A variety of global standards have been created to provide guidance to Industrial Control System (ICS) vendors and end users attempting to secure systems. Examples include ISA/IEC 62443 and ISO/IEC 15408. Many countries are utilizing these globally accepted standards to define ICS cybersecurity requirements. Several countries have begun to create independent cybersecurity requirements. Some examples include:
- China – GB/T 22239 defines cybersecurity requirements for critical infrastructure.
- Russia – The Russian Federation has defined FSTEK Order 31 and 187-FZ cybersecurity regulations.
- US – The US has not defined country-specific requirements, but has created standards for specific industrial segments. NERC-CIP, for example, is applicable to electrical utilities. NIST standards provide cybersecurity guidance, but are not required.
- Europe – The European Union is in the process of defining cybersecurity requirements through the ENISA agency.
- France – The French information security agency (ANSSI) developed the CSPN certification for products sold into France. Germany and the Netherlands are also in the process of creating similar requirements.
The creation of cybersecurity regulations is a positive thing as it will help to improve solution security. Implementation of a variety of disparate standards may impact product time to market and cost, particularly if the documents do not converge on the requirements or certification schemes. Let’s consider an example to illustrate the point.
Let’s assume an ICS vendor is planning a new product. The development team would have to ensure that it has obtained the latest version of each national requirements document to create the product specification. New ICS platforms can have multi-year development cycles, which introduces risk that national regulations could change during the development cycle. Some countries require verification using in-country certification labs – the vendor may have to send products to different certification labs. Regulations may also require that encryption keys be provided to nation states, which would result in country-specific offers. Countries can also push for inclusion of requirements that favor domestic products. This could impact companies who attempt to sell a solution. Assume, for example, that an ICS vendor must certify a solution that favors firewalls from each host country. Note that countries can also create requirements for different industrial segments – critical infrastructure vs. traditional manufacturing environments – which can further complicate things.
In conclusion, adding cybersecurity features at the product and solution level is a good thing. The creation of a variety of independent standards could negatively impact product cost and time to market – it is preferable to drive towards the harmonization of requirements or the adoption of international standards like IEC 62443.