Cybersecurity Standards for digital manufacturing

This is a collection of Industrial CyberSecurity Standards and de-facto standards relevant for organizations designing, developing, selecting, installing and operating digital manufacturing platforms. The selection was made on the basis of expert advisory and selections by researchers in their assessment of relevant State of the Art. Next to the standards, readers should also consider the works ongoing in standardisation efforts.


  • Cloud Security Alliance (CSA)

    https://cloudsecurityalliance.org/

  • Cloud Security Alliance (CSA) – Consensus Assessment Initiative Questionnaire (CAIQ)

    An industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM).  

    It helps cloud service providers and their customers to gauge the security posture and determine if their cloud services are suitably secure. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls.

    https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-1/

  • IIC – SMM
  • Industrial Internet Consortium (IIC) – Industrial Internet Security Framework (IISF)

    The Industrial Internet Security Framework (IISF) is a cross-industry-focused security framework comprising expert vision, experience and security best practices. It reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments.
    It builds on the ‘Industrial Internet of Things Reference Architecture’ (IIRA), that lays out the most important architecture components, how they fit together and how they influence each other. Each of these components must be made secure, as must the key system characteristics that bind them together into a trustworthy system.

    It reviews security assessment for organizations, architectures and technologies. It outlines how to evaluate attacks as part of a risk analysis and highlights the many factors that should be considered, ranging from the endpoints and communications to management systems and the supply chains of the elements comprising the system. Different roles are identified that should be considered in conjunction with the key characteristics, including, owner/operator, system integrator/builder and equipment vendor. Each role offers different risk management perspectives that affect the decisions regarding security and privacy.

    https://www.iiconsortium.org/IISF.htm
    https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

     

  • Namur, WG 4.18 Automation Security

    NAMUR, the "User Association of Automation Technology in Process Industries", is an international association of user companies (established in 1949) and represents their interests concerning automation technology. NAMUR numbers over 150 member companies. The achievement of added value through automation engineering is at the forefront in all NAMUR member company activities. NAMUR conducts a frank and fair dialogue with manufacturers.

    NAMUR’s Automation Security working group 4.18 addresses issues including the following topics in the context of its experience exchange, its concept developments, formulation of requirements to be met by automation solutions and its involvement in national and international standardisation.

    Relevant recommendations and worksheets

    • NA 163    Security Risk Assessment of SIS (Safety Instrumented Systems)
    • NA 169    Automation Security Management in the Process Industry.  NA 169 describes the steps to systematically build a Cyber Security Management System (CSMS) for automation systems in the process industry in order to ensure the correct operation of the functional safety devices, to protect critical data and to ensure the availability and reliability of the plants

    See Namur website WG 4.18 pages

  • OMG – Eclipse Foundation

    https://projects.eclipse.org

  • OPC-UA

    OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.
    (see https://en.wikipedia.org/wiki/OPC_Unified_Architecture)

  • Open Web Application Security Project® Foundation (OWASP)

    https://owasp.org/

  • Platform I4.0 WG Sicherheit, RAMI Security model developments

    See https://www.plattform-i40.de/PI40/Redaktion/EN/Standardartikel/working-group-03.html

    Asociated content:

    • Associated Metamodel Asset Administration Shell for Security
    • Access control for Industrie 4.0 components for application by manufacturers, operators and integrators
    • Specification - Details of the Asset Administration Shell - Part 1
    • Artificial Intelligence (AI) in Security Aspects of Industrie 4.0
    • Cybersecurity Regulatory Framework in Germany/EU and USA (GER/ENG/CHN)Industrie 4.0 Security Guidelines
  • ROS – SROS

    http://wiki.ros.org/

  • NIST 800.82

    This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

    ICS cybersecurity programs should always be part of broader ICS safety and reliability programs at both industrial sites and enterprise cybersecurity programs, because cybersecurity is essential to the safe and reliable operation of modern industrial processes. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders. ICS security objectives typically follow the priority of availability and integrity, followed by confidentiality.

    https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

  • NIST CyberSecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity)

    The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organizational Profiles. Through use of Profiles, the Framework will help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help in prioritizing and achieving cybersecurity objectives.

    While this document was developed to improve cybersecurity risk management in critical infrastructure, the Framework can be used by organizations in any sector or community. The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving security and resilience.

    The Framework provides a common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today.

    https://www.nist.gov/cyberframework

  • NISTIR 8183 - Cybersecurity Framework Version 1.1 Manufacturing Profile

    The Cybersecurity Framework (CSF) Version 1.1 implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the CSF can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

    https://csrc.nist.gov/publications/detail/nistir/8183/rev-1/final

     

  • NISTIR 8259 - Foundational Cybersecurity Activities for IoT Device Manufacturers

    Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices

    https://csrc.nist.gov/publications/detail/nistir/8259/final

The following is a collection of Industrial CyberSecurity Standards and de-facto standards relevant for organizations designing, developing, selecting, installing and operating digital manufacturing platforms. The selection was made on the basis of expert advisory and selections by researchers in their assessment of relevant State of the Art. Next to the standards, readers should also consider the works ongoing in standardization efforts