SecureIT blog series; previous articles:

Introduction

New cyber security laws intended to protect critical infrastructure are being enacted by countries across the globe. Industrial Control System (ICS) users, implementer's, and vendors can no longer ignore trends toward national standards for cyber systems for Industrial Controls. Today, large countries like the United States, Germany and China have all enacted cyber security laws requiring vendors and implementer's of Industrial Control Systems to take on new compliance burdens. Even the smallest Industrial Control users must consider cyber security compliance to local laws in their ICS operations.

Overview of Cyber Law Trends

The first truly modern Cyber Security Law for critical infrastructure and Industrial Controls was passed in Germany in 2015. This law was the first to be called “strict” in that it has language to oblige private firms and German federal agencies to certify systems against cyber security standards. While there have been many countries who have passed laws to protect government systems, this was the first to require private firms to adhere to cyber security requirements. While Germany has pursued middle ground in cyber security Law, the United States has taken a more hands-off approach to private sector cyber security requirements. With the exception of US Electrical Grid operators, most US Cyber law are of the recommendation type and streamlining of cyber threat sharing like what is codified in the Cybersecurity Information Sharing Act of 2015 (CISA). That law mostly allows for all companies to share cyber threat data without concern of US Anti-Trust violation, more of this law will be discussed below. Also, a more recent type of law from China for Network Operation Security was passed. This law will have sweeping impact in how companies do business in China and its features will be outlined as well.

Key Point – Most modern Industrial countries are revisiting their cyber security related laws and making them stricter in terms of systems that affect critical industrial infrastructure.

Why are countries passing new Cyber Law? – The Security Goal

In the aftermath of several Critical Infrastructure cyber security breaches like the German Steel Mill, Stuxnet, and Ukrainian power grid it’s now at the forefront of national policy to prepare a countries critical infrastructure for potential cyber-attack. The goal for countries is to prepare public and private facilities against most of the threats that would cripple a nations industries. This preparation is easy to execute in public agencies because all that is needed is a security policy change by the government itself. But, private industries have been a bit of a problem for many countries to mandate cyber security requirements due to fear of cost impacting a nation’s industrial competitiveness. This concern is so large in the United States that most of the security requirement language was removed from the law that became the Cybersecurity Information Sharing Act. China seems particularly interested in creating a law framework that is very strict to companies doing business in China.

United States Cyber Law – Cybersecurity Information Sharing Act of 2015

In many ways the Cybersecurity Information Sharing Act (CISA) has the smallest impact of any current National Cybersecurity Law currently being implemented by National Governments. The CISA’s main provisions make it easier for companies to share personal business information with the government. The law creates an information sharing system between government and private companies allowing the free flow of Cyber Security Threat information. The law makes Cyber Security information easier to share via exclusions from Anti-Trust and Privacy laws to better allow private companies and government collaborate on Cyber Security Threats without fear of prosecution or censure. It is worth noting that Industrial Control systems are not specifically called out in CISA nor is Critical infrastructure. While the Act is modest in its actions required of private industry, CISA is viewed by many in US policy circles as an initial and vital first step in the process to get a new and more expansive Cyber Security law enacted in the US.

German Cyber Law – IT Security Act

While the CISA in the US is considered an initial effort at National Cybersecurity policy, the German IT Security Act is a sizeable law requiring a great deal of both the National Bureaucracy and private companies. (Note, ‘IT’ is an acronym for Information Technology) The IT Security Act defines ‘Critical Infrastructure’ as equipment and plants which are of great importance to the functioning of the community, because their failure could lead to shortfalls or threats to public safety. Further the IT Security Act enumerates the following sectors for special concern: Energy, Information Technology, Telecommunications, Transport and Traffic, Health, Water, Food, Finance, Insurance.

The exact scope of cyber security regulation in these sectors will be determined by additional legislation, but obviously Industrial Control systems are involved with most of these sectors. And certain service/sector providers have been explicitly exempted from implementing minimum IT security measures, and reporting cyber incidents. As the law is currently worded many companies and organizations in the above sectors must start implementation of minimum IT security measures and start reporting cyber incidents.

The specific new obligations to critical infrastructure operators are:

Implement appropriate organizational and technical safeguards
Regularly Prove that they fulfill the security requirements (at least every two years, e.g. via security audits)
Designate a contact point for the German Federal Government’s BSI
Notify the BSI immediately of any significant disruptions of the availability, integrity, authenticity and confidentiality of their IT systems

The German IT Security Act is a robust law requiring a great deal of public and private organizations. This law represents a firm step towards Central National Government control of Cyber Security Preparations and further paves the way to mandating Cyber Security Technical Safeguards for critical infrastructure systems.

Chinese Cyber Law – Network Operation Security

If we were to consider the German IT Security Law robust, one might say that the Chinese Cyber Law of 2016 is possibly overbearing in its scope and impact. While the new China Cyber Law does have some notification of Cyber Incidents language. The purpose appears (unlike the German Law) to be to tactically and defensively stop any network attacks during their execution. The reporting of Cyber Security incidents appears to be not in the same nature of notification like the German Law.

What is exceptional about the Chinese Law is the direct calls for IT Vendor Systems to be tested by a future Chinese Testing Organization. This testing methodology and requirements have yet to be determined. But from the language it clearly states that ALL systems must be tested to be sold in China.

