Over the last couple of years,
the industry has been undergoing significant transformations, driven by the digitalization
of the manufacturing process. It brings so many new opportunities,
fundamentally changing the way the industry is operated. By utilizing the
industrial-grade network, the entire system becomes interconnected, allowing
communication between each production segment and thus, a high level of process
automation. Having large scale integration and connectivity at all levels
undoubtedly offers numerous benefits; however, without the implementation of
appropriate security measures, it can also pose a serious risk for the entire
system. This is where robust, yet flexible and well-thought security standards
such as the IEC 62443 can make a huge difference.
IEC 62443 successfully addresses specific requirements of the industrial
security
Unlike the office environment
where time is not a critical parameter and where the focus is the
confidentiality, industrial cyber-security must provide continuous operation of
the production line, protecting the integrity of essential automation
functions. The IEC 62443 standard series developed by the ISA99 committee
provides a robust and flexible security standard framework that covers various
aspects of a typical Industrial Automation Control System (IACS), offering a
cohesive, holistic protection concept.
The best security solution is the one with no implementation gaps
An effective security solution includes both technical and organizational
security measures. It cannot be implemented by neglecting the importance of the
roles that the stakeholders must perform, starting with the Product Supplier,
over the System Integrator and ultimately – the Asset Owner. The IEC 62443
standard series recognizes these roles and describes a set of actions in
various cases for each of them, as illustrated in the picture below:
Figure 1) IEC 62443 addresses all stakeholders for a holistic protection concept
Segmented and layered security solution offers the highest level of
protection
The IEC 62443 standard series
also recognizes the need for a layered, partitioned implementation of technical
security solutions, preventing over-protection of less critical parts of the
system and increasing the overall effectiveness of the implemented security
solution. Based on the risk assessment process, the entire IACS is partitioned
into “zones” and “conduits”. Each partition is assigned a Target
SL (SL-Target or SL-T). Once the SL-T has been determined for a particular
partition, System Integrator continues the design process using components from
the Product Supplier. To achieve a specific SL-T, System Integrator must use
components with sufficient SL Capabilities (SL-C). Once deployed, the achieved
Security Level (SL-Achieved or SL-A) of the partition is measured and
evaluated. This process is repeated until the SL-A reaches the SL-T.
Generally speaking, SLs are
sorted from SL 0 to SL 4 according to the immunity they provide against
third-party attackers with different amounts of motivation, expertise, and with
different amounts of resources invested. Note, that IEC 62443 does not
prescribe any strict rules for achieving a specific SL, allowing implemented
security measures to evolve dynamically in relation to the severity of the
attacks. The standard does, however, provide a mechanism for the continuous
evaluation of the SL ratings based on the well-accepted “Plan-Do-Check-Act”
or PDCA evaluation model.
From an organizational perspective, the IEC 62443 standard series describes four “Maturity Level” ratings (ML 1 – ML 4). The ML rating system is used to evaluate how well an organization defines and describes security processes and how well the processes are followed by the personnel involved: ML 1 describes organization with unpredictable, poorly controlled and reactive processes, while ML 4 describes organization with well defined, measured, controlled, and continuously improved processes.
The IEC 62443 standard series offers a holistic protection concept, taking
all the external factors into account
A holistic protection concept such as the IEC 62443 relies on
implementing appropriate security solutions at each level. This involves
technology, processes, and people. Technology alone, without properly trained
staff or with poorly defined processes and procedures, is not sufficient to
achieve the desired level of protection, regardless of its capabilities. The
same applies if the selected components and systems lack the required security
capabilities. Therefore, the overall protection level directly depends on all three
factors mentioned above: technology, processes, and people. The Protection
Level (PL) rating is used to qualitatively describe how well protected the
production plant is during the operation, taking into account both ML and SL
ratings, together with relevant technical and organizational safety measures.
Figure 2) Relation between the achieved technological Security Levels (SL), Maturity Levels of an organization (ML),and the resulting Protection Levels (PL)
The IEC 62443 is a flexible and dynamic security framework
The IEC 62443 standard series
does not prescribe any strict methods for dealing with security threats.
Instead, the standard offers a solid framework for developing a complete
security solution for an industrial environment. The standard reaches far
beyond what is presented in this short article, outlining various methods for
maintaining a consistent level of protection throughout the entire lifecycle of
an IACS, and much more.
As one of the leading global
technology solutions provider, EBV Elektronik offers services beyond
distribution: if you are looking for more detailed information and an in-depth
explanation of the IEC 62443 standard series, you can always get in touch with
EBV Security & Identification specialists who will gladly help with your
IACS security-related designs.
What is the IEC 62443 standard?
Over the last couple of years, the industry has been undergoing significant transformations, driven by the digitalization of the manufacturing process. It brings so many new opportunities, fundamentally changing the way the industry is operated. By utilizing the industrial-grade network, the entire system becomes interconnected, allowing communication between each production segment and thus, a high level of process automation. Having large scale integration and connectivity at all levels undoubtedly offers numerous benefits; however, without the implementation of appropriate security measures, it can also pose a serious risk for the entire system. This is where robust, yet flexible and well-thought security standards such as the IEC 62443 can make a huge difference.
IEC 62443 successfully addresses specific requirements of the industrial security
Unlike the office environment where time is not a critical parameter and where the focus is the confidentiality, industrial cyber-security must provide continuous operation of the production line, protecting the integrity of essential automation functions. The IEC 62443 standard series developed by the ISA99 committee provides a robust and flexible security standard framework that covers various aspects of a typical Industrial Automation Control System (IACS), offering a cohesive, holistic protection concept.
The best security solution is the one with no implementation gaps
An effective security solution includes both technical and organizational security measures. It cannot be implemented by neglecting the importance of the roles that the stakeholders must perform, starting with the Product Supplier, over the System Integrator and ultimately – the Asset Owner. The IEC 62443 standard series recognizes these roles and describes a set of actions in various cases for each of them, as illustrated in the picture below:
Segmented and layered security solution offers the highest level of protection
The IEC 62443 standard series also recognizes the need for a layered, partitioned implementation of technical security solutions, preventing over-protection of less critical parts of the system and increasing the overall effectiveness of the implemented security solution. Based on the risk assessment process, the entire IACS is partitioned into “zones” and “conduits”. Each partition is assigned a Target SL (SL-Target or SL-T). Once the SL-T has been determined for a particular partition, System Integrator continues the design process using components from the Product Supplier. To achieve a specific SL-T, System Integrator must use components with sufficient SL Capabilities (SL-C). Once deployed, the achieved Security Level (SL-Achieved or SL-A) of the partition is measured and evaluated. This process is repeated until the SL-A reaches the SL-T.
Generally speaking, SLs are sorted from SL 0 to SL 4 according to the immunity they provide against third-party attackers with different amounts of motivation, expertise, and with different amounts of resources invested. Note, that IEC 62443 does not prescribe any strict rules for achieving a specific SL, allowing implemented security measures to evolve dynamically in relation to the severity of the attacks. The standard does, however, provide a mechanism for the continuous evaluation of the SL ratings based on the well-accepted “Plan-Do-Check-Act” or PDCA evaluation model.
From an organizational perspective, the IEC 62443 standard series describes four “Maturity Level” ratings (ML 1 – ML 4). The ML rating system is used to evaluate how well an organization defines and describes security processes and how well the processes are followed by the personnel involved: ML 1 describes organization with unpredictable, poorly controlled and reactive processes, while ML 4 describes organization with well defined, measured, controlled, and continuously improved processes.
The IEC 62443 standard series offers a holistic protection concept, taking all the external factors into account
A holistic protection concept such as the IEC 62443 relies on implementing appropriate security solutions at each level. This involves technology, processes, and people. Technology alone, without properly trained staff or with poorly defined processes and procedures, is not sufficient to achieve the desired level of protection, regardless of its capabilities. The same applies if the selected components and systems lack the required security capabilities. Therefore, the overall protection level directly depends on all three factors mentioned above: technology, processes, and people. The Protection Level (PL) rating is used to qualitatively describe how well protected the production plant is during the operation, taking into account both ML and SL ratings, together with relevant technical and organizational safety measures.
The IEC 62443 is a flexible and dynamic security framework
The IEC 62443 standard series does not prescribe any strict methods for dealing with security threats. Instead, the standard offers a solid framework for developing a complete security solution for an industrial environment. The standard reaches far beyond what is presented in this short article, outlining various methods for maintaining a consistent level of protection throughout the entire lifecycle of an IACS, and much more.
As one of the leading global technology solutions provider, EBV Elektronik offers services beyond distribution: if you are looking for more detailed information and an in-depth explanation of the IEC 62443 standard series, you can always get in touch with EBV Security & Identification specialists who will gladly help with your IACS security-related designs.
Related Posts