
Standards in cyber security

Now that cyber security has become an ever-increasing focus of governments and governing bodies, it is worth knowing what there is to comply with, and how the different standards can be used to help you secure your process automation system. The industry standards are now slowly being put in place and hardware is being certified, while on the IT side many options are already available to secure systems. But how and where do these two worlds interact and complement each other? We will try to explain these things in this article.

Acts and regulations

Because much regulation is country- or economic-area-wide, a lot of regulations might not apply to your company, but they will still give you an idea of the best practices for securing your system. They may also become applicable to your company once you want to start selling your product in that economic area or country. When looking at acts that are important, we can define three that are relevant because they complement the GAMP:

  • SOX – Governs user access and sign-on/login events
  • FISMA – Governs configuration management and network event monitoring
  • PCI – Originally for the payment card industry; governs file and data security

For most US-based companies these regulations must be adhered to, and most other companies worldwide would benefit from adhering to them because of the risk mitigation they prescribe.

Standards

There are two important standards when it comes to cyber security in the process automation or industrial environment. The most important one is the GAMP, which is not really a standard but is mostly enforced as one. The GAMP makes a reference to ensure all computer systems are secured using the ISO 17799, ISO/IEC 27001 (BS 7799) and ISO/IEC 27002 standards on information security. In turn, the ISO standards reference a number of other ISO standards, like 100007, that are more informational on system configuration. So the GAMP guides people in the correct direction to create a secure process automation and PC platform, building on the base standards that the IT world uses. The ISO standards referenced by the GAMP will also make sure your system is configured to fulfil all the requirements mentioned in the acts of the previous section, so a GAMP-based computer system validation should be enough to validate a process automation system according to the regulations for IT security.

Secondly, another more recent security standard for process automation is the ISA/IEC 62443 cyber security standard, which used to be called ISA-99. This standard has four main focus points:

  1. System architecture
  2. Actions that need to be carried out by asset owners
  3. Process automation system security and zoning of data streams
  4. Process automation products

and will guide the implementation specialist on creating a secure system for process automation purposes.

In the USA the NIST Cybersecurity Framework is used to fulfil the role of implementation standard, which works according to five main principles:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Plans, actions, designs and mitigations fall under each of these main principles and have to be documented and applied to the process automation system.

IEC 62443 example architecture (figure not included in this extract)

Checks and tests

It is very nice to know that everything should work well when you implement a certain standard, but how can you make sure the systems are configured properly? This is a service many companies provide. iAUTOMATION is one of the companies that provide these services; they are broadly called GAMP CSV, or computer system validation. These are mostly validation audits on existing or designed systems, in which a company looks at and investigates the settings and the implementation of configuration options according to the ISO standards. These audits and validation processes are often very costly, because a lot of data and configurations need to be checked. For smaller companies this can be too costly, and so these companies often have a non-secure process automation system.

If a complete computer system validation is too costly, a smaller network audit can be done; this will tell you the state of the configuration and its possible weaknesses. These weaknesses can then be repaired with the aim of keeping threats out, without spending money on a full system compliance check for internal weaknesses. The most important thing is to be aware of the potential risk, and a smaller assessment can highlight the areas to work on. These areas can then be worked on later, while keeping in mind where the weaknesses are.

iAUTOMATION specializes in IT infrastructure in the process automation environment as well as in process automation systems. With our solutions for industrial IT and cyber security your system will be secure, and you can be confident that nothing destructive will happen on your process automation platform.

About iAUTOMATION

iAUTOMATION is an automation specialist that focuses on industrial automation, IT and the links between these two fields. With many years of experience in the industrial automation and IT world, iAUTOMATION is a mature partner that will benefit you.

iAUTOMATION provides complete projects for the industrial automation world with a specialty in PCS 7 consultancy and engineering. But other systems are also known to us and can be implemented by iAUTOMATION.

With knowledge of virtualization, networks, domains and IT management, iAUTOMATION is also a very suitable partner for all your IT questions and projects. We will always assist you with great enthusiasm and knowledge in your projects, and try to relieve our customers by tackling your project proactively and positively.

About the author

Dennis is Technical Director at iAUTOMATION, where he is responsible for all the technical queries and technical solutions that iAUTOMATION provides. Dennis also helps customers and the iAUTOMATION consultants with the technical side of projects and designs. Dennis has a lot of experience with process control systems and IT infrastructure, which is why his experience is key in projects that include both of these areas of expertise, like MES, virtualization and process automation projects.
