The Blackberry 2022 Threat Report highlights the growing vulnerability of critical infrastructure to cyber-attacks. The power grid, manufacturing plants, transport, and the healthcare sector all use cyber-physical systems, where information technology and operational technology work together.
“Every organization, in every vertical industry sector, runs the risk of breach, ransomware deployment, and extortion,” says the report. “However, few carry the same real-world risk from cyberattacks as those in the critical infrastructure sector.”
Unfortunately, many critical infrastructure systems are not equipped to deal with cyber threats. A key issue, as explained in a special IEC Technology Report, is that cyber security is commonly understood only in terms of IT.
Those responsible for security often overlook the inherent operational constraints in critical infrastructure.
Operational technology (OT) systems, known as industrial control and automation systems (ICAS), run in a loop to check continually that everything is functioning correctly. Supervisory control and data acquisition (SCADA) systems use remote terminals to control the switches that regulate production.
Cyber-attacks on IT and OT systems often have different consequences. The effects of cyber-attacks on IT are generally economic, while cyber-attacks on critical infrastructure can impact the environment, damage equipment, or even threaten public health and lives.
IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called C-I-A triad. Confidentiality is of paramount importance and information security management systems, such as the one described in ISO/IEC 27001, are designed to protect sensitive data, such as personally identifiable information (PII), intellectual property, or credit card numbers, for example.
In cyber-physical systems, the emphasis is on protecting safety, integrity, availability and confidentiality (S-I-A-C). Availability and integrity both take precedence over confidentiality.
Availability is of utmost importance because these systems must stay up and running, avoiding interruptions or unexpected downtime. Cyber-physical systems are designed to facilitate ease of access from different networks and devices.
Integrity is about ensuring the consistency of systems, networks and data. It is crucial that the data that reaches the control room accurately reflects what is happening to ensure safety and maintain operations.
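The two priorities just described, integrity of the data that reaches the control room and availability of the receiving system, can be shown together in a small piece of code. The following is an added example and is not code from the IEC report or from any SCADA product: a field device attaches an HMAC-SHA256 tag and a sequence number to each reading, and the control-room receiver discards any reading whose tag does not verify or whose sequence number is stale, logs the rejection for the operator, and keeps running. The message format, device name `pump-07`, the shared key and the sample readings are all constructed for illustration.

```python
"""Added example (not from the IEC article): integrity checking for telemetry
travelling from a field device to a control room.  The message format, the
device name, the key and the sample readings are constructed for illustration;
they do not represent any real SCADA protocol or vendor API."""
import hashlib
import hmac
import json

# Constructed shared key for the example; a real deployment provisions a
# per-device key through a key-management process, never a hard-coded literal.
SHARED_KEY = b"example-telemetry-key-not-for-production"


def sign_reading(device_id, seq, value, key=SHARED_KEY):
    """Field-device side: build a reading and attach an HMAC-SHA256 tag that
    covers the device id, the sequence number and the measured value."""
    payload = {"device": device_id, "seq": seq, "value": value}
    # Canonical JSON so both sides serialise the same bytes before hashing.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {**payload, "tag": tag}


class ControlRoomReceiver:
    """Control-room side.  Verifies every message and remembers the highest
    sequence number seen per device, so a replayed or stale reading is
    rejected even though its tag is genuine.  Rejections are recorded for the
    operator log but never stop the receiver: availability is preserved while
    integrity is enforced."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}    # device id -> highest accepted sequence number
        self.accepted = []    # readings that passed every check
        self.rejected = []    # (message, reason) pairs for the operator log

    def receive(self, msg):
        """Return 'accepted', or a short reason string if the reading is dropped."""
        expected = sign_reading(msg["device"], msg["seq"], msg["value"], self.key)["tag"]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            reason = "bad tag: value or header modified in transit"
        elif msg["seq"] <= self.last_seq.get(msg["device"], -1):
            reason = "replayed or stale sequence number"
        else:
            self.last_seq[msg["device"]] = msg["seq"]
            self.accepted.append(msg)
            return "accepted"
        self.rejected.append((msg, reason))
        return reason


def demo():
    """Constructed scenario: two genuine readings from pump-07, a copy of the
    second reading with its value altered after signing, and a replay of the
    first reading.  Returns the receiver's verdict for each, in order."""
    rx = ControlRoomReceiver()
    good1 = sign_reading("pump-07", 1, 41.8)
    good2 = sign_reading("pump-07", 2, 42.1)
    tampered = dict(good2, value=99.9)   # value changed in transit, tag now wrong
    replay = dict(good1)                 # old but genuine message sent again
    return [rx.receive(m) for m in (good1, good2, tampered, replay)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks matters: the tag is verified first so that a forged message cannot disturb the per-device sequence state, and the sequence check runs only on authenticated readings. The receiver returns a reason string rather than raising, which is the availability requirement from the previous paragraph expressed in code: a bad reading is evidence for the operator, not grounds for taking the control-room process down.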
When implementing a cybersecurity strategy, it is essential to take the different priorities of cyber-physical and IT systems into account. IEC provides relevant and specific guidance through two of the world’s best-known cyber security standards: IEC 62443 for cyber-physical systems and, jointly with ISO, ISO/IEC 27001 for IT systems.
Conformity assessment provides further security by ensuring that the standards are implemented correctly: IECEE certification for IEC 62443 and IECQ for ISO/IEC 27001.