Blog

How to Construct the Cornerstone of OT Cybersecurity Using ISA/IEC 62443

Jun 29, 2023

Blog-How to Construct the Cornerstone of OT Cybersecurity Using ISA-IEC 62443

Understanding of ISA/IEC 62443

The ISA/IEC 62443 is concerned with security for industrial automation and control systems (IACS), i.e., control systems that use automated or remotely controlled/monitored assets. These IACS can be found in manufacturing and process plants/facilities, utilities that are geographically spread out, pipelines and petroleum production and distribution facilities and other industries like transportation networks. “Security” refers to the preventions of illegal or unwanted penetration, interference (intentional or otherwise), or unauthorized access to confidential information. To home in further, the ISA/IEC 62443 series includes several standards and technical reports, each discussing a specific aspect of the cybersecurity of Industrial Automation and Control Systems (IACS). The overall objective is to reduce the risk of cyber threats and safety failures in IACS. The standard consists of 14 documents divided into four groups: general, policies and procedures, system, and component.

1. General: This group explains the common elements across the series.

a. ISA/IEC 62443-1-1, first released in 2007, introduces the concepts and modules of the ISA/IEC 62443 series.

b. ISA/IEC 62443-1-2 is a technical report that explains the proprietary terms and acronyms used in the ISA/IEC 62443 series.

c. ISA/IEC 62443-1-3 describes the standards of basic and system-related quantification methods for the ISA/IEC 62443 series.

d. ISA/IEC 62443-1-4 uses examples to illustrate the lifecycle safety technical report of the IACS component layer.

 

2. Policies and Procedures: This group explains the policies and procedures related to IACS security.

a. ISA/IEC 62443-2-1, first released in 2009, outlines the requirements and definitions for the IACS network security management system, including the responsibilities of users and device owners.

b. ISA/IEC 62443-2-2 provides guidelines for the operation requirements of the IACS network security management system.

c. ISA/IEC 62443-2-3 was jointly published by ISA and IEC in 2015 as an update management guidance report for IACS.

d. ISA/IEC 62443-2-4 is a standard for requirements guidelines for other control system suppliers.

 

3. System Requirements: This group emphasizes security requirements at the system level.

a. ISA/IEC 62443-3-1 describes the security technical report used in the IACS environment.

b. ISA/IEC 62443-3-2 emphasizes the standard for IACS system security design and risk assessment.

c. ISA/IEC 62443-3-3, released in 2013, is a standard for system security and security level requirements.

 

4. Component Requirements: This group emphasizes the security requirements for IACS-related product development.

a. ISA/IEC 62443-4-1 is a standard for product development requirements.

b. ISA/IEC 62443-4-2 is a standard for system specification requirements for subsystems, system components, and other control system suppliers.

 

Broad Industry Applicability

This standard is applicable across various industries, demonstrating its versatility. Whether a business operates in the energy sector, water treatment, manufacturing, or any other field that uses IACS, ISA/IEC 6244 remains relevant.

  • Oil and gas
  • Renewables
  • Energy and power
  • Utilities
  • Manufacturing
  • Electrical and electronic equipment

 

 

Important Principles of Protection in ISA/IEC 62443

From the perspective of its scope, ISA/IEC 62443 is composed of 14 different standards or technical reports, with the overall goal of reducing cybersecurity risks within Industrial Automation and Control Systems (IACS). Each standard is designed to regulate a specific aspect/purpose, simply divided into four groups: General, Policies and Procedures (CSMS), System Security, and Component Product Security. Among nearly 1000 pages of the standard system, we have extracted its important principles of protection, as outlined below:

1. Establish Zones and Conduits

ISA/IEC 62443 proposes an industrial control system architecture corresponding to the Purdue model, dividing these functional levels into “zones” and “conduits”. According to the standard, a zone is a collection (group) of assets that physically or logically have common security requirements. All assets in IACS must be located within a zone. Conduits facilitate communication between zones. A conduit is a communication channel between two or more zones.

 

2. Implement Defense-in-Depth

Achieving cybersecurity objectives is usually impossible through the use of a single countermeasure or technology. A better approach is to employ the concept of defense-in-depth, which involves the layered or staggered application of multiple countermeasures. For example: Intrusion detection systems can be used to detect penetrations of firewalls, and network isolation can be employed to prevent spread of malware.

