IEC 62443 Security for Industrial Automation and Control Systems

Everybody nowadays is aware of the possibility to hack IT products. Organizations that use this type of IT products in their infrastructure have two policy related questions. First questions is whether the new IT product can violate the security policy of their infrastructure, e.g. by giving non-authorised people access to certain data and as such a stepping stone for attacks on the infrastructure. Second question concerns risk management: is the effort, skills and tools needed to hack the IT product less than what the companies’ acceptable risks level.

The payment industry (e.g. banking cards, payment terminals) and governments (e.g. epassports) have a defined process to answer these questions for decades. In essence their solution is to have the security technology of the products evaluated in a standardized manner, focused on exploitable vulnerabilities and based on their risk assessment. For the developers of IT products in these areas it is clear for what they need to design. The organizations themselves do not take the technology in consideration but also comply to security management requirements, as for example in ISO27001.

In the world of Industrial Automation the infrastructure of the operational technology (OT) was relatively independent. The introduction of IoT changes this. The risk that hackers can use IoT products as a stepping stone to hack the infrastructure of a company or to use it as device to set-up e.g. DDoS attacks to other companies. This development asks for organizing the security management and understanding the security quality of IoT products. IEC 62443 Security for Industrial Automation and Control Systems (IACS) is defined for this purpose: device level (ISA/IEC 62443-4-x), system level (ISA/IEC 62443-3-x) and processes (ISA/IEC 62443-2-x).

Early 2018 detailed technical control system component requirements for IACS were added to the long existing IACS security standard ISA/IEC 62443, created by the International Society of Automation (ISA). The IACS community created this standard recognizing the changing security landscape and seeing the need for clear procurement of secure IACS components. ISA/IEC-62443 is a collection of multi-industry standards focused on cybersecurity protection methods and techniques. With that ISA/IEC 62443 supports secure integration of components in IACS. The new addition provides technical (cyber)security requirements for components in an IACS, such as embedded devices, network components and software applications. The standard defines levels of security capabilities to mitigate threats. The standard also defines Life-Cycle for Product Security Development.

The good reader sees similarities of the needs and requirements defined by the payment industry (e.g. PCI, EMVCO) and more in general ISO15408/Common Criteria, but for a different type of industry products and strongly related to the existing infrastructure. Brightsight can therefore re-utilize the knowledge gained in our evaluations to demonstrate compliance of products to ISA/IEC 62443. Brightsight is in the process of getting accredited and be able to provide globally recognized certificates. Although ISA/IEC 62443 is becoming the norm for critical infrastructures, it is not generally mandated. ISA/IEC 62443 is supporting Brightsight customers to show that there premium products are well-suitable for IACS.