Institute of Measurement and Control. Functional Safety 2016
IT is focused on, in order of priority, Confidentiality-Integrity-Availability, whereas OT needs a different priority order, namely Availability-Integrity-Confidentiality.
For example, while it may be acceptable to routinely patch IT-related operating systems as soon as
patches are available, for OT there will need to be a degree of assurance that the patch will not
adversely affect the operation and safety of the process. Applying OS patches must be done in
conjunction with vendor recommendations after the patches have been tested for compatibility.
Typically, the higher up the automation hierarchy, the greater the dependence on IT technologies, so a
cross-over of expertise becomes necessary. OT needs to become more expert in the world of IT, and
the IT department, where the expertise on cyber security has traditionally resided, needs to
understand and be more involved in meeting the more availability-focussed, real-time requirements
of OT.
The emphasis on availability for OT makes for additional cyber security challenges. Implementing
operating system upgrades or IACS software upgrades requires investment and careful planning.
Which guidelines to follow?
Siemens focuses on the following guidelines as being most applicable:
· NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection). NERC Standards CIP-002-3 through CIP-009-3 provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system.
· WIB M-2784. WIB Report: M 2784 - X-10, version 2.0. This document specifies requirements and gives recommendations for IT security to be fulfilled by vendors of process control and automation systems to be used in process control domains (“PCDs”).
· IEC 62443 (under development). Internationally supported, it involves the component supplier, asset owner, and systems integrator in the solution and supports a defence-in-depth approach. It gives a holistic perspective of industrial security.
Of these Siemens views IEC 62443 as a leading standard because it is international in scope, vendor
neutral, and incorporates important elements from other relevant standards including WIB M-2784
and NERC-CIP. It supports a defence-in-depth approach and promotes involvement of all
stakeholders including the asset owner, system integrator, and component supplier.
IEC 62443 is holistic in nature and covers the following aspects.
Figure 2