Cybersecurity OT team
- Design, modernisation of OT networks, review of network equipment configuration
- Assessment of the security status of OT infrastructure
We partner with the most demanding customers, providing them with first-class solutions and services based on the expertise of the world’s leading providers of advanced information technology.
Cybersecurity Principles that may apply to your company
In order to defend effectively against cyber threats, we need to know the current state of the infrastructure as well as the procedures and planned actions. Current legislation clearly sets out the cybersecurity requirements for companies:
I. ISO/IEC 27001 Standard
Sets out ways to manage and protect information and methods of enterprise risk management.
II. NIS2 Directive
Signed in December 2022 by the European Commission, it significantly expands the responsibilities and the range of entities covered by cybersecurity obligations. Full text of the directive – https://www.gov.pl/web/infrastruktura/informacje-biezace
III. NIST Cybersecurity Framework
Standards and methods described in the NIST Cybersecurity Framework. More information – https://www.nist.gov/cybersecurity
IV. Act on the National Cybersecurity System
Full text of the act – https://www.gov.pl/web/cyfryzacja/krajowy-system-cyberbezpieczenstwa-
V. ISA/IEC 62443 series standards
More information – https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
Feel free to contact our experts!
They are happy to provide training at your company.
ISO 27001 is the international standard for information security management. The full name of this standard is “ISO/IEC 27001:2013 – Information technology – Information security management systems – Requirements”.
ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). An ISMS is a systematic approach to managing a company’s sensitive data, ensuring its security, integrity and availability.
ISO 27001 certification demonstrates an organisation’s adherence to international standards in information security management, which can be crucial in building trust among customers and business partners.
The key points of the ISO 27001 standard include:
I. RISK ASSESSMENT
Identification of threats and risks and of ways to minimise them.
II. SECURITY POLICY
Definition of policies and procedures for information security management.
III. RESOURCE MANAGEMENT
Identification and management of the resources required to ensure information security.
IV. ACCESS CONTROL
Definition of information access rules ensuring that only those authorised to access specific data can access it.
V. AUDIT AND CONTROL
Regular monitoring and review of the information security management system with a view to its improvement.
What is NIS2?
The NIS2 Directive (Network and Information Security Directive 2) is a piece of European Union legislation that aims to strengthen the security of networks and information systems in EU Member States. It is a continuation and extension of the earlier NIS Directive (Network and Information Security Directive) of 2016, which was the first common European legislation on cybersecurity.
NIS2 aims to better adapt legislation to the rapidly changing cyber threat environment and increase Europe’s resilience to cyber attacks.
Key objectives of the NIS2 Directive include:
I. INCREASING THE LEVEL OF CYBERSECURITY
The directive requires Member States to take measures to strengthen protection against cyber threats in sectors that are key to the functioning of society and the economy, such as energy, transport, banking, healthcare, digital infrastructure and key service providers.
II. BROADER SCOPE OF ENTITIES COVERED
Compared to the first version of the directive, NIS2 covers a wider range of entities, including medium and large private sector companies as well as providers of digital and critical services such as cloud services, data centre infrastructure or social platforms.
III. RISK MANAGEMENT OBLIGATIONS
Organisations must implement risk management measures, which include, among others, cyber risk assessments, technical and organisational safeguards, incident response policies and business continuity management procedures.
IV. REPORTING OF INCIDENTS
Companies and organisations to which the directive applies are required to report cybersecurity incidents to national authorities within a certain timeframe.
V. ENHANCED COOPERATION BETWEEN STATES
The NIS2 Directive envisages better coordination between EU countries, including the creation of systems to share information on cyber threats and incidents.
VI. PENALTIES AND SANCTIONS
The directive provides for severe penalties for entities that do not comply with cybersecurity requirements.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the National Institute of Standards and Technology (NIST) in the USA to help organisations manage cybersecurity risks. These recommendations are widely used not only in the USA but also globally as a standard approach to protecting IT infrastructure.
The NIST Cybersecurity Framework is considered to be one of the most important tools in the field of cybersecurity management and is widely used.
Key elements of the NIST Cybersecurity Framework include:
- Core Functions:
  - Identify: Identification of the assets that need to be protected and understanding of the threats and vulnerabilities that may affect system security. In this function, the organisation performs a risk analysis and identifies key assets such as data, people and technology, as well as dependencies on other actors.
  - Protect: Implementation of appropriate safeguards to prevent and minimise the effects of potential risks. This includes access control, training, and technical and physical security.
  - Detect: Monitoring of systems to identify security breaches. This function focuses on implementing systems and processes that detect unauthorised access or unwanted activities immediately, or as soon as possible after they occur.
  - Respond: Development and implementation of incident response plans, including procedures for crisis management, communication, incident analysis and corrective actions.
  - Recover: Restoration of normal operation after a security incident. This function includes data recovery plans, root cause analysis and actions to make the organisation more resilient to future threats.
