STANDARDS,
FRAMEWORKS, AND
REGULATIONS
That an ICS/OT Cybersecurity leader
should refer to
©Security Quarks
Table of Contents
The ISA/IEC 62443 Series of Standards ...................................................................... 2
ISO 27000 Series...................................................................................................... 3
NIST CSF 2.0 ............................................................................................................ 4
NIST SP 800 Series ................................................................................................... 6
NIS 2 Directives ....................................................................................................... 7
NERC CIP ................................................................................................................ 8
TSA ....................................................................................................................... 10
The HIPAA Privacy Rule ........................................................................................... 11
IMO Cybersecurity Standards ................................................................................. 12
Bill C-26 ................................................................................................................ 14
GDPR .................................................................................................................... 15
CMMC 2.0 ............................................................................................................. 17
NCA OTCC............................................................................................................. 18
IEC 62351 .............................................................................................................. 19
IEEE 1686 .............................................................................................................. 21
ISO/SAE 21434....................................................................................................... 22
CRA ...................................................................................................................... 23
CEA Regulation ...................................................................................................... 25
Summary .............................................................................................................. 26
Shared By: Shamikkumar Dave P a g e 1 | 28
The ISA/IEC 62443 Series of Standards
The ISA/IEC 62443 series represents the only globally recognized consensus-based
standards for cybersecurity in automation and control systems. These standards
outline the requirements and processes needed to implement and maintain
electronically secure Industrial Automation and Control Systems (IACS). They establish
best practices for security and provide a framework for evaluating the level of security
performance. Their comprehensive approach addresses both operational technology
and information technology, as well as integrating process safety and cybersecurity.
Key Standards within ISA/IEC 62443
ISA/IEC 62443-1-1: Terminology, Concepts, and Models
This standard introduces foundational terminology, concepts, and models utilized
throughout the ISA/IEC 62443 series. It offers a uniform language and framework
essential for understanding and implementing cybersecurity measures in IACS.
ISA/IEC 62443-2-1: Security Program Requirements for IACS Asset Owners
This standard specifies the requirements for establishing and maintaining a
Cybersecurity Management System (CSMS) for asset owners. It encompasses policies,
procedures, and governance frameworks necessary for managing cybersecurity risks
within IACS environments.
ISA/IEC 62443-2-3: Patch Management in the IACS Environment
Provides guidelines for managing patches and updates in IACS environments. This
standard ensures that vulnerabilities are promptly addressed, reducing the risk of cyber
threats.
ISA/IEC 62443-2-4: Security Program Requirements for IACS Service Providers
This standard defines the security program requirements for service providers
supporting IACS operations. It ensures that service providers implement adequate
security measures to protect IACS from cyber threats.
ISA/IEC 62443-3-2: Security Risk Assessment for System Design
This standard provides guidelines for conducting security risk assessments during the
design phase of IACS. It assists organizations in identifying and mitigating security risks
early in the system development lifecycle.
ISA/IEC 62443-3-3: System Security Requirements and Security Levels
This standard delineates the security requirements and levels for IACS. It provides a
framework for implementing security controls based on the criticality and risk profile of
the system.
ISA/IEC 62443-4-1: Secure Product Development Lifecycle Requirements
This standard establishes requirements for the secure development of IACS products,
including secure coding practices, vulnerability management, and security testing
throughout the product development lifecycle.
ISA/IEC 62443-4-2: Technical Security Requirements for IACS Components
This standard specifies the technical security requirements for individual IACS
components, ensuring that each component meets the necessary security criteria to
defend against cyber threats.
In a Nutshell
The ISA/IEC 62443 series is a comprehensive set of standards for securing industrial automation
and control systems, covering all aspects relevant to asset owners, system integrators,
component providers and advisors.
ISO 27000 Series
The ISO 27000 series, published by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC), includes multiple
standards that provide best practices for information security management. Key
standards in this series include ISO 27001, ISO 27002, ISO 27005, and ISO 27019,
among others.
Key Standards and Their Relevance to OT Cybersecurity
1. ISO 27001: Information Security Management Systems (ISMS)
• Risk Management: ISO 27001 emphasizes risk assessment and
management, which is crucial for OT environments where cyber threats
can directly impact physical processes and safety. By identifying and
mitigating risks, organizations can protect their operational systems from
disruptions and damage.
• Compliance and Legal Requirements: Adhering to ISO 27001 helps
organizations comply with various regulatory requirements and industry
standards, reducing the risk of legal penalties and enhancing trust with
stakeholders.
• Integration of Best Practices: The standard incorporates best practices
for information security, which can be adapted to the unique needs of OT
systems. This includes securing network communications, implementing
robust access controls, and ensuring the physical security of critical
infrastructure.
2. ISO 27002: Information Security Controls
• Control Implementation: ISO 27002 provides guidelines for
implementing information security controls, which can be tailored to OT
environments. These controls include measures for access control,
incident response, and continuous monitoring.
• Best Practices: The standard encapsulates industry best practices,
empowering security practitioners with the tools and strategies essential
to protect critical infrastructure effectively.
3. ISO 27005: Information Security Risk Management
• Risk Assessment: ISO 27005 focuses on risk assessment
methodologies, providing a structured approach to identifying, analyzing,
and mitigating risks in OT environments. This helps organizations prioritize
their security efforts based on the most significant threats.
• Dynamic Defense: The standard supports a dynamic defense strategy
that adjusts to the shifting cyber landscape, ensuring continuous
protection against emerging threats.
4. ISO 27019: Information Security Management Guidelines for Process Control
Systems
• OT-Specific Guidelines: ISO 27019 provides guidelines specifically for
process control systems used in the energy industry, which can be
adapted to other OT environments. It covers aspects such as secure
design, implementation, and operation of control systems.
• Collaborative Defense: Organizations that adhere to these guidelines
actively participate in the collective defense of critical infrastructure,
reducing vulnerabilities through industry cooperation.
In a Nutshell
The ISO 27000 series of standards is globally adopted for managing information security
risks, including guidelines for risk assessment, control implementation, and continuous
improvement of information security management systems (ISMS).
NIST CSF 2.0
NIST CSF 2.0 builds upon the original framework by incorporating new insights, best
practices, and lessons learned from its widespread adoption. It offers a taxonomy of
high-level cybersecurity outcomes that can be used by any organization to better
understand, assess, prioritize, and communicate its cybersecurity efforts. The
framework is designed to be adaptable, allowing organizations to tailor its
implementation to their specific needs and risk profiles. The key change from its
predecessor is the added focus on governance.
Key Components of NIST CSF 2.0
1. Core Functions
• Identify: Develop an organizational understanding to manage
cybersecurity risk to systems, assets, data, and capabilities. This includes
identifying critical functions and resources, understanding the business
context, and assessing risks.
• Protect: Implement appropriate safeguards to ensure the delivery of
critical services. This includes access control, data security, and
protective technology.
• Detect: Develop and implement activities to identify the occurrence of
cybersecurity events. This includes continuous monitoring, detection
processes, and anomaly detection.
• Respond: Develop and implement activities to act regarding a detected
cybersecurity event. This includes response planning, communications,
and mitigation.
• Recover: Develop and implement activities to maintain plans for
resilience and restore any capabilities or services impaired due to a
cybersecurity event. This includes recovery planning, improvements, and
communications.
2. Implementation Tiers
• Tier 1: Partial: Risk management practices are not formalized, and
cybersecurity activities are performed in an ad hoc manner.
• Tier 2: Risk-Informed: Risk management practices are approved by
management but may not be established as organizational policy.
• Tier 3: Repeatable: Risk management practices are formally approved
and expressed as policy, with consistent implementation across the
organization.
• Tier 4: Adaptive: Risk management practices are part of the
organizational culture, with continuous improvement and adaptation to
changing risks.
3. Profiles
• Current Profile: Represents the organization's current cybersecurity
posture.
• Target Profile: Represents the desired cybersecurity posture, based on
business needs and risk assessments.
• Gap Analysis: Identifies the differences between the current and target
profiles, helping organizations prioritize improvements.
In a Nutshell
NIST CSF 2.0 provides a set of guidelines to help organizations improve their
cybersecurity risk management and resilience, focusing on identifying, protecting,
detecting, responding to, and recovering from cyber threats, with a special focus on the
governance side of security.
NIST SP 800 Series
The NIST SP 800 series addresses a broad range of cybersecurity topics, providing a
robust framework for managing and mitigating risks. Key publications within this series
include:
1. NIST SP 800-53: Security and Privacy Controls for Federal Information
Systems and Organizations
• Purpose: Provides a catalogue of security and privacy controls for federal
information systems and organizations, aimed at protecting against a
diverse set of threats.
• Relevance to OT: While originally designed for IT systems, many of the
controls can be adapted to OT environments to enhance security
measures. This includes controls for access management, incident
response, and continuous monitoring.
2. NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security
• Purpose: Offers specific guidance on securing Industrial Control Systems
(ICS), which are integral to OT environments.
• Key Features: Covers risk management, security controls, and incident
response tailored to ICS. It provides best practices for protecting ICS from
cyber threats, ensuring the safe and reliable operation of critical
infrastructure.
3. NIST SP 800-30: Guide for Conducting Risk Assessments
• Purpose: Provides a comprehensive methodology for conducting risk
assessments, essential for identifying and mitigating risks in both IT and
OT environments.
• Application to OT: Helps organizations systematically identify
vulnerabilities and threats to OT systems, enabling them to prioritize and
implement effective security measures.
4. NIST SP 800-37: Guide for Applying the Risk Management Framework
• Purpose: Describes the Risk Management Framework (RMF) for
integrating security and risk management activities into the system
development life cycle.
• Relevance to OT: The RMF can be applied to OT systems to ensure that
security considerations are integrated from the design phase through to
operation and maintenance.
5. NIST SP 800-171: Protecting Controlled Unclassified Information in Non-
federal Systems and Organizations
• Purpose: Provides guidelines for protecting Controlled Unclassified
Information (CUI) in non-federal systems.
• Impact on OT: Ensures that organizations handling CUI within OT
environments implement appropriate security controls to safeguard
sensitive information.
In a Nutshell
The NIST SP 800 series provides a world-class framework, detailed guidelines and best
practices for information systems, covering a wide range of cybersecurity topics such as
specific guidance for operational technology, risk management, security controls, and
incident response.
NIS 2 Directives
NIS2, formally known as Directive (EU) 2022/2555, was adopted on December 14, 2022,
and came into force on January 16, 2023. It aims to ensure a high common level of
cybersecurity across the EU by setting higher standards for essential services and
critical infrastructure. The directive mandates that member states transpose its
requirements into national law by October 17, 2024.
Key Features of NIS2
1. Expanded Scope: NIS2 covers a broader range of sectors compared to its
predecessor, including energy, transport, banking, financial market
infrastructures, health, drinking water supply and distribution, digital
infrastructure, public administration, and space. This expansion ensures that
more entities are obliged to take measures to enhance their cybersecurity.
2. Enhanced Security Requirements: The directive introduces stricter security
requirements for essential and important entities. These requirements include
risk management, incident reporting, supply chain security, and vulnerability
management. Entities must implement appropriate technical and organizational
measures to manage cybersecurity risks.
3. Incident Reporting: NIS2 mandates timely reporting of cybersecurity incidents
to national authorities. This helps in quick response and mitigation of threats,
ensuring minimal disruption to services.
4. Supply Chain Security: The directive emphasizes the importance of securing
supply chains, recognizing that vulnerabilities can be exploited through
interconnected systems. Entities must assess and manage risks associated with
their supply chains.
5. Cyber Hygiene and Awareness: NIS2 promotes cyber hygiene practices and
awareness among employees and stakeholders. This includes regular training
and updates on cybersecurity policies and procedures.
6. Peer Reviews and Cooperation: The directive encourages member states to
conduct peer reviews and collaborate on cybersecurity initiatives. This fosters
knowledge sharing and enhances collective defense against cyber threats.
In a Nutshell
The NIS2 Directive is an EU directive aimed at enhancing cybersecurity across essential and
digital services, with requirements for risk management, incident reporting, and supply
chain security.
NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure
Protection (CIP) standards are a set of cybersecurity requirements designed to protect
the Bulk Electric System (BES) in North America. These standards are crucial for
ensuring the reliable operation of the electric grid, which is essential for the functioning
of modern society. This section explores the key aspects of NERC CIP and its
significance for Operational Technology (OT) cybersecurity.
What is NERC CIP?
NERC CIP consists of a series of standards that provide a comprehensive framework
designed to mitigate cybersecurity risks and ensure the integrity, availability, and
reliability of the electric grid.
Key Standards within NERC CIP
1. CIP-002: Critical Cyber Asset Identification
• Requires entities to identify and document critical cyber assets that
support the reliable operation of the BES. This involves conducting a risk-
based assessment to determine which assets are critical.
2. CIP-003: Security Management Controls
• Establishes security management controls to protect critical cyber
assets. This includes policies, procedures, and governance frameworks.
3. CIP-004: Personnel and Training
• Requires entities to implement personnel training and security awareness
programs. This ensures that staff are knowledgeable about cybersecurity
policies and procedures.
4. CIP-005: Electronic Security Perimeters
• Defines requirements for establishing electronic security perimeters
around critical cyber assets. This includes controlling access to these
assets and monitoring communications.
5. CIP-006: Physical Security of BES Cyber Systems
• Requires entities to implement physical security measures to protect BES
cyber systems. This includes securing physical access to critical assets.
6. CIP-007: System Security Management
• Establishes requirements for managing system security, including patch
management, malware prevention, and vulnerability assessments.
7. CIP-008: Incident Reporting and Response Planning
• Requires entities to develop and implement incident response plans. This
includes reporting cybersecurity incidents and conducting post-incident
reviews.
8. CIP-009: Recovery Plans for BES Cyber Systems
• Requires entities to develop recovery plans for BES cyber systems. This
ensures that critical assets can be restored following a cyber incident.
In a Nutshell
The NERC CIP standards are designed to ensure the security of the North American bulk
electric system, focusing on areas like cybersecurity management controls, incident
reporting, and risk management.
TSA
TSA's cybersecurity efforts aim to protect transportation systems like aviation, rail, and
pipelines from cyber threats. They focus on performance measures, continuous
monitoring, and proactive risk management to secure critical infrastructure.
Key TSA Cybersecurity Requirements
1. Network Segmentation Policies and Controls
• TSA requires regulated entities to develop and implement network
segmentation policies. These controls ensure that operational technology
systems can continue to operate safely even if an information technology
system is compromised. This separation helps prevent the spread of
cyber threats across different network segments.
2. Access Control Measures
• TSA mandates the creation of robust access control measures to secure
critical cyber systems. This includes preventing unauthorized access and
ensuring that only authorized personnel can interact with sensitive
systems and data.
3. Continuous Monitoring and Detection
• TSA emphasizes the importance of continuous monitoring and detection
policies. Regulated entities must implement procedures to detect and
respond to cybersecurity threats and anomalies in real-time, ensuring
rapid mitigation of potential risks.
4. Patch Management and Vulnerability Mitigation
• TSA requires entities to reduce the risk of exploitation of unpatched
systems by applying security patches and updates in a timely manner.
This proactive approach helps protect critical systems from known
vulnerabilities and emerging threats.
5. Incident Reporting and Response Planning
• TSA mandates the reporting of significant cybersecurity incidents to the
Cybersecurity and Infrastructure Security Agency (CISA). Entities must
also develop and adopt comprehensive cybersecurity incident response
plans to effectively manage and mitigate the impact of cyber incidents.
In a Nutshell
TSA's security directives set cybersecurity requirements for transportation systems, including
measures for protecting transportation infrastructure and responding to incidents.
The HIPAA Privacy Rule
The HIPAA Security Rule establishes a comprehensive framework for safeguarding electronic protected health information (ePHI).
It requires covered entities, such as healthcare providers, health plans, and healthcare
clearinghouses, as well as their business associates, to implement administrative,
physical, and technical safeguards to ensure the confidentiality, integrity, and
availability of ePHI.
Key Components of the HIPAA Security Rule
1. Administrative Safeguards
• Security Management Process: Implement policies and procedures to
prevent, detect, contain, and correct security violations. This includes
conducting risk assessments and managing identified risks.
• Security Personnel: Designate a security official responsible for
developing and implementing security policies and procedures.
• Information Access Management: Implement policies and procedures
to authorize access to ePHI only to those individuals who need it to
perform their job duties.
• Workforce Training and Management: Train all workforce members on
security policies and procedures and apply appropriate sanctions for
violations.
2. Physical Safeguards
• Facility Access Controls: Implement policies and procedures to limit
physical access to electronic information systems and the facilities in
which they are housed, while ensuring that authorized access is allowed.
• Workstation Use and Security: Implement policies and procedures to
specify the proper functions to be performed on workstations and ensure
their physical security.
• Device and Media Controls: Implement policies and procedures for the
receipt and removal of hardware and electronic media that contain ePHI,
including disposal, reuse, and accountability.
3. Technical Safeguards
• Access Control: Implement technical policies and procedures to allow
access to ePHI only to authorized persons or software programs.
• Audit Controls: Implement hardware, software, and procedural
mechanisms to record and examine access and other activity in
information systems that contain or use ePHI.
• Integrity Controls: Implement policies and procedures to protect ePHI
from improper alteration or destruction.
• Transmission Security: Implement technical security measures to guard
against unauthorized access to ePHI that is being transmitted over an
electronic communications network.
In a Nutshell
HIPAA regulations protect the privacy and security of health information, including
administrative, physical, and technical safeguards, as well as breach notification
requirements.
IMO Cybersecurity Standards
IMO's cybersecurity standards aim to safeguard shipping from current and emerging
cyber threats and vulnerabilities. These standards provide high-level recommendations
and functional elements that support effective cyber risk management, ensuring the
safe and secure operation of maritime vessels and infrastructure.
Key IMO Cybersecurity Standards
1. Resolution MSC.428(98): Maritime Cyber Risk Management in Safety
Management Systems
• Purpose: Requires that cybersecurity risks be managed as part of a ship’s
Safety Management System (SMS). This resolution acknowledges that
cybersecurity is essential to the safety and security of shipping
operations.
• Implementation: Encourages administrations to ensure that cyber risks
are appropriately addressed in existing safety management systems no
later than the first annual verification of the company's Document of
Compliance after January 1, 2021.
2. MSC-FAL.1/Circ.3: Guidelines on Maritime Cyber Risk Management
• Purpose: Provides high-level recommendations on maritime cyber risk
management to safeguard shipping from cyber threats and vulnerabilities.
• Key Features: Includes functional elements that support effective cyber
risk management, such as identifying, analyzing, assessing, and
communicating cyber-related risks. These guidelines can be incorporated
into existing risk management processes and complement established
safety and security management practices. Additionally, they provide a
framework for continuous improvement and feedback, ensuring that
cybersecurity measures evolve in response to emerging threats.
3. Guidelines on Cyber Security Onboard Ships
• Purpose: Offers practical guidance on implementing cybersecurity
measures onboard ships. These guidelines are developed by various
industry organizations, including ICS, BIMCO, and INTERTANKO.
• Key Features: Covers aspects such as network security, access control,
incident response, and continuous monitoring to protect shipboard
systems from cyber threats.
4. IACS Recommendation on Cyber Resilience (Rec. 166)
• Purpose: Provides recommendations for enhancing cyber resilience in
maritime operations. Developed by the International Association of
Classification Societies (IACS), this recommendation focuses on
protecting shipboard systems from cyber threats.
• Key Features: Includes guidelines for secure design, implementation,
and operation of maritime systems, ensuring robust protection against
cyber risks.
In a Nutshell
IMO standards are international maritime security standards for ships and ports,
including the Safety of Life at Sea (SOLAS) Convention and the International Ship and Port
Facility Security (ISPS) Code.
Bill C-26
Bill C-26 amends the Telecommunications Act and introduces the Critical Cyber Systems Protection Act (CCSPA), creating a
comprehensive framework for cybersecurity in Canada. The bill empowers the federal
government to enforce cybersecurity measures and mandates organizations operating
critical cyber systems to adhere to stringent security requirements.
Key Components of Bill C-26
1. Amendments to the Telecommunications Act
• Objective: Promotes the security of the Canadian telecommunications
system by granting the federal government authority to ban
telecommunications service providers (TSPs) from using high-risk
suppliers. This includes prohibiting the use of products and services from
specified persons and directing TSPs to remove existing high-risk
equipment.
• Impact: Ensures that Canada's telecommunications infrastructure is
protected from vulnerabilities associated with high-risk suppliers,
enhancing overall network security.
2. Critical Cyber Systems Protection Act (CCSPA)
• Cybersecurity Program Requirements: Designated operators of critical
cyber systems are required to establish and maintain a cybersecurity
program. This includes implementing policies, procedures, and controls
to manage cybersecurity risks effectively.
• Mandatory Cyber Incident Reporting: Organizations must report
significant cybersecurity incidents to the federal government. This
ensures timely response and mitigation of threats, minimizing the impact
on critical infrastructure.
• Cybersecurity Directions: The federal government can issue
cybersecurity directions to designated operators, requiring them to take
specific actions to protect their systems from cyber threats.
• Compliance and Enforcement: Regulators have the authority to enforce
compliance with the CCSPA, including conducting inspections, ordering
internal audits, and issuing compliance orders.
In a Nutshell
Bill C-26 is Canadian legislation aimed at securing critical cyber systems in key
sectors, including telecommunications and critical infrastructure, with requirements for
risk mitigation and reporting.
GDPR
GDPR aims to give individuals control over their personal data and to unify data
protection regulations across the EU. It imposes obligations on organizations to ensure
the lawful, fair, and transparent processing of personal data, while also implementing
robust security measures to protect against data breaches and cyber threats.
Key Principles of GDPR
1. Lawfulness, Fairness, and Transparency
• Organizations must process personal data lawfully, fairly, and
transparently. This includes obtaining explicit consent from individuals
and providing clear information about how their data will be used.
2. Purpose Limitation
• Personal data must be collected for specified, explicit, and legitimate
purposes and not further processed in a manner incompatible with those
purposes.
3. Data Minimization
• Organizations should collect only the personal data that is necessary for
the intended purposes, ensuring that data collection is adequate,
relevant, and limited.
4. Accuracy
• Personal data must be accurate and kept up to date. Organizations are
required to take reasonable steps to ensure that inaccurate data is
corrected or deleted.
5. Storage Limitation
• Personal data should be retained only for as long as necessary to fulfill
the purposes for which it was collected. Organizations must establish
policies for data retention and deletion.
6. Integrity and Confidentiality
• Organizations must implement appropriate technical and organizational
measures to ensure the security of personal data, protecting it against
unauthorized or unlawful processing, accidental loss, destruction, or
damage.
7. Accountability
• Organizations are responsible for demonstrating compliance with GDPR
principles. This includes maintaining documentation, conducting regular
audits, and implementing data protection policies.
GDPR and OT Cybersecurity
While GDPR primarily focuses on the protection of personal data, its principles and
requirements have significant implications for OT cybersecurity:
1. Risk Management
• GDPR mandates organizations to conduct risk assessments and
implement measures to mitigate risks to personal data. This includes
securing OT systems that process or store personal data, ensuring they
are protected against cyber threats.
2. Incident Response
• Organizations must report data breaches to supervisory authorities within
72 hours. This requires robust incident response plans and procedures to
detect, respond to, and mitigate the impact of cyber incidents on OT
systems.
3. Data Protection by Design and Default
• GDPR encourages organizations to integrate data protection measures
into the design and operation of systems and processes. This includes
implementing security controls in OT environments to safeguard personal
data.
4. Third-Party Management
• Organizations must ensure that third-party vendors and service providers
comply with GDPR requirements. This involves assessing the security
practices of third parties that interact with OT systems and personal data.
Regular audits and continuous monitoring of third-party compliance are
critical to maintaining data protection and cybersecurity across the
supply chain.
In a Nutshell
GDPR is a European regulation focused on protecting personal data and privacy,
emphasizing lawful processing, data minimization, and the rights of data subjects, also
applicable to OT systems handling personal data.
CMMC 2.0
CMMC 2.0 aims to enhance the cybersecurity posture of the Defense Industrial Base
(DIB) by ensuring that contractors and subcontractors implement appropriate security
measures to protect sensitive information. The model provides a tiered approach to
cybersecurity, with each level representing progressively advanced security
requirements.
Key Levels of CMMC 2.0
1. Level 1: Foundational
• Requirements: Focuses on basic safeguarding of Federal Contract
Information (FCI). Organizations must implement 17 practices derived from
Federal Acquisition Regulation (FAR) clause 52.204-21.
• Assessment: Annual self-assessment and affirmation of compliance.
2. Level 2: Advanced
• Requirements: Incorporates 110 practices aligned with NIST SP 800-171.
This level is designed to protect Controlled Unclassified Information (CUI)
and includes practices for risk management, incident response, and
continuous monitoring.
• Assessment: Triennial third-party assessment for critical programs and
annual self-assessment for non-critical programs.
3. Level 3: Expert
• Requirements: Includes over 130 practices aligned with NIST SP 800-172.
This level is intended for the highest priority programs and involves
advanced cybersecurity practices such as proactive threat hunting and
robust incident response.
• Assessment: CMMC 2.0 is vital for national security and protecting
sensitive information from cyber threats. Non-compliance risks losing
defense contract eligibility, highlighting the importance of these
cybersecurity standards. CMMC 2.0 also aims to foster continuous
improvement and proactive defense against evolving cyber threats in the
Defense Industrial Base.
In a Nutshell
CMMC 2.0 is an updated cybersecurity framework by the U.S. Department of Defense to
protect sensitive information in the defense industrial base. It features a tiered model
with three levels of cybersecurity standards, assessment requirements, and
implementation through contracts.
NCA OTCC
The NCA OTCC provides a comprehensive set of cybersecurity controls tailored
specifically for OT environments. These controls are aligned with international
cybersecurity standards, frameworks, and best practices, and are intended to address
the unique challenges faced by OT systems. The OTCC aims to raise the cybersecurity
level of OT systems by setting minimum cybersecurity requirements for organizations
operating critical infrastructure.
Key Components of NCA OTCC
1. Governance and Risk Management
• Establishes the need for a robust governance framework to oversee
cybersecurity efforts. This includes defining roles and responsibilities,
developing cybersecurity policies, and conducting regular risk
assessments to identify and mitigate vulnerabilities in OT systems.
2. Asset Management
• Requires organizations to maintain an up-to-date inventory of all OT
assets. This includes identifying critical assets, assessing their security
posture, and implementing measures to protect them from cyber threats.
Additionally, organizations should establish procedures for the regular
review and updating of the asset inventory to address changes in the OT
environment.
3. Access Control
• Mandates the implementation of strict access control measures to
prevent unauthorized access to OT systems. This includes multi-factor
authentication, role-based access controls, and regular audits of access
permissions.
4. Network Security
• Emphasizes the importance of securing network communications within
OT environments. This includes segmenting networks, implementing
firewalls, and using encryption to protect data in transit.
5. Incident Response and Recovery
• Requires organizations to develop and implement incident response
plans to manage and mitigate the impact of cyber incidents. This includes
procedures for detecting, responding to, and recovering from
cyberattacks, as well as reporting incidents to relevant authorities.
6. Continuous Monitoring and Detection
• Mandates the implementation of continuous monitoring systems to
detect anomalies and potential cyber threats in real-time. This proactive
approach helps in early identification and mitigation of risks.
7. Supply Chain Security
• Emphasizes the importance of securing supply chains to prevent
vulnerabilities from being exploited through interconnected systems.
Organizations must assess and manage risks associated with their supply
chains.
8. Training and Awareness
• Requires regular training programs for staff to ensure they are aware of
cybersecurity policies and procedures. This fosters a culture of security
within the organization and enhances overall cybersecurity awareness.
In a Nutshell
The Operational Technology Cybersecurity Controls (OTCC) by Saudi Arabia's National
Cybersecurity Authority (NCA) aims to protect critical infrastructures from cyber
threats. It includes three tiers of facilities, four main domains, 23 subdomains, 47 main
controls, and 122 sub-controls, aligning with international standards.
IEC 62351
The IEC 62351 series, developed by the International Electrotechnical Commission
(IEC), focuses on securing communication protocols used in power system operations.
This series includes multiple standards that address various aspects of cybersecurity
for power systems.
Key Standards and Their Relevance to OT Cybersecurity
1. IEC 62351-1: Introduction
• This part lays the foundation for understanding the overarching goals and
structure of the IEC 62351 series of standards, highlighting the
importance of securing power system communication protocols to
ensure reliability and stability. It also outlines the main threats and
vulnerabilities addressed by the series.
2. IEC 62351-2: Glossary of Terms
• Includes definitions of terms and acronyms used throughout the IEC
62351 series, for clarity and uniformity in understanding the standards.
3. IEC 62351-3: Data and Communication Security
• Covers security for profiles using TCP/IP, including protocols like IEC
60870-6 (ICCP), IEC 60870-5-104, and IEC 61850.
• Implements measures such as TLS encryption, node authentication, and
message authentication to protect data integrity and confidentiality.
4. IEC 62351-4: Security for MMS and Similar Payloads
• Addresses security for profiles using MMS (Manufacturing Message
Specification), including IEC 60870-6 and IEC 61850.
• Ensures secure communication through authentication and encryption
techniques.
5. IEC 62351-5: Security for IEC 60870-5 and Derivatives
• Focuses on security for both serial and networked profiles of IEC 60870-5,
including DNP3.
• Utilizes TLS for TCP/IP profiles and encryption for serial profiles to prevent
unauthorized access and data breaches.
6. IEC 62351-6: Security for IEC 61850 Profiles
• Mandates the use of VLANs for GOOSE messages and secure time
synchronization using SNTP.
• Ensures the integrity of data exchanged within IEC 61850 profiles.
7. IEC 62351-7: Network and System Management
• Defines MIBs specific to the power industry for network and system
management using SNMP-based methods.
• Facilitates effective monitoring and control of network security.
8. IEC 62351-8: Role-Based Access Control (RBAC)
• Covers access control for users and automated agents to data objects in
power systems using RBAC.
• Ensures that only authorized personnel can access critical system
components.
9. IEC 62351-9: Key Management
• Describes the lifecycle management of cryptographic keys, including
creation, distribution, usage, and revocation.
• Supports secure communication through proper handling of encryption
keys and digital certificates.
10. IEC 62351-10: Security Architecture
• Explains security architectures for the entire IT infrastructure, identifying
critical points and appropriate security mechanisms.
• Applies well-proven IT security standards to power system operations.
11. IEC 62351-11: Security for XML Files
• Embeds original XML content into secure containers, ensuring
authenticity and integrity through X.509 signatures.
• Provides optional data encryption for additional security.
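The TLS pattern that IEC 62351-3 applies to IEC 60870-5-104 and IEC 61850 links (TLS transport, certificate-based node authentication on both ends, message integrity) can be expressed as a context policy. The block below is an added illustration written for this overview; it is not code from the standard or from any protocol stack. It uses only the Python standard library, and the function names, the cipher policy string and the peer allow-list are this example's own assumptions, as is the choice of TLS 1.2 as the floor:

```python
"""Hardened TLS context for an IEC 60870-5-104 or IEC 61850 (MMS) link in the
style IEC 62351-3 describes: TLS with certificate-based node authentication
on both ends and integrity-protected, encrypted transport.
Added illustration using only the Python standard library; function names,
the cipher policy string and the peer allow-list are assumptions of this
example, not text taken from the standard."""
import ssl
from typing import Optional

# Constructed allow-list of peer identities (certificate subject CNs) this
# node is configured to talk to.  Certificate validation is what the standard
# requires; matching the validated identity against an operator-maintained
# allow-list is an assumed local policy layered on top of it.
ALLOWED_PEERS = {"rtu-01.substation.example", "gateway-a.substation.example"}


def base_context(server_side: bool) -> ssl.SSLContext:
    """Build the protocol policy before any key material is loaded."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    # Mutual authentication: the server must demand a client certificate too,
    # which create_default_context() does not do for CLIENT_AUTH on its own.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Refuse SSLv3 and TLS 1.0/1.1 outright; TLS 1.2 is the assumed floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only (assumed cipher policy).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # TLS-level compression is a known side channel; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def load_identity(ctx: ssl.SSLContext, cafile: str, certfile: str,
                  keyfile: str) -> ssl.SSLContext:
    """Attach the trust anchor(s) and this node's own certificate and key.
    The file paths are supplied by the operator (assumed deployment detail)."""
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def peer_common_name(peer_cert: dict) -> Optional[str]:
    """Pull the subject commonName out of the dict SSLSocket.getpeercert() returns."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def peer_allowed(peer_cert: dict, allowed=ALLOWED_PEERS) -> bool:
    """Node-authentication step after the handshake: the chain already
    validated against the CA; now confirm the peer is one we expect."""
    cn = peer_common_name(peer_cert)
    return cn is not None and cn in allowed


# Constructed sample in the shape getpeercert() produces once a chain has
# been verified (with CERT_NONE the dict would be empty).
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Utility"),),
                (("commonName", "rtu-01.substation.example"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    ctx = base_context(server_side=True)
    print("server policy:", ctx.minimum_version.name, ctx.verify_mode.name)
    print("peer accepted:", peer_allowed(SAMPLE_PEER_CERT))
```

On the client side the same policy is used with `server_side=False`, and the socket is wrapped with `ctx.wrap_socket(sock, server_hostname=...)` so that hostname checking runs against the server certificate. With `CERT_REQUIRED` set on both ends, a peer presenting no certificate or an untrusted chain fails during the handshake, before `peer_allowed` is ever consulted.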
In a Nutshell
The IEC 62351 series of standards is essential for securing communication protocols
in power systems, ensuring data integrity, confidentiality, and availability. These
standards provide comprehensive guidelines for implementing robust cybersecurity
measures in operational technology (OT) environments.
IEEE 1686
The IEEE 1686 standard focuses on defining the cybersecurity capabilities required for
Intelligent Electronic Devices (IEDs) used in power systems. Here’s an overview of the
key aspects of IEEE 1686 and its relevance to OT cybersecurity:
IEEE 1686-2022: Intelligent Electronic Devices Cybersecurity Capabilities
Scope and Purpose
• Defines the functions and features that IEDs must have to support cybersecurity
programs.
• Addresses security aspects related to access, operation, configuration, firmware
revision, and data retrieval from IEDs.
Access Control
• Ensures only authorized personnel can access IEDs.
• Uses user authentication and role-based access control (RBAC).
Data Integrity and Confidentiality
• Protects data during transmission and storage with encryption.
• Ensures data remains accurate and confidential.
Firmware and Configuration Management
• Provides guidelines for secure firmware updates and configuration changes.
• Verifies the authenticity and integrity of firmware before installation.
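The verify-before-install step above can be illustrated with a small gate that an IED's update handler would run on a candidate image. This is an added example written for this overview, not vendor firmware and not text from IEEE 1686. It assumes a JSON manifest carrying the image's expected SHA-256 and target model, and it authenticates that manifest with an HMAC-SHA256 tag under a vendor-provisioned key; a real IED would normally verify a public-key signature at that point, so the HMAC is a stand-in for that step. All keys, images and manifest values are constructed:

```python
"""Verify-before-install gate for an IED firmware image, illustrating the
IEEE 1686 expectation that a device checks firmware authenticity and
integrity before installing it.  Added example: not vendor code and not text
from the standard.  Assumptions: a JSON manifest carries the image's expected
SHA-256 and the target model; an HMAC-SHA256 tag over the manifest, keyed with
a vendor-provisioned secret, stands in for the public-key signature a real
IED would verify.  Keys, image bytes and manifest values are constructed."""
import hashlib
import hmac
import json
from typing import Tuple

VENDOR_KEY = b"constructed-vendor-provisioning-key"  # constructed; never a literal in a real device


def canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier authenticate the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the manifest (HMAC stand-in for a signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_firmware(image: bytes, manifest: dict, tag: str, key: bytes,
                    device_model: str) -> Tuple[bool, str]:
    """Device side. Returns (ok, reason); nothing is flashed unless ok is True.
    Order matters: authenticate the manifest first, only then trust its fields."""
    expected_tag = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, tag):  # constant-time comparison
        return False, "manifest authentication failed"
    if manifest.get("model") != device_model:
        return False, f"manifest is for model {manifest.get('model')}, device is {device_model}"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image digest mismatch"
    return True, f"verified {manifest['version']} for {device_model}"


# Constructed firmware image and manifest (what a vendor would ship together)
FIRMWARE_IMAGE = b"\x7fIED-FW\x00" + bytes(range(64))
MANIFEST = {
    "model": "IED-1000",
    "version": "2.4.1",
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}
TAG = sign_manifest(MANIFEST, VENDOR_KEY)

if __name__ == "__main__":
    print(verify_firmware(FIRMWARE_IMAGE, MANIFEST, TAG, VENDOR_KEY, "IED-1000"))
    # Corrupted or substituted image: digest no longer matches the manifest
    print(verify_firmware(FIRMWARE_IMAGE + b"\x00", MANIFEST, TAG, VENDOR_KEY, "IED-1000"))
    # Edited manifest with a stale tag: rejected before its contents are trusted
    tampered = dict(MANIFEST, version="9.9.9")
    print(verify_firmware(FIRMWARE_IMAGE, tampered, TAG, VENDOR_KEY, "IED-1000"))
```

The reason string returned on every path is what the device's audit log should record, so that a rejected update is visible to the monitoring described under Audit and Monitoring rather than failing silently.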
Audit and Monitoring
• Supports logging and monitoring of security events.
• Helps detect and respond to security incidents.
External Interface Security
• Secures external interfaces against unauthorized access and tampering.
• Implements secure communication protocols and physical security controls.
In a Nutshell
The IEEE 1686 standard is crucial for ensuring the cybersecurity of IEDs in power
systems. By defining comprehensive security requirements, it helps protect critical
infrastructure from cyber threats, ensuring the integrity, confidentiality, and availability
of power system operations.
ISO/SAE 21434
ISO/SAE 21434 is an international standard that defines cybersecurity processes for
road vehicles. It ensures that electronic and software-based systems in vehicles are
protected against cyber threats throughout their lifecycle.
Scope and Purpose
• Specifies requirements for managing cybersecurity risks in electrical and
electronic systems of road vehicles.
• Covers the entire lifecycle of a vehicle, from concept and development to
production, operation, maintenance, and decommissioning.
Concept and Product Development
• Establishes a framework for identifying and mitigating cybersecurity risks during
design and development.
• Ensures cybersecurity is integrated into the vehicle's architecture.
Production and Operation
• Provides guidelines for cybersecurity throughout production and operation.
• Includes processes for monitoring and responding to cybersecurity threats
during the vehicle's operational life.
Maintenance and Decommissioning
• Addresses secure maintenance practices to prevent unauthorized access and
tampering.
• Ensures cybersecurity considerations are maintained even when the vehicle is
decommissioned.
Risk Management Framework
• Defines a structured approach for assessing and managing cybersecurity risks.
• Utilizes a common language for communicating and managing these risks
across different stages of the vehicle lifecycle.
In a Nutshell
ISO/SAE 21434 is essential for ensuring the cybersecurity of road vehicles, providing a
comprehensive framework for managing risks throughout the vehicle's lifecycle. This
standard helps protect vehicles from cyber threats, ensuring their safety and security.
CRA
The CRA addresses the inadequate level of cybersecurity in many digital products and
the lack of timely security updates. It introduces mandatory cybersecurity requirements
for manufacturers and retailers, governing the planning, design, development, and
maintenance of products with digital components. The regulation applies to all
products connected directly or indirectly to another device or network, with certain
exclusions such as specific open-source software or services already covered by
existing rules.
Key Requirements of the CRA
1. Security by Design and Default
• Products must be designed and configured with security features from
the outset. This principle ensures that cybersecurity is integrated into the
product development process, reducing vulnerabilities and enhancing
overall security.
2. Regular Security Updates
• Manufacturers are required to provide regular security updates to address
any vulnerabilities identified in the product and protect against emerging
threats. This ensures that products remain secure throughout their
lifecycle.
3. Vulnerability Handling
• The CRA mandates robust vulnerability handling processes, including the
identification, assessment, and mitigation of security vulnerabilities.
Manufacturers must respond promptly to discovered vulnerabilities to
minimize risks.
4. Compliance and Conformity Assessments
• Critical products must undergo third-party assessments by authorized
bodies before being placed on the EU market, and again at regular
intervals thereafter as deemed necessary. This ensures that products meet
the CRA's cybersecurity standards and provides consumers with confidence
in their security.
5. Incident Reporting
• Manufacturers must report significant cybersecurity incidents to relevant
authorities. This facilitates timely response and mitigation of threats,
ensuring minimal disruption to services.
6. Market Surveillance and Enforcement
• The CRA establishes mechanisms for market surveillance and
enforcement to ensure compliance with cybersecurity requirements.
Regulators can act against non-compliant products and manufacturers.
7. Information Sharing
• The CRA promotes information sharing among manufacturers, retailers,
and authorities to enhance collective cybersecurity efforts. This
collaboration helps in identifying and addressing common threats.
8. User Awareness and Transparency
• Manufacturers must provide clear information to users about the
cybersecurity features of their products. This transparency helps users
make informed decisions and enhances overall cybersecurity awareness.
In a Nutshell
The Cyber Resilience Act (CRA) is an EU regulation aimed at improving the cybersecurity
and resilience of products with digital elements. It sets common standards for
manufacturers, including requirements for incident reporting and automatic security
updates, ensuring that products are secure throughout their lifecycle.
CEA Regulation
The CEA Regulation on Cybersecurity in the Power Sector provides guidelines and
requirements for securing power systems against cyber intrusions and attacks. The
regulation covers various aspects of cybersecurity, including risk management, incident
response, and continuous monitoring, to safeguard critical infrastructure.
Key Components of CEA Regulation
1. Cybersecurity Program Requirements
• Establishes the need for a robust cybersecurity program for power sector
entities. This includes implementing policies, procedures, and controls to
manage cybersecurity risks effectively.
• Requires entities to develop and maintain a cybersecurity management
system (CSMS) that addresses the unique challenges of OT environments
in the power sector.
2. Risk Management and Vulnerability Assessment
• Mandates regular risk assessments to identify and mitigate vulnerabilities
in power systems. This includes evaluating the potential impact of cyber
threats on OT systems and implementing measures to reduce risks.
• Requires entities to conduct vulnerability assessments and apply security
patches and updates to protect against known threats.
3. Incident Response and Reporting
• Entities must develop and implement incident response plans to manage
and mitigate the impact of cyber incidents. This includes procedures for
detecting, responding to, and recovering from cyberattacks.
• Mandates timely reporting of significant cybersecurity incidents to
relevant authorities, including sectoral CERTs and CERT-In. This ensures
coordinated response and mitigation efforts.
• Entities are also required to conduct post-incident analyses to identify
lessons learned and improve future incident response capabilities.
4. Continuous Monitoring and Detection
• Requires the implementation of continuous monitoring systems to detect
anomalies and potential cyber threats in real-time. This proactive
approach helps in early identification and mitigation of risks.
• Entities must deploy advanced detection mechanisms to identify and
respond to cyber threats promptly.
5. Supply Chain Security
• Emphasizes the importance of securing supply chains to prevent
vulnerabilities from being exploited through interconnected systems.
Entities must assess and manage risks associated with their supply
chains.
6. Training and Awareness
• Mandates regular training programs for staff to ensure they are aware of
cybersecurity policies and procedures. This fosters a culture of security
within the organization.
• Encourages entities to conduct cybersecurity awareness campaigns to
educate employees and stakeholders about the importance of
cybersecurity.
In a Nutshell
The Central Electricity Authority (CEA) Regulations pertain to cybersecurity in the power
sector in India. These regulations are designed to enhance the security of critical
infrastructure by implementing measures for identifying, analyzing, and preventing
cyber intrusions. They include guidelines for conducting cybersecurity audits, managing
vulnerabilities, and ensuring compliance with cybersecurity standards to protect the
power grid and related systems.
Summary
Standards Name | Publisher | Paid/Free | Targeted At
--- | --- | --- | ---
ISA/IEC 62443 Series | International Society of Automation (ISA) / International Electrotechnical Commission (IEC) | Paid | Cybersecurity for Industrial Automation and Control Systems (IACS)
ISO 27000 Series | International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) | Paid | Information Security Management, Risk Management, Control Implementation
NIST CSF 2.0 | National Institute of Standards and Technology (NIST) | Free | Cybersecurity Risk Management, Governance, Core Functions (Identify, Protect, Detect, Respond, Recover)
NIST SP 800 Series | National Institute of Standards and Technology (NIST) | Free | Security and Privacy Controls, Risk Management, Incident Response, Industrial Control Systems Security
NIS 2 Directives | European Union (EU) | Free | Cybersecurity for Essential Services and Critical Infrastructure, Incident Reporting, Supply Chain Security
NERC CIP | North American Electric Reliability Corporation (NERC) | Free | Cybersecurity for Bulk Electric System (BES), Risk Management, Incident Response
TSA | Transportation Security Administration (TSA) | Free | Cybersecurity for Transportation Systems, Network Segmentation, Continuous Monitoring
The HIPAA Privacy Rule | U.S. Department of Health and Human Services (HHS) | Free | Safeguarding Electronic Protected Health Information (ePHI), Administrative, Physical, and Technical Safeguards
IMO Cybersecurity Standards | International Maritime Organization (IMO) | Paid | Cyber Risk Management for Maritime Vessels and Infrastructure, Safety Management Systems
Bill C-26 | Government of Canada | Free | Cybersecurity for Telecommunications and Critical Infrastructure, Incident Reporting, Risk Management
GDPR | European Union (EU) | Free | Data Protection and Privacy, Lawful Processing, Data Minimization, Rights of Data Subjects
CMMC 2.0 | U.S. Department of Defense (DoD) | Paid | Cybersecurity for Defense Industrial Base, Tiered Model, Risk Management, Incident Response
NCA OTCC | National Cybersecurity Authority (NCA), Saudi Arabia | Free | Cybersecurity for Operational Technology (OT), Governance, Risk Management, Continuous Monitoring
IEC 62351 | International Electrotechnical Commission (IEC) | Paid | Securing Communication Protocols in Power Systems, Data Integrity, Confidentiality
IEEE 1686 | Institute of Electrical and Electronics Engineers (IEEE) | Paid | Cybersecurity for Intelligent Electronic Devices (IEDs), Access Control, Data Integrity
ISO/SAE 21434 | International Organization for Standardization (ISO) / Society of Automotive Engineers (SAE) | Paid | Cybersecurity for Road Vehicles, Risk Management, Secure Development Lifecycle
CRA (Upcoming) | European Union (EU) | Free | Cybersecurity for Digital Products, Security by Design, Regular Security Updates
CEA Regulation (Upcoming) | Central Electricity Authority (CEA), India | Free | Cybersecurity for Power Sector, Risk Management, Incident Response, Continuous Monitoring
Who are we?
Security Quarks is the world's only recruitment company dedicated exclusively
to ICS/OT cybersecurity professionals. We specialize in connecting top talent
with the best opportunities, ensuring a perfect match for both candidates and
employers.
Our Unique Value Propositions:
Exclusive Talent Pool: Access to a curated pool of professionals in ICS/OT
cybersecurity.
Industry Expertise: Our exclusive focus on ICS/OT cybersecurity means we
understand the industry's unique needs and can provide the best talent.
Transparent Recruitment Process: We maintain complete transparency
throughout the recruitment process, ensuring trust and reliability.
Training the resources for job readiness.
Expert led interviews for the roles that require deep understanding of the
subject matter.
Partner with Security Quarks today and secure top ICS/OT cybersecurity
professionals to drive your organization's success.
connect@securityquarks.com +91 7990619432