Procurement of secure plant components with IEC 62443
Secure OT operation starts already with procurement, we’re therefore looking into the relevance of procurement of secure industrial components with IEC62443 in this post. From the asset owner’s point of view, the IEC 62443-4 part is particularly important for the procurement process. This part addresses component manufacturers and the security capabilities of components. This includes on the one hand requirements for a secure development process (62443-4-1), as well as requirements on the technical security properties of industrial components (62443-4-2).
This article is intended to give a brief insight into the usage of 62443-4-2 and the definition of requirements based on the standard.
Overview of IEC 62443-4-2
Generally, the 4-2 standard is aimed at all industrial components, which are divided into four device categories:
- Embedded devices (e.g. PLC, sensors, DCS)
- Host devices (e.g. PC, workstation)
- Network devices (e.g. industrial routers / switches)
- Software applications (e.g. configuration software, historian software)
Requirements are divided into foundational requirements (FR), which define general component requirements (CR), as well as specific requirements for each device type (e.g. network device requirements).
Definition of requirements for the plant design
For this purpose, a risk analysis according to the process model of IEC 62443-3-2 should be performed, and based on the identified risks, a system design should be created. In order to mitigate the identified risks, the necessary requirements for the components can be derived. This set of requirements can be specifically defined using a selection of requirements (CR).
Based on the criticality and specific protection needs (e.g. legislation), the so-called security level (SL 1-4) should be defined for each component and the requirements adjusted accordingly. This list of requirements forms the basis for the procurement of components. Mature component vendors who align their products along with 62443-4 provide the requirements and security levels (SL-C) that can be achieved by their products. Of course, there will be cases in which different requirements cannot be met by a specific component – in this case, compensating measures should be planned and implemented to ensure the protection of the component and the system. The selection of components corresponding to the desired security level however forms already the basis for secure plant operation.
In the industrial environment, the IEC 62443-4 part is becoming more and more established, with numerous product certifications, including well-established vendors like Siemens, Phoenix Contact, Rockwell and Cisco.
Limes Security is specialized in the field of IEC 62443 standards and is happy to support you with achieving your desired security level through professional consulting.
Everything you need to know about the IEC 62443 standard
IEC 62443 is the security standard for operators, integrators and manufacturers in the industrial sector. It is a set of rules that is intended to provide adequate security for those who implement it.
Why is the ISO/IEC standard 62443 so important?
Why, one might ask, is there so much fuss about the ISO/IEC standard? Quite simply: in most cases this is about industrial plants that – if they fail – will have an immediate impact on the population. These include, of course, energy suppliers, health care, water suppliers and the manufacturing industry.
IEC 62443 consists of four sub-areas
IEC 62443-1 contains general concepts, terminologies and methods.
To this end, the first standard part defines what constitutes an industrial system at all and deals with the two “general prerequisites” which must be taken into account at all times.
- Support of the essential functions
Security measures shall not interfere with the basic functions of the industrial system.
- Compensation through countermeasures
If necessary, compensatory countermeasures must be taken. These are particularly important if a system (e.g. an legacy component) cannot implement certain security mechanisms itself (e.g. authentication) and is therefore protected by the function of another component (e.g. a firewall).
In addition, other important security concepts are described in more detail:
- Security goals
- Defense in depth
- Least privilege
- Risk analysis
- Supply chain security
IEC 62443-2 is aimed at plant operators and contains organizational measures and processes that are relevant as part of a defense in depth concept. The measures described are addressed to the operators themselves or to the organisation responsible for operation and maintenance. The standard parts 2-1 and 2-2 describe specifications and implementation recommendations for setting up an ISMS (Information Security Management System) for the OT (Operational Technology) area. The standard part 2-3 deals with topics in the area of patch management, the standard part 2-4 is intended as a vendor’s tray in which service providers find specifications for processes that can for example be demanded by an operator.
IEC 62443-3 addresses integrators. It deals with security-relevant requirements for the functional capabilities of automation systems. These can be found in the standard part 3-3 under the term “Foundational Requirements (FR)” and contain system requirements on the topics of identification and authentication, system integrity, restricted data flow or timely reaction to events.
Among other things, Part 3 also includes a technical report on current security techniques, in which topics such as authentication and authorization, encryption, remote access or monitoring and logging are addressed and placed in the context of industrial systems. Standard Part 3-2 describes a risk analysis and zoning process. The document describes procedures for dividing an industrial system into zones, assessing security risks, defining planned security levels and establishing security requirements.
Finally, IEC 62443-4 is aimed at manufacturers of hardware and software components for industrial plants. IT security is discussed as an integral part of the development process for these parts and the requirements and functional capabilities of the product are defined in the 4-1 standard part in order to prevent weak points. Ideally, this is already included in the development phase of a product, since the topic of a Secure Development Lifecycle with all related topics (called “Practices” in the standard) is dealt with extensively. In addition, standard part 4-2 contains an extension of the system requirements from IEC 62443-3-3, which deals with the particular features of the following component classes that are used in industrial solutions: Software applications, host devices, embedded devices and network components.
Within the standard, so-called security levels (SL 1-4) are presented, which describe an approach to specify the protection of a zone, a solution or a system.
Level 1 is the minimum requirement a system must meet to prevent accidental misuse. In Level 4, on the other hand, you are already in a high-security area, so to speak, which can only be achieved with considerable effort, but can then only be hacked with very high skills and motivation. From experience Limes Security can state that reaching level 3 is already an excellent security level.
Limes Security is a specialist in the field of ISO/IEC 62443 standards and is happy to support you in achieving your desired security level.
Read more about our #cooperation with TÜV.
We would be delighted to provide you with a comprehensive summary of the most important elements of the IEC 62443 standard in the form of an overview poster – simply send a short e-mail to firstname.lastname@example.org .