10 key private-sector cybersecurity standards
A previous article in this series discussed government efforts for cybersecurity. This article will give a rundown on some of the major standards development organizations (SDOs) in the area of cybersecurity, with appropriate links. It is impossible to include every organization, but these are the main ones.
American Water Works Association
In 2017 the AWWA published an updated version of its guide, Process Control System Security Guidance for the Water Sector, which includes an extensive list of cybersecurity best practices that are applicable to companies in any industry, not just water utilities.
Similarly, the American Gas Association has a library of material on cybersecurity available for download.
American National Standards Institute
The American National Standards Institute (ANSI) does not itself write standards. In the words of the NIST paper Cyber Security Standards, “it administers and coordinates the activities of the US private sector voluntary standardization system. ANSI sponsors cyber security-related working groups, such as a Homeland Security Standards Panel and a Healthcare Information Technology Standards Panel.” Standards developed by ANSI-accredited bodies and approved by ANSI therefore carry prefixes such as ANSI/IEC, ANSI/ISA and ANSI/UL.
ANSI has also published a book for CFOs entitled The Financial Management of Cyber Risk.
The FDA recently recognized ANSI/UL 2900-2-1 as a consensus standard for the cybersecurity of medical devices. It supplements ANSI/UL 2900-1, Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements. A third document, UL 2900-2-2, Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, is an outline of investigation (a preliminary UL document that precedes a full standard) rather than a standard.
Electric Power Research Institute
The Electric Power Research Institute’s (EPRI) Cyber Security Research Laboratory (CSRL) addresses the security of the critical functions of electric utilities. A good explanation of its activities can be found here.
Institute of Electrical and Electronics Engineers
The Institute of Electrical and Electronics Engineers (IEEE) publishes a number of standards on cybersecurity. They include IEEE 1686-2013 – IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities; IEEE 1815 (project designation P1815) – IEEE Standard for Electric Power Systems Communications – Distributed Network Protocol (DNP3), sponsored by PE/PSCC – Power System Communications and Cybersecurity; and IEEE 1888.3-2013 – IEEE Standard for Ubiquitous Green Community Control Network: Security.
International Society of Automation
One of the major activities of the International Society of Automation (ISA, formerly the Instrumentation, Systems, and Automation Society) is the development of standards for automation technologies. ISA’s ISA99 committee (originally the SP99 working group) develops security standards for industrial automation and control systems, such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS). An overview is available in the ISA Technical Report ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems.
ISA’s current cybersecurity standards are:
- ANSI/ISA-62443-1-1 (99.01.01)-2007 – Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models
- ANSI/ISA-62443-2-1 (99.02.01)-2009 – Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
- ANSI/ISA-TR62443-2-3-2015 – Security for Industrial Automation and Control Systems Part 2-3: Patch Management in the IACS Environment
- ANSI/ISA-62443-3-3 (99.03.03)-2013 – Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels
A brochure explaining ISA’s cybersecurity offerings is available here.
ISA also runs a series of four cybersecurity certificate programs, each consisting of classroom instruction and an examination, which together lead to designation as an ISA/IEC 62443 Cybersecurity Expert, as well as a range of other training courses.
ISO/IEC
ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) jointly publish the ISO/IEC 27000 series of standards on information security. There are currently about 45 standards in the series, of which ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements is the best known; it sets out requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), and for the assessment and treatment of information security risks.
Two documents deal directly with cybersecurity. ISO/IEC TR 27103:2018 Information technology – Security techniques – Cybersecurity and ISO and IEC Standards provides guidance on how to leverage existing standards in a cybersecurity framework. ISO/IEC 27032:2012 Information technology – Security techniques – Guidelines for cybersecurity provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular information security, network security, internet security, and critical information infrastructure protection (CIIP).
Four additional works are currently under development: ISO/PRF TR 22100-4 Safety of machinery – Relationship with ISO 12100 – Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects; ISO/IEC CD 27102 Information technology – Security techniques – Information security management guidelines for cyber insurance; ISO/SAE CD 21434 Road Vehicles – Cybersecurity engineering; and ISO/IEC AWI TS 27101 Information technology – Security techniques – Cybersecurity – Framework development guidelines.
Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is mostly concerned with the details of Internet protocols, which it publishes as RFCs; a great deal of that work, including its Security Area, concerns security, but the topic is too big to cover here.
International Telecommunication Union
The ICT Security Standards Roadmap, published by the International Telecommunication Union (ITU), helps users navigate the huge number of standards applicable to telecommunications, as well as the organizations promulgating them.
North American Electric Reliability Corporation
The North American Electric Reliability Corporation (NERC), designated by the Federal Energy Regulatory Commission (FERC) as the Electric Reliability Organization (ERO) for the United States, publishes mandatory standards designed to ensure the reliability of bulk power delivery across the United States and Canada. There are currently 11 Critical Infrastructure Protection (CIP) standards subject to enforcement; standards CIP-002-3(i) through CIP-009-3 provide a cybersecurity framework for the identification and protection of Critical Cyber Assets.
NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) provides security services to bulk power system owners and operators across North America, including cyber and physical security threat intelligence, tailored cybersecurity knowledge and physical security collaboration. It operates independently of NERC’s enforcement processes.
Organization for the Advancement of Structured Information Standards
The Organization for the Advancement of Structured Information Standards (OASIS) creates and publishes standards for structured information exchange, many of them XML-based; among them are several dealing with web services and identity security, such as WS-Security, SAML and XACML.
More government information
In addition to the material presented in the last article in this series, NIST has an excellent overview of security standards, a Cloud Computing Standards Roadmap, as well as a presentation on its voluntary Framework for Improving Critical Infrastructure Cybersecurity.
In addition to all the above, controls companies publish instructions on cyber security for their own equipment; ABB, for example, has an excellent cybersecurity deployment guideline for its REF615 feeder protection and control relay for utility and industrial power distribution systems, and similar guidelines for other products; Honeywell publishes an eBook on Industrial Cyber Security Risk Management Best Practices; Emerson Automation Solutions has an array of cybersecurity services for its DeltaV and other equipment, as well as an interesting short comment on how not to approach cybersecurity for a control system; Siemens has information on cybersecurity for grid systems, medical equipment and more; GE Digital offers an array of cybersecurity services; Schneider provides cybersecurity services to its own customers, and has published a number of white papers on the topic; and the list goes on.