Securing the Systems that Control Critical Infrastructures: The ISA/IEC 62443 Standard
- Viral Trivedi
- Apr 6, 2021
Digital attacks confronting Industrial Control Systems (ICS) are on the rise. In its 2020 X-Force Threat Intelligence Report, for instance, IBM found that digital attacks targeting ICS and Operational Technology (OT) had increased by over 2000% since 2018. Exploits of known vulnerabilities affecting Supervisory Control and Data Acquisition (SCADA) assets, along with password spraying techniques, featured prominently in those attacks. Along those same lines, IBM Security X-Force and Dragos found that the number of ransomware attacks on “ICS entities and supporting organizations” had increased by 75% between 2018 and October 2020.

Why Do ICS Attacks Matter?
The statistics cited above are significant given the functionality of ICS. As noted elsewhere on this website, ICS is an umbrella term for control systems such as distributed control systems (DCS), SCADA systems and control system configurations that include Programmable Logic Controllers (PLCs). These assets consist of multiple components that work together to achieve an objective in industrial sectors like water, gas & oil, electric, chemical and transportation. As such, ICS underpins the availability of critical national infrastructures that shape the lives of ordinary people within a host country.
Nation-state actors, digital criminals and other malicious individuals know this. That explains the multitude of threats confronting ICS today. Individuals acting on behalf of rival organizations, terrorist groups or other malicious parties could target ICS in order to disrupt the victim’s industrial processes. Such an attack could result in financial losses for the affected organization and/or undermine its reputation. Depending on the nature of the victim’s work and the extent of the disruption, however, the attack could also have broader effects such as threatening the public safety and/or the national security of the host country.
External attackers aren’t the only ones that constitute a threat to organizations’ ICS. Indeed, malicious actors could conduct a supply chain attack and prey upon an industrial organization by compromising the accounts/systems of one of its trusted vendors, suppliers or partners first. There’s also the issue of insiders inadvertently or knowingly using their privileges in a way that jeopardizes the security of their employer.
How Can Organizations Defend Themselves?
Organizations can defend themselves against the threats discussed above, among others, by following two complementary strategies. First, they can use IEC 62443. A webpage on this site notes that IEC 62443 is a series of standards, reports and information that provide organizations with guidance on how to secure their Industrial Automation and Control Systems (IACS). The standards included in IEC 62443 consist of the following four verticals:
- General: This section includes foundations for implementing the standards including relevant models and applicable terminologies.
- Policies & Procedures: Within this section, organizations receive guidance on multiple aspects surrounding the creation of an effective Cyber Security Management System.
- System: This category of the standards focuses on guiding principles that organizations can use to securely develop and integrate their systems.
- Component: The final section of IEC 62443 focuses on the technical guidelines that manufacturers can implement in the process of developing their products. It follows that end users and organizations can also use this category to purchase components and technologies that complement their security requirements.
Second, organizations can focus on ICS defense-in-depth. The Industrial Control Systems Cyber Emergency Response Team at the Department of Homeland Security (DHS) names nine different practices towards achieving this depth of ICS security. These are as follows:
- Risk Management and ICS: The purpose behind this step is to gain an understanding of the business risks surrounding an organization’s ICS and to manage those risks accordingly. Organizations can best do this by adopting a three-tiered approach to ICS risk management that addresses business risk at the organization level, the mission/business process level and the information system level.
- Asset Inventory and Risk Characterization: With that risk management approach in place, organizations can first identify the systems and components that they deem to be business-critical. They can then rank the criticality of those assets before performing a risk analysis to understand the vulnerabilities and other factors that threaten those resources.
- Physical Security: Organizations need to make sure they’re taking the proper steps to protect their physical assets such as their plant equipment and tools. They can do this by implementing physical controls to defend against unauthorized access to their sensitive locations. Doing so will help to prevent malicious actors from modifying ICS, plant equipment and other industrial resources.
- ICS Network Architecture: There are risks involved with connecting IT components of the organization to the ICS domain. Indeed, organizations risk exposing their industrial assets over the Internet in doing so. In response, organizations might consider segmenting their networks into separate zones for the enterprise and for manufacturing.
- Security Architectures: Once they have the network architecture in place, organizations can deploy security controls to protect their connected systems and assets. These include using firewalls to monitor network traffic and disallow untrusted communications as well as access controls to limit who can connect to the network.
- Host Security: This aspect of ICS defense-in-depth consists of traditional host security elements. These include keeping operating systems up to date, implementing patches on a timely basis, choosing strong passwords for all relevant accounts and maintaining/testing backups of critical systems on an ongoing basis.
- Security Monitoring: Notwithstanding the presence of firewalls, malicious actors could nonetheless gain access to the network and move laterally to assets of interest. Organizations need to address this threat by using security monitoring. Doing so can help to identify anomalous network activity such as the exfiltration of sensitive information.
- Vendor Management and Security: It’s important that organizations strengthen the security of their supply chains. They can do so by using service level agreements to specify the types of security-related roles and responsibilities that vendors, suppliers and partners need to follow in order to do business with the organizations.
- The Human Element: Employees need to understand their responsibilities with respect to upholding their employer’s ICS security. Organizations can emphasize this point by enshrining employees’ roles and responsibilities in their security policies and using security awareness training to educate their employees about these policies.
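
The ICS Network Architecture, Security Architectures and Security Monitoring practices above can be checked together. The following is an added example, not code from the original article or from the DHS guidance: it maps flow records to an enterprise zone and a manufacturing zone and flags cross-zone traffic that is not on an allow-list. The address ranges, the single allow-list entry and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed zone layout (constructed addresses, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "manufacturing": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed allow-list of cross-zone flows: (src_zone, dst_zone, dst_ip, dst_port).
ALLOWED = {
    ("manufacturing", "enterprise", "10.10.5.20", 443),  # historian -> reporting server
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.30.1.15", "10.10.5.20", 443),    # on the allow-list
    ("10.10.8.77", "10.30.1.40", 502),    # enterprise host -> controller, Modbus/TCP
    ("10.30.1.40", "10.30.1.41", 502),    # stays inside the manufacturing zone
    ("203.0.113.9", "10.30.2.10", 3389),  # Internet -> manufacturing
    ("10.30.2.10", "198.51.100.4", 443),  # manufacturing -> Internet
]

def zone_of(ip):
    """Return the zone name for an address, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Flag every flow that crosses a zone boundary without an allow-list entry."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, dst, port) in ALLOWED:
            continue
        # Manufacturing talking directly to the Internet is the worst case.
        direct = "external" in (sz, dz) and "manufacturing" in (sz, dz)
        findings.append({"src": src, "dst": dst, "port": port,
                         "path": f"{sz}->{dz}",
                         "severity": "high" if direct else "medium"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against real flow exports, the same check shows whether the firewall rules actually enforce the zone boundary and gives security monitoring a short list of flows to investigate.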
All of this is a lot for organizations to do. It’s not easy for them to do it alone. Organizations need help from someone who has experience setting up these types of ICS security programs.
That’s where Ampcus Cyber comes in. Its experts have the knowledge and experience to develop security policies, procedures and awareness training that help organizations protect their ICS assets. They can also help organizations comply with IEC 62443 as well as implement defense in depth.