Applying 62443 Concepts to Securing OT ICS Endpoints

Mapping ISO to IEC 62443

Most cyber risks and events are associated with the compromise of endpoints or commodity systems, HMIs, Historians, AD servers, EWS, and technician laptops. This means we need to be considering these endpoints vs. merely monitoring network traffic when treating cyber-risk down to tolerable levels for the organization. The IEC 62443 standards have high-level, concentrated advice, but in comparison to NIST-SP technical requirements, it is not as clear because 62443 was designed to be highly agnostic and applicable to many industries.

When looking at the 62443 foundational requirements (FR) and security requirements (SR), many can be found within a cybersecurity program or tweaked to focus on endpoints and fulfilled using technology. Security continuously degrades and audits/remediation requires resources, but security controls per asset can be implemented and monitored so OT systems management (OTSM) teams can get ahead of the problem (where possible) using the correct solutions.

This session is about mapping endpoint security capabilities to those outlined in the 62443 families, using multiple products to tie FR/SRs together, and how to gain visibility on gaps, security-level (SL) variances, etc. via a centralized platform strategy that enables teams to act.

During this presentation, you will learn:

• An introduction to the 62443 FR/SRs with respect to endpoint security
• A mapping of FR/SRs to the various capabilities or products out there
• An example of an HMI “blueprint” with a specific target security level (SL-T)
• An example illustrating variance between an achieved security level (SL-As) vs. the desired SL-T via a compliance strategy
• An example dashboard report showing overall results as a feedback system for your CSMS
• Next steps to expanding this concept

Video Overview | Full Transcript

Overview and Full Transcript

Full Transcript

Introduction 

John Livingston
Thank you everyone for joining, and welcome to Verve’s presentation about applying IEC 62443 concepts to securing OT or ICS endpoints.

With me today is Ryan Zhan, the Director of Customer Success at Verve. Ryan has about 15 years of experience in the control system security world, with about eight of those years spent at Verve. He will be taking you through a brief demonstration of Verve’s platform and how we address endpoint risks.

Verve has been in business for nearly 30 years, initially starting as a control system engineering firm. Over the past 15 years, we’ve developed the Verve Security Center platform, which helps clients manage OT cybersecurity comprehensively. This platform, which Ryan will demonstrate later, is backed by our extensive experience in control system security services.

Understanding IEC 62443 Framework

Today, we’ll discuss how the principles of IEC 62443, often associated with networks and connections, are equally crucial for endpoint security. Endpoints play a pivotal role in automation and system management, yet they often remain insecure in traditional OT environments. The lack of IP security management or IT systems oversight leaves these devices vulnerable to threats like ransomware. Our goal today is to emphasize the significance of OT endpoint security and demonstrate how IEC 62443 principles can be applied to secure them effectively.

Before we delve into an endpoint demonstration, let’s revisit the foundational components of IEC 62443. These standards encompass security levels, zones, conduits, foundational requirements, and security requirements. Our focus today is on implementing and maintaining these controls for endpoints.

Security levels are our objectives for individual controls, categorized into target security levels, capability security levels, and achieved security levels (ranging from one to four). To attain a security level, we apply foundational requirements. In the context of endpoints, these requirements include identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, event response, and resource availability.

Each foundational requirement contains specific security requirements. For example, foundational requirement six involves audit logs and accessibility to them. These foundational requirements guide us in achieving our target security levels for endpoints within critical zones. To do this, we carefully select and design security controls, considering aspects like patching, anti-malware deployment, application whitelisting, and application firewalls. We continuously refine our approach based on sub-requirements and security requirement enhancements to reach actual security levels that surpass our targets.

As we apply this framework to endpoints, it becomes clear that it facilitates effective configuration, hardening, and security of these crucial components. The process begins with identifying all endpoints in the environment, defining their zones, and establishing target security levels. Subsequently, we design the appropriate security controls and discuss how to apply these requirements to each specific endpoint.”

Verve’s Role in OT Endpoint Security

Next, we typically integrate the Verve platform, allowing us to assess the current security status against the established security and functional requirements. We evaluate factors such as patching, user and account controls, application whitelisting, antivirus signature updates, and more. This assessment helps us prioritize security requirements that can be immediately implemented, like securing application whitelisting, while identifying those that may require compensating controls, such as extensive patching.

Once the assessment is complete, we proceed to implementation. The Verve platform plays a crucial role in this phase, enabling us to take action. We can perform tasks like patching, configuration hardening, user and account management, closing unnecessary ports or services, and more. Following implementation, we conduct a reassessment to determine if we’ve reached our target security level and what additional measures may be needed.

