What is IEC 62443: A Cybersecurity Guide for Industrial Systems


This is the first article in a series introducing the IEC 62443 standard to those interested in cybersecurity for industrial infrastructures. This first one looks at the IEC 62443 standard in general, with later articles looking into some of the individual documents in more detail. My goal with this series is to give you enough insight that you can work out which of the many documents that make up IEC 62443 might be of use to you.

For many years we have been focusing on the cybersecurity of IT systems, something that has become increasingly important with IT becoming ever more integrated into society. That integration has been extended to integrating IT with systems that have historically been separated from IT systems, namely industrial systems.

Industrial systems, or OT/ICS systems, are the infrastructure that, for instance, make sure we have water on the tap and electricity in our sockets. Industrial systems are responsible for a plethora of things we take for granted daily. Manufacturing of cars is done with industrial systems, the same goes for windmills and countless other physical products.

The historical separation between IT and OT/ICS systems is no longer applicable, as the economics of integrating these separate infrastructures, convenience and money saved, has pushed for integrating these infrastructures. This has exposed the traditional OT/ICS systems to the threats that we have seen against IT for decades.

You could ask why the threats are that great; aren’t OT/ICS systems running on completely different protocols and the like? (See the appendix for a list of OT/ICS protocols and terms.) That is very true, but the systems managing these protocols and devices are running standard IT components. Unfortunately, when a new factory is built, the expectation is that it will run for decades without updating the hardware and software that help run the factory.

So the PLCs, valves and everything else within the factory will be running old versions of code, and with the integration between IT and OT/ICS, that old code will be exposed to the same threats we see against IT infrastructures. I know of one company that built a factory back in the 90’s that is still using Windows 95 as the interface to the various factory components. Combined with the fact that updating OT/ICS devices with the latest code, if the vendor still supports them at all, is in most cases a manual process, this means that most, if not all, OT/ICS systems are inherently vulnerable to cyber threats.

We cannot apply our normal processes to OT/ICS infrastructures; we must protect them in another way, and that is what this book is about. As cybersecurity professionals, we will be ever more involved in protecting OT/ICS infrastructures alongside the normal IT infrastructures. This part of the book focuses on IEC 62443, a security standard aimed at OT/ICS infrastructure protection. IEC 62443 is like ISO 27001, just bigger, much bigger: the full standard is 1000+ pages, not something you can just read in an evening.

This book will serve as an introduction to the standard, but a Rapid will not be able to cover all of the nooks and crannies in IEC 62443. What we can do is point you to the important parts and help you focus your efforts when you need to dig into the details of the various areas of IEC 62443. Now, let’s begin our look at the IEC 62443 standard.

This chapter will describe what IEC 62443 is and give an overview of the various components within IEC 62443. Unlike ISO 27001, IEC 62443 consists of many individual documents under the umbrella of IEC 62443:

As new versions are released, the year is added to the title of these documents. Let’s look at some of the details of IEC 62443.

IEC 62443 is a series of standards focused on securing Industrial Automation and Control Systems (IACS). Developed by the International Electrotechnical Commission (IEC), these standards aim to provide a structured framework to manage and mitigate risks associated with industrial cyber security. The series covers various aspects, from general concepts and models to technical requirements for specific components, as well as procedures for implementing security measures.

Scope and Models: IEC 62443 applies to all types of Industrial Control Systems, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other types of control systems used in industrial sectors like manufacturing, energy, chemical, and others. The standards present models and concepts that define how industrial systems should be organized and protected.

Security Levels: The standards define four Security Levels (SLs), from SL 1 to SL 4, each corresponding to a set of threats and security capabilities. Lower levels (SL 1, SL 2) are concerned with preventing accidental or non-sophisticated intentional attacks, while higher levels (SL 3, SL 4) address more sophisticated and targeted attacks.

Risk Assessment and System Design: One of the core components of IEC 62443 is the emphasis on risk assessment and the systematic design of security measures. It encourages organizations to identify potential vulnerabilities in their systems, evaluate the risks associated with those vulnerabilities, and implement appropriate security measures to mitigate those risks.

Component and System Requirements: The standards specify detailed technical requirements for both the components that make up industrial systems (like controllers, sensors, and software) and the systems. These requirements include aspects like authentication, authorization, data integrity, confidentiality, and monitoring.

Policies and Procedures: Beyond technical measures, IEC 62443 also covers the need for organizational policies, procedures, and training to support industrial cybersecurity. This includes incident response planning, security patch management, and user training and awareness programs.

Certification and Compliance: Various certification schemes exist to verify compliance with IEC 62443 standards. These certifications help organizations demonstrate their commitment to cybersecurity best practices and can be a prerequisite in certain industries or for certain clients.

The IEC 62443 series is considered crucial for the cybersecurity of industrial environments, especially given the increasing connectivity of these systems and the potential consequences of cyberattacks on critical infrastructure. It provides a comprehensive framework that helps organizations in various industrial sectors to identify, mitigate, and manage cybersecurity risks effectively.

Let’s look at some of the details of the individual sections of IEC 62443 before digging into some of them later in this part of the book.

IEC 62443-1

The IEC 62443-1 standard is part of the IEC 62443 series, which focuses on the cybersecurity of Industrial Automation and Control Systems (IACS). The series provides a structured set of guidelines and technical specifications to secure industrial automation systems across their lifecycle. It addresses various aspects from terminology and concepts to technical requirements and security levels.

IEC 62443-1, specifically, deals with the general aspects of the standard, including terminology, concepts, and models that are foundational for the rest of the series. It sets the stage for a common understanding and framework within which the more detailed and specific parts of the standard operate.

IEC 62443-1 is not a core requirement if you are an experienced ICS security professional; for those new to the area, this section provides the terminology that is used heavily in later parts of IEC 62443.

IEC 62443-2

The IEC 62443-2 part of the standard, specifically IEC 62443-2-1 and IEC 62443-2-4, focuses on the security management and service provider aspects within Industrial Automation and Control Systems (IACS).

IEC 62443-2-1 is targeted at operators of automation solutions. It outlines the requirements for maintaining security during the operation of industrial plants. This part is aligned with the principles found in ISO/IEC 27001, emphasizing the management of security processes and the establishment of a security program tailored to the needs of asset owners (Wikipedia).

IEC 62443-2-4, on the other hand, details the security program requirements for IACS service providers. It specifies the capabilities that service providers should offer to asset owners during the integration and maintenance of an automation solution. This part of the standard was developed in collaboration with various international bodies and committees and focuses on aspects such as assurance, architecture, security engineering systems, configuration management, remote access, and patch management, among others (Industrial Cyber) (Wikipedia).

Both parts are integral in ensuring that both asset owners and service providers within the IACS ecosystem adhere to a consistent set of security practices, thus enhancing the overall security posture of industrial environments.
This can all be boiled down to the fact that IEC 62443-2 is dealing with the softer areas of cybersecurity, namely the policy and procedures part of it. These areas might not be as sexy as the more technical parts, but they are the basis for the later sections of IEC 62443.

IEC 62443-3

The IEC 62443-3 part of the standard focuses on various aspects of security for Industrial Automation and Control Systems (IACS). It includes IEC 62443-3-1, which deals with security technologies for IACS. This part provides a current assessment of cybersecurity tools, mitigation countermeasures, and technologies that could be effectively applied to modern electronically based IACSs across various industries and critical infrastructure environments. It encompasses several categories of control system-centric cybersecurity technologies, outlining the types of products available, their advantages and disadvantages, and preliminary recommendations for their use (Industrial Cyber).

IEC 62443-3-2 sets out the requirements for defining a system under consideration (SUC) for an IACS and its associated networks. It involves partitioning the SUC into zones and conduits, assessing the risk for each, and establishing security level targets for each zone and conduit. This part is also concerned with documenting the security requirements needed to design, implement, operate, and maintain adequate technical security measures, emphasizing the importance of risk management in IACS security (Industrial Cyber).

Lastly, IEC 62443-3-3 defines detailed technical control system requirements associated with the seven foundational requirements described in the broader IEC 62443 framework. It outlines the requirements for control system capability security levels, providing guidance for various stakeholders in the IACS community, including end-users and service providers (Wikipedia) (Industrial Cyber).

These components of the IEC 62443-3 part work together to ensure a comprehensive approach to assessing, implementing, and maintaining cybersecurity measures within industrial automation and control systems, addressing both the technological and procedural aspects of security.
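To make the zone, conduit and security level concepts from IEC 62443-3-2 and 3-3 above concrete, here is an added worked example (my own illustration, not code from the article or from the standard). It models a small system under consideration as zones with a target security level (SL-T) per foundational requirement, assets with a vendor-stated capability level (SL-C), and conduits joining zones, then reports where an asset falls short of its zone's target and where a conduit crosses a boundary between zones with different targets. The seven foundational requirements and SL 0 to 4 are from the standard; the sample zones, assets and levels are constructed, and the way zone-level compensating countermeasures raise an asset's achieved level is a modelling simplification of mine, not a formula the standard prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The seven foundational requirements (FRs) under which IEC 62443-3-3 and 4-2 group
# their requirements, in the standard's order. IAC: identification & authentication
# control, UC: use control, SI: system integrity, DC: data confidentiality,
# RDF: restricted data flow, TRE: timely response to events, RA: resource availability.
FRS: Tuple[str, ...] = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

SLVector = Dict[str, int]  # FR abbreviation -> security level 0..4


def sl_vector(*levels: int) -> SLVector:
    """Build an SL vector from seven integers given in FR order (SL 0 = no requirement)."""
    if len(levels) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(levels)}")
    for lvl in levels:
        if not 0 <= lvl <= 4:
            raise ValueError(f"security level {lvl} is outside 0..4")
    return dict(zip(FRS, levels))


@dataclass
class Zone:
    name: str
    sl_target: SLVector                                        # SL-T chosen after risk assessment
    assets: Dict[str, SLVector] = field(default_factory=dict)  # asset -> SL-C (vendor capability)
    # Zone-level compensating countermeasures, expressed as the level they provide per FR
    # (hypothetical simplification for this example, not a formula from the standard).
    compensating: Optional[SLVector] = None


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    sl_target: SLVector


def capability_gaps(zone: Zone) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Per asset, the FRs where the achieved level (SL-C raised by any zone-level
    compensating countermeasure) is below the zone's SL-T, as (achieved, target).
    An empty dict means every asset in the zone meets the target."""
    gaps: Dict[str, Dict[str, Tuple[int, int]]] = {}
    comp = zone.compensating or {fr: 0 for fr in FRS}
    for asset, sl_c in zone.assets.items():
        short = {}
        for fr in FRS:
            achieved = max(sl_c[fr], comp[fr])
            if achieved < zone.sl_target[fr]:
                short[fr] = (achieved, zone.sl_target[fr])
        if short:
            gaps[asset] = short
    return gaps


def boundary_conduits(conduits: List[Conduit], zones: Dict[str, Zone]) -> Dict[str, Dict[str, int]]:
    """Per conduit, the FRs on which the two joined zones have different SL-T and by how
    much. These are the boundaries whose conduit protections must hold up the higher
    zone's target; conduits between zones with identical targets are omitted."""
    result: Dict[str, Dict[str, int]] = {}
    for c in conduits:
        a, b = zones[c.zone_a].sl_target, zones[c.zone_b].sl_target
        diff = {fr: abs(a[fr] - b[fr]) for fr in FRS if a[fr] != b[fr]}
        if diff:
            result[c.name] = diff
    return result


# Constructed sample SUC (not from the article): a control zone, a plant DMZ and the
# corporate IT zone, joined by two conduits.
ZONES = {
    "control": Zone("control", sl_vector(3, 3, 3, 2, 3, 3, 3),
                    assets={"plc-1": sl_vector(2, 2, 3, 1, 2, 2, 3),
                            "hmi-1": sl_vector(3, 3, 3, 2, 3, 3, 3)},
                    compensating=sl_vector(3, 3, 0, 0, 3, 3, 0)),
    "dmz": Zone("dmz", sl_vector(2, 2, 2, 2, 2, 2, 2),
                assets={"historian": sl_vector(2, 2, 2, 2, 2, 2, 2)}),
    "it": Zone("it", sl_vector(1, 1, 1, 1, 1, 1, 1)),
}
CONDUITS = [
    Conduit("control-dmz", "control", "dmz", sl_vector(3, 3, 3, 2, 3, 3, 3)),
    Conduit("dmz-it", "dmz", "it", sl_vector(2, 2, 2, 2, 2, 2, 2)),
]


def assess(zones=ZONES, conduits=CONDUITS):
    """Run both checks over the SUC; returns (gaps per zone, boundary conduits)."""
    gaps = {name: capability_gaps(z) for name, z in zones.items() if capability_gaps(z)}
    return gaps, boundary_conduits(conduits, zones)


if __name__ == "__main__":
    gaps, boundaries = assess()
    for zone, per_asset in gaps.items():
        for asset, frs in per_asset.items():
            print(f"{zone}/{asset} below SL-T on {frs}")
    for name, diff in boundaries.items():
        print(f"conduit {name} spans an SL-T difference on {diff}")
```

In the sample, the PLC's weak identification, use control and data-flow capabilities are covered by the zone's compensating countermeasures, but nothing compensates for its data confidentiality shortfall, so that is the one gap reported; both conduits are reported because each joins zones with different targets, which is exactly where the risk assessment of IEC 62443-3-2 expects the boundary protections to be justified.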

This is the section where security engineers become involved; IEC 62443-2 is aimed more at the business side, although not exclusively.

IEC 62443-4

The IEC 62443-4 part of the standard is dedicated to the secure product development lifecycle and technical security requirements for Industrial Automation and Control Systems (IACS) components.
IEC 62443-4-1 focuses on establishing a framework for secure product development to ensure that products used within IACS are developed with security considerations from the start. It covers various aspects such as management of development, defining security requirements, designing security solutions, secure development, testing security features, handling vulnerabilities, and documenting security features. The goal is to guide manufacturers in creating products that are secure by design, thus contributing to the overall security of industrial automation systems (Wikipedia) (Industrial Cyber).

IEC 62443-4-2, on the other hand, details the technical requirements for IACS components, ensuring they meet specific security standards. This part defines what is required of the components in terms of security capabilities, taking into consideration their role within the larger system. It includes common component security constraints that must be met for components to be compliant with the standard. These constraints ensure components consider the general security characteristics of the systems they are used in, meet technical requirements through system-level compensating countermeasures, if necessary, apply the principle of least privilege, and are developed following compliant processes (Wikipedia).

Together, these parts of the IEC 62443 standard aim to enhance the security of industrial automation systems by ensuring both the processes involved in product development and the technical specifications of the components adhere to rigorous security standards.

When you initially look at the various documents constituting the IEC 62443 standard, getting an overview of how they fit together can be challenging! There is of course the obvious choice of ‘just’ reading all of them, end to end. The number of pages in the complete set of documents is 1000+, making that a multi-week endeavor. Below is a figure that provides an overview of how the individual documents fit together and can focus the reading effort.


Unlike ISO 27001, which is only some 80-90 pages long, IEC 62443, with all its sections, covers 1000+ pages. This makes covering the entire standard in some 50 pages challenging, to say the least. Therefore, the coming chapters in this part will focus on some of the subsections of IEC 62443, specifically some of the parts in IEC 62443-2, -3 and -4. Why?

The terminology in IEC 62443-1 is just reading, and the softer parts of ICS cybersecurity in IEC 62443-2 are not that different from what is used in IT cybersecurity, although they are exponentially more important. The design and technology covered in IEC 62443-3 and the development and requirements covered in IEC 62443-4 will be much more interesting and much different from what we are used to when securing normal IT infrastructures. We will begin in the next chapter with IEC 62443-3.
