When Cybersecurity Standards Meet Management
Note: The Chinese version was published in Taiwan’s CIO IT Magazine in February 2022. The views here are my own and do not necessarily reflect those of my employer.
The general impression of international cybersecurity standards is that they are either filled with complicated and incomprehensible articles, or are simply promoted and implemented in response to the demands of clients or regulations. Since the release of ISO 27001, a raft of new international information security standards have emerged, which have also become the main focus at various cybersecurity conferences in Taiwan. Within the trend of cyber/digital resilience, how exactly do senior executives understand the latest cybersecurity standards from a management perspective? To differentiate from past information security standards, the latest standards are referred to digital resilience standards below.
How to communicate cybersecurity standards from a management standpoint has always been the main focus of cybersecurity standards. BS7799 was the first cybersecurity certification I obtained when helping the National Center for Cyber Security Technology (NCCST) in Taiwan promote the Level-A government agencies certification project in 2004. At the time, government agencies led by example and obtained the BS7799 certification introduced by the British Standards Institution for the purpose of compliance with international cybersecurity standards.
The following year, BS7799 was revised and updated into ISO 27001. Below are some thoughts and insights on the risk management practices over recent years based on my experience as a consultant, advisor and reviewer participating in certification evaluation, standards formulation, and manuals localization.
Digital Resilience is an Ongoing Topic
During the Cybersecurity 1.0 era, information technology (information security) professionals primarily focused on the management of IT technology in response to attacks of regional computer mutating viruses. In 2014, Gartner’s annual report explored the importance of the new cybersecurity paradigm shift, and even boldly proposed the viewpoint of “perfect prevention is impossible.” Facing the increasingly aggressively attacks of international hackers during the pandemic, enterprises should implement international digital resilience practices to prepare for the challenges of “Cybersecurity 2.0.” In essence, digital resilience has become the sustainable foundation of digital transformation implementation in the post-pandemic era.
Management Issues of Standards
One might ask: Isn’t cybersecurity all about the execution of those controlling measures that will be audited? Why bother with the study and research on frameworks or management principles behind these digital resilience standards?
Using ISO 27001 as an example, the Standard adopts the PDCA management principles: Plan, Do, Check, and Action. Different digital resilience standards adopt different management principles or address specific cybersecurity issues that must be resolved. Leveraging my project execution experience, I will analyze the management issues behind the NIST CSF, SEMI E187, IEC/ISA 62443, and CMMC standards as follows.
Since its release in 2014, the Cybersecurity Framework (CSF) introduced by the U.S. National Institute of Standards and Technology (NIST) has become a practical standard of international digital resilience.
CSF adopts risk management procedures and is linked to organizational communication of cybersecurity strategic decisions and prioritization. From the perspective of corporate strategy, the lifecycle of an organization’s cybersecurity risk management is considered; from the perspective of risk management, an organization may adopt different methods of risk options, such as mitigation, transfer, avoidance, and acceptance, depending on the analysis of the potential impacts on the corporate critical services. Lastly, an enterprise prioritizes cybersecurity activities based on their risk tolerance levels.
The Specification for Cybersecurity of Fab Equipment (SEMI E187) released by SEMI in 2022 helps reduce the risk of cyberattacks on legacy software installed on semiconductor fab equipment.
While legacy equipment is often found in factories, the cybersecurity issues of legacy software are often overlooked, especially software for equipment supplied by foreign tool vendors. For example, an infrastructure company uses original electrical equipment from Japanese manufacturers. Once a device needs patch updates, it must be sent back to Japan for revalidation. The owner of the equipment may find it too much trouble to try to get to the bottom of a problem, and simply downplay or disregard any cybersecurity issues. If the software is not updated, however, it would be like leaving the security gate of production line wide open; once the IT defense is broken through, hackers could gain direct access.
Moreover, equipment software is a critical part of the equipment supply chain, and it will be difficult for a single company to try to intervene and solve the problem alone. Through the collective effort and cooperation of interdisciplinary cybersecurity experts of the semiconductor industry in Taiwan, the Standard is expected to solve this difficult and critical cybersecurity issue of the global supply chain.
Targeting the cybersecurity of factory equipment, the International Society for Automation (ISA) has introduced the IEC/ISA 62443 series of standards for industrial automation and control systems starting in 2009.
This series aims to resolve the issues of equipment cybersecurity ownership: Who exactly is responsible for equipment cybersecurity? Company IT departments, cybersecurity departments, equipment users, procurement departments, or equipment suppliers? Similar to the aforementioned legacy software of semiconductor fab equipment, procurement departments hope that equipment users can provide them equipment cybersecurity specifications; equipment users believe that this is not part of their responsibility or KPI (key performance indicator), as it is the expertise of the IT or cybersecurity department; the IT or cybersecurity department believes that production equipment is not their issue to manage. Thus, this critical cybersecurity issue becomes a no man’s land.
