Leveraging IEC 62443 Standards in ICS Security
Watch the IEC 62443 webinar for practical experiences on how to address these standards and make meaningful progress in your overall ICS security maturity efforts.
Learn MoreThe ISA/IEC 62443 cybersecurity documents contain a lot of guidance that easily overwhelms or confuses people when unpacking its components. It covers a range of topics including how to:
- Build a Cybersecurity Management System (CSMS)
- Structure industrial cybersecurity assessments (while not replacing actual ISA 84 for example)
- Define security requirements for several Foundational Requirement (FR) areas
- Define, determine, apply, and evaluate target Security Levels (SL)
This article though is not to rehash those topics – those can be found in our ISA 62443 all-in-one guide – but instead, this article aims to help asset owners, integrators and customers understand how to begin a cybersecurity program to improve overall maturity against the elements of the IEC 62443 standard.
In the IT cybersecurity world, there is a plethora of frameworks and education. But in OT cybersecurity, it is paralyzing to understand and properly implement meaningful security. The good news is that it can be done safely in a way that considers both enterprise/IT and OT/ICS audiences via a phased and pragmatic approach.
5 Steps to Build an ICS Cybersecurity Maturity Program Using the IEC 62443 Standards
- Security Foundations – Cyber Security Management System (CSMS) definition
- Develop the objectives, policies, metrics, and governance for the overall ICS security program
- Risk assessment
- Develop a detailed view of risks at each facility, endpoint, network, and user
- Design of security program
- Prioritize a set of initiatives to reduce risks across each area to achieve the security objectives established in phase 1
- Implementation & Testing
- Execute the plan and conduct robust testing of solutions, stand-alone as well as in concert with each other
- Maintenance & Continuous Improvement
- Ensure controls and execution is monitored and tracked and improvement occurs over time
For audiences that are more visual, the following diagram illustrates the five phases aligned for IEC 62443 compatibility:
Key Takeaways from IEC 62443 Standards
- Achieving IACS cybersecurity requires a combination of people, processes, and technologies. The foundational elements of a CSMS define an enterprise’s overall cybersecurity objectives including its risk tolerance, the potential impacts of events, the policies that the organization will adopt to ensure security, etc. These are not a “tool”. They require thoughtful debate and trade-offs, debated at senior levels of an organization.
However, to ensure the implementation of these policies as well as the maintenance and continuous improvement of overall security levels (SLs), technology is a critical component in the overall program. As we hear over and over, the number one challenge in achieving ICS cyber security is resources. Technology enables greater efficiency and effectiveness to reduce the resource burdens required.
- Monitoring is NOT enough. Security requires active management of the devices and systems to ensure they are secured as designed, and that security is maintained – and improved – over time. Certainly, monitoring or initial visibility is an important component. But to achieve true security level improvements, organizations need to conduct “OT Systems Management” to patch, harden configurations, manage users and accounts, manage anti-virus and other protective solutions, etc. This active management is a necessary capability in the overall Cyber Security Management System of any organization.
This point is perhaps best made in reviewing the Foundational Requirements (FR) in IEC 62443.
As seen in ISA 62443’s Foundational Requirements (FRs), monitoring technologies cannot provide sufficient overall coverage to allow asset owners to achieve an SL-T between 0 & 1 (basically, they might tell you something is wrong, but provide no level of resistance/protection).
