Reading Time: 6 minutes Difficulty: Advanced
16 May 2019
16 May 2019
Reading Time: 6 minutes Difficulty: Advanced

Considering the impact of Industry 4.0 on Industrial Cyber Security, the only way to apply the most adequate countermeasures in order to create a security plan in accordance with IEC 62443 for industrial automation control system, is by analyzing the actual cyber risk.

What the IEC 62443 standard aims at

The IEC 62443 is the international standard for the security of industrial automation control systems. This standard is therefore the only reliable solution for Cyber Security in the field of industrial automation.

This standard was set up almost twenty years ago by a group of volunteers belonging to the SP99 Committee, established by ISA, International Society Automation & Control. It was later reviewed and adopted by the IEC, the International Electrotechnical Commission; hence the original name was ISA 99/IEC 62443.

Even if not mandatory for companies, the application of this standard makes industrial control systems immune to cyber threats. In the current scenario, where the number of hazards for this type of technology is significantly growing, the application of the IEC standard ensures that companies are immune from any potential hazards that may cause, among other things, the breakdown of equipment, freeze in production, as well as unexpected costs related to the repairing of control systems, and profit loss.

This international standard was therefore set up to protect Industry 4.0 making the sharing of data from outwards to inwards, and vice-versa, safe and reliable.

 

IEC 62443 compliance and Cyber Security Lifecycle

Before examining which specifications of the Industrial Cyber Security standard are the most relevant for Industry 4.0, it is necessary to clarify some fundamental terms to better understand this field.

IACS: literally Industrial Automation Control System, also known as ICS, Industrial Control System. In a broader meaning, IACS is synonymous with OT (Operations Technology) being a technology that interfaces with an operational process. In this context, the term is used to distinguish an IACS from an IT device that aims at receiving and transmitting the information. Examples of IACS are industrial devices such as PLCs, HMIs, or SCADAs.

IACS Security Lifecycle: it is the Security Lifecycle of an IACS, namely the set of phases that must be carried out in order for the IACS protection to be in compliance with the Cyber Security requirements defined by the IEC standard. The phases of the IACS Security Lifecycle are Assess, Implement, and Maintain.

CSMS: it is the Cyber Security Management System that represents the set of practices and actions aiming at identifying cyber risks and defining the most correct countermeasures.

The international IEC standard covers all phases of the IACS Security Lifecycle. It begins with the assessment of risks and vulnerabilities and ends with the maintenance of the security level performances in the long term.

The Assess Phase consists of a set of activities aiming at identifying high-level risks and analyzing vulnerabilities and low-level risks. It ends with the allocation of minimum Cyber Security requirements required for each component of the IACS system.

Assess

1. Risk Assessment

2. Vulnerability Assessment

3. Penetration Test

4. Threat Modeling

5. Security Level Allocation

 

It is during the Implement Phase that companies wishing to protect themselves from cyberattacks shall define the entire CSMS, Cyber Security Management System, as well as adopt procedures and strategies aiming at preventing cyberattacks and protecting their own industrial control systems.

 

Implement

1. Defense Strategy

2. CSMS

3. Security Level verification

Cyber Security is however a process that needs to be constantly monitored and periodically implemented by means of maintenance activities (Maintain Phase) related to the safety level of industrial plants. This is the only way to ensure that data flow, which can be shared outwards, is safe from cyber threats, therefore avoiding catastrophic consequences for companies.

 

Maintain

1. Auditing

2. Follow up

 

Why companies should comply with the IEC 62443 Standard

The compliance with the IEC 62443 international standard represents a guarantee both for the security of OT data to be shared with the IT and the entire production sector. It is therefore possible to avoid any possible contamination with “infected” data.

 

What some of our customers say

 

“It is with great pleasure that I have the opportunity to recommend H-ON Consulting for the implementation of Cyber Security for Industrial Automation and Control System (IACS). Their expertise was valuable and I would highly recommend them…” Sirio Sistemi Elettronici – Download file

 

 

Do you need immediate assistance in regard to Industrial Cyber Security?

Go back to the blog
Send this to a friend