IEC 62443
How IEC 62443 Security Standards Protect OT Environments
Cyber security continues to be one of those most important safety issues facing the United States and other countries around the world. Critical manufacturing and energy sectors are often targeted by malicious actors who can cause widespread damage within a facility and, ultimately, endanger the public.
What is IEC 62443
To combat widespread cyber security threats, a series of standards has been created for implementation in industrial and manufacturing environments. Formally known as ISA 99, the IEC 62443 series of standards is a framework for a comprehensive security strategy for industrial communication networks and industrial automation and control systems (IACS). The standards cover a broad range of cyber security aspects with special emphasis on the importance of risk mitigation and system resiliency. The goal of the standard is to improve the safety, availability, integrity, and confidentiality of components used in industrial automation and control. Because it is internationally supported, major system integrators are adopting IEC 62443 in the design of industrial control systems.
Intended to cover a broad range of industrial sectors including power distribution, transportation, and manufacturing, the IEC 62443 standards also consider top-to-bottom security within industrial facilities including on individual computer terminals, internal networks, and all configurable devices that can be accessed on the network, such as specialized equipment for power monitoring, sensors, and other devices. Its “secure by design” approach is considered the absolute best way to prevent illegal, inappropriate, or unwanted access to sensitive industrial systems which is why selecting devices with integrated security features that align with the IEC 62443 standards is key to maintaining high security.
IEC 62443 defines five levels of security designed to protect critical systems from intrusion ranging from casual access by a negligent employee all the way up to a coordinated, sophisticated attack from a nation state. The level of protection may vary throughout the network depending on the risk level.
| Security Level | Target | Skills | Motivation | Means | Resources |
|---|---|---|---|---|---|
| SL0 | Public | No specific requirements or security protection measures required | |||
| SL1 | Casual, Careless Employee or Contractor | No Attack Skills | Mistakes | Non-Intentional | Individual |
| SL2 | Cyber Criminal, Hacker | Generic | Low | Simple | Low (Isolated Individual) |
| SL3 | Hacktivist, Terrorist | ICS Specific | Moderate | Sophisticated (Attack) | Moderate (Hacker Group) |
| SL4 | Nation State | ICS Specific | High | Sophisticated (Campaign) | Extended (Multi-Disciplinary Teams) |
In addition, there are seven security level Foundation Requirements that must be met for each of the security levels listed in the above table to ensure that an industrial network has proper security in place. Higher security levels have an increased number of conditions that must be met for each foundational requirement. The foundational requirements are as follows:
| Foundational Requirement | Description | |
|---|---|---|
| FR1 | Identification and Authentication Control | Reliably identify all users/devices who access the industrial network. This can include personnel, software, and equipment. |
| FR2 | Use Control | Proper administration of assigned privileges for each authenticated user/device on the industrial network. Continuously monitor the use of privileges; ensure the privileges are appropriate for each user. |
| FR3 | System Integrity | Secure the integrity of the industrial network to prevent unauthorized access. |
| FR4 | Data Confidentiality | Maintain confidentiality of all data communicated within the industrial network and stored within servers or databases. Safeguard against unauthorized access and prevent sharing of sensitive information. |
| FR5 | Restricted Data Flow | The control system should be separated into zones and data in between zones should be limited to only what is necessary to maintain operations. |
| FR6 | Timely Response to Events | Swiftly respond to unauthorized access or other security breaches. Notify proper authorities when necessary and take immediate corrective action to prevent further incidents. |
| FR7 | Resource Availability | Ensure the industrial network is available and operational to provide the essential services necessary to maintain business operations. |
Further IEC 62443 outlines four Maturity Level requirements for processes based on the CMMI (Capability Maturity Model Integration) framework which can be used to guide process improvements across individual projects or organizations. Maturity Levels are used to document how effective (“mature”) an organization is at carrying out a specified process. Briefly, the Maturity Levels are as follows:
| Maturity Level | Description | |
|---|---|---|
| ML1 | Initial | Ad-hoc process; Processes are undocumented, or not fully documented, by organizations. |
| ML2 | Managed | An organization can follow written guidelines for various processes. People involved in the process have training or expertise and can follow written procedures. Processes may be repeatable. |
| ML3 | Defined (Practiced) | Processes are practiced and repeatable. Documentation supports that processes are consistently followed throughout an organization. |
| ML4 | Improving | The effectiveness and performance of processes is continuously monitored through process-appropriate metrics. Continuous improvement is demonstrated. |
Based on a holistic approach, the IEC 62443 standards emphasize security at both the device level and protocol level. Utilizing encryption technology for both devices and protocols ensures that information remains secure and cannot be read by unauthorized individuals.
Besides the networking challenges that any modern office might encounter, an industrial network’s additional complexity requires special attention in several areas to mitigate cyber security threats. IEC 62443 brings these concerns to the forefront.
Absence of Device Security Features
Devices used in industrial settings are often designed with an emphasis on reliability, but less focus on overall security considerations. These devices may lack the ability to encrypt data or may have poor password support. They also may be older, legacy devices without upgrade capabilities, such as over-the-air (OTA) firmware updates. Without measures in place to prevent unauthorized access, these devices can leave an entire system vulnerable to attack. Such devices do not align with IEC 62443 security standards and will require an additional layer of protection (such as a firewall) to maintain network security.
Insecure Network Design
Overlap between the Information Technology (IT) and Operational Technology (OT) realms is characteristic in industrial environments. When these two networks are openly connected without proper firewalls in place, the cybersecurity risk increases across the entire network. Maintaining a network topology that isolates segments of the network and separates the “enterprise zone” (IT) from the “manufacturing zone” (OT) is crucial to security and can prevent malicious software, such as trojans or viruses, from spreading across the entire network, causing unintended shutdowns. IEC 62443 compliance requires that infrastructure be segmented into zones to increase security.
Poor Security Management Over the Network’s Lifespan
It is expected that a network be properly configured when it is first implemented. At the outset, hardware and firmware are up to date, best practices are followed when configuring network topology, and “band aid” fixes are unnecessary because the network runs as intended.
Unfortunately, a network is not a static thing. It grows and adapts as personnel, equipment, and demands change within a company. Without proper oversight, this can lead to critical security gaps. Concerns such as outdated firmware and software, malfunctioning or inadequate hardware, and poor documentation from IT or OT personnel can all increase security risks. For these reasons, it is crucial to audit the network regularly to ensure that passwords and security protocols remain updated. Implementing hardware that supports the IEC 62443 standard, installing software/firmware updates, ensuring employees have proper credentials and training, maintaining firewalls and network segmentation, documenting network architecture, and optimizing network topology are all important steps to maintaining security.
Conclusion
Industrial network security remains at the forefront of cyber security concerns for the United States and other countries around the world. The IEC 62443 standard outlines industry-leading security recommendations for critical networks and is steadily gaining adoption by the leading system integrators. By taking a holistic approach to describe security features from the device level to the network level, IEC 62443 addresses common security gaps that can leave industrial networks open to cyber security threats. Regular auditing, proper network configuration, and employee training can reduce security risks and keep critical data secure.