A Comparative Analysis of Industrial Cybersecurity Standards


Bibliographic Details
Main Authors: Fatiha Djebbar, Kim Nordstrom
Format: Article
Language: English
Published: IEEE, 2023-01-01
Series: IEEE Access
Subjects: Cybersecurity; security controls; security standards; cybersecurity concepts; threats; security requirements
Online Access: https://ieeexplore.ieee.org/document/10210561/
Abstract: Cybersecurity standards provide a structured approach to managing and assessing cybersecurity risks. They are the primary source of the security requirements and controls that organizations use to reduce the likelihood and the impact of cybersecurity attacks. However, the large number of available cybersecurity standards and frameworks makes selecting the right security standards for a specific system challenging. The absence of a comprehensive comparison of the overlap across these standards further increases the difficulty of the selection process. Where new business needs dictate compliance with, or implementation of, an additional security standard, there is a risk of duplicating security requirements and controls that already exist in the standards in place, resulting in unnecessary added cost and workload. To optimize the performance and cost benefits of compliance efforts, it is important to analyze cybersecurity standards and identify their overlapping security controls and requirements. In this work, we conduct a comparative study to identify possible overlaps and discrepancies between three security standards: ETSI EN 303 645 v2.1.1 for consumer devices connected to the internet, ISA/IEC 62443-3-3:2019 for industrial automation and control systems, and ISO/IEC 27001:2022 for information security management systems. The standards were chosen for their broad adoption and acceptance by the international community. We intentionally selected standards with different areas of focus to illustrate the significant overlaps that can exist even between standards designed for different environments. Our objective is to help organizations select the most suitable security controls for their specific needs and to simplify and clarify the compliance process. Our findings show a significant overlap among the three selected standards. This information can help organizations gain a comprehensive understanding of common security requirements and controls, enabling them to streamline their compliance efforts by eliminating duplicated work, especially when meeting the requirements of multiple standards.
Publication Details
DOI: 10.1109/ACCESS.2023.3303205
Journal: IEEE Access, vol. 11, pp. 85315-85332, 2023 (ISSN 2169-3536)
Author Affiliations: Fatiha Djebbar (ORCID 0000-0003-1613-2393), Department of Engineering Science, Högskolan Väst, Trollhättan, Sweden; Kim Nordstrom, Cybersecurity Product Compliance Group, Stockholm, Sweden