The cyber-attack on the Colonial Pipeline on May 7, 2021, was to regulators what Stuxnet—the world’s first “cyber weapon,” developed to disable Iran’s nuclear program—was to cybersecurity professionals. Both were tipping points that raised awareness that operational technology (OT) networks are subject to the same vulnerabilities as any other connected system. As a result, several new requirements have been published in the U.S. and EU to protect supply chains and critical infrastructure.
Critical infrastructure includes energy, electricity, pipelines and rail. The supply chain supporting the critical infrastructure of practically every industry, and the automation that controls it, will soon need to comply with these new requirements. But what are some of those requirements, and where is help available?
The EU passed its cybersecurity act in September 2022, making ENISA—the European Union Agency for Cybersecurity—responsible for developing cybersecurity certification requirements for various classes of devices. Microcontrollers are deemed “Class I” devices, which means control systems are subject to these constraints, including a requirement to provide security update support for a minimum of five years after sale. The associated requirement to apply these updates at an operating facility also affects maintenance practices.
Closer to home, the U.S. Department of Homeland Security (DHS), the Securities and Exchange Commission (SEC) and the U.S. National Security Strategy (NSS) all identify cybersecurity requirements that any organization operating in the country needs to consider.
DHS mandated that all installations must segment their IT and OT networks in line with the Cybersecurity Assessment Program and Implementation Plans, which are used to verify conformance with this requirement. DHS also requires government suppliers to maintain at least a supply chain bill of materials (BoM). Because so many organizations supply the government at some point, this BoM requirement has quickly propagated to every software development company.
Similarly, the SEC requires cybersecurity incidents to be disclosed via a portal on its website within four days of the incident. This requirement extends to supply chain and third-party service providers. The SEC also requires a qualified individual at board-of-directors level to provide cybersecurity oversight for the organization.
In addition, the NCC passed a rule in October 2022 that requires the U.S. federal government to implement a zero-trust security framework within 10 years and accelerate migration to cloud services, while implementing an IoT security labeling program. The labeling program is based on the Singapore-originated, four-tier “Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software” program. It became a requirement under Executive Order 14028 of 2021, which directed the National Institute of Standards and Technology (NIST) to initiate a labeling program. In early 2022 the Federal Trade Commission (FTC) also became involved.
The labeling scheme is voluntary in the EU. However, because it is IoT-focused, the requirement will likely soon work its way down to the automation sector.
Fortunately, in addition to creating the new regulations, governments and regulators are also developing associated guidance on how to meet these new requirements. In many cases, NIST will update or build on the widely used SP 800 series of documents.
All these industry standards rely heavily on IEC 62443 (ISA-99) for OT cybersecurity and ISO 27001 for IT/enterprise security. Both are actively updated and expanded with new parts that add guidance on evaluations, reviews and implementation.
There is an ongoing debate about the need to incorporate cybersecurity in field devices, and several fieldbus consortia are developing cybersecurity capabilities. With Ethernet Advanced Physical Layer (Ethernet-APL) making packet communications possible down to the field device level, the work of these consortia becomes more important. Because of the backwards-compatibility principle, the fieldbuses deliver cybersecurity through firmware updates. Existing installed devices should be able to install the new firmware, except those where the protocol is implemented in a universal asynchronous receiver-transmitter (UART).
All these factors point to the fact that cybersecurity is now another important consideration for every project, and arguably for every change made to an intelligent, networked device in an OT environment.