Manufacturing Cybersecurity – Standards, Regulation and Compliance

Manufacturing Cybersecurity - Regulations and Standards

Welcome back to our journey through the dynamic and evolving world of cybersecurity in modern manufacturing. In part six of this series, we’re diving deep into the pivotal role of regulations and compliance.

Understanding the regulatory and compliance landscape in this sector is more than a recommended practice; it is a fundamental necessity for an industrial enterprise's long-term success. Staying current with the cybersecurity frameworks and standards that define industry norms is critical.

This diligence is key not only to upholding the accountability, safety, and security of manufacturing operations but also to safeguarding sensitive data, reducing cyber risk, and keeping production running. By giving these elements the attention they deserve, manufacturers are better positioned to handle the intricacies of cybersecurity in their domain. Remember, compliance alone does not equate to security: a certificate attests to a point-in-time assessment against a defined scope, and controls must still be operated, monitored and maintained. Compliance can, however, lay the groundwork for a more secure operational environment.

Boosting Security in Manufacturing with Cybersecurity Frameworks and Standards

Manufacturers have a range of cybersecurity frameworks and standards at their disposal, and these matter for safeguarding critical infrastructure. Driven by legal and industry needs, they set out structured requirements for protecting sensitive information and keeping operations running. Standards such as the NIST Cybersecurity Framework, IEC 62443, and ISO/IEC 27001 do not protect anything by themselves; what they provide is a common, auditable structure for selecting, implementing and verifying controls against a changing threat landscape, which is what supports resilience and operational integrity.

Let’s break down some key standards and regulations:

  • IEC 62443 Standards: The ISA/IEC 62443 series is becoming the go-to standard for securing industrial automation and control systems (IACS) across industries, including manufacturing. It addresses asset owners, system integrators and product suppliers separately, which makes it usable across an OT supply chain.
  • NIS2 Directive: This updates EU critical infrastructure regulation, expanding its reach to include manufacturing and other sectors. It mandates risk management measures and sets out incident reporting requirements, with an early warning due within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours.
  • Cyber Resilience Act (CRA): This is a big deal in the EU, setting essential cybersecurity requirements for products with digital elements placed on the EU market, covering both the product itself and the manufacturer's vulnerability handling processes.
  • Machinery Regulation (EU) 2023/1230: While not solely focused on cybersecurity, this regulation includes health and safety requirements for machinery that take cybersecurity into account (including protection of safety functions against corruption) and allows for digital instructions.
  • Singapore's Cybersecurity Act and its Codes of Practice: The Cybersecurity Code of Practice for Critical Information Infrastructure, known as CCoP 2.0, is the key standard for Critical Information Infrastructure (CII) owners in Singapore.
  • Australia's Security of Critical Infrastructure Act 2018 (SOCI Act 2018): The Act is part of Australia's broader strategy to protect essential services such as electricity, water, port facilities, and manufacturing that are crucial for the nation's well-being and security.
  • U.S. HHS FDA Cybersecurity Requirements: These new requirements focus on cybersecurity for "cyber devices" in healthcare and apply to the manufacturers of those devices; premarket submissions must include a software bill of materials and a plan for monitoring and addressing postmarket vulnerabilities.
  • NIST SP 800-171: This NIST publication governs the protection of controlled unclassified information in nonfederal systems and affects numerous businesses working with the federal government. NIST released a summary and analysis of comments on the initial public draft of Revision 3.

Staying up to date with Cybersecurity Standards

In manufacturing, there’s growing pressure to meet various regulatory and compliance standards. Adopting an OT-specific cybersecurity approach, like the IEC 62443 standards, is crucial for addressing security needs throughout the OT system’s lifecycle.

New regulations cover a lot of ground, from critical infrastructure protection to product security and machinery safety. However, they usually build on existing standards rather than creating completely new cybersecurity principles.

EU regulations, for instance, focus more on having a cybersecurity management system than on prescribing specific security measures. So, establishing an information security management system according to ISO/IEC 27001 and/or a security program according to ISA/IEC 62443-2-1 for the operating environment, and implementing a secure development lifecycle as per ISA/IEC 62443-4-1 for OT components, are smart moves. Upcoming regulations will likely require these measures, and having them in place already gives you the documented evidence that a conformity assessment will ask for.

Audits and Certifications: Keeping Up in Manufacturing

In the manufacturing world, audits and certifications such as ISASecure are key to demonstrating cybersecurity compliance in OT environments. Certifications show that security features are built into a product or development process, while audits check how effectively control systems are secured throughout their lifecycle. Without a solid security architecture to assess against, audits and testing lose much of their value, and the result is weak or poorly targeted control measures.

In the EU, manufacturers might not need to obtain certification or undergo regular audits to comply with the NIS2 directive, because as "important entities" they are supervised after the fact (following an incident or evidence of non-compliance) rather than proactively. Compliance with the CRA and the machinery regulation, however, will likely require conformity assessments and certifications. Certified products can then be marketed as safe and secure, which helps in getting management on board with other cybersecurity initiatives.

