Strategically deployed IEC 62443 standards can assist ICS, OT environments bolster cybersecurity posture


An escalating threat landscape of persistent cybersecurity incidents, malware and ransomware attacks, hardware vulnerabilities, and the trickle-down effect of supply chain attacks, further exacerbated by worsening geopolitical turbulence, gives the industrial cybersecurity sector good reason to scrutinize the comprehensive set of IEC 62443 standards. These benchmarks, when appropriately adopted, can help tackle the cybersecurity challenges prevalent across industrial automation and control systems (IACS) and operational technology (OT) environments.

Built over the years to meet performance and availability requirements over equipment lifetime, the International Electrotechnical Commission (IEC) 62443 series provides overarching guidance to industrial frameworks with comprehensive guidelines on the ICS (industrial control system) technology while considering risk and threat factors. Apart from addressing the technology comprising control systems, the IEC 62443 standards also contend with industrial processes, countermeasures, and employees behind these processes. 

The standards adopt a risk-based approach to cybersecurity, based on the notion that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the most significant protection, and find the security gaps and hardware vulnerabilities. Once this is done, they must build layered defense-in-depth measures to delay or prevent a cyber attack in the industrial network. The architecture model will help ensure business continuity in industrial processes while strengthening the cybersecurity posture of the industrial environment.

Industrial Cyber reached out to industrial cybersecurity experts to estimate whether the ongoing spate of cybersecurity incidents and ransomware attacks has led to greater adoption of the IEC 62443 standards. It also looked into whether the specifications have helped enhance cyber resilience for manufacturers and smart factories to mitigate risk for industrial communication networks.

Eric C. Cosman is the Principal Consultant with OIT Concepts LLC

“While there is little doubt that increased reporting of attempted attacks and incidents has led to greater awareness of the risk, it is difficult to make projections or observations about adoption of the standards,” Eric C. Cosman, principal consultant at OIT Concepts and co-chair of the ISA99 Committee, told Industrial Cyber. “Anecdotal reports would indicate that there is general interest in and acceptance of the 62443 standards as the basis of such programs. However, companies do not always – or often – document the details of their cybersecurity programs,” he added. 

To confirm adoption rates, Cosman added that it would be necessary to conduct some sort of survey as part of a planned research project.

Ilan Barda, Founder and CEO of Radiflow

“The adoption we see in the field is undoubtedly aimed at the proper adoption of IEC 62443, but the actual underlying driver is awareness surrounding system vulnerabilities,” Ilan Barda, founder and CEO at Radiflow, told Industrial Cyber. “Throughout an initial asset visibility project, many organizations become very aware that they are unable to handle all their inherent vulnerabilities. With that, we help these organizations implement a risk-based approach to prioritize the security controls, addressing the key risk in the most critical areas within their OT network. These are based on safety, financial contribution, or even brand protection – whichever matters most to them,” he added.

The IEC 62443 standards are a “perfect fit for such an approach since you can define different SLT (Security Level Target) per group of assets and measure according to the IEC 62443 standard,” according to Barda. “This is critical in securing the security controls that best help you improve your SLA (Security Level Achieved) vs. the defined SLT,” he added.
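
The per-zone comparison Barda describes, sketched as an added example (not code from the article, Radiflow or the standard): each asset group gets a target vector (SL-T) over the seven IEC 62443 foundational requirements, is compared against its achieved vector (SL-A), and the gaps are ranked by a criticality weight. The zone names, levels, weights and the scoring formula are assumptions constructed for illustration.

```python
# Added illustration: SL-T vs SL-A gap analysis per zone (asset group).
# Zone names, criticality weights and level values are constructed.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")  # IEC 62443 foundational requirements

def vector(*levels):
    """Build an FR -> security level mapping from seven values in FRS order."""
    if len(levels) != len(FRS):
        raise ValueError("need one level per foundational requirement")
    return dict(zip(FRS, levels))

def fr_gaps(sl_t, sl_a):
    """Return {FR: shortfall} for every FR where achieved < target."""
    gaps = {}
    for fr in FRS:
        target, achieved = sl_t[fr], sl_a[fr]
        if not (0 <= target <= 4 and 0 <= achieved <= 4):
            raise ValueError(f"{fr}: security levels must be in 0..4")
        if achieved < target:
            gaps[fr] = target - achieved
    return gaps

def prioritise(zones):
    """Rank zones by criticality-weighted total shortfall, worst first."""
    ranked = []
    for name, zone in zones.items():
        gaps = fr_gaps(zone["sl_t"], zone["sl_a"])
        if gaps:  # zones that meet their target on every FR are left out
            score = zone["criticality"] * sum(gaps.values())
            ranked.append((name, score, gaps))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed sample: three zones with different targets and criticality.
ZONES = {
    "safety-sis": {"criticality": 5,
                   "sl_t": vector(3, 3, 3, 2, 3, 2, 3),
                   "sl_a": vector(2, 3, 2, 2, 3, 1, 3)},
    "process-dcs": {"criticality": 3,
                    "sl_t": vector(2, 2, 2, 1, 2, 2, 2),
                    "sl_a": vector(1, 1, 2, 1, 1, 1, 2)},
    "plant-dmz": {"criticality": 2,
                  "sl_t": vector(2, 2, 1, 1, 2, 2, 1),
                  "sl_a": vector(2, 2, 1, 1, 2, 2, 1)},
}

if __name__ == "__main__":
    for name, score, gaps in prioritise(ZONES):
        print(f"{name:12} score={score:2} gaps={gaps}")
```

The safety zone ranks first despite having fewer open requirements than the process zone, because its criticality weight outweighs the difference in gap count.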

“Yes, I believe we have seen more organizations and nations look to ISA/IEC 62443,” Isiah Jones, principal security engineer – ICS security integrator, told Industrial Cyber. “It is fair to infer that recent events have helped drive that wider adoption,” he added.

Isiah Jones, principal security engineer – ICS security integrator

Last November, the IEC 62443 standards received significant acknowledgement when the International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) announced that the Geneva-based IEC had recognized the industrial cybersecurity standards series as having ‘horizontal’ capability. The move helped establish primacy across IEC standards projects on matters related to cybersecurity in industrial and related applications, enabling deployment across relevant committees to ensure consistency and coherence in IEC standards.

“Actually, ISA has considered the 62443 standards to be ‘horizontal’ – in the sense that they apply across multiple technical disciplines – since the inception of the ISA99 committee in 2002,” Cosman said. 

“It was the International Electrotechnical Commission (IEC) that confirmed a similar designation in 2021,” according to Cosman. “IEC has formed a special task force to determine the full implications of this designation and it is reasonable to expect that this will further increase awareness of the standards as they are considered for application in various sectors,” he added.

“Critical Infrastructure operators usually define their security plans according to the specific standards they need to comply with,” Barda said. Examples of these are NERC CIP, NIS Directive, and others. Some of these standards are quite detailed regarding the required security measures (NERC CIP), while others (NIS Directive) do not provide clear implementation guidelines.

In cases where the standards are not clear enough, “we indeed encountered recent instances in which critical infrastructure operators have used the IEC 62443 standard,” according to Barda. “Being able to prove IEC 62443 as a baseline will ensure that best practices are being followed and that their security improvement plan will meet the regulator’s expectations,” he added.

“We have seen this in a case of an EU power plant that prepared a CAF (Cyber Assessment Framework for NIS Directive) assessment report and a proposed improvement plan to close the critical gaps but was rejected by the regulator,” Barda said. By building off the IEC 62443 standards, “it allowed us to provide the asset owner with an updated assessment report and a security plan that he submitted to the regulator and was approved,” he added.

“Yes, absolutely,” Jones said. “Instead of duplicate confusing and competing standards we will now have one core standard with sector and use case-based profiles built horizontally across all sectors that use some form of automation and control systems,” he added.

Exploring how the IEC 62443 standards help enhance cyber resilience for manufacturers and smart factories and mitigate risk for industrial communication networks, Cosman said that “a risk-based response to protecting automation systems from cyber threats is a fundamental tenet at the foundation of the 62443 standards.”

“The title of the ISA-62443-3-2 standard is ‘Security risk assessment for system design.’ This standard describes a risk-based approach to assigning security levels and identifying and applying security countermeasures to reduce that risk to tolerable levels,” he added.

A communication network is the most popular way of attacking a production facility, according to Barda. “This can be done by directly accessing the network from an external source or by gaining physical access to an OT asset that is connected to an internal network,” he added.

“The physical close-range route will most likely have a more damaging effect, making it harder to identify and quarantine the attack,” Barda said. “As such, implementing security controls for an industrial network, such as network segmentation, for example, would be a major step in developing critical steps in the kill-chain of any attack flow,” he added.

“Various parts of ISA/IEC 62443 such as 3-2 identifying security zones and conduits during a risk assessment and threat modeling a system during early design phases, 4-1 for improved maturity in product design from OEMs and suppliers, 3-3 with foundational functionality requirements for systems and 4-2 for components and devices are examples of parts of 62443 that can really improve the quality of multifunctional components and diverse environments, especially in hybrid and converged environments where MES and SCADA are in the cloud or virtualized on-premise etcetera,” Jones pointed out. “3-2, 4-1, 3-3, and 4-2 are going to become especially important in these IIoT, Cyber-Physical Systems and Industry 4.0 times we are living in,” he added.

“This is especially important to safety systems as well as 62443 and 84.00.09 cross-collaboration has been occurring,” according to Jones. “Great detailed updates are coming in both standards to account for these hybrid multifunctional use cases and can be applied horizontally anywhere,” he added.

The IEC 62443 standards currently do not address the unique issues with legacy process sensors or process measurement integrity. Analyzing how industrial enterprises have dealt with this shortcoming over the years, Cosman said that while the standards do not identify legacy process sensors as a specific class or category, they do describe the security requirements for components of an automation system. 

“Specifically, component-level requirements are described in ISA/IEC 62443-4-2 (Technical security requirements for IACS components). These are intended for application to components at all levels and in all subsystems of the automation systems, including process sensors,” he added.

Detection of anomalies in the process values can indeed be an indication of a cyber attack, but it is not necessarily so, since there are many normal changes in production that result in changes in process values, according to Barda.

“We have addressed this by working with our customers to try and create as much of a ‘normal’ baseline for their process values as possible,” Barda said. “With baselines constantly shifting, time and experience are required for the cybersecurity teams to recognize what is an anomaly and what is a shift in ‘normal’ variation of process values. For this reason, most customers prefer first to implement more deterministic security controls, then address the process sensors and process values at a later stage once teams are ready,” he added.

“While 62443 doesn’t explicitly call out legacy level 0 and 1 components and devices, many of the principles in 3-2 and 3-3 can still be used by those of us who are asset owners when trying to do retrofits, new designs, integration between new and legacy assets, zones and conduits and consequence-based risk determinations etcetera,” Jones said. 

“Additionally deploying tools now focused on level 0 out-of-band signal monitoring can be leveraged as part of a 3-2 and 3-3 strategy especially when new and legacy are both operating in one of our manufacturing plants,” he concluded.
