
Industrial Control Systems Security based on ISA/IEC 62443 standard

· Technical and Security Deep Dives, Compliance and Regulations, Industry Applications and Use Cases

Critical infrastructure systems, such as those driving electricity and renewable power generation, water treatment, and other platforms, are becoming potential targets for cyber-attacks as they increasingly connect with other networks. As a rule of thumb, the more popular a system is, the more lucrative an attack on it becomes, because the attack can often be reused.

Because the enterprise network is interlinked with the production network, and process control networks are integrated with web technologies, the need to secure Industrial Automation and Control Systems (IACS) has substantially increased. This crosslink exposes the critical systems in the process control network to cyber-attacks, which can shut down the whole system and even impact the environment.

Security in IACS refers to securing industrial plants from physical and digital attacks. Attacks can result from negligence or unintentional behavior by an employee, or they can be criminal and intentional. The purpose of industrial control system security is to achieve three security objectives:

  • Confidentiality
  • Integrity
  • Availability

In IACS, availability of data/services has the top priority. The goal is to ensure that even in case of a cyber-attack or a failure in the system, the production continues to run smoothly.

The ISA/IEC 62443 standard

ISA/IEC 62443 deals with the security of industrial control systems, also known as Industrial Automation and Control Systems (IACS). The term IACS covers systems used in processing and manufacturing facilities, and in operations such as gas, electricity, and water that use automated, remote-controlled, or monitored assets.

The ISA/IEC 62443 standard aims to ensure that all three major roles in the process industry (Product Supplier, System Integrator, and Asset Owner) follow an efficient method for a secure process, with emphasis on the safety of personnel and the environment, as well as the availability, efficiency, and production quality of the IACS.

The roles define and connect different parts of the ISA/IEC 62443 standard: a product developed by the Product Supplier relates to the maintenance and integration capability of the System Integrator and to its operation by the Asset Owner.

To be precise, the product supplier is responsible for developing and testing the control system, the system integrator is responsible for integrating and commissioning the product into automation, and the asset owner is responsible for the operational and maintenance capabilities.

The structure of ISA/IEC 62443 is divided into four parts:

  • General Management System (policies and procedures)
  • Industrial IT Security
  • IACS (system requirements)
  • Embedded Security

Concepts used in ISA/IEC 62443

  • Defense in Depth

This concept is a layered security mechanism that enhances the security of the whole system. Its benefit is that if one layer is compromised during an attack, the other layers can still detect, react to, and protect against as many attacks as possible.

  • Zones and Conduits

Security zones are physical or logical groupings of assets that share common security requirements and isolate the critical control system components. Conduits control access to a zone by resisting attacks such as Denial of Service, and protect the integrity and confidentiality of network traffic.

  • Cybersecurity Life Cycle for IACS using PDCA

The Plan, Do, Check, Act (PDCA) method must be followed by each of the three roles defined in the standard. The PDCA cycle for the product supplier is the product life cycle, as it is specific to the product or device. For the integrator and asset owner, it is the plant life cycle, as it concerns the entire plant.
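
The zones and conduits concept described above can be turned into a check over observed network flows. The following is an added example, not part of the original article or of the standard's text: zone names, subnets, conduit rules and flow records are all constructed, and treating conduits as one-directional is an assumption of this sketch.

```python
from ipaddress import ip_address, ip_network

# Constructed zone model: names and subnets are illustrative only.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz":        ip_network("10.20.0.0/24"),
    "control":    ip_network("10.30.0.0/24"),
}

# Each conduit is the only sanctioned path between two zones:
# (source zone, destination zone) -> set of permitted (protocol, port).
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"):    {("tcp", 4840)},  # OPC UA, as an assumed service
}

def zone_of(addr):
    """Return the zone an address belongs to, or None for an unassigned asset."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def check_flow(src, dst, proto, port):
    """Classify one flow against the zone and conduit model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"       # asset inventory gap: not in any zone
    if src_zone == dst_zone:
        return "intra-zone"          # never crosses a zone boundary
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "no-conduit"          # zones talk without a defined conduit
    return "allowed" if (proto, port) in allowed else "conduit-violation"

def audit(flows):
    """Return (flow, verdict) for every flow that needs review."""
    findings = []
    for flow in flows:
        verdict = check_flow(*flow)
        if verdict not in ("allowed", "intra-zone"):
            findings.append((flow, verdict))
    return findings

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443),   # enterprise -> dmz via conduit
    ("10.20.0.10", "10.30.0.5",  "tcp", 4840),  # dmz -> control via conduit
    ("10.10.5.20", "10.30.0.5",  "tcp", 502),   # enterprise straight to control
    ("10.20.0.10", "10.30.0.5",  "tcp", 22),    # right conduit, wrong service
    ("10.30.0.5",  "10.30.0.6",  "udp", 2222),  # stays inside the control zone
    ("192.0.2.7",  "10.30.0.5",  "tcp", 4840),  # source not assigned to a zone
]
```

Calling `audit(FLOWS)` returns the three flows that bypass or misuse a conduit, which is the list an asset owner would review against the zone model.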

If you want to learn more about the security of industrial control systems, and how they can be kept safe, or want to ensure cybersecurity regulations and ISA/IEC 62443 security standards compliance for your business, reach out to specialized security partners.
