OT Security
15.Feb.2023

An Imminent Task in 2023: How to Protect OT Systems with IEC 62443-2-4 & 3-3

With the proactive engagement by the manufacturing sector in digital transformation, the line between operational technology (OT) and information technology (IT) has been blurring in recent years. As a result, the manufacturing sector has suffered more and more cyberattacks on industrial control systems (ICS), leading to incidents such as operational interruptions and production shutdowns. As one of the global manufacturing hubs, Taiwan has to fortify its OT security immediately to address supply chain attacks, which have become even more complex in 2023. Enterprises should also formulate security guidelines for internal personnel in accordance with the IEC 62443 standard, building a solid foundation for ICS security.
 

IACS service providers are required to propose a security plan in accordance with IEC 62443-2-4

The so-called industrial automation and control systems (IACS) consist of different hierarchy levels: field devices (Level 0); industrial controllers such as PLCs or IPCs (Level 1); monitoring systems, including SCADA and MES (Levels 2 to 3); and IT (Level 4). Between Levels 3 and 4, there is a red boundary called Industrial Demilitarized Zone (IDMZ), similar to the DMZ separating Internet and Intranet in enterprises. IDMZ, however, aims to separate the levels of IT and OT. For example, when updating OT equipment or IACS-related data from the IT level, enterprises usually set up mechanisms in the IDMZ.

To pursue smart manufacturing as well as automatic control and monitoring systems, the OT environment is now connected to the internet. For that reason, the global industrial IoT (IIoT) is exposed to several malicious threats, including distributed denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, malware, and data tampering in AIoT devices, and sometimes even advanced persistent threats (APT) and supply chain attacks. In response to these threats, IEC 62443-2-4 and IEC 62443-3-3 can be considered the applicable cyber security standards.

There are 12 domains in IEC 62443-2-4:
  1. Building a solutions-oriented team
  2. Ensuring the direct correlation between the solutions and the security strategy
  3. Creating a security framework in the OT environment via risk assessment and modeling
  4. Security requirements for wireless networks
  5. Requirements for safety instrumented systems (SIS)
  6. Configuration management requirements for industrial automation solutions
  7. Related requirements for remote access
  8. Requirements for event processing
  9. Requirements for account management
  10. Protection against malware
  11. Patch management
  12. Backup/restore

Here are some useful examples of IEC 62443-2-4 provided by Onward Security. SP.07.01 in IEC 62443-2-4 refers to the security tools and software requirements concerning remote access. That is, IACS service providers should be able to ensure that all remote access applications used in automation solutions can be trusted, have passed the inspections, and are accepted by security and industrial automation communities. As for SP.07.02, service providers must deliver detailed instructions for installing, configuring, operating, and terminating remote access applications used in automation solutions.
 

Upgrading the ICS security level in accordance with IEC 62443-3-3

IEC 62443-3-3, used for standardizing system security requirements and classification, comprises plenty of control items. The protection levels are categorized as SL1 to 4, referring to different levels of capability to counter threats.

For proper assessment, IEC 62443-3-3 defines three types of security levels:
  1. Achieved security level (SL-A) is the level the system actually reaches as deployed
  2. Capability security level (SL-C) is the level that a control system is capable of providing
  3. Target security level (SL-T) is the level of security you want to achieve

Take the assessment of a factory’s cyber security level, for example. We must go through the risk assessment procedures first. In doing so, we are allowed to identify the security level of its structure and communication channels and measure the gap between the goal and the current situation. Finally, we can choose a suitable control plan or process to achieve the expected security level.

It is worth noting that during the design and implementation of IACS control measures, the limiting factors differ greatly from those of an ordinary IT environment. Therefore, consideration should be given to whether it would impact the availability and integrity of the OT environment. Take the IT environment, for example. The account is usually locked after several login failures to prevent brute-force attacks. However, this method does not apply to the OT environment to avoid system interruption. In a nutshell, any security records or control measures planned in an OT environment are not allowed to affect essential functions adversely.
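The lockout contrast above, as an added example that is not part of the original article: the same failed-login counter under an IT policy that locks the account after several failures and under an OT policy that never removes an operator's access but throttles retries and records the event for the security team. The thresholds, delays and sample attempts are constructed for illustration.

```python
# Added example (not the article's code): IT-style lockout vs an OT-safe policy that
# keeps essential functions available while still producing a security record.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FailurePolicy:
    lock_after: Optional[int]  # None = never lock (OT: operator access must survive an attack)
    base_delay: float          # seconds added per consecutive failure (0 = no throttling)
    alert_after: int           # emit a security event after this many consecutive failures


IT_POLICY = FailurePolicy(lock_after=5, base_delay=0.0, alert_after=5)   # constructed
OT_POLICY = FailurePolicy(lock_after=None, base_delay=0.5, alert_after=3)  # constructed


@dataclass
class AuthGuard:
    policy: FailurePolicy
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    events: list = field(default_factory=list)  # what the SOC / event log would receive

    def record(self, user: str, ok: bool):
        """Update state after one login attempt; return (allowed_next_try, delay_seconds)."""
        if user in self.locked:
            return False, 0.0
        if ok:
            self.failures.pop(user, None)  # success resets the consecutive-failure count
            return True, 0.0
        n = self.failures[user] = self.failures.get(user, 0) + 1
        p = self.policy
        if n >= p.alert_after:
            self.events.append(f"repeated auth failure user={user} count={n}")
        if p.lock_after is not None and n >= p.lock_after:
            self.locked.add(user)  # IT policy: access removed, which an OT console cannot afford
            self.events.append(f"account locked user={user}")
            return False, 0.0
        # OT policy: slow the attacker down, but cap the delay so the operator is never starved
        return True, min(p.base_delay * n, 5.0)


def replay(policy: FailurePolicy, attempts):
    """Run a constructed sequence of (user, ok) attempts and return the resulting guard."""
    guard = AuthGuard(policy)
    for user, ok in attempts:
        guard.record(user, ok)
    return guard
```

Under the OT policy the caller sleeps for the returned delay before the next prompt; the events list is what feeds the security record that IEC 62443-3-3 still expects.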

Specifically, IEC 62443-3-3 contains seven foundational requirements (FR1 to 7): identification and authentication control, usage control, system integrity, data confidentiality, data flow restrictions, timely response, and resource availability. Take SR 1.1 of FR1, for example. It requires the control system to have the capability to identify and authenticate all human users. The three levels of requirement enhancements (RE) for this capability are as follows:
  1. Identify and distinguish every unique human user
  2. Perform multi-factor authentication for untrusted networks
  3. Perform multi-factor authentication for all networks

The RE 3 requirement mentioned above treats all networks as untrustworthy, which is also known as the Zero Trust model promoted by various sectors. For that reason, multi-factor authentication must be implemented, requiring a combination of at least two of the following factors: apps, biometrics, OTP, hardware tokens, and location-based authentication.
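The gap measurement described in the assessment procedure above and the SR 1.1 enhancement ladder, carried through as an added example that is not part of the original article: an SL-T vector from a risk assessment is compared against the system's SL-C vector per foundational requirement, and the FR1 target is mapped to the SR 1.1 enhancements it pulls in. The SL vectors are constructed sample values; the RE-to-level mapping (RE 1 from SL 2, RE 2 from SL 3, RE 3 from SL 4) follows IEC 62443-3-3.

```python
# Added example (not the article's code): SL-T vs SL-C gap analysis across the seven
# foundational requirements, plus the SR 1.1 enhancements a given FR1 target requires.
FOUNDATIONAL_REQUIREMENTS = (
    "FR1 identification and authentication control",
    "FR2 usage control",
    "FR3 system integrity",
    "FR4 data confidentiality",
    "FR5 data flow restrictions",
    "FR6 timely response",
    "FR7 resource availability",
)

# SR 1.1 requirement enhancements keyed by the lowest security level that requires them
# (the base SR 1.1 requirement itself applies from SL 1 upward).
SR_1_1_ENHANCEMENTS = {
    2: "RE 1: identify and distinguish every unique human user",
    3: "RE 2: multi-factor authentication for untrusted networks",
    4: "RE 3: multi-factor authentication for all networks",
}


def sl_gap(sl_t, sl_c):
    """Return {FR: shortfall} for each FR where capability (SL-C) falls short of target (SL-T)."""
    if len(sl_t) != 7 or len(sl_c) != 7:
        raise ValueError("an SL vector has exactly one entry per foundational requirement")
    for level in (*sl_t, *sl_c):
        if level not in range(0, 5):
            raise ValueError("security levels range from SL 0 to SL 4")
    return {fr: t - c for fr, t, c in zip(FOUNDATIONAL_REQUIREMENTS, sl_t, sl_c) if t > c}


def sr_1_1_required(target_fr1):
    """List the SR 1.1 enhancements that must be in place to reach the FR1 target level."""
    return [re for level, re in sorted(SR_1_1_ENHANCEMENTS.items()) if target_fr1 >= level]


if __name__ == "__main__":
    sl_t = (3, 2, 3, 2, 2, 3, 3)  # constructed target vector from a risk assessment
    sl_c = (2, 2, 3, 1, 2, 1, 3)  # constructed capability vector of the deployed system
    for fr, gap in sl_gap(sl_t, sl_c).items():
        print(f"{fr}: short by {gap} level(s)")
    for re in sr_1_1_required(sl_t[0]):
        print("FR1 target needs", re)
```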

According to Onward Security, it is insufficient for enterprises pursuing ICS cybersecurity to adopt IEC 62443-2-4 and IEC 62443-3-3 only. They should further build a cyber security management system (CSMS), creating a consistent information security management framework that covers both IT and OT. Such a framework involves ISO 27001 domains, including cyber security policy, organization, asset management, identity authentication and access control, and data flow protection. It also involves IEC 62443 domains, including OT security management related to personnel, data, processes, systems, and components. In addition, to prevent a CSMS failure from taking down the whole system, a high availability (HA) architecture can be set up at the critical convergence point between IT and OT to avoid a single point of failure (SPOF).

By complying with IEC 62443, enterprises can greatly reduce their cybersecurity risk. Onward Security has successfully assisted Advantech, D-Link, and other well-known ICS and network communication clients to adopt the secure software development lifecycle (SSDLC) and obtain the IEC 62443 certificate. As the first Taiwanese cybersecurity services provider (CSSP) to obtain the IEC 62443 CBTL qualification, Onward Security can provide comprehensive localized services, including IT/OT cybersecurity compliance consulting, technical support, and product testing, helping customers obtain international certifications more swiftly and meet increasingly stringent cyber security requirements.