Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Protecting Africa's Critical Infrastructure: The Adoption of ISA/IEC

The potential of a digitally interconnected world is immense. Internet-based technologies are becoming an integral part of all critical infrastructure, from water and waste management systems to electric grid and air traffic control. Traditionally, these systems have operated in isolation mainly using legacy proprietary software. The benefits from the use of internet technology in critical infrastructure, however, brings a host of vulnerabilities and risks.

This blog seeks to provide insight within an African context; the cyber threats targeted at critical infrastructure, the magnitude of the risks, the consequences of security breaches, and why the adoption of International Society of Automation/International Electrotechnical Commission's (ISA/IEC) standards could complement Africa’s initiatives to ensure the resilience of critical information systems.

What is Critical Infrastructure?

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as: Assets, systems, and networks, physical or virtual, that are deemed to be vital to nation states that their compromise would have an enervating effect on security, public health, or safety.

Examples of critical infrastructure include:

  • Electricity generation and distribution systems
  • Water and waste management systems
  • Defense industries and transport
  • Traffic control systems

Adversaries with ever-increasing sophistication, determination, and zeal see a lot of potential for exploiting the vulnerabilities associated with the use of internet-based technology in critical infrastructure control systems. Combating these threats and ensuring the resilience of internet-enabled systems will require a systematic approach and use of robust cybersecurity standards. The ISA/IEC standards can assist in achieving a coherent and common baseline-level approach to cybersecurity in Africa.

There are a multitude of threats persistently targeting nation states’ critical infrastructure by adversaries with resources and motivation to inflict damage.

According to the International Society of Automation (ISA), the impact of these threats include:

  • Compromised national security
  • Health, safety, and environmental damage, including the loss of life
  • Unavailability of critical services
  • Negative publicity
  • Loss of public trust
  • Theft of data

A recent Government Technology article highlighted a trend towards these attacks becoming more and more oriented towards the destruction of assets rather than criminal activities to make money. Several recent cyberattacks illustrate the gravity of the threats and the magnitude of the impact such compromises can have. The following are some of the attacks that made headlines globally.

Ransomware Attack at Norsk Hydro

On March 19, 2019, Hydro was hit by an extensive cyberattack. While the attack affected all business operations, the extent differed across various operations. The cost of the attack was estimated at around $46 to $52 million.

Stuxnet

Stuxnet is a malware first discovered in January 2010 at the Iranian Nantaz nuclear facility. It is believed to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is thought to be responsible for damaging centrifuges used in uranium enrichment. Stuxnet has been dubbed the world’s first digital weapon.

Shamoon

Shamoon is a virus first discovered in 2012, famous for its destructive nature and the cost involved in restoring systems. It can spread from an infected machine to others on the network and has the capability to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. It can also overwrite the boot records of the infected machine, thus making it unusable. This virus was used by adversaries to wipe data from 30,000 computer workstations at Saudi Aramco, and a different version of Shamoon was believed to have been used against Qatar’s Ras Gas.

Key Benefits of Adopting ISA/IEC Standards

Given the significance of these threats, it is imperative that African countries strengthen their ability to prevent, detect, and respond to incidents. Such capabilities can only be developed through a consistent, credible, and coherent set of standards, implemented holistically. Although some governments across the continent have started developing legislative frameworks related to cybercrime and cyber threats, most African countries do not have their own national cybersecurity standards to guide their efforts in securing nationally significant information on networks and systems.

The ISA/IEC standards provide a framework that is flexible and can be used in a wide range of industrial control system (ICS) environments. The standards can be applied regardless of the technology implementation and offers flexibility by helping address current and future information security vulnerabilities.

The development of standards is often a long process, spanning in some cases to more than two years or so. The process requires significant investment in terms of financial commitment, time, and expertise. In most African countries, governments and regulators do not have sufficient financial or other resources to develop comprehensive information security standards. Therefore, the adoption of ISA/IEC standards can help governments and private sector institutions provide security baselines and reference frameworks at a much-reduced cost.

Africa has undergone significant brain drain as skilled professionals, including information security personnel, have migrated in search of better working conditions overseas. A 2016 research study by the Department of Electrical and Computer Engineering at Carnegie Mellon University (Kigali) highlighted that only around 7,000 qualified information security professionals are available for a population of 1.3 billion in Africa. Countries in Africa can leverage ISA standards to bridge the skills gap, as the guidelines are developed upon the consensus and expertise of practitioners from all over the world.

ISA standards strive to provide a common taxonomy and language for product suppliers. The continent has witnessed a proliferation of various ICS devices from vendors in China, Europe, and the US. Considering the global reach of supply chains and differences in technology provider’s standards, African countries stand to benefit by embracing the likes of ISA 62443-4-1 (Secure Product Development Life Cycle), as many countries have not yet set stringent guidelines on the specifications of devices that are used in their critical infrastructure.

Conclusion

The risk of cyberattacks on critical infrastructure is increasing exponentially with the advance in operation technologies (OT). The intensity of the threats and the consequences of security breaches have far-reaching ramifications. The adoption of ISA/IEC standards can help institutions in Africa build resiliency within their critical information systems.

Patrick Katuruza
Patrick Katuruza
Patrick Katuruza works at Morison Menon Consulting and Advisory as Lead Technical Auditor (Industrial Control Systems). He has extensive experience in Industrial Automation Controls Systems (IACS) cybersecurity assurance and consulting. He is ISA/IEC 62443 Certified, Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM