The need to protect your infrastructure and services from disruption is a critical priority, especially considering increasing connectivity prevalent in industrial environments. To build OT resilience, asset owners oftentimes engage with specialized consultants. These OT security researchers, testers, certification groups and consultants can work together to fulfill a holistic risk mitigation strategy.
Recent changes to international standards in the industrial security arena are helping operators consistently procure and manage control systems security expertise. Understanding these changes and how they can apply to your situation is useful as you evolve your operational technology (OT) security posture.
Nearly a year ago, I mentioned that with the ratification of IEC 62443, both industrial operators and suppliers would have better methods to more efficiently invest in such security expertise. Since then, updates to this international industrial controls standard have been published to move systems integration work forward.
Here are some common questions we hear from our customers about IEC 62443-2-4, and a perspective based on our experience in working with both standards bodies and operators to improve operational security:
What critical infrastructure standard has changed and how might I benefit?
The existing standard, IEC 62443, is focused on industrial automation and control systems security (IACS). The new section, Part 2-4 (IEC 62443-2-4) has added security program requirements for IACS service providers.
By working from specifications identified in this standard, operator organizations can better clarify what work areas they need to scope for industrial automation and control systems security improvements. With these standards to draw from, organizations can potentially avoid “one off” costs or variations in bids as they pursue critical infrastructure security expertise.
Specifically, IEC 62443-2-4 defines a standard set of security services (capabilities) for integration and maintenance activities, thus allowing asset owners to select those most appropriate for their sites. As a result, they can ask their integrators and maintenance contractors for standard requirements. Vendors can tailor their service offerings around these standard activities, rather than customizing their offerings specifically for each customer.
Is this a cyber security standard?
IEC 62443 standards are specific to industrial automation control systems, which are operational technology (OT) systems as opposed to IT systems. By hardening OT environments, risks such as unauthorized access to control systems, false commands to operating equipment, and read/write of proprietary device data can be minimized.
What kind of systems or equipment does IEC 62443-2-4 address?
IEC 62443-2-4 addresses the processes and activities used to install (integrate) and maintain industrial control systems and their components. These components can include workstations, controllers, and network devices.
Is this applicable to my organization? Who does this standard affect?
Anyone running critical services is likely to need hardened security to prevent disruption from attacks, accidents, and nation-state incidents. IEC 62443 provides standardization to help with critical infrastructure security, and IEC 62443-2-4 offers specific guidance to integrators and maintenance contractors.
Specifically, IEC 62443-2-4 is written for integrators and maintenance contractors performing industrial automation control systems security work. It also applies to those asset owners who choose to do their own integration and maintenance.
What should operators do with this standard?
Operators should first review this standard – either on their own or preferably with knowledgeable sources – and use it to select requirements for their own critical infrastructure security programs.
Subsequently, they should implement security hardening work, across the categories defined, to enforce their new policies.
What is my next step for adhering to this standard?
While IEC 62443-2-4 provides the “what” for addressing critical infrastructure security, by defining and standardizing integration and maintenance capabilities, your organization still needs to determine the “how and why” to define your own security program. This includes the subset of these capabilities applicable to your specific needs.
For example, IEC 62443-2-4 defines Critical Infrastructure Security categories including Architecture and Staffing, and provides detailed requirements for each, such as administration of network devices and data protection. Yet it does not define how you will set up your network devices and who will be allowed access, nor the type and strength of passwords you choose to use for data protection.
Initial standards work can begin quickly. Yet implementation of the appropriate parts of the standard to meet the customer’s requirement span more long-term time horizons. Specialized expertise can bring deep knowledge, discipline, and best practices for a more robust security posture. IEC 62443-2-4 brings much needed clarity to the integrator and maintenance areas.
In summary, protecting your infrastructure and services from disruption is an important priority, especially considering the increasing connectivity prevalent in operational environments. Standards can help distinguish what work types and expertise areas you can engage to improve your operations security posture.