Standard IEC 62443: a series of standards that define procedures for
implementing electronically secure Industrial Automation and Control
Systems (IACS). *Equivalence to ISO 27001 and NIST Cybersecurity Framework.
3. IACS Cybersecurity Standards
Cybersecurity Standards Deliver:
✓ Common Industry Language and Terminology
✓ Standardized Methodology
✓ Guidance on how to answer:
  • What is my current risk?
  • What would be a more acceptable level of risk for my organization?
  • How do I get to that more acceptable level?
6. Align with industry framework
Compliance & standards
Applies to those responsible for designing, manufacturing,
implementing or managing industrial control systems:
• End-users (i.e. asset owner)
• System integrators
• Security practitioners
• ICS product/systems vendors
ISA/IEC 62443: Series of standards that define procedures for
implementing electronically secure Industrial Automation and Control
Systems (IACS).
*Equivalence to ISO 27001 and NIST Cybersecurity Framework
7. IEC 62443 based on a holistic Defense in depth concept
8. A secure application depends on multiple layers of diverse protection and industrial security must be implemented as a system
Defense-in-Depth
Deploying Network Security
▪ Defense in Depth: Shield targets behind multiple levels of diverse security countermeasures to reduce risk
▪ Openness: Consideration for participation of a variety of vendors in our security solutions
▪ Flexibility: Able to accommodate a customer’s needs, including policies & procedures
▪ Consistency: Solutions that align with Government directives and Standards Bodies
BEFORE | DURING | AFTER
13. The IEC62443/ISO27001 based method
▪ Identification and Business Impact Assessment
▪ Definition of Target Level
▪ Risk Assessment
▪ Development and Implementation of Protection Concept
▪ Definition of Scope
Getting started
14. What’s at risk?
▪ Loss of Life
▪ Stolen Intellectual Property
▪ Production Loss
▪ Unscheduled Downtime
▪ Damaged Equipment
▪ Environmental Impact
15. Risk analysis
▪ Business rationale
▪ Risk identification, classification and assessment
Monitoring and improving the CSMS
▪ Conformance
▪ Review, improve and maintain the CSMS
16. Understanding Risk
High-Level Security Risk Assessments 62443 3-2
What is your current level of risk?
Impact     Remote  Unlikely  Possible  Likely  Certain
Trivial    1       2         3         4       5
Minor      2       4         6         8       10
Moderate   3       6         9         12      15
Major      4       8         12        16      20
Critical   5       10        18        20      25
17. “A good overview”
More info: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/understanding-component-driven-risk-management
Risk methods and frameworks
18. NIST Cybersecurity Framework
▪ Identify: Organization understands what the current state and risk is to systems, assets, and data
▪ Protect: Implement safeguards to ensure delivery of critical infrastructure services
▪ Detect: Implement appropriate activities to identify a cybersecurity event
▪ Respond: Implement activities to take action regarding a detected cybersecurity event
▪ Recover: Implement activities to maintain plans for resilience and to restore capabilities
20. The structure of IEC 62443?
General
  1-1 Terminology, concepts and models
  1-2 Master glossary of terms and abbreviations
  1-3 System security compliance metrics
  1-4 IACS security lifecycle and use-cases
Policies and procedures
  2-1 Security program requirements for IACS asset owners
  2-2 IACS security program ratings
  2-3 Patch management in the IACS environment
  2-4 Security program requirements for IACS service providers
System
  3-1 Security technologies for IACS
  3-2 Security risk assessment and system design
  3-3 System security requirements and security levels
Components
  4-1 Secure product development lifecycle requirements
  4-2 Technical security requirements for IACS components
Definition and metrics | Processes / procedures | Functional requirements
21. Protection Level (PL)
Security process
• Based on IEC 62443-2-4 and ISO27001
• Maturity Level 1 - 4
Security functions
• Based on IEC 62443-3-3
• Security Level 1 - 4
Protection Levels are the key criteria and cover security functionalities and processes
22. Protection Levels are the key criteria and cover security functionalities and processes
[Figure: Protection Levels PL 1 to PL 4 plotted against Maturity Level (1 to 4) and Security Level]
23. Understanding Risk
High-Level Security Risk Assessment
What is your Target Security Level (SL-T)?
▪ Security Level 4: Protect Against Intentional Unauthorized Access by Entities Using Sophisticated Means with Extended Resources, IACS specific Skills & High Motivation
▪ Security Level 3: Protect Against Intentional Unauthorized Access by Entities Using Sophisticated Skills with Moderate Resources, IACS specific Skills & Moderate Motivation
▪ Security Level 2: Protect Against Intentional Unauthorized Access by Entities Using Simple Means with Low Resources, Generic Skills & Low Motivation
▪ Security Level 1: Protect Against Casual or Incidental Access by Unauthorized Entities
24. Consequences – Some randomly selected points
PL 1: Use of VLAN, network hardening, managed switches and capability to backup are mandatory …
PL 2: A distributed firewall concept has to be implemented; inventory and network management are mandatory; capability to automate the backup is mandatory …
PL 3: Even more…
PL 4: Even way more…
25. IEC 62443 Security measures
It is unambiguous …
PL 1 | PL 2 | PL 3 | PL 4
Organize Security | Secure Solution Design | Secure Operations | Secure Lifecycle management | Secure Physical Access
• Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door
• Revolving doors with card reader
• Doors with card reader
• Locked building/doors with keys
• Awareness training (e.g. Operator Aware. training)
• Network segmentation (e.g. VLAN)
• Security logging on all systems
• Backup / recovery system
• Mandatory rules on USB sticks (e.g. Whitelisting)
• Automated backup / recovery
• No Email, No WWW, etc. in Secure Cell
• 2 PCs (Secure Cell/outside)
• Remote access with cRSP or equivalent
• Monitoring of all human interactions
• Dual approval for critical actions
• Firewalls with Fail Close (e.g. Next Generation Firewall)
• Monitoring of all device activities
• Online security functionality verification
• Persons responsible for security within own organization
• Continuous monitoring (e.g. SIEM)
• Backup verification
• Mandatory security education
• Physical network segmentation or equivalent (e.g. SCALANCE S)
• Remote access restriction (e.g. need to connect principle)
• …
26. Cybersecurity Essentials
• Equipment built with security in mind
• Network Design & Segmentation
• Asset Inventory
• Vulnerability Identification
• Patch Management
• Password Management
• Phishing Identification Training
• Disaster Recovery
• Upgrade Aging Infrastructure
• Limiting Privileges
27. A piece of a bigger picture
• IEC62443: The OT-security standard
• ISO27001: Well known IT-security standard
• NIST 800-30: Risk assessment framework
• The Functional Safety standard
28. Recap - Contributions of the stakeholders
[Figure: IEC 62443 parts, stakeholders and security levels]
• 3-2 Security risk assessment and system design
• 3-3 System security requirements and Security levels
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS products
Stakeholders: Asset Owner, System Integrator, Product supplier
Security levels: Target SLs, Achieved SLs, Capability SLs
Automation solution | Control System capabilities