Governments, industries and individuals under fire
Cyberattacks can also affect government organizations. If the goal is to disrupt an economy or everyday life, then energy companies, utilities and transport services are prime targets.
In the latter case, cyberattacks have recently emerged as a more serious security threat to air traffic than previously thought. Two examples: In January 2015, the US Government Accountability Office (GAO) issued a report calling on the US Federal Aviation Authority (FAA) to take additional steps to better protect its air traffic control systems from cyber-based and other threats. The GAO had identified a number of "weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's system."
In late June 2015, an attack on Warsaw Chopin Airport's computers that issue flight plans delayed dozens of flights from Poland's national carrier LOT.
Protecting IT infrastructure systems
As concerns grow over the multitude of cyberattacks which affect individuals, companies, industries and governments, IEC has begun developing International Standards to combat these. A number of its Technical Committees (TCs) work on specific areas, including:
- IEC TC 65: Industrial-process measurement, control and automation, which has developed the IEC 62443 series of Standards on Industrial Communication Networks – Network and System Security, in order to keep industry safe.
- In the above-mentioned case of energy companies, nuclear in particular, IEC Subcommittee (SC) 45A: Instrumentation, control, and electrical systems of nuclear facilities, published International Standard IEC 62645, which aims to define adequate programmatic measures for the prevention and detection of, and reaction to, malicious acts by cyberattacks.
- Important International Standards in the field of IT security techniques are developed by ISO/IEC JTC 1/SC 27, a Subcommittee of the Joint Technical Committee (JTC) set up by the IEC and ISO (International Organization for Standardization) to work on International Standards for information technology. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization. In conjunction with this, ISO/IEC 27040 specifically deals with data storage security and how to manage it, from planning and design to implementation and documentation. It also comprises guidance on mitigating risks of data breaches or data corruption and considers new technologies and their connectivity.
This Standard is useful for managers and administrators with specific responsibilities for information or storage security or for storage operation, as well as for those in charge of an organization's overall security and security policy development.
Taking additional measures
Given the seriousness of cyberattacks, the IEC established the Advisory Committee on Information Security and Data Privacy (ACSEC) in 2014. The Committee deals with information security and data privacy matters which are not specific to a single IEC TC. It also coordinates work and provides advice to TCs and SCs on information security and data privacy, both generally and for specific sectors.
IEC Conformity Assessment Board (CAB) Working Group (WG) 17 on cybersecurity and the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) WG 3: Cybersecurity task force will also contribute to IEC work on this topic.