In our previous article we highlighted the complicated relationship between the Industry 4.0 and solutions for Industrial Cyber Security. We stated that the only way to apply the most adequate countermeasures in order to protect control systems, such as PLC, SCADA and HMI, is by analyzing the actual cyber risk for the OT world, Operational Technology. Although many companies are still skeptical regarding the prevention from cyber attacks, we can say that the international standard IEC 62443 is “hacker-proof”. We will now discuss the key points of this standard.
What the IEC standard aims at in terms of Industrial Cyber Security
The IEC 62443 is the international standard for the protection of industrial control systems. This standard is therefore the only reliable solution for Cyber Security in the field of industrial automation.
This standard was set up almost twenty years ago by a group of volunteers belonging to the SP99 Committee, established by ISA, International Society Automation & Control. It was later reviewed and adopted by the IEC, the International Electrotechnical Commission; hence the original name was ISA 99/IEC 62443.
Even if not mandatory for companies, the application of this standard makes industrial control systems immune against cyber threats. In the current scenario, where the number of hazards for this type of technologies is significantly growing, the application of the IEC standard ensures that companies are immune from any potential hazards that may cause, among other things, the breakdown of equipment, freeze in production, as well as unexpected costs related to the repairing of control systems, and profit loss.
This international standard was therefore set up to protect the Industry 4.0 making the sharing of data from outwards to inwards, and vice-versa, safe and reliable.
The Cyber Security Lifecycle according to IEC Requirements
Before examining which specifications of the Industrial Cyber Security standard are the most relevant for the Industry 4.0, it is necessary to clarify some fundamental terms to better understand this field.
IACS: literally Industrial Automation Control System, also known as ICS, Industrial Control System. In a broader meaning, IACS is synonymous with OT (Operations Technology) being a technology that interfaces with an operational process. In this context, the term is used to distinguish an IACS from an IT device that aims at receiving and transmitting information. Examples of IACS are industrial devices such as PLCs, HMIs or SCADAs.
IACS Security Lifecycle: it is the Security Lifecycle of an IACS, namely the set of phases that must be carried out in order for the IACS protection to be in compliance with the Cyber Security requirements defined by the IEC standard. The phases of the IACS Security Lifecycle are Assess, Implement and Maintain.
CSMS: it is the Cyber Security Management System which represents the set of practices and actions aiming at identifying cyber risks and defining the most correct countermeasures.
IACS Security Lifecycle
The international IEC standard covers all phases of the IACS Security Lifecycle. It begins with the assessment of risks and vulnerabilities and ends with the maintenance of the security level performances in the long term.
The Assess Phase consists in the set of activities aiming at identifying high-level risks and analyzing vulnerabilities and low-level risks. It ends with the allocation of minimum Cyber Security requirements required for each component of the IACS system.
1. Risk Assessment
2. Vulnerability Assessment
3. Penetration Test
4. Threat Modeling
5. Security Level Allocation
It is during the Implement Phase that companies wishing to protect themselves from cyber attacks shall define the entire CSMS, Cyber Security Management System, as well as adopt procedures and strategies aiming at preventing cyber attacks and protecting their own industrial control systems.
1. Defence Strategy
3. Security Level verification
Cyber Security is however a process that needs to be constantly monitored and periodically implemented by means of maintenance activities (Maintain Phase) related to the safety level of industrial plants. This is the only way to ensure that data flow, which can be shared outwards, is safe from cyber threats, therefore avoiding catastrophic consequences for companies.
2. Follow up
Why companies should adopt the IEC 62443 Standard
The application of the IEC 62443 international standard represents a guarantee both for the security of OT data to be shared with the IT and the entire production sector. It is therefore possible to avoid any possible contamination with “infected” data.
However, when looking at the future, industrial product safety may only be a mirage if we don’t apply an adequate protection from cyber attacks to the industrial sector. For this reason, we all have to be aware of this scenario.
As consultants in the field, we have created a dedicated team of certified specialists in accordance with the ISA99/IEC62443 Cybersecurity Fundamentals Specialist and ISA99/IEC62443 Cybersecurity Risk Assessment Specialist standards. Our goal is to help companies adopt real safety measures which are long-lasting and compliant to the requirements provided by the IEC 62443 standard for each single phase of the IACS Security Lifecycle.
Back to the Blog