Security Framework Annex A: Industrial Security Standards
Annex A INDUSTRIAL SECURITY STANDARDS
Numerous guidelines, standards and regulations relate to the protection of Industrial Internet of Things (IIoT) systems. This annex discusses the role of standards and compliance and introduces those that relate most closely to IIoT systems.
Such requirements may stem from the need to control access to financial systems (for example, Sarbanes-Oxley legislation), to protect credit card information (the PCI DSS standard), or to protect critical infrastructure (for example, NERC CIP, the ANSSI critical infrastructure standards or FDA 510(k) premarket submissions).1 Equally, from the OT side, a number of OT regulations and standards may apply to IIoT systems, such as: cybersecurity under ISA 99 and IEEE PC37.240, Safety Integrity Level (SIL) requirements, Critical Infrastructure Protection (CIP), Critical Infrastructure Security (CIS), Current Good Manufacturing Practices (CGMP), emissions control under the Environmental Protection Agency (EPA) and Marine Pollution (MARPOL) rules, facilities standards under the Energy Performance of Buildings Directive (EPBD), and motor efficiency under Minimum Energy Performance Standards (MEPS).2
A.1 ROLE OF STANDARDS AND COMPLIANCE IN SECURITY
Security standards guide and enforce a common level of security capability across an industry. Compliance with a standard requires taking the steps needed to achieve the prescribed alignment, which in theory avoids financial or other penalties for deviating from the standard’s requirements. Standards rarely govern implementations, so a solution may be compliant with a standard while its resulting security posture is still far from optimal. Design tradeoffs may also be necessary between the level of compliance and cost, ease of operation and maintainability.
The objective of securing IIoT systems is to address their availability, integrity and confidentiality requirements. The realization of an adequately secure environment should be guided by a series of informed decisions intended to ensure that the identified threats, vulnerabilities and countermeasures are commensurate with an acceptable level of risk. Compliance with security standards is intended to guide an organization toward security best practices, but it does not imply that the organization’s products will be free of vulnerabilities or impervious to exploitation.
Ideally, security implementations should also be updated periodically to adapt to newly discovered threats, which may in turn trigger the need to reassess standards compliance. Unfortunately, making such security updates may be infeasible or too costly. The operational functions and safety
1 See [SarOxl], [PCI-DSS], [NERC-CIP], [ANSSI-CMKM] and [FDA-510K].
2 See [ISA-99], [IEEE-C37-240], SIL at [IEC-61508], [NERC-CIP], [DHS-CIS], [FDA-CGMP], [EPA-SRG], [IMO-MARPOL], [EU-CA-EPBD] and [IEA-MEPS].
IIC:PUB:G4:V1.0:PB:20160926 - 125 -