The cyber security of critical infrastructure is an international concern. Several initiatives have been taken to assess the risks faced by current facilities, and proposals have been made on how to avoid them.
Sixteen critical infrastructure sectors are defined, whose assets, whether physical or virtual, are considered vital to the country, because their incapacitation or destruction would have a debilitating impact on the country’s economy, health or safety.
- Commercial facilities
- Critical Manufacturing
- Industrial Defense Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Public Health
- Information Technology
- Nuclear reactors, materials and debris
- Transport Systems
- Water and sewage systems
Since then, various government agencies and private entities have taken initiatives to regulate the protection of critical infrastructure in their areas. Protecting critical infrastructure was initially aimed at protecting physical assets against acts of sabotage or terrorism of domestic or foreign origin.
The threat of cyber attacks on critical infrastructure has since become a government-level concern. On February 12, 2013, the US Government issued “Executive Order 11363 – Improving Critical Infrastructure Cybersecurity”. This order instructed the US Department of Commerce’s National Institute of Standards and Technology (NIST) to issue a cybersecurity regulation for the country’s critical infrastructure, the Cybersecurity Framework (CSF), which has the following objectives:
- Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help critical infrastructure owners and operators identify, assess, and manage cyber risks.
- Identify cross-sector security standards and guidelines applicable to critical infrastructure.
- Identify areas for improvement that should be addressed through future collaboration with specific sectors and standards development organizations.
- Provide technology-neutral guidance and enable critical infrastructure industries to benefit from a competitive market for products and services that meet cyber risk standards, methodologies, procedures and processes designed to address cyber threats.
- Include guidelines for measuring an entity’s performance in implementing the Cybersecurity Framework.
- Include methodologies to identify and mitigate the impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.
- Engage in an open public review and comment process.
- Consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies, including OMB, critical infrastructure owners and operators, and other stakeholders through the advisory process set out in section 6 of this order.
- Provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework.
- Provide performance targets for the Cybersecurity Framework.
In 2014 NIST issued version 1.0 of the Cybersecurity Framework, which has become a de facto worldwide standard and has given rise to regional documents based on it.
The main standards followed by CelPlan are:
- International Organization for Standardization (ISO) 15408 – a standard that develops what is called the “Common Criteria” that allows various software and hardware products to be integrated and tested securely.
- IETF-RFC 2196 – Memorandum published by the Internet Engineering Task Force for the development of day-to-day security policies and procedures for Internet-connected information systems.
- American National Standards Institute (ANSI) / International Society of Automation (ISA) 62443 – A series of standards, technical reports, and related information that defines procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end users (i.e., asset owners), system integrators, security professionals, and control system manufacturers responsible for manufacturing, implementing, or managing IACS.
CelPlan uses the following cybersecurity assessment tools:
- Cyber Security Evaluation Tool (CSET) – Developed by the Department of Homeland Security (DHS) and the National Cybersecurity and Communications Integration Center (NCCIC), it provides a systematic, disciplined, and repeatable approach to assessing an organization’s security posture. It is a software tool that guides asset owners and operators through a step-by-step process for evaluating their industrial control system (ICS) and information technology (IT) network security practices. Users can assess their own cyber security posture against many recognized government and industry standards. The developed the CSET application.
This assessment process can be used effectively by organizations in all industries to evaluate ICS (OT) or IT networks. The process follows the steps illustrated in the figure below.
To get the most out of a CSET assessment, it is recommended to select a cross-functional team drawn from many areas of the organization. To prepare properly for a CSET self-assessment, this team should review policies and procedures, network topology diagrams, inventory lists of critical assets and components, past risk assessments, IT and ICS policies, network practices, and organizational functions and responsibilities. The team must also understand its operational data flow.
- Security Tools for Industrial Control Systems (ICS) – tools to detect:
  - External cyber attacks
  - Internal threats
  - Human error and neglect

  To do this, the tools must:
  - Map OT assets
  - Recognize assets: manufacturers, models, software versions, and other information
  - Search databases for asset security deficiencies
  - Map information exchanges between assets and validate them
  - Periodically evaluate changes in configurations and interconnections and raise an alarm when they occur
CelPlan works with the tools of Indegy and Claroty.
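
The baseline-and-compare loop these requirements describe, as an added example (not code from Indegy, Claroty or CelPlan). The asset IDs, vendor and model names, flows and advisory ID are constructed placeholders, and `evaluate` is a hypothetical function name.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Asset:                      # what discovery recognised about one device
    vendor: str
    model: str
    firmware: str

def evaluate(base_assets, base_flows, cur_assets, cur_flows, advisories):
    """Compare a scan with the approved baseline; return sorted (kind, asset, detail) alarms."""
    alarms = []
    for aid in cur_assets.keys() - base_assets.keys():
        alarms.append(("new_asset", aid, cur_assets[aid].model))
    for aid in base_assets.keys() - cur_assets.keys():
        alarms.append(("missing_asset", aid, "not seen in this scan"))
    for aid in base_assets.keys() & cur_assets.keys():
        old, new = base_assets[aid], cur_assets[aid]
        for f in fields(Asset):                      # report each changed attribute
            if getattr(old, f.name) != getattr(new, f.name):
                alarms.append(("config_change", aid,
                               f"{f.name}: {getattr(old, f.name)} -> {getattr(new, f.name)}"))
    for src, dst, proto in cur_flows - base_flows:   # exchanges nobody has validated
        alarms.append(("unvalidated_flow", src, f"{src} -> {dst} via {proto}"))
    for aid, a in cur_assets.items():                # deficiency lookup by exact version
        for adv in advisories.get((a.vendor, a.model, a.firmware), []):
            alarms.append(("known_deficiency", aid, adv))
    return sorted(alarms)

# Constructed sample data: an approved baseline and a later periodic scan.
BASE_ASSETS = {"plc-01": Asset("ExampleVendor", "PLC-100", "2.1"),
               "hmi-01": Asset("ExampleVendor", "HMI-7", "1.4"),
               "hist-01": Asset("ExampleVendor", "Historian", "5.0")}
BASE_FLOWS = {("hmi-01", "plc-01", "modbus/tcp"), ("plc-01", "hist-01", "opc-ua")}
CUR_ASSETS = {"plc-01": Asset("ExampleVendor", "PLC-100", "2.3"),
              "hmi-01": Asset("ExampleVendor", "HMI-7", "1.4"),
              "eng-laptop": Asset("ExampleVendor", "Workstation", "10")}
CUR_FLOWS = {("hmi-01", "plc-01", "modbus/tcp"), ("eng-laptop", "plc-01", "modbus/tcp")}
# Placeholder advisory database keyed on (vendor, model, firmware).
ADVISORIES = {("ExampleVendor", "PLC-100", "2.3"): ["ADVISORY-PLACEHOLDER-001"]}

if __name__ == "__main__":
    for alarm in evaluate(BASE_ASSETS, BASE_FLOWS, CUR_ASSETS, CUR_FLOWS, ADVISORIES):
        print(alarm)
```
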
- IT Security Tools – These tools have to perform the following tasks:
  - Audit network access rights
  - Monitor, respond to and report threats in real time
  - Manage events and issue reports
  - Address vulnerabilities

CelPlan works with SolarWinds and Carbon Black tools.