00:07
Hello and welcome to today's lecture about
cybersecurity rules and standards.
00:12
I know that for the majority of you, this is
probably a pretty messy, very large area.
00:17
I have thousands of different rules and
criteria that are undoubtedly boring - I have
to do them because I have to, and so on.
00:25
I want to shed some light on this chaos,
this region, and I do so by first providing
you with a fast overview of the landscape of
norms, and especially by diving into the
basics, into risk management, and into
ISO/IEC 27001 as the basic norm for risk
management, for information security
management.
00:51
Finally, I'd like to discuss IEC 62443, a
relatively new standard for manufacturing
companies. As previously stated, it is a big
area - perhaps initially a confusing area of
available norms, standards, or rules that I
must pay attention to, in part due to
government legislation, in part due to my
customers who also demand certain
credentials - certain norms.
01:26
But it will also show me how to get out of
this mess.
01:34
I am expected by my company to determine
which of these rules and principles apply to
me. And it's always a good idea to begin
with: what are the fundamentals for ensuring
security? The risk management system is
always the cornerstone of guaranteeing
security. It is not about willingly
selecting and executing technical and
organizational security measures.
01:59
It is not enough to merely purchase a
firewall.
02:02
Instead, I must first consider the probable
consequences.
02:07
What types of attack scenarios are there?
These then show me the protective targets I
need to watch out for.
02:15
That means risk management is always the
base, particularly ISO 27001 and the
following standards, which I should adopt as
the foundation for a variety of other
standards that we need to apply here, such
as IEC 62443, which requires ISO 27001.
02:36
However, there are a slew of other norms
that may apply to me, which I should consider
carefully. I am the one in charge.
02:45
As the manager and CEO, I am accountable for
this.
02:49
However, this certainly provides me with the
opportunity to determine which norms are also
important for myself, which may result in an
additional benefit.
02:58
That implies that, depending on the
industry, I have groups like NAMUR, BDEW,
and others to help me get started.
03:08
I can take the appropriate guidelines from
the manufacturers, and last, but not least,
there is an abundance of guidelines and
recommendations from various organizations,
such as the VDI and the BSI, the German
Federal Office for Information Security, that
may be able to make this journey easier for
me, and that can be translated.
03:30
And I don't have to read the entire
standard, but I can ask, "Okay, how do I go
through that step by step?" "How do I ensure
security in an ISO 27001 risk management
system and an information security
management system?" Obviously, to keep
things brief, I won't go into it in its
fullness.
03:58
That would be too much, but because this is
such an important framework, I'd like to
discuss how I can continuously assure
security in a process.
04:09
To that purpose, I'm employing the PDCA
process paradigm, which I'd like to discuss
briefly. It's known as "Plan Do Check Act."
It's a model for operating in processes, for
operating methodically, and it's not just
about safety.
04:25
It can also be utilized - and is frequently
employed - in completely different fields,
such as manufacturing and quality assurance.
04:32
However, it is not about implementing a
specific standard, but about the philosophy
behind it, and the first step is always, "I
need to think about which areas I actually
want to ensure security in." Am I
considering my entire company?
Is it possible that I'm only seeing a
portion of it?
Is it possible that I am looking at the
development department, or am I looking at my
entire firm, a power plant, a specific power
plant that I am now looking at very
specifically? That means I must describe the
assets, and assets include not only machines
and technology, but also processes in
manufacturing and the office environment, as
well as the people who support them.
05:13
And the data that is traveling back and
forth there is also required.
05:17
That is, I duplicate my assets in order to
specify the scope required for security.
05:23
And for this given scope, I will first
determine which threats exist.
05:30
What types of attack scenarios are there?
There are various assailants - various types
of attackers.
05:38
Which of them are applicable to me?
There will almost certainly be an attack
scenario for critical infrastructure in which
a terrorist organization strikes their
systems in order to shut them down and do
maximum damage to an entire society.
05:58
This attack scenario, however, will not apply
to the baker around the corner.
06:04
No terrorist organization will go to such
lengths to assassinate the baker,
because it is simply not worth it.
06:17
That implies I need to examine my dangers in
order to determine the end goals, and the
protective target for a power plant is
obviously much higher than for a baker.
06:31
Once I've specified these protective aims, I
can choose from a variety of focused security
methods that pertain to achieving this
protective goal.
06:41
The various standards then have more or less
large catalogs, often hundreds, that I can
look at and go through systematically to
evaluate the required security measures.
06:52
And these aren't just technical safeguards
like installing a firewall or an anomaly
detection system, but also organizational
ones.
07:00
The emphasis is always on people.
07:02
That means individuals must be taught in
order to deal with these technical measures.
07:07
They must be able to make educated guesses
about what is going on.
07:10
How should I respond?
That means I'll need reaction channels, as
well as training that takes place there -
both technological and organizational
measures.