| Functional Requirements | Security Requirement Area | CTI | Monitoring | OT Systems Management |
|---|---|---|---|---|
| IAC | SR 1.1 - Human user identification | Minimal | Minimal | Moderate |
| SR 1.2 - Software process and device identification and authentication | None | Minimal | Complete | |
| SR 1.3 - Account management | Minimal | None | Complete | |
| SR 1.4 - Identifier management | None | None | Complete | |
| SR 1.5 - Authenticator management | None | None | Complete | |
| SR 1.6 - Wireless access management | None | Minimal | Complete | |
| SR 1.7 - Strength of password-based authentication | None | None | Complete | |
| SR 1.8 - Public key infrastructure certificates | None | None | None | |
| SR 1.9 - Strength of public key authentication | None | None | Minimal | |
| SR 1.10 - Authenticator feedback | None | None | Minimal | |
| SR 1.11 - Unsuccessful login attempts | Minimal | Minimal | Complete | |
| SR 1.12 - System use notification | Minimal | Minimal | Complete | |
| SR 1.1.13 - Access via untrusted networks | None | None | None | |
| UAC | SR 2.1 - Authorization enforcement | None | None | Moderate |
| SR2.2 - Wireless use control | None | None | Minimal | |
| SR 2.3 - Use control for portable and mobile devices | None | None | Minimal | |
| SR 2.4 - Mobile code | None | None | None | |
| SR 2.5 - Session lock | None | None | Minimal | |
| SR 2.6 - Remote session termination | None | None | Minimal | |
| SR 2.7 - Concurrent session control | None | None | Minimal | |
| SR 2.8 - Auditable events | Minimal | Moderate | Complete | |
| SR 2.9 - Audit storage capacity | None | Moderate | Complete | |
| SR 2.10 - Response to audit processing failures | None | None | None | |
| SR 2.11 - Timestamps | None | Moderate | Moderate | |
| SR 2.12 - Non-repudiation | Minimal | Moderate | Moderate | |
| SI | SR 3.1 - Communication integrity | None | Minimal | Moderate |
| SR 3.2 - Malicious code protection | None | None | Complete | |
| SR 3.3 - Security functionality verification | None | None | Complete | |
| SR 3.4 - Software and information integrity | None | None | Complete | |
| SR 3.5 - Input validation | None | None | None | |
| SR 3.6 - Deterministic output | None | None | None | |
| SR 3.7 - Error handling | None | None | Complete | |
| SR 3.8 - Session integrity | None | Moderate | Moderate | |
| SR 3.9 - Protection of audit information | Minimal | Minimal | Moderate | |
| DC | SR 4.1 - Information confidentiality | Minimal | Minimal | Moderate |
| SR 4.2 - Information persistence | None | Minimal | Moderate | |
| SR 4.3 - Use of cryptography | None | Minimal | Moderate | |
| RDF | SR 5.1 - Network segmentation | None | None | None |
| SR 5.2 - Zone boundary protection | Minimal | Minimal | Moderate | |
| SR 5.3 - General purpose person-to-person communication restrictions | None | None | None | |
| SR 5.4 - Application partitioning | None | None | None | |
| TRE | SR 6.1 - Audit log accessibility | None | Moderate | Complete |
| SR 6.2 - Continuous monitoring | Moderate | Moderate | Complete | |
| RA | SR 7.1 - Denial of service protection | None | None | None |
| SR 7.2 - Resource management | None | None | Complete | |
| SR 7.3 - Control system backup | None | None | Complete | |
| SR 7.4 - Control system recovery and reconstitution | None | None | Moderate | |
| SR 7.5 - Emergency power | None | None | None | |
| SR 7.6 - Network and security configuration settings | None | Minimal | Complete | |
| SR 7.7 - Least functionality | None | None | Complete | |
| SR 7.8 - Control system component inventory | None | Minimal | Complete |
- FRs require a wide range of security management across all Systems Under Consideration (SUC) (both device level and process level), requiring holistic security approaches.
The FRs are comprehensive across a range of security elements. IEC 62443 applies both to product development/procurement as well as to the overall process operations of industrial controls systems. Many manufacturers are pursuing SL 1 or 2 status for their products, which is a great initial outcome of the standards. But true security will require operators, themselves, to adopt the standards across their systems-of-systems. Security of the control system involves the interaction of many components, broken into “zones” and “conduits”. IEC 62443 requires taking this system-wide look at security to increase maturity across the landscape.
To manage IEC 62443 across FRs, organizations need to manage their implementation and continuous improvement across multiple security elements and layers of SUCs. Using just one capability to secure an OT environment would be difficult for any resource, skilled or not, but organizations need to do this across multiple capabilities. Fortunately, the ISA/IEC 62443 committees have a diverse audience of OEMs, asset owners, and security practitioners, and the focus is on a combination of management, action, monitoring, and procedure. Each of these FRs can have specific SRs or another form of enhancement based on the use case.
