The ISA/IEC 62443 cybersecurity documents contain a lot of guidance, and unpacking their components easily overwhelms or confuses people. They cover a range of topics, including how to:

  • Build a Cybersecurity Management System (CSMS)
  • Structure industrial cybersecurity assessments (while not replacing, for example, ISA 84 itself)
  • Define security requirements for several Foundational Requirement (FR) areas
  • Define, determine, apply, and evaluate target Security Levels (SL)

This article does not rehash those topics, which are covered in our ISA 62443 all-in-one guide. Instead, it aims to help asset owners, integrators, and customers understand how to begin a cybersecurity program that improves overall maturity against the elements of the IEC 62443 standard.

In the IT cybersecurity world, there is a plethora of frameworks and education. But in OT cybersecurity, working out how to understand and properly implement meaningful security can be paralyzing. The good news is that it can be done safely, in a way that considers both enterprise/IT and OT/ICS audiences, via a phased and pragmatic approach.

5 Steps to Build an ICS Cybersecurity Maturity Program Using the IEC 62443 Standards

  • Security Foundations – Cyber Security Management System (CSMS) definition
    • Develop the objectives, policies, metrics, and governance for the overall ICS security program
  • Risk assessment
    • Develop a detailed view of risks at each facility, endpoint, network, and user
  • Design of security program
    • Prioritize a set of initiatives to reduce risks across each area to achieve the security objectives established in phase 1
  • Implementation & Testing
    • Execute the plan and conduct robust testing of solutions, stand-alone as well as in concert with each other
  • Maintenance & Continuous Improvement
    • Ensure controls and execution are monitored and tracked, and that improvement occurs over time

For audiences that are more visual, the following diagram illustrates the five phases aligned for IEC 62443 compatibility:

Figure 1: IEC 62443 simplified for asset owners by phases

Key Takeaways from IEC 62443 Standards

  • Achieving IACS cybersecurity requires a combination of people, processes, and technologies. The foundational elements of a CSMS define an enterprise’s overall cybersecurity objectives, including its risk tolerance, the potential impacts of events, the policies that the organization will adopt to ensure security, etc. These are not a “tool”. They require thoughtful debate and trade-offs at senior levels of an organization.

However, to ensure the implementation of these policies as well as the maintenance and continuous improvement of overall security levels (SLs), technology is a critical component in the overall program. As we hear over and over, the number one challenge in achieving ICS cyber security is resources. Technology enables greater efficiency and effectiveness to reduce the resource burdens required.

  • Monitoring is NOT enough. Security requires active management of the devices and systems to ensure they are secured as designed, and that security is maintained – and improved – over time. Certainly, monitoring or initial visibility is an important component. But to achieve true security level improvements, organizations need to conduct “OT Systems Management” to patch, harden configurations, manage users and accounts, manage anti-virus and other protective solutions, etc. This active management is a necessary capability in the overall Cyber Security Management System of any organization.

This point is perhaps best made in reviewing the Foundational Requirements (FR) in IEC 62443.

Figure 2: IEC 62443 Foundational Requirement Areas & Definitions

As seen in ISA 62443’s Foundational Requirements (FRs), monitoring technologies cannot provide sufficient overall coverage to allow asset owners to achieve an SL-T between 0 & 1 (basically, they might tell you something is wrong, but provide no level of resistance/protection).

