hackers on the outside. There are
many aspects to improving security. Where to start?
1. KNOW WHICH
Every industry sector has its own specific security threats
and, most often, is subject to mandatory requirements under
governmental or other regulatory oversight. Regulatory bodies
create industry guidelines and standards.
As an example, the United States electrical utility sector is
regulated by the Federal Energy Regulatory Commission
(FERC) and the North American Electric Reliability Corporation
(NERC). NERC has created specific regulations designed to
protect against attacks that might compromise the bulk electric
system. NERC also publishes important guidelines and suggested
implementation notes that are a valuable resource.
Cyber Security is a large and well-studied area of security
practice, which has produced many standards and even more
recommendations. Often the sheer volume of material adds
confusion to an already complex subject.
Industrial Control Systems (ICS) are often part of critical
infrastructure systems such as Utilities. Most governments
have regulations around Critical Infrastructure Protection
(CIP) which will include Cyber Security. Globally, two closely
related groups of standards have a key bearing on CIP and the
industries that are part of this:
● The ISO/IEC 27000 series is a process framework for
operational security management. It is comprehensive in
scope and includes sector-specific guidelines; for example,
ISO/IEC 27032 provides guidelines for Cyber Security.
Standards and guidelines derived from ISO/IEC 27000 are
commonly used in Europe.
● The NIST SP 800 series is also comprehensive, and widely
used as the basis for other industry-specific recommendations.
For example, NERC drew on NIST SP 800 for its CIP
version 5 standards for the North American bulk electric
system.
Within the US, eight regional entities have delegated authority
from NERC (an example is WECC, the regional entity for the
Western Interconnection). Regional entities coordinate and
support interconnection members; most have active Cyber
Security programs and can provide additional advice. In
particular, the regional entities conduct Inherent Risk
Assessment reviews, and their input should be sought. On the
websites of these authorities you will also find informative
industry discussions and forums.
2. ASSESS THE RISK
Risk assessment is an iterative, ongoing process which starts
with your known areas of concern. Simplicity is important: if
the process is too complex, you are less able to revisit it, and
revisiting it regularly is vital to stay on top of evolving threats.
Cyber Security design begins with a comprehensive
risk assessment to understand the nature, likelihood and
implication of threats, and to ensure the network is designed