The most critical aspect of this process is maintaining these security levels over time. With the Verve platform in place, we can achieve real-time visibility into our progress, continuously ensuring alignment with IEC 62443 standards. We can swiftly respond to deviations, such as newly released patches or configuration changes, to regain compliance with our security level targets. Additionally, we have the flexibility to adjust these targets as needed, accommodating changing security requirements and enhancing overall security.

Visualizing Security Progress

In a visual representation, this control over endpoints significantly contributes to risk reduction and threat response. We can identify and eliminate unauthorized accounts, remove risky software, detect dual NIC devices causing vulnerabilities, ensure up-to-date backups, and monitor for anomalies like unauthorized file access or encryption changes. By focusing on endpoints and applying IEC 62443 principles, we elevate our security posture in risk reduction and threat response.

So, how do we achieve this? We utilize the Verve Security Center, an OT security management platform. It begins with obtaining deep visibility into the inventory, going beyond mere network awareness to understanding user accounts, patch status, and more. This thorough inventory enables vulnerability identification, including missing patches, improving our security levels, and configuring devices securely. We can close ports, stop unnecessary services, and enforce password policies. Managing users and accounts becomes more effective, as we can take actions like removing users or restricting their access. We review anti-malware solutions, such as whitelisting or antivirus software. Monitoring logs for potential threats and rapid incident response capabilities are also integrated into the platform.

The Verve Security Center, refined over 15 years in the control system world, is tailored to ensure compliance with IEC 62443 standards effectively. Now, I’ll hand it over to Ryan, who will demonstrate how this platform empowers you to secure OT endpoints.

Demonstrating IEC 62443 SLAs

Ryan Zahn
Let’s take a closer look at the IEC 62443 SLAs. I’ll guide you through the console to demonstrate the impact of applying these SLAs in two different zones: one where the SLAs have been implemented, and another where they have not.

First, let’s examine the protected zone. In this section, you’ll see outstanding patches by asset, focusing on the top 20 assets. It’s important to note that there are no critical patches displayed; the metric for outstanding critical patches is zero. The figure for outstanding patches is 200 because not all patches are security-related. Some may be workarounds or configuration changes, but we aim to provide comprehensive data. Now, moving on to vulnerability data, you’ll find outstanding vulnerabilities for the same top 20 assets. Similar to patches, there are no critical vulnerabilities, indicating zero critical vulnerabilities.

We also consider user-related factors, such as users with expired accounts. In this case, all assets show a count of zero, aligning with the data presented in the previous visuals. Alongside the traditional IEC 62443 requirements, we assess compensating controls. For instance, we evaluate Application Whitelisting. In this environment, all machines are in lockdown mode, ensuring that no unauthorized applications or executables can run. Additionally, the backup status is all green, indicating that backups are successful and reliable.

Now, let’s compare this data to the unprotected zone, where SLAs haven’t been applied. Here, outstanding patches are showcased for the top 20 assets, and the severity varies, including critical, important, high, medium, and low patches. The total count of outstanding patches stands at 1500, covering all types of patches. This corresponds to vulnerability data, where we see 1900 critical vulnerabilities out of a total of 2000.

Further down, we explore compensating controls and user accounts. Among the 20 machines listed, four have user accounts with passwords older than 180 days, including the administrator account. Additionally, we assess Application Whitelisting status, where none are in lockdown mode. Several machines are in modes other than disabled, but a significant subset remains disabled.

Lastly, we examine the backup status, revealing that there are no successful backups within this group of 20 machines. Most are marked as warnings or failures, necessitating investigation and the application of IEC 62443 requirements.

Key Takeaways

John Livingston
Thank you, Ryan, for illustrating how to effectively apply IEC 62443 at the endpoint level. We have a few key takeaways to share with you today:

• OT Security Management Facilitates IEC 62443 Implementation: Managing OT security can simplify the implementation of IEC 62443 on endpoints. While IEC 62443 may seem daunting, adopting a platform approach allows you to efficiently assess the current status and apply security requirements to endpoints.
• Effective Risk Reduction Requires Endpoint Management: True risk reduction involves more than just identifying and tracking assets; it requires actively securing endpoints through concrete security actions. This includes hardening these devices, and a platform approach like the one demonstrated can greatly assist in achieving this goal.
• IEC 62443-Based Cybersecurity Enhances Security Posture: Building a cybersecurity program based on the foundations of IEC 62443 can significantly enhance your overall security posture. While assessing risks can be complex and nuanced, having a standardized program in place enables you to make rapid progress.

We appreciate your participation today. If you have any questions, please feel free to ask. Thank you for joining us.