Security (also) Industrial
In recent years, in the development of different aspects of information security and risk management in traditional IT environments, we have witnessed many convergence processes: technologies, risk models, methodologies, tools, or metrics, among others.
Convergence brings advantages such as the integration of management, automation (reducing response times to business), full and transverse visibility of the converging elements, scalability while being efficient in resource usage, and finally, better traceability in management and operation.
In industrial environments, where information security was introduced later than in traditional IT environments, many organizations are faced with the dilemma of whether risk management in both IT and OT environments can converge into a single model, or whether two parallel and completely separate models must be maintained.
Convergence should not be confused with homogenization; convergence means treating equals the same way and differently from the different.
At Izertis, we work from a convergence model for security, risk management, and compliance governance that allows for the most efficient development of these functions in both environments.
Frameworks of reference for designing and implementing an IT security management model
The most widely used framework for designing and implementing an IT security management model is the ISO 27001 standard. This standard specifies the requirements for the implementation of an information security management system (ISMS), which includes the identification of information assets, risk assessment, implementation of security measures, monitoring, and continuous improvement.
The latest version was released in October 2022 and although it incorporates new features, they are mainly aimed at facilitating its integration with other management systems while maintaining its structure and form unchanged.
Another related standard is ISO 27002, a comprehensive guide that includes a wide variety of security objectives and measures (“controls”) to help organizations protect their information. In the recent 2022 update, the standard is divided into four sections, each of which focuses on a specific area of information security management:
- Organizational controls (37)
- Personnel-related controls (8)
- Physical controls (14)
- Technological controls (34)
The ISO 27001 and 27002 standards are closely related and complement each other. ISO 27001 establishes the criteria and requirements for implementing an information security management system (ISMS) and its certification, while ISO 27002 provides a complete guide of best practices and recommendations for information security management that will facilitate compliance with the requirements established in ISO 27001. The two standards work together to provide organizations with an integral and complete information security management framework.
ISO 27001 and 27002 work together to provide organizations with an integral and complete information security management framework
In terms of OT security management, the main reference is the international standard for industrial systems and applications security UNE/IEC 62443, which includes identity management, access control, encryption, monitoring, and contingency.
The standard's structure is hierarchical in terms of requirements and consists of three types of requirements: Fundamental Requirements (FR), System Requirements (SR), and Improvement Requirements (IR). Each fundamental requirement contains different system requirements and these, in turn, have improvement requirements. This is intended to cover all situations that occur during the life cycle of a system.
The groups of fundamental requirements included are:
- Identification and Authentication Control (IAC).
- Use Control (UC).
- System Integrity (SI).
- Data Confidentiality (DC).
- Data Flow Restriction (DFR).
- Time Response to Events (TRE).
- Resource Availability (RA).
As can be seen, the ISO 27001 and 27002 standards go beyond the purely technological field (only 36% of the controls of the latter correspond to this segment) and provide a solid foundation for developing an information security management system (ISMS).
The IEC 62443 standard, on the other hand, is focused on the specific field of operational technologies, how to identify assets, group them, and define the necessary technical security measures for their protection.
Convergence ISO 27002 - IEC 62443
The ISO 27002 standard and the IEC 62443 standard are similar from several perspectives and aim to contribute to essentially the same purpose: preserving the security, confidentiality and availability of services or business. Both standards include similar concepts such as the importance of information security management, the need for security policies and procedures, and the importance of ongoing evaluation and improvement. Additionally, they include the importance of identifying and evaluating risks, implementing appropriate security measures to mitigate those risks, and the need for testing and auditing to ensure the effectiveness of the implemented security measures.
Finally, it cannot be ignored today that there is an overlapping area that is increasingly extensive and relevant between these two environments: that of IT systems that control, monitor or support OT elements and that are essential for the correct (or optimal) operation of the OT supervision, control and process elements.
The integration of security management in industrial environments with ISO 27001 based security management systems ensures that all security aspects are systematically and systematically addressed. The ISO 27001 standard establishes a framework for security management that can be applied to any type of organization, including industrial environments.
On the other hand, the IEC 62443 standard provides a guide for the implementation of security controls in industrial systems, including the identification of risks and the implementation of appropriate security measures. Integrating the controls defined by the IEC 62443 standard into the ISO 27001 based security management system will ensure proper and effective security management in industrial environments.
In summary, the integration of security management in industrial environments with ISO 27001 based security management systems and the integration of the controls defined by the IEC 62443 standard into the management system are essential to ensure adequate and effective protection of security in industrial environments.