Europe

European Union Agency for Network and Information Security (ENISA)

Published: December 2016

What’s in the Standard

The objective of this document is to provide insight into the communication network interdependencies currently present in industrial infrastructures by mapping critical assets, assessing possible attacks, identifying good practices and security measures, and defining guidelines for the establishment of appropriate cybersecurity insurance requirements.

The ISA95 standard was selected as a main reference for guidance – focusing on the interconnection between assets and systems and sorting them into classifications/levels.

Unidirectional technology is mentioned multiple times in the context of technology that provides security for insecure protocols, and as a recommended practice in SCADA security to reinforce security systems.

Take Aways

Although unidirectional technology is recommended for SCADA systems, which is progress for ENISA, overall this guideline disappoints on the level of countermeasures for malware infection attacks and SCADA system compromises. The authors could have taken the opportunity to recommend robust security through unidirectional technology, but instead they mention just about every IT defense solution within Defense-in-Depth.

Agence nationale de la sécurité des systèmes d’information (ANSSI)

Published: September 2016

What’s in the Standard

This is a fictional use case intended to provide an example of how the 2014 ANSSI industrial control system security documents would apply to a control system for a hypothetical highway tunnel.

Take Aways

The ANSSI approach to cyber-security for control systems focuses very much on preventing intrusion. Everywhere the protection of a class 3 asset is mentioned, the document also mentions unidirectional data flow technology, and forbids firewalled connections between networks at different levels of criticality.

Office for Nuclear Regulation (ONR)

Published: March 2016

Coming soon.

Department for Transport (DfT)

Published: February 2016

What is in the standard
This guidance is concerned with protecting rail infrastructure and rolling-stock systems and handling threats and incidents. The Department for Transport (DfT) is looking to encourage the use of the US NIST cybersecurity framework amongst UK companies that operate critical infrastructure. Rail systems are becoming more vulnerable to cyber attack due to the integration of open-platform systems, equipment using COTS components, and the increased prevalence of control and automation systems that can be accessed remotely via public and private networks. The guidance applies to all rail networks in Great Britain, including high speed heavy rail, conventional heavy rail, London Underground, Docklands Light Railway and Glasgow Subway.

Relationship to Unidirectional Gateways
As signals are of critical importance from a safety perspective, the guidance states that signaling systems on rail networks should contain unidirectional gateways. For train control and signaling, networks for passengers should be physically or electronically separate from networks used for train control and signaling (especially where WiFi is used).

Take Aways
The attack surface of rail networks is rather large because it spans multiple systems: control, signaling, IT and passenger networks. The DfT understands the threat cyber attacks pose to public safety and recommends the strongest technology for its signal systems – unidirectional gateways.

Chatham House – Royal Institute of International Affairs (RIIA)

Published: December 2015

What is in the standard
This report finds that the trend toward connecting business systems with nuclear facilities introduces a host of cyber vulnerabilities to nuclear facilities that nuclear plant personnel may not be aware of. The report focuses on cyber attacks that seek to take over nuclear industrial control systems, acting either inside or outside of the facilities where these systems are located. The authors of the report believe that many of the findings and guidelines also apply to wider critical infrastructure, including power grids, transport networks, and maritime shipping. The report emphasizes the necessity of unidirectional communication technology at nuclear facilities, both for protecting the network perimeter from the IT network and for vendor VPN remote access. The report makes a number of specific recommendations to address the challenges identified in the study. To address the challenge of enhancing security, which is due to insufficient spending on cyber security within the nuclear industry, the authors encourage the further adoption of secure unidirectional communications technology.

Relationship to Unidirectional Gateways
The report states that it would be fairly straightforward for a hacker to break through a firewall and gain access to the ICS network; however, with unidirectional communication technology installed, the network is impossible to breach. For protecting the ICS network, the results of the study are clear – firewalls aren’t good enough: they are reactive rather than anticipatory, attacks can go undetected, and attacks are detected when they are already inside the network. The report highlights seven known cyber security incidents at nuclear facilities around the world which could have been prevented with Unidirectional Security Gateways.

Take Away
Nuclear facilities in the UK are becoming increasingly reliant on digitization and commercial software. This recent trend has presented a growing attack surface area for nuclear plants. The UK and Europe are beginning to catch on to the trend toward unidirectional communication technology to protect the national critical infrastructure which could cause the most widespread damage if breached. The case is made strongly in this report: unidirectional gateways are the way to go.