Lifecycle Requirements for Industrial Systems #Part 1 “Automated vulnerability testing”

In the area of ISO/IEC 62443-4-1 (Secure product development lifecycle requirements), so-called vulnerability tests are indispensable. In the 4-1 standard, this is defined under ‘Practice 5 – Security verification and validation testing’ in the requirement ‘SVV-3 Vulnerability testing’.

The process of “Vulnerability Testing” requires that at least the following areas are considered:

  • Unexpected malicious input: Tests should be performed to identify vulnerabilities generated by unexpected input. All external interfaces should be tested. Fuzzing tools are used for this purpose.
  • Attack surface analysis: The attack interface should be analysed regularly to identify all incoming and outgoing connections. In addition, it should be determined whether unplanned services are running or whether the active services have the correct rights.
  • Blackbox tests: So-called blackbox tests are designed to identify and remove known system vulnerabilities. Automated vulnerability scanners can be used for this purpose.
  • Compiled software tests: If compiled program parts are available, the executable data must be checked. At least known vulnerabilities, known vulnerable libraries and compiler settings must be checked.
  • Dynamic runtime tests: Dynamic tests are necessary to identify vulnerabilities that cannot be identified by static code analysis tests. Among other things, possible DoS attacks, memory leaks and similar vulnerabilities are to be identified. These tests are to be implemented, if it is possible with tools.

One tool is not sufficient to cover this extensive portfolio. Rather, a combination of different types of tools is required.

  • Fuzzing Tools: The use of a fuzzing software makes sense for testing the unexpected harmful input. Fuzzing software generates semi-random data that can be used as input parameters.
  • Service Scanner: To analyze the attack surface, it is recommended to use a service scanner that is able to identify services and confirm that they are up-to-date.
  • Vulnerabilities Scanner: For black box testing, it makes sense to use an automated testing tool to identify known vulnerabilities.

Limes Security recommends

Companies use different analysis tools to comply with the ISO/IEC 62443-4-1 standard in the SVV-3 requirement. Which ones exactly can be found in part #2 in one of the next blogposts.

 



Should you encounter any inconsistencies or requirements in your company that cannot be handled alone, the IT/OT specialist team at Limes Security is at your disposal – call us today!

 

Everything you need to know about the IEC 62443 standard

IEC 62443 is the security standard for operators, integrators and manufacturers in the industrial sector. It is a set of rules that is intended to provide adequate security for those who implement it. 

Why is the ISO/IEC standard 62443 so important?

Why, one might ask, is there so much fuss about the ISO/IEC standard? Quite simply: in most cases this is about industrial plants that – if they fail – will have an immediate impact on the population. These include, of course, energy suppliers, health care, water suppliers and the manufacturing industry.

IEC 62443 consists of four sub-areas

IEC 62443-1 contains general concepts, terminologies and methods.
To this end, the first standard part defines what constitutes an industrial system at all and deals with the two “general prerequisites” which must be taken into account at all times.

  • Support of the essential functions
    Security measures shall not interfere with the basic functions of the industrial system.
  • Compensation through countermeasures
    If necessary, compensatory countermeasures must be taken. These are particularly important if a system (e.g. an legacy component) cannot implement certain security mechanisms itself (e.g. authentication) and is therefore protected by the function of another component (e.g. a firewall).

In addition, other important security concepts are described in more detail:

  • Security goals
  • Defense in depth
  • Least privilege
  • Risk analysis
  • Supply chain security

IEC 62443-2 is aimed at plant operators and contains organizational measures and processes that are relevant as part of a defense in depth concept. The measures described are addressed to the operators themselves or to the organisation responsible for operation and maintenance. The standard parts 2-1 and 2-2 describe specifications and implementation recommendations for setting up an ISMS (Information Security Management System) for the OT (Operational Technology) area. The standard part 2-3 deals with topics in the area of patch management, the standard part 2-4 is intended as a vendor’s tray in which service providers find specifications for processes that can for example be demanded by an operator.

IEC 62443-3 addresses integrators. It deals with security-relevant requirements for the functional capabilities of automation systems. These can be found in the standard part 3-3 under the term “Foundational Requirements (FR)” and contain system requirements on the topics of identification and authentication, system integrity, restricted data flow or timely reaction to events.
Among other things, Part 3 also includes a technical report on current security techniques, in which topics such as authentication and authorization, encryption, remote access or monitoring and logging are addressed and placed in the context of industrial systems. Standard Part 3-2 describes a risk analysis and zoning process. The document describes procedures for dividing an industrial system into zones, assessing security risks, defining planned security levels and establishing security requirements.

Finally, IEC 62443-4 is aimed at manufacturers of hardware and software components for industrial plants. IT security is discussed as an integral part of the development process for these parts and the requirements and functional capabilities of the product are defined in the 4-1 standard part in order to prevent weak points. Ideally, this is already included in the development phase of a product, since the topic of a Secure Development Lifecycle with all related topics (called “Practices” in the standard) is dealt with extensively. In addition, standard part 4-2 contains an extension of the system requirements from IEC 62443-3-3, which deals with the particular features of the following component classes that are used in industrial solutions: Software applications, host devices, embedded devices and network components.
Within the standard, so-called security levels (SL 1-4) are presented, which describe an approach to specify the protection of a zone, a solution or a system.
Level 1 is the minimum requirement a system must meet to prevent accidental misuse. In Level 4, on the other hand, you are already in a high-security area, so to speak, which can only be achieved with considerable effort, but can then only be hacked with very high skills and motivation. From experience Limes Security can state that reaching level 3 is already an excellent security level.

Limes Security is a specialist in the field of ISO/IEC 62443 standards and is happy to support you in achieving your desired security level.
Read more about our #cooperation with TÜV.
We would be delighted to provide you with a comprehensive summary of the most important elements of the IEC 62443 standard in the form of an overview poster – simply send a short e-mail to office@limessecurity.com .