- Profiles: Tailoring of the framework to an organisation’s specific needs and risks. Organisations can create profiles that reflect their current security status and the goals to be achieved.
- Maturity levels (Implementation Tiers): The NIST CSF introduces the concept of maturity levels to help organisations assess how well they are managing risk. These levels describe different stages of sophistication, from basic to advanced (where the organisation has fully implemented proactive and integrated risk management processes).
Act on the National Cybersecurity System (KSC)
The Act on the National Cybersecurity System (KSC) is a Polish act that came into force in 2018, aimed at strengthening cybersecurity in Poland. The law implements the provisions of the EU’s Network and Information Systems Directive (NIS), which aims to improve the security of networks and information systems in EU member states.
Key elements of the Act on National Cybersecurity System include:
- National Cybersecurity System: The Act establishes the National Cybersecurity System, which includes public administration bodies, key service operators, digital service providers and other entities related to cybersecurity in Poland. This system aims to ensure the coordination of the country’s cybersecurity activities.
- Key service operators: The act defines who is a key service operator (e.g. energy companies, water companies, the banking sector), i.e. which entities are vital to society and the economy. These operators are required to implement technical and organisational measures to ensure an adequate level of security for their information systems.
- Digital service providers: The act also covers digital service providers (e.g. e-commerce platforms, cloud computing services), who are required to comply with certain security standards and to report cybersecurity incidents.
- Incident reporting: Key service operators and digital service providers are required to report major cybersecurity incidents to the relevant CSIRT (Computer Security Incident Response Team), which is responsible for incident response at national level. There are three main CSIRT teams in Poland: CSIRT GOV (managed by ABW), CSIRT NASK (managed by NASK) and CSIRT MON (managed by the Ministry of Defence).
- Authorities and institutions responsible for cybersecurity:
  - Cybersecurity Council: An advisory body that supports the government’s work on cybersecurity strategy and policy.
  - Government Plenipotentiary for Cybersecurity: Responsible for coordinating the government’s activities in the area of cybersecurity.
  - National Computer Incident Response System: A structure to coordinate the activities of the various CSIRTs and other institutions involved in cybersecurity.
- Penalties and sanctions: The act provides for sanctions for failure to comply with the obligations set out in the act, such as failure to implement appropriate security measures or failure to report a cybersecurity incident.
- International cooperation: The act provides mechanisms for cooperation with other EU member states and international organisations in the exchange of information on cyber threats and incident response.
ISA/IEC 62443 standards
ISA/IEC 62443 is a series of standards developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). They concern the security of Industrial Automation and Control Systems (IACS), which are key elements of Operational Technology (OT) infrastructure. These standards are designed to protect OT systems from cyber threats that can affect the operation of key industrial processes.
The ISA/IEC 62443 standards are widely recognised as the primary cybersecurity guidelines for industrial automation systems. They help organisations protect their operational processes from cyber threats, ensuring business continuity, protecting property, health and safety of people and minimising potential financial losses from cyber attacks.
Key assumptions of the ISA/IEC 62443 standards include:
- Scope of application:
  - OT (Operational Technology) systems: The ISA/IEC 62443 standards focus on the protection of OT systems, such as industrial control and automation systems, which are used in sectors such as energy, manufacturing, chemicals, pharmaceuticals, transport and water utilities. These systems differ from IT systems in that their primary objective is the safe and reliable operation of physical processes.
- A risk-based approach:
  - The standards emphasise assessing the risks associated with cyber threats and implementing safeguards appropriate to the level of risk. Organisations are encouraged to identify potential risks and weaknesses in their OT systems and then implement appropriate countermeasures.
- Structure of the standards:
  - General concepts and models: Documents in the 62443 series describe the basic concepts, models and approaches to cybersecurity in the context of OT. This includes, among others, a description of the IACS architecture and risk assessment methods.
  - Policy and procedure requirements: The standards provide guidance on establishing the policies, procedures and practices that organisations should follow to manage the security of OT systems.
  - Component and system requirements: These define the technical security requirements at the device, system and overall OT infrastructure level, covering controllers, human-machine interfaces (HMIs), communication networks, servers, etc.
  - Requirements for suppliers and integrators: The standards define the requirements for equipment suppliers and system integrators to deliver solutions that comply with security requirements.
- Security Levels:
  - ISA/IEC 62443 defines several Security Levels (SL) that determine the degree of protection required for OT systems. These levels are allocated on the basis of a risk analysis and can range from basic access controls to advanced threat detection and response systems.
- Security at every stage of the life cycle:
  - The ISA/IEC 62443 standards recommend integrating security at every stage of the OT system life cycle, from design, deployment and operation to maintenance and decommissioning. This covers both the technical aspects of security and the management processes.
- Cooperation between IT and OT:
  - One of the key challenges these standards seek to address is collaboration between IT (Information Technology) and OT teams. Security procedures and policies must be harmonised to ensure comprehensive protection for the entire organisation.