IEC 62443: the essential standard for industrial cybersecurity
Published on: 29 07 2020 | Modified on: 02 12 2020
For many years, cyber risks in the industrial world seemed to apply only to sensitive areas such as the energy or nuclear sectors. However, recent cyberattacks have shown the reverse to be true: regardless of the nature of the operational networks and their scope of application, they can find themselves exposed to criminal digital acts at any time… and all the more so as they increasingly overlap with the world of IT. The IEC 62443 standard forms an automatic part of this discussion regarding the issue of cybersecurity in industrial installations. We explain why.
A common foundation for industrial cybersecurity
In 2007, the first standards specific to industrial cybersecurity were created, at the initiative of the ISA’s 99 committee. A few years later, the IEC 62443 international standard was born. It provides an in-depth cyberdefence benchmark for industrial systems of all kinds, whether employed by your local artisan chocolate producer, a water purification plant or a transport network. “A cyberattack, even on a small bottling plant, can result in disruptions to production; and consequently, a financial impact which in turn could potentially have fatal consequences for the company”, explains Khobeib Ben Boubaker, Head of Industrial Security Business Line at Stormshield.
Up until that point, there had been two standards: one was for information security management systems (ISO 27000), and the other for industrial safety (operational reliability and functional safety with IEC 61508 and sector-related standards). The IEC 624443 standard now serves as a link between these two environments, which are indeed seeing increasing convergence. It forms a virtuous circle for managing cybersecurity risks in industrial installations as a whole. However, this area of overlap between OT and IT is still a complex one. “The world of IT has a strong focus on confidentiality and integrity: in the case of suspected attacks; there is an immediate tendency to disconnect the system. A factory, by contrast, needs to maintain uninterrupted production, and has to deal with both human and environmental risks,” points out Fabien Miquet, Product and Solution Security Officer at Siemens.
The world of IT has a strong focus on confidentiality and integrity: in the case of suspected attacks; there is an immediate tendency to disconnect the system. A factory, by contrast, needs to maintain uninterrupted production, and has to deal with both human and environmental risksFabien Miquet, Product and Solution Security Officer at Siemens
However, the IEC 62443 standard is a set of recommendations; it is not binding upon either manufacturers or their critical infrastructure. This flexibility ensures that the standard can be adapted to the specific characteristics and contexts of critical installations. “The IEC 62443 standard is a useful cybersecurity benchmark for industrial installations, because it provides a common foundation. It can be used partially, depending on requirements, or be supplemented by another business standard. For example, IEC 61850 refers to electrical installations, which will take different practical forms in the context of a sub-station, a Smart Building, or a hospital”, Khobeib Ben Boubaker points out. This standard therefore seems to provide a necessary framework, especially as “the industrial world is very heterogeneous in terms of the number of different trades it encompasses, says Anthony Di Prima, Senior Manager at Wavestone. Components and systems will differ between, say, the worlds of chemistry and energy. The IEC 62443 standard incorporates a proposed harmonisation of best cyber practice for this fragmented market, which is used to operating inside closed systems. This standard enables a move towards greater interoperability, and with international scope.”
IEC 62443: what it's all about
The IEC 62443 standard consists of several documents – for informed audiences – grouped into four sections.
- “General 62443-1”: this first section groups together documents covering general concepts, terminology and methods. In particular, it defines a glossary;
- “Policies & procedures 62443-2”: this second section specifies structural measures, and is aimed at operators and maintainers of automation solutions. It also contains recommendations for corrections and updates to system components, in compliance with the specific characteristics of critical industrial infrastructure (IEC-62443-2-3);
- “System 62443-3”: this third section focuses on operational security methods for ICSs (Industrial Control Systems) – or rather, IACSs (Industrial Automation and Control Systems, not to be confused with SCADA), as the standard provides its own definition of command and control infrastructures. It provides an up-to-date assessment of the various cybersecurity tools, describes the method and resources for structuring their architecture into zones and channels, and provides an inventory of cyberattack protection techniques. In this way, it provides a means of segmenting IACSs into zones, based on equipment criticality levels (62443-3-2), yet with an understanding that these zones can then communicate with one another – whether by USB key, network cable or VPN link. It is certainly the most interesting part, in its in-depth examination of the components of a cyberdefence system;
- “Component 62443-4”: lastly, this fourth section is intended for manufacturers of command and control solutions: PLCs, monitoring systems, engineering stations and other switching equipment. This part describes the safety requirements for such equipment, and sets out best practice for product development.
