Cybersecurity threats to manufacturing and process plants are coming from a wide range of attack vectors including supply chain, logistics, enterprise computing, remote connections, operator stations, programmable logic controllers, distributed control systems (DCSs), smart sensors and new smart devices. Many emerging Internet of Things (IoT) and communications technologies offer greater connectivity, but they make the cyber landscape more complex.
Several of the affected industries have taken great strides in improving their defense posture, mostly thanks to governmental regulatory compliance requirements. Most organizations with industrial control systems (ICS) fall into one of two categories: regulated and non-regulated. It is therefore essential to figure out which framework applies to your industry.
The ISA/IEC 62443 series of standards belongs to the non-regulated category.
The ISA99 Committee
The International Society of Automation (ISA) 99 standards development committee brings together industrial cyber security experts from across the globe to develop ISA standards on industrial automation and control systems security that are applicable to all industry sectors and critical infrastructure.
The ISA99 committee addresses industrial automation and control systems whose compromise could result in any, or all, of the following situations:
- endangerment of public or employee safety
- loss of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- impact on national security.
Manufacturing and control systems include, but are not limited to:
- hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing and monitoring and diagnostic systems; and
- associated internal, human, network or machine interfaces used to provide control, safety and manufacturing operations functionality to continuous, batch, discrete and other processes.
The committee’s purpose is to establish standards, recommended practices, technical reports and related information that will define procedures for implementing electronically secure manufacturing and control systems and security practices as well as assessing electronic security performance. Guidance is directed toward those responsible for designing, implementing or managing manufacturing and control systems and shall also apply to users, systems integrators, security practitioners and control systems manufacturers and vendors.
The committee’s focus is to improve the confidentiality, integrity and availability of components or systems used for manufacturing or control and provide criteria for procuring and implementing secure control systems.
The ISA/IEC 62443 series
The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs).
The following diagram, courtesy of ISA, depicts the status of the various work products in the ISA/IEC 62443 series of IACS standards and technical reports.
The United Nations Economic Commission for Europe (UNECE) confirmed at its annual meeting in late 2018 that it will integrate the ISA/IEC 62443 series of standards into its forthcoming Common Regulatory Framework on Cybersecurity (CRF). The CRF will serve as an official UN policy position statement for Europe, establishing a common legislative basis for cybersecurity practices within the European Union trade markets.
IEC 62443 Principles
According to IEC 62443-1-1, an Industrial Automation and Control System (IACS) is a “collection of processes, personnel, hardware, and software that can affect or influence the safe, secure and reliable operation of an industrial process.”
The key standards in the IEC 62443 series are the following:
- IEC 62443-2-4, which covers the policies and practices for system integration
- IEC 62443-4-1, which covers the secure development lifecycle requirements
- IEC 62443-4-2, which covers the IACS components security specifications
- IEC 62443-3-3, which covers the security requirements and the security levels
The standard treats cybersecurity as an ongoing process rather than a goal to be reached once, and caters for the development of IACS components that are secure by design. The integration of these components into an industrial environment has to be governed by defense-in-depth policies and practices.
ISA/IEC 62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components and software applications. The standard sets forth security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
“The standard definition of the security capabilities for system components provides a common language for product suppliers and all other control system stakeholders,” emphasizes Kevin Staggs of Honeywell, who led the ISA99 development group for the standard. “This simplifies the procurement and integration processes for the computers, applications, network equipment and control devices that make up a control system.”
ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, specifies process requirements for the secure development of products used in an IACS and defines a secure development lifecycle for developing and maintaining secure products. The lifecycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.
These requirements can be applied to new or existing processes for developing, maintaining, and retiring hardware, software, or firmware. The requirements apply to the developer and maintainer of a product, but not to the integrator or user of the product.
“Designing security into products from the beginning of the development life cycle is critical, because it can help eliminate vulnerabilities from products before they ever reach the field,” emphasizes Michael Medoff of exida, who led the ISA99 development group for the standard. “We all know how difficult and expensive it can be to constantly have to patch software in the field. The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design.”
ISA/IEC 62443-3-3, System Security Requirements and Security Levels, defines the security assurance levels of the IACS components. Security levels define the cybersecurity functions embedded in a product so as to increase its robustness and make it resistant to cyber threats.
Security Levels 1 and 2 correspond to threats originating from either insiders, such as careless or disgruntled employees or contractors, or intruders with low skills and motivation. On the other hand, Security Levels 3 and 4 are related to threats from “professional” cyber criminals, industrial espionage or state-sponsored malicious actors that demonstrate high skills and moderate to high motivation.
In addition, IEC 62443-3-3 defines the Foundational Requirements, depicted in the image below, which include processes for user authentication, enforcement of roles and responsibilities, change management, use of encryption, network segmentation, audit logs, and system backup and recovery.
Another key ISA/IEC 62443 standard expected to be completed in the coming months is ISA/IEC 62443-3-2, Security Risk Assessment, System Partitioning and Security Levels, which is based on the understanding that IACS security is a matter of risk management. Each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each organization that owns and operates an IACS has its own tolerance for risk.
For these reasons, ISA/IEC 62443-3-2 will define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and conduits, which were introduced in ISA/IEC 62443-1-1, Concepts and Models. The new standard provides a basis for specifying security countermeasures by aligning the identified target security level with the required security level capabilities set forth in ISA/IEC 62443-3-3, System Security Requirements and Security Levels.
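The zone-and-conduit idea in the preceding paragraphs can be made concrete with a small model. The following is an added example, not Tripwire's code and not text from the ISA/IEC 62443 standards: zones and conduits are assigned a target security level (levels 1 to 4 as described above), each component carries the level its supplier claims it can meet, and the check lists every component that falls short, which is where either a more capable product or compensating countermeasures would be needed. The zone names, components and levels are constructed sample data, and the rule that a conduit must meet the higher target of the two zones it joins is this example's own assumption, not a requirement quoted from the standard.

```python
"""Zone/conduit security-level gap check (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

SECURITY_LEVELS = (1, 2, 3, 4)  # the four levels described in the text


@dataclass
class Component:
    name: str
    capability_level: int  # level the supplier claims the component can meet on its own


@dataclass
class Zone:
    name: str
    target_level: int  # level the risk assessment assigned to this zone
    components: list[Component] = field(default_factory=list)


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    target_level: int
    # components enforcing the conduit, e.g. the firewall between the two zones
    components: list[Component] = field(default_factory=list)


def _check_level(level: int) -> None:
    if level not in SECURITY_LEVELS:
        raise ValueError(f"security level must be one of {SECURITY_LEVELS}, got {level}")


def zone_gaps(zone: Zone) -> list[tuple[str, int]]:
    """Return (component name, shortfall) for every component below the zone target."""
    _check_level(zone.target_level)
    gaps = []
    for c in zone.components:
        _check_level(c.capability_level)
        if c.capability_level < zone.target_level:
            gaps.append((c.name, zone.target_level - c.capability_level))
    return gaps


def conduit_gaps(conduit: Conduit, zones: dict[str, Zone]) -> list[tuple[str, int]]:
    """Gaps for a conduit.

    Assumption of this example: a conduit must be protected to at least the
    higher target of the two zones it joins, and its own components must reach
    that level. A conduit whose declared target is too low is itself reported.
    """
    _check_level(conduit.target_level)
    required = max(conduit.target_level,
                   zones[conduit.zone_a].target_level,
                   zones[conduit.zone_b].target_level)
    gaps = []
    if conduit.target_level < required:
        gaps.append((conduit.name, required - conduit.target_level))
    for c in conduit.components:
        _check_level(c.capability_level)
        if c.capability_level < required:
            gaps.append((c.name, required - c.capability_level))
    return gaps


def assess(zones: list[Zone], conduits: list[Conduit]) -> dict[str, list[tuple[str, int]]]:
    """Map every zone and conduit name to its list of shortfalls (empty = meets target)."""
    zone_map = {z.name: z for z in zones}
    report = {z.name: zone_gaps(z) for z in zones}
    for c in conduits:
        report[c.name] = conduit_gaps(c, zone_map)
    return report


# Constructed sample partitioning; names and levels are illustrative only.
SAMPLE_ZONES = [
    Zone("enterprise", 1, [Component("erp-server", 2)]),
    Zone("supervisory", 2, [Component("scada-hmi", 2), Component("historian", 1)]),
    Zone("basic-control", 3, [Component("plc-line-1", 2), Component("dcs-controller", 3)]),
]
SAMPLE_CONDUITS = [
    Conduit("ent-to-sup", "enterprise", "supervisory", 2, [Component("dmz-firewall", 2)]),
    Conduit("sup-to-ctl", "supervisory", "basic-control", 2, [Component("cell-firewall", 3)]),
]

if __name__ == "__main__":
    for name, gaps in assess(SAMPLE_ZONES, SAMPLE_CONDUITS).items():
        status = "meets target" if not gaps else ", ".join(f"{n} short by {s}" for n, s in gaps)
        print(f"{name}: {status}")
```

Each non-empty entry in the report is a decision point for the asset owner: either procure a component whose capability matches the zone's target, or document the compensating countermeasure that closes the gap. The same structure extends naturally to the per-requirement level vectors the standard uses, by replacing the integer level with one level per foundational requirement.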
How Tripwire Helps
Currently, IEC 62443 covers domains such as chemicals processing, petroleum refining, food and beverage, energy, pharmaceuticals, water and manufacturing, but it can also be applied to automotive and medical devices.
Applying the controls suggested by the ISA/IEC 62443 framework can be an overwhelming task. Tripwire’s ICS Security Suite can help you meet the foundational requirements defined in the standard. Our cyber resiliency suite integrates with the plant network equipment and factory automation systems you already own to help you find, fix and monitor security to prevent and detect cyber incidents.