Those in the security domain are barraged by rules and regulations directed at the business side of the enterprise, including security requirements for privacy, data breach protection and financial information governance. This regulatory environment is quite mature and is readily understood by the typical CISO. But what about security regulations for the industrial side of the business? What about protecting industrial control systems, IoT and industrial IoT?
Unfortunately, the answers are not as clear when compared to the compliance rules for banks or retail companies. There are some regulatory or industry drivers for ICS cybersecurity, but most of the guidelines for security of these devices are just that -- guidelines -- and do not mandate compliance or close adherence to the rules.
There are, however, international industry rules and guidelines in place that can help guide protection of these types of systems and devices.
The 12 standards included in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) target many North American electric utilities. The emphasis of the CIP standards is to protect the cyber-elements of those systems and components that could impact the reliability of the Bulk Electric System, such as the transmission grid. Therefore, the NERC CIP standards only apply to those electric utilities with control centers, generators and substations that exceed a certain size or voltage, as defined in the standards. Local distribution utilities are not required to comply with NERC CIP standards.
U.S. Nuclear Regulatory Commission
All commercial nuclear power plants in the United States are obliged to comply with the security requirements established by the U.S. Nuclear Regulatory Commission (NRC). The NRC continuously updates its regulations and has some rules designed specifically for ICS security. These requirements are mandatory, and noncompliance could result in financial penalties.
EU NIS Directive
The European Parliament passed the Security of Network and Information Systems Directive, aka the NIS Directive, in July 2016. The directive's intent is to drive a high level of network and information security across the European Union. The EU's technical guidance on these requirements is often drawn from the EU Agency for Cybersecurity (ENISA) and/or local government cybersecurity agencies. The NIS Directive includes sections outlining cybersecurity mandates in relation to national capabilities, collaboration between countries and critical sector supervision, including the following:
- EU member states must perform specific exercises to prepare for a malicious cyberattack.
- Cross-border cybersecurity collaboration between EU countries is mandated under the NIS Directive, as is having an operational EU computer security incident response team network.
- EU member states must supervise the cybersecurity of critical market operators in their country. For instance, the EU member country governments must direct and lead their nation's cybersecurity oversight of critical infrastructure sectors and digital service providers.
The NIS Directive is not specifically focused on ICS, IoT or industrial IoT (IIoT), but some of these systems could be covered by some of the EU member states' specific rules.
Germany's IT Security Act
In 2015, before the NIS Directive was in place, the German government rolled out the IT Security Act, which applies to critical infrastructure -- defined as "facilities and installations (or parts thereof) in sectors whose interruption could seriously affect public utility or safety." The relevant sectors include energy, IT, telecommunications, transportation, traffic, healthcare, water, food, finance and insurance.
ENISA has also reported that, in Germany, detailed regulations specific for each critical infrastructure sector are promulgated by working committees -- one committee for each sector -- composed of government regulatory personnel and representatives of critical infrastructure operators. Each committee defines minimal requirements for securing ICS supervisory control and data acquisition (SCADA) in each corresponding sector.
Ultimately, the German government plans to conduct biannual audits of critical infrastructure entities for compliance with German cybersecurity rules. Penalties for noncompliance are predicted to be up to 100,000 euros.
U.K. Centre for the Protection of National Infrastructure
The U.K. Centre for the Protection of National Infrastructure (CPNI) -- the U.K. government authority for protective security advice to the U.K. national infrastructure -- has published guidance on protecting ICSes. However, there are no regulations mandating specific cybersecurity practices. CPNI has published a guide called "10 Steps to Cyber Security," with the intention of providing general guidance for all organizations in the U.K. on ways to best protect against cyberattacks. However, the guidance is general in nature and not specific to ICS, IoT and IIoT.
France's Military Programming Law
The Military Programming Law (LPM) was adopted by the French government in 2013 and is enforced by the French National Cybersecurity Agency. LPM mandates that certain economic and public operators safeguard IT systems deemed to be of "vital importance." The law states that critical infrastructure and service providers in a broad array of industries must have ICS security in place for any service that has an impact on France's military operations, economy and national security.
The law also makes it mandatory for operators of vital importance to report incidents detected on these systems.
Qatar's National ICS Security Standard
After the Stuxnet attack on Iran in 2010, the Qatari government established mandatory cybersecurity rules for ICSes. The rules were published in Qatar's National ICS Security Standard. As noted in the standard: "This ICS security baseline standard document provides the minimum controls that need to be incorporated or addressed for any ICS system that has been determined to be critical to the State of Qatar." The document is intended to be used together with a suitable risk-based security management program.
Globally, many industrialized countries are recognizing the need to at least provide summary guidance on ICS, IoT and IIoT cybersecurity. As noted above, the U.K. has offered a guide but no mandated rules per se. Similarly, you can find ICS/SCADA security guidance in the Netherlands, Norway and Sweden. Canada has also published ICS/SCADA security guidance. But, overall, it appears that only the U.S. electric transmission and generation sectors, as well as some of the EU member states, such as Germany and France, are promulgating true ICS, IoT and IIoT cybersecurity regulations.