Securing Industrial Control Systems with the ISA/IEC-62443 Standard

ICS Security Standard IEC-62443

In recent years, industrial process control networks alongside supervisory control and data acquisition (SCADA) systems have become steadily more integrated with web technologies such as Ethernet and TCP/IP. The consequences of this integration have seen these systems become increasingly vulnerable to the numerous types of cyber threats at the disposal of malicious hackers. Phishing, malware and ransomware, brute force or man-in-the-middle attacks, unfortunately the majority of industrial automation and control systems are vulnerable to these attacks due to their increasing number of potential attack vectors. The Internet of Things (IoT) has transformed the way in which many different industries approach automation and control systems and there are a vast number of different security solutions available for differing security architectures. However, the increasing threat posed by cyber-attacks and malevolent hackers has caused end users to call for “security-by-design” equipment frameworks to be employed so as to enable them to create the most secure environments possible for their industrial control and automation systems.

This where cyber-security standards come in. In 2002, the International Society for Automation created and distributed the ISA-99 cyber security document to those in industrial automation sectors in order to inform them of how to protect themselves from the cyber security threats of the time. In its present state, the ISA/IEC-62443 standard is made up of a series of standards, reports, and other documentation that define the procedures required to enable network operators to implement secure industrial automation and control systems. One of the biggest strengths to the ISA/IEC-62443 standard is that it has been written to cover multiple industrial sectors in its scope and can also be used within similar control systems in adjacent markets. Because of this, it has become the go-to standard recognized and incorporated by multiple countries and organizations.

Outlining the Goals of the IEC-62443 Series

So, what does the ISA/IEC-62443 standard aim to do? Much like the original 2002 ISA-99 document, the objective of the ISA/IEC-62443 standard is to improve the safety, integrity, confidentiality, and availability of systems, devices, and components that make up industrial automation and control systems. It also aims to provide criteria for the procurement and implementation of industrial automation and control systems and, by conforming to the requirements of the ISA/IEC-62443 standard, it is hoped that electronic security will be improved while also helping to identify and deal with vulnerabilities. Another aim of the standard is to reduce the risk of confidential data becoming compromised as well as reduce the risk of hardware or software degradation or the failure of control systems or processes. Major equipment suppliers such as Schneider Electric, Honeywell, Siemens, and Yokogawa have chosen to back the ISA/IEC-62443 standard as a foundational standard that could drive enhancements to device security as well as adding features to their own technologies in order to become compliant with the ISA/IEC-62443 standard.

The standard itself is organized into four elements; General, Policies and Procedures, System, and Component. These groups correspond with their overall focus and intended audience.

General

The general group contains the standard elements that are commonly found throughout the entire series such as descriptions of an industrial automation and control system security lifecycle and use cases illustrating their applications.

Policies & Procedures

The policies and procedures group focusses on industrial automation and control systems security procedures such as cyber security and patch management as well as requirements for suppliers of industrial automation and control systems. Both the general and policies and procedures groups are primarily aimed at asset owners.

System

The system group is self-explanatory in that it covers cyber security requirements at the system level. These include aspects such as environmental technologies, risk assessment, and system design. The system group is primarily aimed at system integrators.

Component

The final component group covers the specific details and requirements for the design and development of industrial automation and control system products covering topics such as the derived requirements applicable to the development of products. The component group is primarily aimed at component suppliers.

The ISA/IEC-62443 standard looks to improve the operation, production, and management of industrial automation and control systems and positive steps are being made with it increasingly being adopted by businesses and organizations across various industries. This adoption by network administrators, component suppliers, and system integrators is proof that standards such as the ISA/IEC-62443 are much needed in a world currently embracing swift and disruptive technological innovation and advancement.


Related Posts