| Foundational Requirement | Security Requirement Area | CTI | Monitoring | OT Systems Management |
|---|---|---|---|---|
| IAC | SR 1.1 - Human user identification | Minimal | Minimal | Moderate |
| IAC | SR 1.2 - Software process and device identification and authentication | None | Minimal | Complete |
| IAC | SR 1.3 - Account management | Minimal | None | Complete |
| IAC | SR 1.4 - Identifier management | None | None | Complete |
| IAC | SR 1.5 - Authenticator management | None | None | Complete |
| IAC | SR 1.6 - Wireless access management | None | Minimal | Complete |
| IAC | SR 1.7 - Strength of password-based authentication | None | None | Complete |
| IAC | SR 1.8 - Public key infrastructure certificates | None | None | None |
| IAC | SR 1.9 - Strength of public key authentication | None | None | Minimal |
| IAC | SR 1.10 - Authenticator feedback | None | None | Minimal |
| IAC | SR 1.11 - Unsuccessful login attempts | Minimal | Minimal | Complete |
| IAC | SR 1.12 - System use notification | Minimal | Minimal | Complete |
| IAC | SR 1.13 - Access via untrusted networks | None | None | None |
| UAC | SR 2.1 - Authorization enforcement | None | None | Moderate |
| UAC | SR 2.2 - Wireless use control | None | None | Minimal |
| UAC | SR 2.3 - Use control for portable and mobile devices | None | None | Minimal |
| UAC | SR 2.4 - Mobile code | None | None | None |
| UAC | SR 2.5 - Session lock | None | None | Minimal |
| UAC | SR 2.6 - Remote session termination | None | None | Minimal |
| UAC | SR 2.7 - Concurrent session control | None | None | Minimal |
| UAC | SR 2.8 - Auditable events | Minimal | Moderate | Complete |
| UAC | SR 2.9 - Audit storage capacity | None | Moderate | Complete |
| UAC | SR 2.10 - Response to audit processing failures | None | None | None |
| UAC | SR 2.11 - Timestamps | None | Moderate | Moderate |
| UAC | SR 2.12 - Non-repudiation | Minimal | Moderate | Moderate |
| SI | SR 3.1 - Communication integrity | None | Minimal | Moderate |
| SI | SR 3.2 - Malicious code protection | None | None | Complete |
| SI | SR 3.3 - Security functionality verification | None | None | Complete |
| SI | SR 3.4 - Software and information integrity | None | None | Complete |
| SI | SR 3.5 - Input validation | None | None | None |
| SI | SR 3.6 - Deterministic output | None | None | None |
| SI | SR 3.7 - Error handling | None | None | Complete |
| SI | SR 3.8 - Session integrity | None | Moderate | Moderate |
| SI | SR 3.9 - Protection of audit information | Minimal | Minimal | Moderate |
| DC | SR 4.1 - Information confidentiality | Minimal | Minimal | Moderate |
| DC | SR 4.2 - Information persistence | None | Minimal | Moderate |
| DC | SR 4.3 - Use of cryptography | None | Minimal | Moderate |
| RDF | SR 5.1 - Network segmentation | None | None | None |
| RDF | SR 5.2 - Zone boundary protection | Minimal | Minimal | Moderate |
| RDF | SR 5.3 - General purpose person-to-person communication restrictions | None | None | None |
| RDF | SR 5.4 - Application partitioning | None | None | None |
| TRE | SR 6.1 - Audit log accessibility | None | Moderate | Complete |
| TRE | SR 6.2 - Continuous monitoring | Moderate | Moderate | Complete |
| RA | SR 7.1 - Denial of service protection | None | None | None |
| RA | SR 7.2 - Resource management | None | None | Complete |
| RA | SR 7.3 - Control system backup | None | None | Complete |
| RA | SR 7.4 - Control system recovery and reconstitution | None | None | Moderate |
| RA | SR 7.5 - Emergency power | None | None | None |
| RA | SR 7.6 - Network and security configuration settings | None | Minimal | Complete |
| RA | SR 7.7 - Least functionality | None | None | Complete |
| RA | SR 7.8 - Control system component inventory | None | Minimal | Complete |

  • FRs require a wide range of security management across all Systems Under Consideration (SUC) (both device level and process level), requiring holistic security approaches.

The FRs are comprehensive across a range of security elements. IEC 62443 applies both to product development/procurement and to the overall process operations of industrial control systems. Many manufacturers are pursuing SL 1 or 2 status for their products, which is a great initial outcome of the standards. But true security will require operators themselves to adopt the standards across their systems-of-systems. Security of the control system involves the interaction of many components, broken into “zones” and “conduits”. IEC 62443 requires taking this system-wide look at security to increase maturity across the landscape.

To manage IEC 62443 across FRs, organizations need to manage their implementation and continuous improvement across multiple security elements and layers of SUCs.  Using just one capability to secure an OT environment would be difficult for any resource, skilled or not, but organizations need to do this across multiple capabilities. Fortunately, the ISA/IEC 62443 committees have a diverse audience of OEMs, asset owners, and security practitioners, and the focus is on a combination of management, action, monitoring, and procedure.  Each of these FRs can have specific SRs or another form of enhancement based on the use case.

