Professional Documents
Culture Documents
7.1. Presentation
The target audience for this standard is the industrial control system (ICS)
stakeholder community: asset owners and operators, system integrators,
product suppliers, service providers, and even government agencies and
regulatory bodies with the legal authority to conduct audits to ensure
compliance with applicable laws and regulations. Each of them will use the
standard on a part of the equipment or at a specific stage of the lifecycle, in
particular:
– operators or owners of assets, to carry out a management of the security
and express security requirements for the different parts of the installation;
168 Cybersecurity of Industrial Systems
The requirements and guidelines of the IEC 62443 standard are defined
for persons who have responsibilities related to the implementation,
operation, maintenance or decommissioning of industrial automation and
control systems. This includes operators, product suppliers, system
integrators, system users and suppliers.
(ICS) system
deploys
Integrator
Components
Product
develops
Network
PLCs Software HMI …
provider Devices
Policy & Procedures 62433-2-1 Requirements for an IACS security management system
62433-2-2 Implementation guidance for an IACS security management system
62433-2-3 Patch management in the IACS environment
System 62433-2-4 Requirements for IACS solution suppliers
In the context of IEC 62443, ICSs are called IACS (Industrial Automation
and Control System). Mastering cybersecurity in an IACS requires
the involvement of all relevant stakeholders, who share “a responsibility” for
all phases of the cybersecurity lifecycle:
170 Cybersecurity of Industrial Systems
IEC 62443 is composed of several parts (ISA 2018; Hauet n.d. a, 2012).
Its structure is shown in Figure 7.4. The grayed elements are those that define
the standard, the others are technical reports. Some parts continue to evolve.
The standard is divided into several parts that are articulated on four levels.
Master Glossary of
System Security Security Life Cycle
Concepts and Models Terms and
Compliance Metrics and Use Cases
Abbreviations
Procedures
Policies &
ISA-62443-4-1 ISA-62443-4-2
Product Technical Security
Development Requirements for
Requirements IACS Components
Global analysis
Is the level
tolerable? Detailed analysis of each
No
zone and conduit
Carry out detailed analysis
of the zone and deducing
its objective SL-T security
level
To assess the security level of a component or system for one of the seven
FRs, the standard provides a list of criteria to be validated. A subset of the
criteria is required to obtain level 1, 2 or 3. The higher the level, the more
criteria have to be met.
Functional SIL
Safety Integrity
safety Level
PFD
Probability of Failure on Demand
Information SL
security Security Level FR1 : Identification and Authentication Control (IAC)
FR2 : Use Control (UC)
FR3 : System Integrity (SI)
FR4 : Data Confidentiality (DC)
FR5 : Restrict Data Flow (RDF)
FR6 : Time Response to an Event (TRE)
FR7 : Resource Availability (TA)
The security levels (SL) represent the confidence that can be placed in the
ability of a system, zone and/or its components to provide a certain degree of
security in relation to the fundamental requirements (FR).
As mentioned above, the idea is to propose the equivalent of the SIL level
(Chapter 8) for cybersecurity. This indicator, called SL, has several
components, one for each FR. Each component can have a value from 0 to 4
(Figure 7.7). A component or system will be characterized by an SL level,
which can be written as {2 1 2 1 1 1 1 0 2}. This means that the level for FR1
is 2, for FR2 is 1, etc. The SL may concern an equipment, the software, a
zone or any element or group of elements belonging to the installation. The
SL of an element, such as a PLC, or a zone, is noted as follows:
SL(PLC1) = { 1 1 2 1 0 0 1 } or SL(Zone10) = { 1 1 2 1 0 0 1 }
The standard defines the security level to be achieved SL-T (target), the
level achieved SL-A (achieved) and the possible level SL-C (capability):
– the risk analysis of the installation makes it possible to determine the
level of cybersecurity required for each zone and each conduit. For example,
a facility that can cause significant damage to the population and uses an SIS
is at high risk. In this case, the required security level, written as SL-T
(target), will be level 4;
178 Cybersecurity of Industrial Systems
– the SL-A level is the level actually reached by the automated system. A
list of approximately 100 technical criteria is used to quantify the SL of a
system for each of the components corresponding to a FR. Countermeasures
are determined in such a way that the SL of the installation with these
countermeasures achieves the set SL-T objective. This analysis is carried out
by zones;
– the SL-C is used to characterize a component (hardware or software)
and represents the level of security that can be achieved if the component is
implemented correctly.
