Page 15 - Cyber Warnings
These ISO/IEC standards establish a framework of core standards for implementing information security management systems, and incorporate particular standards regarding OT cybersecurity. In addition, ISO/IEC 21827 offers a set of practices that define cybersecurity and management practices to help organizations implement and mature their cybersecurity strategies.
ISA/IEC Standards: The IADC Guidelines refer extensively to ISA/IEC 62443, created by the International Society for Automation and aligned with IEC Standards. ISA/IEC 62443 is a standards family specifically for industrial automation and control systems cybersecurity (though the standards are not specific to drilling control systems). The Guidelines focus in particular on ISA/IEC 62443-3-2, which provides a prescriptive approach to (1) identifying critical systems, (2) defining target security levels, and (3) assessing risks to identify gaps and allocate appropriate countermeasures.
Recently, yet another oil and gas industry association – the International Association of Drilling Contractors (“IADC”) – has issued additional cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – including wireless offshore technologies and automated drilling assets and drilling control systems.
Importantly, the IADC Guidelines present few original risk management standards and instead seek to harmonize various existing international cybersecurity frameworks with high-level, non-regionalized standards.
The Guidelines’ main focus is on risk management methods companies can use for assessing the cybersecurity risks of drilling assets, including identifying and quantifying the potential for loss associated with cyber threats and establishing the priorities for their mitigation response. The goal of the process is to help companies assess the need for risk mitigation measures for each type of risk – whether the measures are immediately required, or are necessary but not critical, or merely should be considered – and to implement the mitigation measures according to the need determination.
The Guidelines are based on the three existing cybersecurity standards described above – the NIST Cybersecurity Framework, ISO/IEC Standards, and ISA/IEC Standards.
Our take:
There are many benefits to industry groups engaging in dialogues about cybersecurity best practices and working to ensure that their members are supported in the challenge of tackling cybersecurity risks.
15 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide