ISA/IEC 62443 based ICS-OT Cyber Security Program
ISA/IEC 62443 – ISA/IEC 62443 is the only standard that guides an organization through defining, developing, implementing and maintaining a cyber-secure ICS operation. There is, of course, a whole list of other documents, such as NIST SP 800-82, NIST SP 800-53, NERC CIP and the NIST Cybersecurity Framework 1.1, but it is important to clarify that these are sets of rules, guidelines, ideas or best practices that you can use to learn the topic, deal with problems or decide among relevant choices.
In contrast, ISA/IEC 62443 assigns obligations to your organization, your integrator and your maintenance provider. The standard covers the most important topics: determining the risk and the required security level, partitioning the system into zones, defining secure conduits between them, specifying the actual security requirements, and more.
How to start?
Before diving into a project, it is important to realize that the ISA/IEC 62443 series consists of 14 parts, organized in four groups (1-x General, 2-x Policies and Procedures, 3-x System, 4-x Component), and runs to well over 1,000 pages. This is why many people never study the standard and look for another, "easier" document instead.
Furthermore, the standard defines three principal roles in ICS cyber security, and not every role is obliged to study all 14 parts:
- The asset owner (system owner / operator): responsible for the safe, reliable, continuous and cyber-secure operation of the facility; Part 2-1 addresses the owner's security program.
- The system integrator and maintenance provider (service providers): responsible for delivering a correctly deployed and maintained system; Part 2-4 lists the requirements for service providers and Part 3-3 the system-level security requirements.
- The component vendors (product suppliers): responsible for delivering hardware and software that meets the requirements specified by the integrator; Part 4-1 covers the secure development life cycle and Part 4-2 the technical requirements for components.
Obviously, not all ICS plants are protected with the same, often expensive and complex, cyber defense measures, and not all zones within one ICS need the same measures. For each system and zone you must therefore assess the risk and set the appropriate Security Level (SL). The standard also defines SL 0 (no specific requirements); the four protective levels are:
- Security Level SL 1: protection against casual or coincidental violation, for example an operator mistake or an untargeted, accidental access with no specific intention.
- Security Level SL 2: protection against intentional violation by an attacker who uses simple means, with low resources, generic skills and low motivation.
- Security Level SL 3: protection against intentional violation by an attacker who uses sophisticated means, with moderate resources, IACS-specific skills and moderate motivation.
- Security Level SL 4: protection against intentional violation by an attacker who uses sophisticated means, with extended resources, IACS-specific skills and high motivation.
Consequently, the cyber security measures for a specific system must be tuned to its SL. The standard defines seven Foundational Requirements (FR), and for each FR Part 3-3 lists the system requirements that apply at SL 1 to SL 4. An SL is therefore not a single number but a vector of seven values, one per FR, set separately for each zone. The standard distinguishes the target level (SL-T) assigned in the risk assessment, the capability level (SL-C) that a product or system can provide, and the achieved level (SL-A) of the deployed system; for higher levels you will need to deploy more expensive and more complex cyber defenses.
FR 1 – Identification and Authentication Control (IAC): reliably identify and authenticate all users (humans, software processes and devices) before they access the ICS.
FR 2 – Use Control (UC): enforce the privileges assigned to authenticated users (humans, software processes or devices) so that they perform only the operations allowed on the system or its assets.
FR 3 – System Integrity (SI): ensure the integrity of the ICS, both of the equipment and of the information it processes and communicates, to prevent unauthorized manipulation or modification.
FR 4 – Data Confidentiality (DC): ensure the confidentiality of information on the ICS communication channels and in the ICS data repositories, to prevent unauthorized disclosure or data leakage.
FR 5 – Restricted Data Flow (RDF): control the data communicated between zones through conduits, limit data flows that are not required and prevent uncontrolled cross-zone data flow.
FR 6 – Timely Response to Events (TRE): respond to security violations by notifying the proper authority, reporting the evidence needed for investigation and taking timely, predefined corrective action when an incident occurs.
FR 7 – Resource Availability (RA): ensure and verify the availability of the ICS functions and equipment against degradation or denial of essential services, and take proactive action to prevent degradation of the industrial operation.
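The SL vector described above is easiest to work with once it is written down per zone and per component. The following script, an added example that is not part of the original article or of the standard's text, compares a zone's target vector (SL-T) with the capability vectors (SL-C) of the components deployed in it and reports, per FR, where the zone falls short. The rule "the zone's achieved level for an FR is the lowest SL-C among its components" is a simplifying assumption of this script (the standard derives SL-A from a system-level assessment), and all zone names, component names and SL values are constructed.

```python
"""Target vs. achieved security level per foundational requirement.

Added example, not part of the original article or of the standard's text.
IEC 62443-3-3 expresses a security level as a vector of seven values (one per
FR, 0-4), written here as SL-T (target) for a zone and SL-C (capability) for
the components deployed in it.  Taking the element-wise minimum of the
components' SL-C as the zone's achieved level is this script's simplifying
assumption, not the standard's definition of SL-A.  Zone names, component
names and all SL values below are constructed.
"""

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")  # FR 1 .. FR 7


def sl_vector(**levels):
    """Build a 7-element SL vector; unspecified FRs default to SL 0."""
    for fr, lvl in levels.items():
        if fr not in FRS or not 0 <= lvl <= 4:
            raise ValueError(f"bad level {fr}={lvl}")
    return tuple(levels.get(fr, 0) for fr in FRS)


# Constructed SL-T vectors for two zones of a fictional plant.
ZONE_TARGETS = {
    "basic-process-control": sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=2, RA=2),
    "safety-sis":            sl_vector(IAC=3, UC=3, SI=3, DC=2, RDF=3, TRE=3, RA=3),
}

# Constructed SL-C vectors of the components deployed in each zone.
ZONE_COMPONENTS = {
    "basic-process-control": {
        "plc-line1": sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=2, RA=2),
        "hmi-line1": sl_vector(IAC=2, UC=1, SI=2, DC=1, RDF=2, TRE=2, RA=2),
    },
    "safety-sis": {
        "sis-logic-solver": sl_vector(IAC=3, UC=3, SI=3, DC=2, RDF=3, TRE=3, RA=3),
        "eng-workstation":  sl_vector(IAC=2, UC=2, SI=2, DC=2, RDF=3, TRE=2, RA=3),
    },
}


def achieved_vector(components):
    """Element-wise minimum of the components' SL-C vectors (assumption above)."""
    if not components:
        raise ValueError("zone has no components")
    return tuple(min(vec[i] for vec in components.values()) for i in range(len(FRS)))


def sl_gaps(target, components):
    """Return {FR: (SL-T, SL-A, [components below SL-T])} for every shortfall."""
    achieved = achieved_vector(components)
    gaps = {}
    for i, fr in enumerate(FRS):
        if achieved[i] < target[i]:
            weak = sorted(name for name, vec in components.items() if vec[i] < target[i])
            gaps[fr] = (target[i], achieved[i], weak)
    return gaps


def assess(zone_targets=ZONE_TARGETS, zone_components=ZONE_COMPONENTS):
    """Gap report for every zone: {zone: {FR: (SL-T, SL-A, offending components)}}."""
    return {z: sl_gaps(zone_targets[z], zone_components[z]) for z in zone_targets}


if __name__ == "__main__":
    for zone, gaps in assess().items():
        print(f"{zone}: {'meets SL-T' if not gaps else 'below SL-T'}")
        for fr, (t, a, weak) in gaps.items():
            print(f"  {fr}: target {t}, achieved {a}, raise: {', '.join(weak)}")
```

Run as a script it prints, for each zone, the FRs where the weakest component pulls the zone below its target; in the constructed data the HMI's UC capability of 1 drags the control zone below SL-T 2, and the engineering workstation is the component to replace or compensate for in the safety zone. The same structure extends naturally to a compensating-controls column, since a zone can meet its SL-T with a component below it when a control at zone level covers the gap.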
Zones and Conduits
Part 3-2 of the series (Security risk assessment for system design) lays down the zone and conduit requirements. It clearly defines which assets within the ICS must be partitioned into separate zones for cyber security reasons:
- Separate the business (IT) assets from all ICS assets, because the IT network is connected to the internet and to external parties.
- Separate safety-related assets, i.e. those controlled by Safety Instrumented Systems (SIS) in addition to the basic process control, into their own zone.
- Separate wireless network segments and Industrial Internet of Things (IIoT) devices that use wireless connections from the wired ICS.
- Separate temporarily connected devices (IIoT devices, service laptops, removable-media gateways), since they may already be infected when they are connected.
- Separate devices that reach the ICS through external networks for remote access, such as service computers at a vendor's or integrator's site.
Under ISA/IEC 62443 this segregation is a mandatory requirement for protecting the Safety, Reliability and Productivity (SRP) of industrial operations. Every data flow between zones must pass through a defined conduit whose security requirements follow the target SL of the zones it connects: connecting devices must be authenticated and inspected, and the traffic must be encrypted where the conduit's confidentiality requirements (FR 4) demand it.
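The partitioning rules above are mechanical enough to apply to an asset inventory and then check against the observed traffic. The following script is an added example, not part of the original article: it assigns each asset to a zone using the five separation rules from the list (the precedence between rules is the script's own assumption), and then flags every flow that crosses a zone boundary without a declared conduit. The asset attributes, zone names, flows and conduits are constructed for illustration.

```python
"""Zone assignment and conduit check for a constructed asset inventory.

Added example, not part of the original article.  The five separation rules
follow the article's list (business/IT, safety, wireless, temporary, external
access); the rule precedence, the asset attributes, zone names, flows and
conduits below are this script's own constructed assumptions.
"""

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    business_it: bool = False  # enterprise/IT asset (the internet-connected side)
    safety: bool = False       # controlled by a Safety Instrumented System
    wireless: bool = False     # wireless network element or wireless IIoT device
    temporary: bool = False    # service laptop, vendor IIoT sensor, media gateway
    external: bool = False     # reached through an external network (remote access)


# Precedence matters: an asset matching several rules lands in the least trusted
# zone first.  This ordering is the script's assumption, not the standard's.
ZONE_RULES = (
    ("external-access",   lambda a: a.external),
    ("temporary-devices", lambda a: a.temporary),
    ("wireless-iiot",     lambda a: a.wireless),
    ("enterprise-it",     lambda a: a.business_it),
    ("safety-sis",        lambda a: a.safety),
)
DEFAULT_ZONE = "process-control"


def assign_zone(asset):
    """First matching rule wins; everything else is basic process control."""
    for zone, matches in ZONE_RULES:
        if matches(asset):
            return zone
    return DEFAULT_ZONE


def partition(assets):
    """Map each asset name to its zone."""
    return {a.name: assign_zone(a) for a in assets}


def check_flows(assets, flows, conduits):
    """Return flows that cross a zone boundary without a declared conduit.

    flows:    iterable of (src_asset, dst_asset, protocol)
    conduits: set of frozenset({zone_a, zone_b}) that are allowed to communicate
    Each violation is (src, src_zone, dst, dst_zone, protocol).
    """
    zone_of = partition(assets)
    violations = []
    for src, dst, proto in flows:
        za, zb = zone_of[src], zone_of[dst]
        if za != zb and frozenset((za, zb)) not in conduits:
            violations.append((src, za, dst, zb, proto))
    return violations


# Constructed inventory, observed flows and conduit list for a fictional plant.
ASSETS = [
    Asset("erp-server", business_it=True),
    Asset("historian"),
    Asset("plc-line1"),
    Asset("sis-logic-solver", safety=True),
    Asset("wireless-gw", wireless=True),
    Asset("vendor-laptop", temporary=True),
    Asset("remote-eng-ws", external=True),
]
FLOWS = [
    ("plc-line1", "historian", "opc-ua"),          # inside process-control
    ("erp-server", "historian", "https"),          # declared IT <-> OT conduit
    ("vendor-laptop", "plc-line1", "modbus-tcp"),  # no conduit declared
    ("remote-eng-ws", "sis-logic-solver", "ssh"),  # no conduit declared
    ("wireless-gw", "plc-line1", "mqtt"),          # declared conduit
]
CONDUITS = {
    frozenset({"enterprise-it", "process-control"}),
    frozenset({"wireless-iiot", "process-control"}),
}

if __name__ == "__main__":
    for src, za, dst, zb, proto in check_flows(ASSETS, FLOWS, CONDUITS):
        print(f"undeclared cross-zone flow: {src} ({za}) -> {dst} ({zb}) via {proto}")
```

In practice the flow list comes from a passive capture or the firewall logs of the plant network, and the conduit list is the output of the Part 3-2 risk assessment; any flow the script reports is either a missing conduit definition (a documentation gap) or traffic that the segregation should have blocked (a control gap), and both need an owner.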
Summary and Conclusions
ICS cyber security must be an ongoing and consistent process, and all of the steps described above should be based on a complete risk assessment of the specific plant. Using ISA/IEC 62443 defines clearly the commitments of every stakeholder. As part of that process, all vendors of components, software and services must commit to delivering mature solutions and to supporting them over the whole life cycle of the ICS and the operating life of the plant.
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts; he periodically teaches in colleges and presents at industry conferences on the integration of cyber defense with ICS. Daniel has over 29 years of engineering experience with ICS/OT for electricity, water, oil and gas and power plants, gained at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.