We are seeing an ever-increasing number of regulations being put into place around the world. In the EU we have seen NIS2 come into effect, and in a couple of years the Cyber Resilience Act (CRA) will be made fully applicable, on 11 December 2027.
Noncompliance with these regulations can cost significant amounts of money! So, what are we to do as cybersecurity professionals when guiding and advising our clients? How do we show regulators that we have made a provable effort to secure and protect data and applications against attacks?
In my opinion, implementing the relevant standards is the way to go. Something we can be audited against proves that we have taken steps to protect ourselves and our customers. This is the first article in a series looking into some of the other standards in the IEC series of standards, related to cybersecurity for operational technologies.
The articles in the series will be standalone; it will not be necessary to read them in any particular order.
OT Security standards
Operational Technology (OT) spans industrial control systems (ICS), automation, safety systems, and energy infrastructure. Several IEC standards are commonly referenced in OT environments. See the list below.
I recently did a series of five articles focusing on the IEC 62443 standard; you can find links to those at the end of this article. Because of that, I will not touch upon the IEC 62443 set of standards.
There are many standards in the IEC family of standards, some that are more relevant for machine producers, like:
IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems)
IEC 61508 defines how to achieve and prove functional safety for electrical, electronic, and programmable electronic systems across their entire lifecycle using risk-based Safety Integrity Levels.
IEC 61508 defines how to design, implement, operate, and maintain safety-related systems so that risks caused by system failures are reduced to an acceptable level.
It applies when:
- A failure could lead to harm to people, the environment, or assets
- Safety functions are implemented using electrical, electronic, or programmable electronics (e.g. PLCs, safety controllers, sensors, actuators)
It is technology-neutral and industry-agnostic. IEC 61508 is not as big as IEC 62443, but it covers many areas that are relevant to cybersecurity, like software safety requirements.
IEC 61508 mandates:
- Structured development lifecycle
- Coding standards
- Defensive programming
- Verification methods
Like IEC 62443, there are many parts to IEC 61508:
- General requirements
- Hardware requirements
- Software requirements
- Definitions and abbreviations
- Examples of risk reduction methods
- Guidelines on application
- Overview of techniques and measures
IEC 61508 is the “mother standard” of functional safety, but it is related to several other standards.

| Industry | Derived Standard |
|---|---|
| Process Industry | IEC 61511 |
| Machinery | IEC 62061 / ISO 13849 |
| Automotive | ISO 26262 |
| Nuclear | IEC 61513 |

IEC 61508 is typically used in situations where:
- No sector-specific standard exists
- You are developing generic safety products
- You are certifying safety components for multiple industries
IEC 61850 (Communication Networks and Systems for Power Utility Automation)
IEC 61850 is the international standard for communication networks and systems in power utility automation, especially substation automation. It defines how protection, control, measurement, and monitoring devices in electrical power systems communicate and interoperate.
IEC 61850 standardizes:
- Data models (what information exists)
- Communication services (how information is exchanged)
- Engineering processes (how systems are configured)
- Time-critical messaging (for protection and control)
Its main goal is interoperability between devices from different vendors in power systems. This is especially important where there is cross-border communication between sovereign countries and their power stations.
IEC 61850 is primarily used in:
- Electrical substations
- Transmission and distribution grids
- Renewable energy plants (wind, solar)
- Power plants and industrial power networks
Some of the key components of IEC 61850 are:
- Object Oriented Data Model
  - IEC 61850 uses a hierarchical data model, not simple registers: Logical Device → Logical Node → Data Object → Data Attribute
- Communication Services
  - IEC 61850 defines the Abstract Communication Service Interface (ACSI), which is mapped to real protocols, such as the time protocols NTP and PTP.
- Time-Critical Communication
  - IEC 61850 supports hard real-time performance
IEC 61850 defines standardized, object-oriented communication and engineering models that enable interoperable, real-time automation and protection in electrical power systems.
The IEC 61850 standard is not related to cybersecurity, so why have I put it in here? Well, most of the networking vendors we know within IT have ruggedized equipment aimed at industrial environments, so asking for support for IEC 61850 in that equipment is an important requirement when looking to buy new or upgrade existing infrastructure.
In addition, IEC 61850 is also related to IEC 62351 – Security for power system communication, which I will get into in the next article in this series.
Check out also IEC 62443: A Cybersecurity Guide for Industrial Systems
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book “The Art of War for Cybersecurity”. He is currently writing a book ‘Security Architecture – How & Why’.