In the U.S., authorities are including cybersecurity-specific questions in inspections and audits at manufacturing sites. It’s also important for organizations to make sure their suppliers and vendors meet regulatory requirements and have strong cybersecurity measures in place. This might involve regular audits and requiring third-party suppliers to stick to strict security standards.

Adapting to Regulatory Requirements and Compliance Frameworks

In manufacturing, developing and executing cybersecurity strategies are heavily influenced by regulatory demands and compliance frameworks. Companies need to navigate these requirements while keeping their operations efficient.

Effective security management strategies should focus on risk-based approaches, a key aspect of NIS2. The directive makes the management bodies of essential and important entities responsible for approving and overseeing risk management measures, and it requires them to undergo cybersecurity training and to offer similar training to their employees. Adopting a risk-based approach helps organizations focus resources on their major cybersecurity exposures while keeping operations smooth.

Cybersecurity is becoming a big part of the procurement process in manufacturing. However, there’s a knowledge gap, with buyers often unsure about the right questions to ask, and sellers struggling to showcase the key cybersecurity features of their products. New regulations might add some complexity, but they also provide much-needed guidance. The big opportunity for businesses, whether buying or selling, is to improve how they understand and communicate the cybersecurity aspects of their products.

The Australian SOCI Act 2018, for example, significantly impacts manufacturing companies in Australia, particularly those involved in or connected to critical infrastructure. It requires them to take a proactive approach to risk management, comply with reporting obligations, and engage in collaborative efforts with the government to ensure the security and resilience of their operations. Key impacts include:

  • Risk Management Programs: Companies must create programs to identify and mitigate operational risks.
  • Mandatory Reporting: There’s a need for detailed reporting on ownership and operational control.
  • Enhanced Security Measures: Companies should implement advanced security measures for infrastructure protection.
  • Compliance and Penalties: Adherence to the Act is crucial, with significant penalties for non-compliance.
  • Supply Chain Security: The Act emphasizes securing supply chains, especially those connected to critical infrastructure.
  • Government Collaboration: It encourages information sharing and cooperation with the government for infrastructure security.
  • Increased Scrutiny and Oversight: The government has more authority to oversee and intervene in the operations of these companies.
  • Investment Implications: The Act introduces additional regulatory considerations for investments in critical infrastructure.

Similarly, Singapore's CCoP 2.0, issued under the Cybersecurity Act, has several implications for manufacturers, particularly those designated as owners of Critical Information Infrastructure (CII). Key impacts include:

  • Enhanced Cybersecurity Measures: CII owners must adopt stronger cybersecurity practices, integrating specific security measures and best practices into their strategies.
  • Compliance Obligations: Manufacturers are required to align their cybersecurity practices with CCoP 2.0, with non-compliance potentially leading to legal issues and fines.
  • Regular Audits and Risk Assessments: There’s a need for ongoing cybersecurity audits and risk assessments to identify and address vulnerabilities.
  • Incident Reporting Protocols: Rapid detection and reporting of cybersecurity incidents are mandatory to mitigate threats effectively.
  • Supply Chain Security: Ensuring the cybersecurity of the supply chain is crucial, which may involve vetting suppliers and including cybersecurity in contractual agreements.
  • Collaborative Efforts: Manufacturers should actively participate in sharing information about cyber threats and solutions, both within the industry and with government bodies.
  • Resilience and Recovery Planning: A strong focus on disaster recovery and business continuity plans is essential to quickly bounce back from cyber incidents.

Keeping Up with the Changing Regulatory Landscape

Manufacturing organizations need to keep up with the constantly evolving cybersecurity landscape, aligning with new regulations to stay compliant and cost-effective. They should keep an eye on regulatory updates and work with government bodies for cyber threat mitigation and risk management. Engaging with regional security agencies or cybersecurity experts can help ensure compliance with standards.

As governments tighten cybersecurity regulations, transparency in the legislative process is increasing. Manufacturers should integrate cybersecurity into their management systems, promoting secure practices and proactive risk assessments. This approach will help them stay ahead of upcoming regulations and boost their overall security posture.

The Risks and Penalties of Ignoring Cybersecurity Rules

Ignoring cybersecurity regulations in manufacturing can damage a brand’s reputation, hurt investment appeal, increase costs, and even risk business continuity due to breaches and high staff turnover. Setting up strong compliance management systems is essential to avoid these risks.

Non-compliance can lead to fines and market access restrictions, especially in Europe, highlighting the importance of meeting cybersecurity standards to stay competitive. Customers prefer partners whose products are secure and reliable.

In Australia, the SOCI Act imposes hefty penalties for non-compliance, with fines increasing for each day of violation. For example, failing to meet risk management and cybersecurity obligations can lead to civil penalties of up to 200 penalty units, about AUD$55,000 (USD$37,000) at current rates.

The NIS2 directive outlines various consequences for non-compliance, including non-monetary remedies (such as binding instructions and orders to cease conduct), administrative fines, and, where member states provide for them, criminal sanctions. The maximum administrative fines differ by category: at least EUR 10,000,000 or 2% of worldwide annual turnover for essential entities, and at least EUR 7,000,000 or 1.4% for important entities. These penalties apply to essential and important entities that neglect security requirements or fail to report incidents.