SL-C(RA, PLC) = 4
Figure 7.7. Security levels. For a color version of this figure, see
www.iste.co.uk/flaus/cybersecurity.zip
The Approach Proposed by Standard 62443 179
Very often, and especially for complex ICS, it is not necessary to require
the same level of security for all elements. To manage these different levels,
the standard proposes to break the installation down into zones. These zones
are connected by conduits. The level of security required for a zone will be
provided by the risk analysis and the conduits are secured in such a way as to
allow the coexistence of zones of different levels.
the second, for virtual zones, functional or other criteria are used to group
them together.
A zone can be divided into subzones, which defines security layers and
allows for defense-in-depth.
Enterprise
…
Internet/WAN
DMZ
Supervision
SCADA
SIS BPCS
Engineering station
Engineering station
Figure 7.9. Example of division into zones and conduits. For a color version of
this figure, see www.iste.co.uk/flaus/cybersecurity.zip
182 Cybersecurity of Industrial Systems
A conduit is defined by its border, its end points (physical equipment and
applications) that use communication channels, the data flows it carries, the
connected zone and its assets.
Level 4
Improving
Level 3
Defined
(Practiced)
Level 2
Managed
Level 1
Initial
Figure 7.10. Maturity levels. For a color version of this figure, see
www.iste.co.uk/flaus/cybersecurity.zip
The Approach Proposed by Standard 62443 183
1 PL cannot be determined
1 2 3 4
Similar approaches
ISA -62443 -4 -1 ISA-62443 -4-2
to the system
Product Technical Security
Development Requirements for
level/component
Requirements IACS Components
Figure 7.12. Component and system level documents. For a color version of
this figure, see www.iste.co.uk/flaus/cybersecurity.zip
The Approach Proposed by Standard 62443 185
The second step consists of carrying out a global risk analysis of the SuC.
The objective is to identify the worst case, as well as the risk generated by a
malfunction of the IACS. It is of course possible to rely on industrial risk or
functional safety analyses (Chapter 8). The level of risk is assessed with a
risk matrix and allows us to situate it in relation to what is tolerated by the
organization.
The ZCR3 step consists of partitioning the SuC into zones and conduits.
This breakdown is done in accordance with the definitions in section 7.5.3,
the objective being to prepare the detailed analysis. We are therefore aiming
to obtaina a given level of security for the zone. Important rules are:
– to separate the IT zone from the OT zone(s);
– to define specific zones for the SIS;
– to define specific zones for temporarily connected equipment;
– to define zones for wireless networks;
– to separate the zones connected via external networks.
186 Cybersecurity of Industrial Systems
Step ZCR4 is to determine if the overall risk level exceeds the tolerable
level. If the answer is yes, a detailed analysis of each zone is performed in
step ZCR5. The result of this analysis is, for each zone and conduit, an SL-T
target security level, defined according to the risk level of the zone or conduit
in question. This step is detailed in section 7.6.2.
The last step ZCR7 consists of obtaining approval of the risk analysis by
the persons in charge of IACS responsible for the security, integrity and
reliability of the process controlled by the SuC.
1
SL-T = 4, −
188 Cybersecurity of Industrial Systems
For a tolerable risk level of 4, we obtain the table given in Figure 7.14.
However, this approach should be used with caution (Braband 2017).
7.6.4. Countermeasures
When the SL-T, target level, is determined, the next step is to analyze the
zone using Table 7.1, or the one given in Appendix 5. The basic levels SR
define the security measures to be taken to achieve a level of at least 1, and to
increase this level, Requirement enhancements (RE) are required. SR and RE
can be found in the table defining the FR in Appendix 5.
Risk Matrix
Severity or Impact
1 2 3 4 5 1 2 3 4 5
Likelihood Likelihood
Figure 7.14. Determination of SL-T with CRRF. For a color version of this
figure, see www.iste.co.uk/flaus/cybersecurity.zip
The Approach Proposed by Standard 62443 189
Then, for each class, requirements are defined based on those of ISO
27001 for generic requirements, or specifically if they are specific to IACS.
For example, for ORG 3 (Table 7.4), the requirements are those of ISO
27001, except for the one concerning access to IACS, which is not an issue
for a conventional computer system.
and technical. For an existing facility, they can be evaluated based on the
observation of the IACS and its organizational functioning. Organizational
measures are assessed on the maturity scale, from 1 to 4, while technical
measures are assessed on the security level scale, from 1 to 4. For each class,
a list of associated requirements is built:
– from standard 62443-2-1 for organizational requirements for ISMS
implementation;
– from standard 62433-2-4 for service provider requirements;
– from standard 62443-3-2 for risk analysis requirements;
– from standard 62443-3-3 for technical system requirements;
– from standard 62443-4-1 for product development requirements;
– from standard 62433-4-2 for technical requirements at component level.
7.9.1. Certification