If we are to continue with the philosophy that an organization’s security is made up of more than a single product’s SL-T designation, then it should stand to reason that cyber risk reduction for an asset owner must not just be for zones, conduits, devices, and endpoints, but must instead be inclusive of the larger ecosystem at a facility. This would mean an asset owner needs to cover several FRs in depth, across multiple systems, zones, and conduits.

Verve Industrial and OT Systems Management for IEC 62443

For the past 30 years, Verve has worked with industrial organizations to improve the reliability and security of their control systems. The Verve Security Center platform was built to address this type of security management in an efficient manner. Asset owners need to be enabled to act, not merely stuck with a fire alarm that cannot let them own and manage the assets they have.  They need a platform that traverses FRs and provides substantial coverage and functionality.  They also need professional service support that can help develop the right foundations and risk assessments based on experience and best practices.

| Phase | Explanation | Applicable Verve Product and/or Service |
|---|---|---|
| Security Foundations / CSMS Definition | Governance and defined processes, procedures, documents, architectures, policies, and requirements for the overall organization, layer, zone, conduit or assets in question. These are broken into a few categories to determine areas requiring definition and application. | Verve advisory services leverage 30 years of ICS expertise and a database of best practices to help organizations design the right cyber security management system for their organization. |
| Risk Assessment | A cyber risk assessment that can be performed via any number of methodologies. Most organizations opt for academic/paper-based gap assessments as an initial step before committing to a detailed risk assessment. | Verve Tech-Enabled Assessment: an approach that leverages the unique architecture and technical capabilities to provide a deep, cross-FR assessment as well as a solution to remediate and to monitor ongoing improvement and maintenance. |
| Design | Using detailed risk assessment results, projects or initiatives are formulated and executed upon. This generally includes requirements analysis, site evaluations, and solution inputs, and a plan is drafted for piecing together an implementation. | Verve’s roadmap and security design services help clients develop appropriate sequenced initiatives to systematically improve their overall security levels. These include roadmap sequencing, network design, solution, and organization design elements. |
| Implementation & Testing | Shifting from design to execution. This includes hardening, patching, user & access management limitations, etc. It also includes new device and SUC testing in advance of deployment of those systems. | The Verve Security Center provides a robust integrated OT system management capability across most of the key tech-enabled FRs. The platform speeds the implementation of many FR requirements and allows for testing. In addition, Verve services assist clients in implementing network segmentation and “zones” and “conduits” implementations. |
| Maintenance, Management & Continuous Improvement | Security degrades as a function of time: updates need to be evaluated for priority & application, users removed or modified, software uninstalled, and other maintenance applied. Technology requires proper systems management, and ICS/OT environments are no different. A frequent and up-to-date dashboard highlighting work areas, and having teams/products to act on them, is critical. | Verve Security Center constantly monitors the current status of all security across FRs. For instance, it provides review of account and user status and risks, new patches and vulnerabilities discovered, and devices that drift from hardened security configurations. Verve can also be used to continually update security settings across SUCs to maintain and improve Security Levels (SL). |

It is important to note that depending on the type of asset or even the System Under Consideration (SUC), the applicable FRs may change, as may the solutions available to enable certain controls. For example, securing a Windows-based HMI or Historian will certainly be different than securing a PLC cabinet. Verve provides controls, improves visibility on cyber-risks, and safely inventories across a variety of device types:

  • Routers and switches
  • Laptops, desktops, and servers
  • Human Machine Interfaces (HMI)
  • Programmable Logic Controllers (PLC)
  • Flow and valve controllers/sensors
  • Distributed Control Systems (DCS)

ISA 62443 alignment requires coverage across all areas of the People-Process-Technology spectrum.  In fact, it explores organizational aspects including requiring processes/procedures, maintaining asset inventories, applying security controls, and of course, having the resources or partners to do so. This means an effective security product should be robust and not limit itself to targeting one specific type of asset.  Security is not a one-time investment, but a continuous investment similar to purchasing and maintaining a vehicle.
