The Security of SCADA: Which Standard to Choose?

By Koos van der Spek & Floris Baauw

Recently, the results of a study by the University of Twente on the security of Dutch SCADA systems were presented. The research once again revealed that the security of these systems is far from adequate. Hundreds of SCADA system components with direct connections to the internet were found, which is a clear security risk. The question is: how do we address the ongoing vulnerability of these systems?
In previous blogs on this topic, we discussed common vulnerabilities in SCADA systems and the importance of SCADA cybersecurity. The government is increasingly recognizing this importance, especially as SCADA systems are often part of critical infrastructure, making their uninterrupted operation vital for society.

Despite the government's acknowledgment of the importance of SCADA cybersecurity, there is still no central authority guiding organizations on this issue. While the Dutch National Cyber Security Centre (NCSC) provides some basic security requirements, they cannot offer extensive implementation support. This is because resources within the government are limited, and organizations using SCADA systems are expected to take responsibility.

A common question we receive is which standard or norm is best for structuring and enhancing SCADA security. Several standards are commonly used in SCADA cybersecurity, such as NIST 800-82, IEC 62443, and ISO 27001 and 27002. While there are differences between these standards, the key is to choose one that aligns with your organization's specific needs and security goals.

The choice between these standards often boils down to practicality and familiarity. ISO 27001 and 27002 are well known in the information technology field, while NIST 800-82 is recognized for its practicality and best practices. IEC 62443, on the other hand, is designed specifically for SCADA cybersecurity. Each of these standards addresses similar security principles, so the real value comes from how they are implemented within your organization.

The focus should be on implementing the necessary cybersecurity measures that suit your organization's specific needs. Regardless of the standard you choose, there are common cybersecurity measures that should be considered, such as logical access control, malware scanning, security awareness, network segmentation, and system hardening.

In practice, we've found that developing a customized framework based on best practices from various standards can be highly effective. This framework can help you assess and improve the security of your SCADA systems according to your specific requirements.

In conclusion, the choice of standard for SCADA cybersecurity is important, but the key is to implement the right security measures for your organization. Developing a custom framework based on your specific needs and best practices is often more valuable than strictly adhering to a single standard. The goal is to enhance the security of SCADA systems and meet your organization's unique security objectives.

If you need further information, please feel free to reach out to us.