“IEC 62443 is the most comprehensive standard on the market: it takes into account both pure IT security and operational reliability. It is pragmatic. In industrial environments, unlike office environments, you can't implement a cybersecurity system without taking operational reliability into account. That's one of the main reasons why the IEC 62443 standard really comes into its own when talking about the security of industrial IT systems,” Khobeib Ben Boubaker points out. So it’s vitally important to define the zones and channels of each industry’s infrastructure and the level of risk for each of these zones, and to apply the related security measures as defined in IEC 62443-3-3.
The seven fundamental requirements of the IEC 62443 standard should be added to this zone distribution:
- identify and authenticate all users (people, software processes and devices) before authorising access to a system;
- control use (enforce the privileges assigned to an authenticated user);
- ensure the integrity of data, software and equipment;
- ensure the confidentiality of information in data flows, and in data storage spaces;
- restrict unnecessary data flows;
- respond to attacks by informing the competent authority in a timely manner;
- and ensure that the system is resilient against a DDoS attack.
To address most of these security requirements, “the firewall is one of the most appropriate security measures. However, it needs to be optimised and hardened physically. A traditional firewall can't be deployed in a refinery or water network, because the physical constraints are not the same as in a traditional computer room. It needs to be able to withstand extremes of temperature, dust and electromagnetism,” explains Simon Dansette, Product Manager at Stormshield.
A plea for in-depth cyber defence
The principle of defence is the clear message that embodies the standard; it amounts in practical terms to ensuring that each sub-assembly of the system is secure. It stands in contrast to a perimeter-based view of system security. “A system's security must not be based on one single barrier,” Fabien Miquet says. And that’s why the IEC 62443 standard advocates this principle of defence in depth. Compliance with this standard is therefore an assurance of maturity in terms of cybersecurity.”
As an actor with a commitment to the protection of sensitive systems, Siemens was one of the first major groups to make use of the IEC 62443 standard to certify its development processes for automation and drive products, including industrial software. “The IEC 62443 standard is one of the only standards to cover security at an industrial level for not only an individual product, but a group of products – a system, a solution – and even the development process for the product. In addition, it is internationally recognised across the entire industrial sector: which is perfect for Siemens, whose activities cover diverse areas such as energy, health, pure industry (food, drink, etc.) and construction. That made it an obvious choice, Fabien Miquet continues. Siemens has around thirty IEC 62443-certified factories. We have a lot of confidence in this standard, as do our customers: and that ensures we're all on the same page.”
But it must not be forgotten that the industrial sector is a complex one: most factories lack maturity in terms of cybersecurity, particularly as a result of systems introduced for long periods of service (20 to 30 years, or even longer), which are becoming obsolete. For this reason, the challenge is not to set up cybersecurity systems for the processes operated by the factories of tomorrow; but rather, for those of the factories of today and yesterday. Changing machines and controllers would represent an expenditure of millions of euros – something likely not to be within many companies’ reach at the present time. Today, the important thing is to implement an initial level of cybersecurity before it ultimately becomes an essential requirement in the factory's development strategy.
IEC 62443: a constantly-evolving standard
Although the IEC 62443 standard was drafted several years ago, it is still ongoing. The standard is the fruit of working groups from the ISA (International Society of Automation), or more specifically, the GCA (Global Cybersecurity Alliance) ISA under the aegis of the IEC (International Electrotechnical Commission). “Like other standards, the IEC 62443 standard needs to be continually re-assessed, even during its development process. Regular updates are required, especially in an industrial environment. An environment – and more generally, a 4.0 industry – in which more and more objects communicate with the outside world, and in which sensitive subjects such as the IIoT, the cloud and even remote systems must be constantly re-examined,” says Anthony Di Prima. “The more new functions and new modes of operation there are, the more the standard will evolve; and as it does, so will its adoption rate: many domestic and international calls for tenders now make reference to the IEC 62443 standard. There has been a real trend in this direction over the last five years,” Khobeib Ben Boubaker says.
Indeed, developing “secure by design” products means thinking about cybersecurity from the start of the process. “The traditional approach of designing the product first, and considering security issues later, is now out of date. Cybersecurity is no longer an option: it has become an operational performance requirement in its own right,” concludes Fabien Miquet.