IEC/ISA 62443 determines that equipment users are responsible for the management of equipment cybersecurity. From the perspective of maintenance and repair (M&R), is software update part of equipment M&R? The answer is definitely yes. In the past, equipment users were only responsible for recording and reporting hardware malfunctions, and were not responsible for software malfunctions. This series of standards help equipment users clarify the roles and objectives of third-party service providers and integrated service providers. Secondly, cybersecurity management systems, factory assets inventory, factory security structures (such as reference models), equipment cybersecurity risk assessment and software update procedure, are all cybersecurity management mechanisms that must be established by factories.
In 2019, the U.S. Department of Defense officially announced the Cybersecurity Maturity Model Certification (CMMC) 1.0 requiring all contractors to follow the cybersecurity standard. As a continuation of the Capability Maturity Model (CMM), Carnegie Mellon University developed this cybersecurity standard based on the same maturity principles.
In 17 cybersecurity domains and 171 practices, CMMC 1.0 specifies five maturity levels to verify an organization’s execution of cybersecurity processes and capabilities. CMMC 2.0 was launched two years later, and was streamlined into three maturity levels: Foundational, Advanced, and Expert. Foundational assessment is annual self-assessment; advanced assessment includes both self-assessment and certification by a recognized third party; finally, expert assessment shall be conducted under the leadership of the government. CMMC 2.0 is also aligned with the NIST CSF standard in aim to keep up with the latest international cybersecurity practices.
Enterprise Cybersecurity Posture
Regardless of public talks or clients’ assessment projects, the most frequently asked question is how enterprises are evaluated and assessed, or questions on cybersecurity maturity.
NIST CSF does not emphasize maturity scores in the cybersecurity standard, and has gone as far as to state that the four tiers do not represent maturity levels. Examining international third-party certification agencies, digital resilience standards can be used as measuring references to industry maturity (industry evaluation) or enterprise cybersecurity posture (self-evaluation). When information of industry maturity is inaccessible, it is a concrete and feasible way for enterprises to use digital resilience standards as self-evaluation tools.
In this wave of international mainstream discussions, cybersecurity posture has become the focal point of the promotion of standards in the cybersecurity sector. What is posture? Using our body as an example, posture differs from person to person, but there are extensive studies focusing on the correlation between posture and health. If IT were natural and genetic, then cybersecurity posture would be nurtured and learned. Through digital resilience standards, an enterprise can evaluate the as-is and to-be of its cybersecurity health before it can formulate a suitable cybersecurity action plan.
Standards Are Not Just Standards
By the demand of laws and regulations of clients, most of the domestic organizations that have passed the ISO 27001 certification put the IT department in charge of implementation; at best, the R&D unit or business units that clients are more concerned with would be involved. Unfamiliar with digital resilience standards, the IT department usually gives similar responses, stating that IT has been working on the controlling measures of digital resilience standards.
This kind of thinking somehow limits the scope of an enterprise’s cybersecurity asset management. Using an international OEM manufacturing company as an example, its IT department emphasizes it has already implemented ISO 27001. In fact, IT is the only department in the entire company that has passed the certification, and the scope of the company’s cybersecurity risk identification is limited to the IT system and does not include factory (hardware) cybersecurity, nor does it cover the cybersecurity risk issues of the entire company.
Secondly, cybersecurity asset management is also related to departmental roles and responsibilities. As mentioned above, CSF is the standard developed from the thinking of corporate risk management. Using a client’s cybersecurity head in the IT department as an example, he may emphasize that CSF is a management framework, and is not much help to IT; as for the risk management mentioned in CSF, the company’s risk management committee will assume their responsibility, and he or share may only care about the cybersecurity standards or indicators related to IT.
Thus, this new wave of international cybersecurity standards not only puts emphasis on the domestically overlooked issues of corporate cyber risk management, including risk management framework, legacy software, and ownership, but also paves the way for research and application of holistic enterprise cybersecurity posture, driving the best practices of international digital resilience.
Wu, M.C., Legacy Systems Pose Broad Security Risk for Chipmakers, EE Times (2022). https://www.eetimes.com/legacy-systems-pose-broad-security-risk-for-chipmakers/
Wu, M.C., Key Implementation Challenges on International Cybersecurity Standards and their Supportive Management Resources, ISSA Journal. (Nov, 2021). https://www.issa.org/
Wu, M.C., “Emerging Standard Helps Address Cybersecurity,” Standards Watch (March 2021), SEMI, www.semi.org/en/standards-watch-2021March/tw-cybersecurity.
About the Author
Ming-Chang (Bright) Wu is a founding member for Cybersecurity Committee at SEMI Taiwan and join the task force for drafting SEMI 187 since 2018. He is a qualified speaker for Taiwan Corporate Governance Association. His resilience book was selected as the 2020 “Book of the Month” recommended by the National Academy of Civil Service in Taiwan. Now he is helping localization of SEMI E187, NIST CSF and ISA/IEC 62443 in Taiwan. Bright Wu can be reached on LinkedIn.