 

3. Application of Risk Analysis

The concept of risk analysis based on Criticality, Likelihood, and Impact is not new. It has been used to address risks related to production infrastructure, production capability (production downtime), impacts on people (injuries, death), and the environment (pollution). However, this technique needs to be extended to cybersecurity to address inherent risks of automated industrial control systems. ISA/IEC-62443 3-2 describes a method for cybersecurity risk assessment of Industrial Automation and Control Systems (IACS). Adhering to this method also facilitates the division of zones and conduits.

 

4. Principle of Least Privilege

This principle only grants users (humans, software, and devices) the permissions required to perform their tasks, in order to prevent unnecessary access to data or programs and to block or slow down attacks when users are under threat.

 

5. Establishing Basic Cybersecurity Requirements

The combination of various technologies within a cybersecurity solution is intended to meet basic cybersecurity requirements. These combinations of cybersecurity requirements are defined in ISA/IEC 62443 3-3 as seven Foundational Requirements (FRs), which help to ensure the security of IACS:

  • FR1 – Identification and Authentication Control (IAC): Identifies and verifies all users (humans, software, and devices) through protective mechanisms, preventing unauthenticated entities from accessing the system.
  • FR2 – Use Control (UC): Enforces the specified permissions of authenticated users (humans, software, and devices) to operate the IACS upon request, and monitors these permissions.
  • FR3 – System Integrity (SI): Ensures the integrity of the industrial automation and control system to prevent unauthorized actions.
  • FR4 – Data Confidentiality (DC): Ensures data encryption of communication channels and databases to prevent unauthorized disclosure.
  • FR5 – Restricted Data Flow (RDF): Divides control systems by regions and channels to limit unnecessary data flow.
  • FR6 – Timely Response to Events (TRE): Notifies the appropriate enforcement agencies when a cybersecurity violation is detected, reports the evidence needed for the violation, and takes corrective measures in a timely manner.
  • FR7 – Resource Availability (RA): Ensures the availability of the control system, mitigating degradation of performance or denial of access to critical services.

The Challenges of Implementing ISA/IEC 62443

Challenge 1: Management Support

The first hurdle in implementing ISA/IEC 62443 is to nail down the business perspective enough to gain management support. To secure this support, organizations need to clearly understand the systems, subsystems, and corresponding product components that are crucial for OT/ICS and cybersecurity. If this cannot be achieved, it is difficult to clearly communicate to management the potential consequences of cybersecurity threats, such as answering: what are the potential threats? What could be the impact on the business? What are the estimated losses stemming from an attack, or the costs of compensatory cybersecurity measures? Without answers to these questions, it is impossible to acquire the participation and commitment of management. Without management support, the success rate of implementing ISA/IEC 62443 will be very low.

 

Challenge 2: The Specificity of the OT Domain

The importance of OT cybersecurity is prioritized by availability, and OT is inherently fragile. To address these vulnerabilities, adherence to standard requirements often results in availability challenges. Organizations must strike a balance between availability and security, making the search for appropriate OT solutions crucial, such as:

1. OT systems operate on outdated equipment: Many older OT/ICS endpoints perform critical operations or decisions on production lines. However, due to possible unsupported operating systems or application software, new vulnerabilities cannot be fixed. As OT systems always need to be operational, regardless of how serious the vulnerabilities are, the choice may be made to not update or patch. This issue requires a new approach to resolve this complexity.

2. IT tools need connectivity, not suitable for manufacturing domains: General cybersecurity services are overly dependent on the Internet, which is not consistent with manufacturing settings (offline environments). Therefore, using IT solutions in a manufacturing context is challenging, for example: how to solve the problem of updating virus engine and virus pattern in an offline environment?

3. Manufacturers’ original equipment cannot install any software: The strict restrictions of original equipment manufacturers and warranty contract requirements not to install any software create difficulties in cybersecurity detection and incident resolution.

These difficulties require solutions that match these real-life scenarios, or cybersecurity vendors on hand that can assist with cybersecurity improvements and compliance requirements.

 

Challenge 3: Protection is Necessary in Addition to Visibility

Understanding the content that needs protection (asset discovery) and existing risks (vulnerabilities and threats) has always been crucial for any IT or OT cybersecurity plan. As a result, many OT visibility solutions have emerged, but they are not enough to meet the full requirements of the standard.