07:20
And it is also feasible that there isn't
just one protective measure for a protective
aim, but rather a combination of multiple
protective measures that, when combined,
enable this protective goal to be realized.
07:34
However, it is possible that it is the other
way around.
07:38
These protective measures apply not only to
the protection here, but also to a wide range
of protective goals, so that I eventually
have a matrix of protective measures,
technological, and organizational measures
that achieve the overall protective goals.
07:53
Then I must carry out the protective
objectives, which may take more or less time.
07:59
It could take a year to train all of my
personnel, and I also need to evaluate these
safeguards regularly.
08:06
Are they beneficial? If they're not
necessary, I can skip them.
08:10
It's always about money as a secondary
necessity, but is there anything else I
haven't thought of? Is my focus shifting?
I should also continuously document this so
that I know what happens there and can then
apply an iterative process and check, for
example, once a year, as is also required to
varying degrees by the norm and by the
industries.
08:32
In general, it's vital to check once a year
to see if, in my scope or a portion of my
scope, these protective measures are
effective.
08:41
Do I still have security issues that I
should investigate before implementing
further safeguards?
My assets will undoubtedly change over time,
as will my scope; new measures will be
introduced, old ones will be eliminated, and
so on.
08:54
I do this for myself to assure adequate
security - not just security, but security in
general. If I see this as an opportunity for
efficient procedures, it requires me to think
about everything, but it is also an
opportunity to think through everything,
design it efficiently, and so not only
raise, but possibly even cut expenses.
09:21
I also require an external certificate on
occasion.
09:25
There are clearly numerous certifying
bodies, but it is also vital to note: "Okay,
maybe I need it certified by a government
regulator, by the customer who absolutely
needs this piece of paper." However, it is
always a good idea to have this not just so
you can display it on your wall, but also to
maintain efficient processes.
09:48
Now, I'd like to briefly discuss IEC 62443.
09:54
It is a relatively new standard that is only
now beginning to gain acceptance in
manufacturing enterprises of all sizes,
including large, small, and medium-sized
businesses. It is intended to secure
communication interactions in industrial
control operations.
10:10
Obviously, I cannot delve into the details of
this standard due to time constraints, but I
would like to discuss a notion that I
believe is implemented extremely well here.
10:21
It distinguishes three jobs that must
collaborate in order to assure and accomplish
an acceptable level of security.
10:31
The first is the maker of the component.
10:34
They create the actuators, robots, and
control systems, which are then merged and
combined in the second phase by the system
integrator to develop, for example, a
targeted manufacturing system, and which are
obviously operated by the operator in the
third step. So there are three roles:
component manufacturer, system integrator,
and operator, who are ultimately dependent
on one another and obviously collaborate in
some ways to maintain safety.
11:04
The component producer must ensure that the
components meet a specified degree of
protection, which must then be verified so
that the system integrator can combine the
separate components in a targeted manner.
11:19
For example, if I have a component, a
control system, that I can easily access -
that anyone can access - then the level of
protection is quite minimal.
11:30
If I demand a password, the level of
protection will be increased.
11:34
If I occasionally require two-factor
authentication, the level of protection is
already quite high. The system integrator
can then appropriately integrate and combine
the various components as needed.
11:47
Because the operator eventually defines the
amount of security for the system, for the
manufacturing system - and one clear truism
here is that the weakest link in a chain
ultimately determines the level of
protection for this entire system - the
system integrator must bear this in mind.
12:07
They are then given a certificate for the
entire system.
12:10
The operator finally decides - they now have
a system with a certain amount of security,
but they also need to operate it properly.
12:20
That is, if I need a high level of security
and I have two-factor authentication from the
component manufacturer, which the system
integrator has also chosen appropriately, and
which each operator then has in the system,
it makes no sense.
12:35
The operator, who stands in front of the
machine, then pins the password to it on a
Post-it note, which is obviously useless.
12:42
That signifies I haven't reached my degree
of protection.
12:45
That is why it is critical that the operator
(who completes the circle) adopts a risk
management system that considers not only
the single system, but the full manufacturing
cycle, as well as the people.
12:58
That means they must also implement and
demonstrate a risk management system in
accordance with ISO 27001 and the following
standards.
13:10
This is another example where there is a
wide range of possible certifications,
certifications that are tied to specific
components and therefore to the system, and
they are then merged by the system
integrator, and the operator is routinely
issued a certificate.
13:26
Okay, you operate this system in a safe
manner, and this certificate is obviously
crucial so that I can verify it to the
client and to the government institution when
it is required. Of course, but when I do
this successfully, and not only for my
benefit, I have the opportunity to provide
greater stability and efficiency overall.
13:54
And there are numerous actual instances that
demonstrate that security does not only cost
money, but also saves money and, in the
best-case scenario, may even create money -
considerable money.
14:08
And after I've accomplished that, I'll be
delighted with our talk today; thank you very
much.