National center of Incident readiness and Strategy for Cybersecurity – Government of Japan (NISC)
Published: May 2015
What is in the standard
This is a basic shared policy that outlines the responsibilities of the government and provides guidance for operators of critical infrastructure concerning the protection of critical information infrastructure. Its purpose is to instruct stakeholders to protect critical infrastructure by reducing the risk of IT outages and ensuring prompt recovery after an event. It covers basic safety principles, information sharing, incident response, risk management and continuous improvement of critical information infrastructure protection. The policy does not endorse or recommend any specific type of technology; it states only that the most current and robust technology should be used.
The unique and unusual part of this standard is in the annexes at the end of the document. As the goal of the document is to “prevent serious effects on the public welfare and socioeconomic activities due to IT outages”, Annex 1 lists all of the specific categories of CII sectors, the applicable operators, the critical control systems and examples of IT outages. Annex 2 goes a step further with “CII Service and Maintenance Levels”. In it, certain maintenance levels and standards are to be maintained at all times, and certain failures in control systems due to IT outages are not allowed to take place. The tolerance for failures is extremely strict, making it seemingly impossible to have any interconnection between control systems and enterprise systems. For example, for electric power supply services “no supply problem incidents of over 10 minutes for supply power of 100,000 kW or more should occur”, and for gas supply services, “no supply problem incidents affecting supply to 20 or more houses should occur as a result of IT outages”. For water systems it is even more strict: “no interruption or decrease of water supply, abnormal quality water supply or serious problems in systems should be caused for supply of water as a result of suspended IT failures”. Similarly stringent service maintenance levels are specified for each CII industry sector.
It would be interesting to see how the authors of this policy would answer the question of how these service maintenance levels can be ensured through different cyber security technology options. For service maintenance levels as strict as these, unidirectional gateway technology would be an appropriate solution.
Qatar National Information Assurance (ICT QATAR)
Published: March 2014
What is in the standard
This ICS security standard document provides the minimum controls that need to be incorporated or addressed for any ICS that has been determined to be critical. The current version of the standard identifies only certain control system networks in Qatar’s electric sector as critical. The scope of this document is therefore directly comparable to the scope of the North American NERC CIP standards. The document describes which security controls are optional and which are required, but provides little explanation as to why these controls were selected, or what risks they are intended to address.
The document is intended to be used together with a suitable risk-based security management program.
The document is an easier read than the NERC CIP standards, and is a mix of requirements that are stronger and weaker than those of CIP. Unlike CIP, the Qatari standard does not distinguish between security controls appropriate to networks at different levels of criticality. The document does say that unidirectional gateways should be used whenever practical, but provides no examples of where the gateways, or any other technology, might be practical or impractical.