If we are to continue with the philosophy that an organization’s security is made up of more than a single product’s SL-T designation, then it should stand to reason that cyber risk reduction for an asset owner must not just be for zones, conduits, devices, and endpoints – but instead inclusive of the larger ecosystem at a facility. This would mean an asset owner needs to cover in-depth several FRs, and multiple systems, zones, and conduits.
Verve Industrial and OT Systems Management for IEC 62443
For the past 30 years, Verve has worked with industrial organizations to improve the reliability and security of their control systems. The Verve Security Center platform was built to address this type of security management in an efficient manner. Asset owners need to be enabled to act, not merely stuck with a fire alarm that cannot let them own and manage the assets they have. They need a platform that traverses FRs and provides substantial coverage and functionality. They also need professional service support that can help develop the right foundations and risk assessments based on experience and best practices.
| Phase | Explanation | Applicable Verve Product and/or Service |
|---|---|---|
| Security Foundations / CSMS Definition | Governance and defined processes, procedures, documents, architectures, policies, and requirements for the overall organization, layer, zone, conduit or assets in question. These are broken into a few categories to determine areas requiring definition and application. | Verve advisory services leverages 30 years of ICS expertise and database of best practices to help organizations design the right cyber security management system for their organization. |
| Risk Assessment | A cyber risk assessment that can be performed via any number of methodologies. Most organizations opt for academic/paper-based gap assessments as an initial step before committing to a detailed risk assessment. | Verve Tech-Enabled Assessment: an approach that leverages the unique architecture and technical capabilities to provide a deep/Cross-FR assessment as well as a solution to remediate as well as monitor ongoing improvement and maintenance. |
| Design | Using detailed risk assessment results, projects or initiatives are formulated and executed upon. This generally has requirements analysis, site evaluations, solution inputs, and a plan is drafted towards piecing together an implementation. | Verve’s roadmap and security design services help clients develop appropriate sequenced initiatives to systematically improve their overall security levels. These include roadmap sequencing, network design, solution, and organization design elements. |
| Implementation & Testing | Shifting from design to execution. This includes hardening, patching, user & access management limitations, etc. It also includes new device and SUC testing in advance of deployment of those systems. | The Verve Security Center provides a robust integrated OT system management capability across most of the key tech-enabled FRs. The platform speeds the implementation of many FR requirements and allows for testing. In addition, Verve services assist clients in implementing network segmentation and “zones” and “conduits” implementations. |
| Maintenance, Management & Continuous Improvement | Security degrades as a function of time, updates need to be evaluated for priority & application, users removed or modified, software uninstalled, and other maintenance applied. Technology requires proper systems management, and ICS/OT environments are no different. Frequent and up-to-date dashboard highlighting work areas and having teams/products to action on them is critical. | Verve Security Center constantly monitors the current status of all security across FRs. For instance, providing review of account and user status and risks, new patches and vulnerabilities discovered, devices that drift from hardened security configurations. Verve can also be used to continually update security settings across SUCs to maintain and improve Security Levels (SL). |
It is important to note that depending on the type of asset or even the System under Consideration (SuC), the applicable FRs may change, and so do the solutions possible to enable certain controls. For example, securing a Windows-based HMI or Historian will certainly be different than securing a PLC cabinet. Verve provides controls, improves visibility on cyber-risks, and safely inventories across a variety of device types:
- Routers and switches
- Laptops, desktops, and servers
- Human Machine Interfaces (HMI)
- Programmable Logic Controllers (PLC)
- Flow and valve controllers/sensors
- Distributed Control Systems (DCS)
ISA 62443 alignment requires coverage across all areas of the People-Process-Technology spectrum. In fact, it explores organizational aspects including requiring processes/procedures, maintaining asset inventories, applying security controls, and of course, having the resources or partners to do so. This means an effective security product should be robust and not limit itself to targeting one specific type of asset. Security is not a one-time investment, but a continuous investment similar to purchasing and maintaining a vehicle.
Additional Resources
Webinar
Blog, Guide
The Ultimate Guide to Protecting OT Systems with IEC 62443
The ISA/IEC 62443 collection of standards is laser-focused on industrial controls. Here’s how to make the most of them.
Learn More Video
Applying 62443 Concepts to Securing OT ICS Endpoints
Learn how to boost endpoint security using IEC 62443 standards. Discover mapping, monitoring, and strategy insights in this presentation.
Learn More