Avatar

Cyber attacks targeting industrial networks increased by 2000% from 2018 to 2019. Attacks on operational technology (OT) can interrupt production and revenue, expose proprietary information, or taint product quality. They can even put employees in harm’s way or damage the environment. Attacks on critical infrastructure—water, power, and transportation—can inflict devastating effects on the economy and public health.

Barriers to industrial cybersecurity

Securing industrial operations is now top of mind. But converting good intentions to action can be challenging, for two main reasons. First, industrial networks are often managed by OT teams that don’t have advanced cybersecurity skills. They might also be concerned that the IT team will take actions that reduce operational uptime. Unlike a 2-hour outage to an email server, whose costs are measured in lost productivity and annoyance, a 2-hour unplanned outage to an assembly line can bring output and revenue to a halt.

The other barrier is not knowing where to start. Industrial networks are very complex. Should you start by adding cybersecurity controls to the easiest systems to protect, for a quick win, or to the most critical systems? Does the bigger payoff come from segmenting the network? Detecting anomalous activity? Authorizing users? Something else?

Framework for stronger cybersecurity with nominal disruption

Fortunately, the International Society of Automation (ISA) put together the ISA99 set of standards for building secure industrial automation and control systems (IACS). The International Electrotechnical Commission (IEC) built on that work to introduce IEC 62443.

Some think the ISA/IEC 62443 set of standards is too detailed and complex. We at Cisco like it because it gives IT and OT common ground to work together. It’s a framework to implement industrial cybersecurity best practices step by step, for continuous improvement. The standard defines a secure network architecture, functional requirements, and guidelines to measure your maturity level for each requirement. OT contributes its knowledge about which assets need to communicate and how critical they are, and IT contributes its cybersecurity expertise and technology.

The standards lay out a four-step framework:

  1. Take an asset inventory. You can’t secure an asset unless you know it exists. The first step is for the OT team to list all assets and rank their criticality to operations. Invest the most in the most critical assets.
  2. Define zones. A zone is a group of devices with similar security requirements, a clear physical border, and the need to talk to each other (figure 1). Imagine a plant with one production line for welding and another for painting. There’s no need for the machines in the two lines to communicate, so all machines in production line 1 would be in one zone, and all machines in production line 2 would be in another. Segmenting the network into zones contains damage if the network is attacked.
  3. Define conduits. These are the communications links between zones that must talk to each other. In the plant floor example, both zones need to talk to a supervisory console. Call that zone 3. One conduit connects zone 1 and 3, and another connects zone 2 and 3. No need for a conduit between zones 1 and 2. Once IT and OT have defined zones and conduits, network deployment and security enforcement become straightforward.
IEC 62443 zones and conduits isolate threats
Figure 1: IEC 62443 zones and conduits isolate threats
  1. Add controls for each zone. Start with the zones containing equipment used for your most critical processes. For each zone, add controls as time and budget permits—for user control, data integrity, data confidentiality, restricted data flow (that’s where conduits come in), timely response to security events, and maintaining resource availability during denial-of-service attacks. The IEC 62443 defines four levels of maturity for zones. At a given time, some of your zones might be at maturity level 1 (most basic) while others are at levels 2, 3, 4, or 5 (most mature).

Significantly, the IEC 62443 doesn’t call the highest maturity level “mature” or “advanced.” Instead, the highest maturity level is “improving,” highlighting the fact that cybersecurity is never done. To stay ahead of ever-more-sophisticated attacks, OT and IT teams should plan to continually strengthen protection.

How to get started

Implementing ISA/IEC 62443 requires asset visibility, defining zones and conduits, and assigning controls to zones. IT and OT can do this collaboratively using Cisco Cyber Vision, as described in this blog.

I have summarized the main points of the ISA/IEC62443 standards in this short white paper. Have a look and let’s beef up your industrial security posture.

For more technical reports on IoT/OT Security

Visit IoT Security Research Lab

Subscribe to the Cisco IoT Security Newsletter



Authors

Antoine Amirault

Engineering Leader, IoT Security

Cisco IoT