What is the state of cybersecurity in the industry, water and infrastructure sectors in the year 2021? According to Michael Theuerzeit, Lead Consultant at Hudson Cybertec, and Marcel Jutte, Managing Director at Hudson Cybertec, there is more attention than ever for cybersecurity. As a result, an increasing number of organizations certify (parts of) their OT/PA domain against the international IEC 62443 standards. On the other hand, it has never been easier for the average hacker to obtain effective tools to attack the OT/PA domain.
What do the infrastructure, industry and water sectors have in common when it comes to cybersecurity? All three sectors have to deal with both an IT/OA domain and an OT/PA domain. The OT/PA domain was originally never conceived to be connected to the Internet, whereas with today’s digitalization such connectivity is increasingly expected to be a requirement.
One of the most striking developments in the field of cybersecurity is the increased attention for certification. Besides the fact that more and more companies recognize the importance of the international IEC 62443 standard, there is increasing attention to cybersecurity nationally. “For example, we see that in the Netherlands the Cybersecurity Implementation Directive (CSIR) gains wider adoption”, says Jutte.
The CSIR for Rijkswaterstaat has recently been updated and there is increasing interest in using it for other applications, for example within the Management Agreement for Water (BAW): parties such as Rijkswaterstaat, the water boards, the Association of Provincial Authorities, the Association of Netherlands Municipalities and the drinking water companies are represented in the BAW. Theuerzeit: “The aim of generalising the CSIR is to make it suitable for other parties besides Rijkswaterstaat. Just as IEC 62443 is now widely accepted, it would be good if the CSIR could also count on wider acceptance. We are currently focusing mainly on the water boards, but other BAW partners could join us in the short term.” For the process industry, the CSIR becomes relevant the moment companies outsource the processing of wastewater to a party covered by the CSIR.
The whole picture
The CSIR is not simply a national implementation of the IEC 62443 standard. Theuerzeit: “They are two different things. The IEC 62443 describes that you must arrange certain things regarding cybersecurity. It says what you should do, but not exactly how you should do it. The CSIR speaks of measure sets: it describes in detail how you must implement measures. In addition to technical and process requirements, concrete measures are prescribed for several risk areas. The CSIR also contains guidelines with industry best practices, and thus the CSIR gives a concrete interpretation of cyber security measures.”
There are more trends to observe than just the above-mentioned developments regarding standards. The media regularly reports on successful hacks, new forms of cybercrime and observations on the degree of cybersecurity in certain sectors. “Recently the media reported that many Dutch municipalities are not prepared for cyber-attacks,” says Theuerzeit. “When you read reports like that, you might think that things are bad when it comes to cybercrime, but the reality is a bit more nuanced.” Theuerzeit notes an increase in awareness regarding cybercrime. “Even in the boardroom, cybersecurity is now significantly more often on the agenda than a few years ago. And that is due in part to those reports in the media. The CEOs of large companies also read those reports and then want to know how resilient their organization is.”
It is becoming increasingly difficult to keep attackers out, so it becomes more important to take the measures needed to detect when an attacker has successfully penetrated your defences, in order to minimize the potential consequences. Monitoring is extremely important in this respect. “You then have to do that in a way that suits your situation,” clarifies Theuerzeit. “Monitoring in an OT/PA environment requires very different tools than monitoring an IT/OA environment. For example, our monitoring solution, called ‘OT Insight’, is built precisely for the OT environment, taking into account all the risks that are inherent to such an environment.”
This is a summary; read the whole article here.
Source: Process Control, July 2021