The virtual event ‘Securing Your Automation and Controls Using ISA/IEC 62443’ was held over a four-week period in late 2020, hosted by Saudi Aramco and ISASecure, the cyber security arm of the International Society of Automation.
Dan DesRuisseaux (Schneider Electric) and Kevin Staggs (Honeywell) offered a supplier’s perspective of the complex, evolving cyber security regulatory environment that differs from country to country and even state to state. Regulations are likely to be a major influencer on cybersecurity* in the near term and regulatory demand leads to customer demand. There are 11 different state regimes in the US with varied definitions and requirements. Multiple standards are being created in China, and the relationship between all of the above is unclear. Today’s regulatory disharmony is not going to change in the foreseeable future as cyber nationalism predominates over international standardization.
Customer requirements are likely to specify a plethora of standards and protocols. Certification to a particular IEC 62443 security level has been a commercial differentiator in the past. This is now changing with increased customer demand and looming regulatory requirements. The number of certified offerings has steadily increased over time and the authors expect ‘continued acceleration’.
The reason for the change is the increased risk from the advanced persistent threat (APT), where an actor gains unauthorized access to the network and remains undetected while gathering intelligence or preparing sabotage. Equipment vendors typically subscribe to threat intelligence platforms which provide APT details that can be used to harden their kit. One recent APT example, Dragonfly 2.0 (with Berserk Bear and Dymalloy), has targeted the US energy sector by spear phishing attacks on the supply chain. Such APT risk can be mitigated by firmware signing, code signing, device genuineness and secure boot. Of course, internal IT policies and training also play a role in educating users against phishing.
Of increasing interest is cyber risk insurance. Coverage assessments help companies discover cyber risks, and conditional coverage forces clients to address gaps in order to get reasonable coverage terms. The more operators undergo the underwriting process, the sooner cybersecurity baselines will emerge. Access to meaningful cybersecurity insurance at affordable rates becomes a motivator to continuously improve cybersecurity performance.
* Not so much for the hackers!
William Goble (Exida) gave an overview of IEC 62443, the ‘global’ automation cybersecurity standard. The standard has four levels – general terminology, policies and procedures, system-level security and component-level. The focus is operational technology as opposed to IT. Different parts of the IEC stack will be addressed by different communities, from product/device supplier through system integrator to operator. IEC 62443 addresses network robustness testing to demonstrate safe and correct operation. Products and systems must have cybersecurity protection mechanisms. Engineering processes must be defined and documented to minimize design errors. A certification methodology is available for the various aspects of the standard. This can be self-certified by the manufacturer or (better) by an accredited third party, such as Exida, the ‘first ISA Secure-accredited cybersecurity certification body’.
Camilo Gómez (Yokogawa) explained how OPAS (a.k.a. OPAF*), The Open Group/ExxonMobil process control standard, is approaching cyber security. OPAS is to leverage existing industry standards ‘whenever possible and practical’. OPAS components are expected to meet or exceed the security requirements of the system owner. OPAS ‘shall allow’ for the development of OPAS components using secure programming practices and restrictions. OPAS has defined standards for components at the IEC 62443 SL2 Security Level. OPAS leverages a combination of OPC UA, Redfish and IEC 62443 security mechanisms (OPC UA and Redfish have been mapped to IEC 62443-4-2). Gómez stated that OPAS is ‘moving away from the device mentality’ and asked ‘are external certifications ready for OPAS component types/products?’ OPAS is currently evaluating external certification against certification by The Open Group. ISASecure involvement in OPAS certification appears likely as OPAF has signed a memorandum of understanding with ISASecure in a ‘commitment to cooperate on a component cybersecurity assessment/testing program’. This will dovetail with the relevant OPAS specifications and associated certification program. ISASecure is to assess the security conformance of OPAS products using IEC 62443-derived certification specifications.
* OPAS is the Open Process Automation Standard that is managed by OPAF, The Open Group’s Open Process Automation Forum.
ISASecure, a.k.a. the Security Compliance Institute of the International Society of Automation, is an operating unit of the ISA’s Automation Standards Compliance Institute. Members include Aramco, Exxon, Chevron and YPF.
The ISA Global Cybersecurity Alliance is a collaborative forum to advance cybersecurity awareness, education, readiness, and knowledge sharing. The objectives of the ISA Global Cybersecurity Alliance include the acceleration and expansion of standards, certification, education programs, advocacy efforts, and thought leadership.
ISA Security Compliance Institute (ISCI), a not-for-profit automation controls industry consortium, manages the ISASecure conformance certification program. ISASecure independently certifies industrial automation and control (IAC) products and systems to ensure that they are robust against network attacks and free from known vulnerabilities.
Securing Your Automation and Controls Using ISA/IEC 62443 event home page.
© Oil IT Journal - all rights reserved.