Source: IEC Blog (https://blog.iec.ch/)
The consequences of an attack on cyber physical systems (CPS) could be devastating for human lives and the environment. Examples of CPS include the smart grid, autonomous automobile systems, medical monitoring and industrial control systems.
The research firm Gartner predicts that within the next three years the financial impact of CPS attacks resulting in fatal casualties will exceed $50 billion. As well as reputation loss, this figure includes legal costs, compensation and regulatory fines.
It is also likely that regulators and governments will clamp down as the number of incidents grows due to insufficient investment in security. Gartner says that business leaders will be held personally liable if they fail to take adequate measures to secure CPS.
In some countries and regions, CEOs already face potentially severe penalties for failure to protect personal data. In the US, for example, corporate officers who fail to comply with the Gramm-Leach-Bliley Act (GLBA) could pay hefty fines or spend up to five years in jail.
Unfortunately, corporations do not always seem to understand the cyber security challenges of the operational technology used in CPS. A key issue is that security is too often understood only in terms of IT (information technology).
Those responsible for security often overlook the operational constraints in sectors such as energy, manufacturing, healthcare or transport.
The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT). From a cyber security perspective, the challenge is that, unlike business systems, industrial automation and control systems (IACS) are actually designed to facilitate ease of access from different networks.
That is because industrial environments have to cope with different kinds of risk. Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance.
Priorities for OT environments focus on health and safety and protecting the environment. In an emergency, operators must be able to protect personnel and minimize the impact of natural disasters. It is therefore vital that they receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.
International standards provide solutions to many of these challenges based on global best practices. For example, IEC 62443 is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities such as power utilities or nuclear plants, as well as in the health and transport sectors.
The industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.