Industrial control systems have been essential components of critical infrastructure for decades. Securing these systems is essential to protect the integrity and availability of the equipment under control and of the associated information. The control systems requiring protection are very similar: they are applied in virtually all industrial sectors using similar or common configurations, and the products and technologies used to assemble and configure them are available from a number of suppliers. The primary functional requirements for these systems are also largely the same, although the relative weight placed on specific requirements may vary by application.
Those conducting a critical analysis of the security-related requirements often come to very similar conclusions, regardless of industry, sector or process type. For example, the ISA-62443/IEC 62443 series of standards begins with a short list of foundational requirements that address the areas of people, process and technology. These requirements are:
FR 1 – Identification and Authentication Control (IAC)
FR 2 – Use Control (UC)
FR 3 – System Integrity (SI)
FR 4 – Data Confidentiality (DC)
FR 5 – Restricted Data Flow (RDF)
FR 6 – Timely Response to Events (TRE)
FR 7 – Resource Availability (RA)
Each of the more detailed requirements in the 62443 standards derives, directly or indirectly, from one or more items on this list. In addressing these requirements, the security community has defined several fundamental concepts, including network segmentation, security levels based on risk assessment, and the linkage between security and process safety.
Based on the above, it is tempting to conclude that the cybersecurity response should be the same regardless of industry or sector. This is true to some degree, but as the old adage says, “The devil is in the details.”
Many of these details reflect the characteristics and constraints of the processes under control. For example, large continuous processes commonly place a high priority on availability, while processes that change often may require rapid reconfiguration. Business requirements, constraints and even regulations also influence the nature of the response. In regulated industries, data confidentiality and integrity may be the determining factors.
Before comprehensive, industry-wide standards such as ISA-62443/IEC 62443 were widely available, several industry sectors developed more focused cybersecurity standards and practices for their respective industries and applications. For example, the electrical sub-sector has the NERC CIP standards, the petroleum industry has API-1164, and the chemical sector has specific cybersecurity-related provisions in the Responsible Care® security code. In addition, there is valuable guidance available in the form of NIST Special Publications 800-53 and 800-82.
Although many if not most of the basic concepts and essential requirements are similar across all these sources, each has a specific focus and purpose, tailored to the target sector.
It is tempting to view the situation as presenting a choice between sector-specific and general standards, but the answer is a bit more involved. In each application, the appropriate response is to establish the proper foundation based on common international standards, while addressing the more detailed requirements defined in sector-specific standards, guidance and practices. Fortunately, the expertise required to conduct this analysis and develop the appropriate response is widely available as more companies develop cybersecurity service offerings.