The Bridge - Issue 2, 2023 - 9

A Barrier-based Approach to Cyber Security in Critical Infrastructures
Feature
It is an open question whether these cyber security
measures and corresponding requirements should
be included in a dedicated cybersecurity performance
standard or whether they should be included in
existing performance standards for the systems that
should be protected. Reasons for choosing a dedicated
cybersecurity performance standard include obtaining the
necessary ownership and visibility, and potentially greater
confidentiality since all requirements will be compiled in
one document. A related consideration is how to treat
requirements for operational and organizational barrier
elements, both for cybersecurity barriers and safety
barriers, i.e., either as a separate performance standard or
added to the technical requirements in the different
performance standards.
Apart from assessing compliance with requirements and
the status of cybersecurity, several aspects of a barrier
approach to cybersecurity must be investigated. These
include how to integrate security and safety, how to align IT
and OT cultures, and what the alternatives are to a barrier-oriented
approach to cyber security.
TABLE II
Differentiation Between Countermeasures and Barriers

| Countermeasure | Cybersecurity Barrier Consideration |
|---|---|
| Vigilant user | Can be a cybersecurity barrier |
| Patch management (ad hoc/formal/centrally managed) | Performance influencing factor |
| Anti-virus (AV) software (updated/centrally managed) | Can be a cybersecurity barrier |
| Audit log | Control measure - part of normal operation |
| Portable media prevented via administrative controls/software/hardware/physical removal of ports | Intrinsic security - part of normal operation |
| Personnel security | Control measure - part of normal operation |
| Physical access control/locks | Control measure - part of normal operation |
| Intrusion detection | Can be a cybersecurity barrier (function) |

Figure 3. Bow-tie model with barriers, control measures and PIFs [2]
III. WHAT IS A CYBERSECURITY BARRIER?
In the vernacular, there seems to be little difference
between the terms "barrier" and "countermeasure" when
used in the context of cybersecurity. However, if we adopt
the same reasoning as PSA does in the case of safety
barriers, a barrier is something that comes into play for
exceptional events, not something that is just part of normal
operations or good security management practice. This can
be illustrated and explained using a bow-tie diagram, as
shown in Figure 3 (adapted from Øie et al. [2]).
PSA makes a distinction between barriers and: 1)
measures to prevent triggering events or conditions
(control measures) being part of normal operation; and
2) measures to prevent barrier degradation and failure
(performance influencing factors - PIFs). In a cybersecurity
context, "countermeasures" often seems to be the term used
for all of these measures, i.e., barriers, control measures,
and PIFs.
Looking at the example countermeasures in ISA-TR84.00.09-2017
[13], it is clear that many do not satisfy
the "exceptional" criterion to count as a barrier. Note that
the countermeasures do not distinguish between functions
and systems or elements, e.g., intrusion detection, included
in Table II, is a function, whereas an intrusion detection
system (IDS) can be considered a barrier.
Figure 4. Selected standards and guidelines for functional safety
and cybersecurity
As an example, physical (or logical) access control is used
as part of normal operation, in part to avoid unauthorized
access by employees who may unintentionally make
a mistake. Access control is not only used to prevent
intentional cyberattacks. If unauthorized access is
discovered, e.g., by an IDS, then it is the IDS that represents
a barrier.