Another unprecedented provision in the Chinese Law is the mandate for China computer system data to be stored in Mainland China. No vendor or company can store data about Chinese computer systems or Chinese citizens outside of China. Many internet service providers have already migrated data about Chinese customers to China in response to this law. The law makes no mention of a transition time or a mechanism to seek exemption from this Data Storage provision in the law. Most companies have assumed that the effect was immediate on the Law’s adoption by the Standing Committee. This nation state control of information flows, data flows that include private company information is very unique in Cyber Security doctrine. No other nation has implemented any kind of National Data storage limitation before. With modern internet IT systems being as complex as they are, one wonders if this Law can actually be fully implemented by all organizations. At the least the Chinese Cyber Security Law represents a huge power grab by a nation state in the area of Cyberspace. Also there is specific call out for scrutiny into Critical Infrastructure and Industrial Control systems in the China Cyber Law. Time will tell if the Chinese Law’s ideas spread to other countries wanting to secure and police their Cyber Infrastructure.

Cyber Law and the Future

Nation states are in the process of regulating their Cyber Infrastructure to a greater degree. No more can IT, Cyber or Cyber-physical systems be free of binding law at a National level. Whether its simple information sharing to mandated system testing. Nations are tightening the regulations regarding Cyber security and how it’s performed by both public and private entities. Time will tell if most countries follow the US, German or China model in their implementation of Cyber Security Law. But it is easy to see that times are changing in Cyber Security and more scrutiny into the security of IT Cyber and Industrial Control systems is guaranteed in the future.

Did you enjoy this article?? Leave a comment below!

Apr 18, 2024

Oil & Gas Operations and Decision-Making in the Cloud Era

Recently, KBC launched the Acuity Industrial Cloud Suite, consolidating its simulation software solutions. It aligns with KBC's portfolio to address challenges in energy transition, process optimization, value chain optimization, and asset management. For insights, we interviewed Rolando Gabarron, a senior consultant in product management.

Apr 2, 2024

Behind the scenes of Pioneers: Pursuing objectives while also focusing on personal growth with Esmeralda Roxas

In the dynamic landscape of professional careers, the journey of growth and adaptation of Esmeralda Roxas at Yokogawa stands out. From her humble beginnings in system sales engineering for upstream oil and gas to her current role in network security, her trajectory is a testament to resilience, proactivity, and a thirst for knowledge.

Dec 21, 2023

The Necessity of Converged IT/OT SOC in Strengthening Cybersecurity for Today's Industrial Landscape

In the rapidly advancing technological landscape, industrial organizations face escalating cyber threats. To fortify cybersecurity, embracing a Converged IT/OT SOC is imperative. Yokogawa's cloud-based IT/OT SOC service provides a holistic defense, offering integrated visibility, proactive measures, and real-time monitoring. As cyber threats evolve, businesses can stay ahead with Yokogawa, safeguarding operations effectively in the cybersecurity race.

Dec 19, 2023

Yokogawa Recognised as a ‘Leader’ in Verdantix Green Quadrant for Process Safety Software 2023

Yokogawa has been acknowledged as a key software platform provider in the Green Quadrant report published by Verdantix and achieved the title of a 'Leader' in Process Safety Management. This recognition stands as a great achievement for Yokogawa, showcasing excellent performance in areas such as Control of Work, Mobile, Platform Interoperability, Integration, and Sustainability, including ESG considerations, among other notable areas.

Dec 18, 2023

Behind the scenes of Pioneers: Mahalakshmi R, Deputy Head, Yokogawa India Service: A Trailblazer in Leadership and Career Success at Yokogawa

In a recent interview, Mahalakshmi, Deputy Head at Yokogawa India Service, revealed her remarkable 28-year journey with the company. A leader in training and customer service, she has driven innovative projects and fostered a culture of success. Let's explore the key elements that have defined her leadership and career at Yokogawa.

Nov 30, 2023

Optimizing Energy Efficiency for Industrial Enterprise Buildings & Offices

Explore Yokogawa's EEMS revolutionizing energy efficiency in industrial buildings, recognizing their substantial impact on global energy consumption and CO2 emissions. This blog delves into EEMS's digital prowess for optimizing energy dynamics through real-time monitoring and a centralized platform. Uncover insights into smart meters, sensors, and communication protocol challenges and solutions.

Oct 2, 2023

Enhancing Energy Security Unveils the Power of Convergence and Yokogawa's Cybersecurity Program

In an age of looming cyber threats, the energy sector's vulnerability is glaring. Embracing IT-OT convergence is vital to combat these risks. Explore the benefits, challenges, and the pivotal role of Yokogawa's cybersecurity program in safeguarding energy systems against cyber threats. Discover more in our enlightening infographic, here: Access the infographic. Convergence merges security aspects for a unified defense, yet poses new risks. The Colonial Pipeline incident highlighted the cascading impact of IT breaches on OT systems. Yokogawa's comprehensive cybersecurity program addresses these challenges, offering tailored solutions, risk assessment, layered defense, monitoring, and employee education. Join us in fortifying cybersecurity posture.

Digital Solutions Blog

SecureIT – National Cyber Security Laws and Industrial Control