In today’s world a growing number of devices is not only fitted with built-in intelligence, but also connected to other devices and larger networks. There are many motives driving this development, but the promise of useful information being derived from all gathered data is probably the main one. However, as the numbers of devices and connections keep increasing, so do the potential numbers of weaknesses and points where undesired access can be gained.
This development is not confined to isolated fields of business or technology, but takes place all around us. Kids’ toys, smart wrist watches, gas and electricity meters, process instrumentation and infrastructural equipment are smartening up and being interconnected to create a smart plant, city or world. Privacy, data integrity and security breaches make the headlines more and more often. While in some cases the impact of these breaches is limited, the possible negative consequences are likely to grow with the numbers and types of applications.
Any smart device is likely to live most of its technical life doing what it is supposed to do. However, before getting there, such devices need to be developed, designed and built. Moreover, once in use, they typically require proper maintenance, service and support to keep functioning as intended. One fairly generic example of that is software updates. The best possible guarantee for safe operation is to take cyber security into account throughout the complete life-cycle of the device, from design, to operation, all the way down to end-of-life.
Over the last decade or so, experts from various fields have recognised the risks sketched above and started work on developing guidance and tools to mitigate them. This has resulted in a set of standards covering the complete life-cycle and all relevant aspects related to cyber security, ranging from design to patch management and including all that is in between. Known as either ISA99 or IEC 62443, the valuable joint know-how of these experts can now be utilised as a tool for improving cyber security in a wide range of applications.
Depending on one’s role in our smart world, one’s interests are likely to vary. Owners and users of systems have concerns that differ from those of suppliers of intelligent devices, as do system integrators who provide complete solutions, possibly (partly) based on third-party telecommunications infrastructure. For one party, an in-depth investigation of a particular component might be the answer, whereas for another, an audit of a complete system, identifying aspects eligible for improvement, could be the better outcome. Luckily, and not accidentally, the aforementioned set of standards offers valuable guidance for each of those interests. Cyber security depends on the combination of hardware, software and the activities of people, both in development and maintenance. Be it an audit of procedures or staff, determining the state of affairs of a system, or going through the code embedded in a particular component, fit-for-purpose guidance and services are now available.
NMi has a lot of experience in smart meters, mobility, the process industry and smart city applications. Besides that, certification by an independent third party helps prove to outsiders that certain criteria are met. This certification stimulates awareness and quality within the certified company or the producer of the certified product. Against that background, NMi has continued to extend its knowledge and innovate its test methods to also include compliance testing for software and communications. Recently we have completed a security assessment for the Smart City of Dordrecht (NL), based on IEC 62443 and Welmec 7.2.