In the era of Industry 4.0, preparations need to be made for any negative event that may affect OT/ICS and how to recover as soon as possible after the event occurs. Therefore, in addition to visibility, more attention must be paid to event prevention, detection, containment, remediation, and recovery. This approach requires organizations to carry out fingerprinting and micro-segmentation processes on devices/assets according to data flow, location, critical functions, trust levels, ownership management, and/or other business logic combinations. In addition, organizations also need to consider how to ensure that regional and isolation configurations do not affect daily operations, security, and response capabilities.

Therefore, organizations must consider integrating endpoint and network defense to get closer to the concept of defense in depth. For example, organizations can consider advanced OT/ICS micro-segmentation (enhancing horizontal visibility of all assets) and zero-trust security, establishing OT default violation models, verifying all identities/devices, using the principle of least privileges, and having continuous monitoring and real-time response capabilities.

 

How to Leverage TXOne Networks to Implement ISA/IEC 622443 in Digital Manufacturing

The ISA/IEC 62443 series of standards provides a framework for gradually implementing industrial cybersecurity best practices and promoting continuous improvement. This includes control systems used in manufacturing, processing plants, public utilities (i.e., electricity, gas, and water), as well as pipeline and oil production and distribution facilities. However, the cybersecurity framework and requirements provided by ISA/IEC 62443 may seem daunting. Nevertheless, business leaders can establish a clear roadmap, devising an OT security improvement plan for the relevant organizational team members. The first step is to conduct a risk analysis to understand the differences between the organization’s current state and the ISA/IEC 62443 standards, identifying weak links or non-compliant areas. This may involve modifying processes, implementing new technologies, or conducting employee training. Ultimately, a phased approach allows for the execution of a compliance plan based on available resources, rather than trying to achieve all goals immediately.

A key part of this is ISA/IEC 62443 3-3, which describes the security functions that OT/ICS should implement. TXOne’s OT zero trust solution simplifies compliance with ISA/IEC 62443 3-3, effectively protecting critical and important entity OT/ICS endpoints and network systems, ensuring operational availability, integrity, and confidentiality, while protecting the entity from supply chain impact attacks.

a) Security Inspection: Portable Inspector uses a removable approach to provide effective malware scanning with independent computer and physical isolation. It can detect and remove malicious software by being inserted into the USB port of any Windows and Linux device without the need for software installation or rebooting the target system. In addition, Portable Inspector can collect asset information to generate an inventory list to increase IT/OT visibility and eliminate shadow IT/OT. With its use of an AES 256 hardware encryption engine and scanning of all files before storing data, it ensures that data is free from malware before being securely placed in storage.

b) Endpoint Protection: Stellar offers organizations an all-in-one OT solution for long-term endpoint security coverage, securing modernized assets with a library of ICS applications and certificates. For fixed-use and legacy systems, Stellar locks them down so that they can only conduct tasks related to their role, and StellarOne empowers smooth management throughout the asset lifecycle from a single pane of glass.

c) Network Defense: Edge series employs auto-rule learning technology to assist organizations in automatically generating a network trust list, and allows organizations to create and edit L2-L3 network policies strictly based on which assets need to communicate in order to do their work, highlighting all suspicious or potentially harmful activity. The Edge series also supports a wide range of industrial protocols and deeply analyzes network packets, enabling organizations to effectively block malicious behavior and errors without affecting production line operations. To protect legacy devices and production systems that are vulnerable to attack due to unpatched vulnerabilities, Edge series uses industry-leading signature-based virtual patching technology. In addition, Edge series minimizes the time required to configure and manage devices and can be easily deployed in an organization’s existing OT environment.

 

You can also gain in-depth information from the “Securing Digital Manufacturing: The Essence of ISA/IEC 62443 Implementation” report. TXOne Networks, with its skilled OT/ICS cybersecurity professionals and technologies, is committed to maintaining the availability, stability, and security of critical infrastructure and the manufacturing industry. This enables us to overcome cybersecurity challenges and ensure continuous operations. Our automated solutions can assist businesses in effectively responding to the requirements of the ISA/IEC 62443 standards, and align with an organization’s cybersecurity upgrade roadmap.

TXOne image
TXOne Networks

Need Assistance with OT Security ?

Our team is here to assist with OT security challenges and provide guidance on implementing effective solutions.​