IIC, ISA update IoT security maturity model; guide security of industrial automation and control systems

The Industry IoT Consortium (IIC) and the International Society of Automation (ISA) announced Wednesday an update to the IoT Security Maturity Model (SMM): ISA/IEC 62443 Mappings for Asset Owners, Product Suppliers, and Service Suppliers. The update also accounts for significant revisions to the ISA/IEC 62443-2-1 standard, which covers security programs for industrial automation and control systems (IACS).

Mapping the SMM to the ISA/IEC 62443 requirement framework for industrial automation and control systems lets 62443 requirements be tied directly to SMM target setting and assessment. Edition 2 of ISA/IEC 62443-2-1 removes its material on the information security management system (ISMS), so that stakeholders rely on ISO/IEC 27001 for the information security management system and on ISO/IEC 27002 for the related controls, while 62443-2-1 itself retains the OT-specific requirements for security programs.

Correspondingly, the updated mappings add a new section of SMM practice mappings to Edition 2 of ISA/IEC 62443-2-1 and to the relevant ISO/IEC 27001 and 27002 requirements. The SMM: ISA/IEC 62443 Mappings for Asset Owners, Product Suppliers, and Service Suppliers retains the Edition 1 mappings and adds other corrections and clarifications.

“If you determine that you need to achieve an SMM comprehensiveness level 3 for your identity management capability, such a mapping then allows you to identify the appropriate security measures that you can apply to achieve this comprehensiveness level,” the whitepaper titled ‘IoT Security Maturity Model: ISA/IEC 62443 Mappings for Asset Owners, Product Suppliers and System Integrators’ states. “Since you need to also apply the mechanisms of comprehensiveness levels 1 and 2 to reach level 3, this provides a clear roadmap of what investment in technologies and processes must be made, and which ones must work together to achieve the business requirements.”

The SMM provides a means to set maturity targets and perform assessments so that security efforts can be managed more effectively. The 62443 standards supply the concrete requirements that can be used to reach a given SMM comprehensiveness level for a practice. Used together, the two give an organization a path from a maturity target to the specific requirements that satisfy it.

The whitepaper organizes security maturity into three domains, governance, enablement, and hardening, which set the priorities for security maturity enhancements at the strategic level.

Governance is the establishment of policies by the members of an organization’s governing body, together with continuous monitoring of their proper implementation. It influences and informs every security practice, including business processes, legal and operational issues, reputation protection, and revenue generation. The organization’s culture, and the degree of importance it places on security, is reflected in its governance.

Enablement is the implementation of security mechanisms and procedures needed to create a system meeting the policy and operational requirements. Enablement uses architectural design to address business risks and specific practices to enable operations.

Hardening is the use of security practices during system operation. This includes identifying ongoing risks through situational awareness, monitoring system operation, and managing changes in the system, such as patching.

The document evaluates security maturity along two orthogonal dimensions: comprehensiveness and scope.

Comprehensiveness captures the degree of depth, consistency, and assurance of security practices. Using comprehensiveness in this model reduces complexity by considering several aspects together, such as organizational security awareness, the degree to which practices are implemented, and the assurance of those practices (and their evolution). Scope, on the other hand, reflects the degree of fit to the industry or system needs. It captures how far the security measures supporting maturity domains, subdomains, or practices have been customized. Such customizations are typically required to address industry- or system-specific constraints of the IoT system.

The white paper identifies that comprehensiveness and scope help manage and prioritize security maturity practices. “Certain systems may not require certain practices at all, yet this can still reflect a high level of security maturity when that decision is appropriate. Avoiding unnecessary mechanisms reduces costs and lowers complexity, which will reduce risks. The security maturity of the system should be determined against the requirements that best meet its purpose and intended use,” it added. 

The 62443 standards are designed to support the participants in the IACS ecosystem so that all aspects of the system are considered from a holistic security perspective. Asset owners who operate control systems have operational requirements (62443-2-1 Ed 1); product suppliers have requirements for the security capabilities of system and component products (62443-3-3 and 62443-4-2) and for the product development lifecycle process (62443-4-1). System integrators have requirements for the development of solutions (62443-2-4, 62443-3-2), and the solution itself has requirements that all parties must consider (62443-3-3).

Given the importance of making the requirements and maturity analysis actionable for various ecosystem participants, it makes sense to orient the SMM 62443 mappings to the specific parties. A mapping document for a product supplier, for example, will need to consider the mapping of 62443 requirements directly affecting the product development life cycle (62443-4-1) and those of the security capabilities of the products (62443-3-3 and 62443-4-2).

The asset owner mapping addresses organizations responsible for the operational technology (OT) environment, especially IACS.

ISA/IEC 62443-2-1 specifies how the asset owner should manage processes, practices, and personnel as part of its security program. The standard emphasizes the need for consistency between IACS cybersecurity practices and IT security practices. ISO/IEC 27001 is the widely accepted standard for information security management, and much of its content applies to IACS as well.

The 62443-2-1 standard also addresses some of the important differences between IACS and general business or information technology systems. It introduces the concept that cybersecurity risks to IACS may have implications for health, safety and the environment (HSE), and should therefore be integrated with the existing risk management practices that address those risks.

“Together with IoT SMM industry profiles, the mappings are a powerful tool to allow organizations to identify what they need to accomplish within their industries and when deploying certain types of solutions, such as digital twins,” Ron Zahavi, CEO, Auron Technologies and one of the SMM authors, said in a media statement. 

“This new guidance extends the previously published IoT Security Maturity Model (SMM): ISA/IEC 62443 Mappings for Asset Owners, Product Suppliers, and Service Suppliers by incorporating updates to the 62443-2-1 standard, thus giving practical guidance to practitioners who wish to improve their security maturity,” Frederick Hirsch, co-chair of the joint IIC-ISA SMM group and co-author of the paper, said. “The updated IoT SMM document extends the guidance of the IoT Security Maturity Model and its profiles so that once maturity level targets and assessments are understood, organizations may use the current ISA/IEC 62443 guidance to help achieve maturity targets.”

“It’s not about adding more security but about implementing the appropriate security measures,” Pierre Kobes, an ISA99 and IEC Technical Committee 65 member, said. “The updated IoT SMM: ISA/IEC 62443 Mappings for Asset Owners and Product Suppliers helps companies select the adequate security levels commensurate with their expected level of risk. The ISA/IEC 62443 standards are significant for industrial automation and control system security programs, providing proven and accepted engineering practices, increasing the power of using the IoT Security Maturity Model.”

Last month, the U.S. administration announced a cybersecurity certification and labeling program to help Americans choose smart devices that are safer and less vulnerable to cyberattacks. The new ‘U.S. Cyber Trust Mark’ program, proposed by Jessica Rosenworcel, chairwoman of the Federal Communications Commission (FCC), would raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, and smart fitness trackers.

The National Electrical Manufacturers Association (NEMA) announced last month a memorandum of understanding with the ISA to promote cybersecurity standards and practices for OT and industrial control systems (ICS), especially the ISA/IEC 62443 series of standards. The agreement focuses on promoting policies that reference the ISA/IEC 62443 series when codes, incentives, and mandates for OT/ICS cybersecurity are established.
