Industrial Internet Security Framework v1.0 | Page 125

Security Framework Annex A: Industrial Security Standards

Annexes

Annex A INDUSTRIAL SECURITY STANDARDS
Numerous guidelines, standards and regulations relate to the protection of Industrial Internet of Things systems. We discuss here the role of standards and compliance and introduce those that relate most to IIoT systems.
These guidelines could stem from the need to control access to financial systems (for example, Sarbanes-Oxley legislation), to protect credit card information (from the PCI DSS standard), or to protect critical infrastructure (such as NERC CIP, the ANSSI critical infrastructure standards or FDA 510(k) premarket submissions).[1] Equally, from the OT side, there are a number of OT regulations that could be applicable to IIoT systems, such as: cybersecurity with ISA 99, IEEE PC37.240, Safety Integrity Level (SIL), Critical Infrastructure Protection (CIP), Critical Infrastructure Security (CIS), Current Good Manufacturing Practices (CGMP), emissions control with the Environmental Protection Agency (EPA) and Marine Pollution (MARPOL), facilities standards with the Energy Performance of Buildings Directive (EPBD), and motor efficiency with Minimum Energy Performance Standards (MEPS).[2]
A.1 ROLE OF STANDARDS AND COMPLIANCE IN SECURITY
Security standards guide and enforce a common level of security capability across an industry. Compliance with a standard requires taking steps to achieve the prescribed alignment, theoretically avoiding financial or other penalties for deviations from the standard's requirements. Standards rarely govern implementations, so a solution may be compliant with the standard but the resulting security posture may not be optimal. Design tradeoffs may also be necessary between levels of compliance and cost, ease of operation and maintainability.
The objective of securing IIoT systems is to address their availability, integrity and confidentiality requirements. The realization of an adequately secure environment should be guided by a series of informed decisions intended to ensure that the identified threats, vulnerabilities and countermeasures are commensurate with an acceptable level of risk. Security standards compliance is intended to guide an organization in best security practices, but it does not imply that the organization's products will be free of vulnerabilities or impenetrable to exploit.
Ideally, security implementations should also be updated periodically to adapt to newfound threats, possibly triggering the need to reassess standards compliance. Unfortunately, making such security updates may be infeasible or too costly. The operational functions and safety
[1] See [SarOxl], [PCI-DSS], [NERC-CIP], [ANSSI-CMKM] and [FDA-510K].
[2] See [ISA-99], [IEEE-C37-240], SIL at [IEC-61508], [NERC-CIP], [DHS-CIS], [FDA-CGMP], [EPA-SRG], [IMO-MARPOL], [EU-CA-EPBD], and [IEA-MEPS].
IIC:PUB:G4:V1.0:PB:20160926 - 125 -