No target too small or too big
Cyberattacks targeting individuals and institutions through spam emails, viruses and other types of malware have been known for a long time. Their impact for those concerned may be serious, even catastrophic, and lead to financial losses, but have not resulted so far in a major disaster.
This may not last as critical assets are increasingly targeted and as the range of connected objects and systems keeps growing. As a result cyber-insecurity is becoming the new normal.
In late 2015, a special report by the London-based Chatham House think-tank identified the risks facing nuclear power plants (NPPs) with dozens of these having control systems accessible through the internet.
During the first half of 2015, at least five airlines, two airport operators and one civil aviation authority have been publicly reported as victims of online attacks, according to a recent International Air Transport Association (IATA) analysis.
Healthcare service providers and insurances have been increasingly targeted by criminals. Between 2010 and 2014, approximately 37 million healthcare records were compromised in data breaches in the US, but in the first seven months of 2015 alone, more than 105 million healthcare records had already been exposed through 153 separate attacks, according to the US Identity Theft Resource Center (ITRC).
Other targets of choice are retailers and institutions that keep financial details of their clients. In a well-publicized case, a cyberattack on a major US retailer led to the theft of the credit card details of an estimated 40 million customers in November 2013. The retailer paid some USD 10 million to compensate its customers and settled for USD 67 million with a credit card company.
Successful attempts at tampering with on-board systems in cars have opened the prospect of out of control vehicles representing a major road hazard. This forced a major manufacturer to recall some 1,4 million vehicles to fix a software vulnerability in July 2015. This incident, and others, also cast doubts on certain aspects of future autonomous cars.
Recently, appliances, such as fridges, and consumer electronics or toys, like dolls or learning toys have been shown to be open to cyberattacks, sometimes compromising the identity of their owners and damaging the reputation of companies that produced them.
Targets and objectives
The perception of which areas are considered parts of a country’s critical infrastructure varies from country to country. For the US government, and increasingly for many other governments, "critical infrastructure means systems and assets, whether physical or virtual, so vital (…) that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (Executive Order 13636, 12 Feb 2013)
The sectors/systems most at risk include:
- Energy supply (generation, transmission and distribution)
- Financial services
- Industrial controls systems
The widespread introduction of connected objects and systems in a variety of domains in what is labelled the Internet of Things (IoT) presents a number of risks as security implications are often not given appropriate attention. The risks are particularly serious as regards the potential to target critical assets as these become more and more interconnected.
Cyberattacks have a number of objectives, whose consequences often overlap. They depend on both the targets and the attackers’ motives.
Tailor-made protection for specific assets
Critical installations, such as power networks are often insufficiently protected. Details emerged in 2014 of a series of attacks on the industrial control systems of hundreds of US and European energy companies, which started in early 2013.
Power networks have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. However, fragmented access policies, such as shared passwords present security risks and must be better managed. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution.
IEC TC 57: Power systems management and associated information exchange, has developed International Standards, such as its IEC 62351 series of Standards on data and communications security. This series of technical security International Standards aims to secure power system-specific communication protocols such as described in the IEC 61850 series on communication networks and systems for power utility automation or IEC 60870-5-104:2016, Telecontrol equipment and systems - Part 5-104: Transmission protocols - Network access for IEC 60870-5-101 using standard transport profile, also developed by TC 57.
More standardization work to protect specific areas and keep industry safe includes Standards prepared by IEC TC 65: Industrial-process measurement, control and automation, such as the IEC 62443 series on industrial communication networks and for security for industrial automation and control systems.
IEC SC 45A: Instrumentation, control, and electrical systems of nuclear facilities, published IEC 62645:2014, Requirements for security programmes for computer-based systems, for the prevention and detection of and reaction to malicious acts by cyberattacks.
The healthcare sector has been increasingly reliant on IT systems for years, with medical equipment dependent on software to operate more efficiently and reliably.
IEC TC 62: Electrical equipment in medical practice, and its SCs develop International Standards for electrical equipment, electrical systems and software used in healthcare. The TC remit is to focus on safety and performance (e.g. data security, data integrity and data privacy), among other aspects.
The shipping industry has not yet been affected by major cyberattacks, but industry bodies see this as highly likely in the future. To prevent this, they recommend taking cybersecurity measures resting on a number of International Standards, many of which, are being developed by ISO/IEC JTC 1/SC 27: Security Techniques.
For its part IEC TC 80: Maritime navigation and radiocommunication equipment and systems, published IEC 61162-460:2015, Maritime navigation and radiocommunication equipment and systems – Digital interfaces – Part 460: Multiple talkers and multiple listeners – Ethernet interconnection – Safety and security. This Standard is "an add-on to the IEC 61162-450 standard where higher safety and security standards are needed, e.g. due to higher exposure to external threats or to improve network integrity".
Taking additional measures
Given the seriousness of cyberattacks and the risks they pose to many sectors, the IEC established the Advisory Committee on Information Security and Data Privacy (ACSEC), in 2014. The Committee deals with information security and data privacy matters which are not specific to a single IEC TC. It also coordinates work and provides advice to TCs/SCs on information security and data privacy both generally and for specific sectors.
The standardization work, conformity assessment and advisory activities carried out across various IEC committees and other groups will contribute significantly to better protection against cyberattacks in countless domains.