In my last post in this two-post series, we looked briefly at the operational benefits of IoT-enabled electrical power distribution systems. We also learned why cybersecurity management is becoming an increasingly critical requirement as the number of IoT devices continues to grow, and IT and operational technology (OT) networks continue to converge. One only needs to look at examples like the 2015 cyberattack on the Ukrainian power grid to appreciate the potential for widespread damage – in that single incident, 225,000 customers lost power.
Putting a comprehensive cybersecurity strategy in place can seem like a daunting task, especially for facility operations teams that aren’t as versed in the subject as IT teams are. Fortunately, the IEC 62443 standard can help make the process simpler. In this post we’ll take an introductory look at how this works.
Bringing IT and OT teams together
To tackle cybersecurity challenges in electrical systems, it’s important that IT and OT teams collaborate closely. But the priorities of each team – though often overlapping – can be different. IT groups are primarily concerned with protecting data and network availability, while OT groups are focused on safety as well as the reliability and efficiency of processes.
In addition, each team has different areas of expertise. Though an IT team may be required to lead all cybersecurity efforts, they will not have experience with electrical systems. IT policies applied to OT could potentially cause unwanted disruptions. In contrast, the OT team may manage the electrical infrastructure, but may have little experience with cybersecurity.
The IEC 62443 standard offers IT and OT teams a bridge for cooperation, helping both teams understand the cybersecurity requirements for the electrical system. It also provides a framework that makes it simpler to ensure the appropriate level of security while providing consistency of specification.
Assessing the risks
The first step the standard helps with is guiding an organization through assessing risk, looking at all relevant incident scenarios. The process assigns values based on: threats, likelihood, vulnerabilities, assets affected (e.g. monitoring and control systems, intellectual property, potential for human injury), and consequences.
The next step is determining risk tolerance. This will depend on how risk-averse an organization is, and will help in analyzing its level of response to risks.
Choosing security levels for the seven pillars
The IEC 62443 standard expands on the core priorities of IT and OT groups by defining seven ‘pillars’, i.e. seven foundational requirements:
- Access Control
- Use Control
- Data Integrity
- Data Confidentiality
- Restrict Data Flow
- Timely Response to Event
- Resource Availability
For each of these requirements, the organization must define the required security ‘level’. There is a choice of four levels, with higher levels providing greater protection against more sophisticated attacks. For example, if the organization is only concerned with protecting against casual violations made by a careless employee or contractor, level SL1 should be adequate. But to protect against hackers, terrorists, or competitors, a minimum of level SL3 is required.
Security levels define the extensive cybersecurity functions needed at every layer, from the individual device up through the entire electrical system. Typically, a single security level will be applied consistently across all seven of the foundational requirements.
In this way, the IEC 62443 standard gives electrical systems designers and their clients a simplified process to specify a target level of cybersecurity compliance needed for a facility’s electrical system.
To learn more, download the white paper “Understanding cybersecurity for IoT-enabled electrical distribution systems.” Schneider Electric has adopted the IEC 62443 standard as well as following extensive cybersecurity best practices throughout product and solution development, engineering, and service delivery. Discover more about our cybersecurity solutions.