Introduction to the IEC 62443 Guide for Cyber Systems

Industrial control and automation systems are constantly expanding in the digital space as power plants increase their capacity to meet future needs. Expansion and interconnection with external systems and networks, like cloud and third-party systems, make the system vulnerable to external attacks. These systems have become more complex and distributed in nature than conventional OT/IT systems.

The IEC-62443 is a framework particularly covering the critical infrastructure and assets by protecting and securing the industrial automation and control systems across the entire system life cycle of product development. The framework clearly states and promotes the multilayer of security measures to protect the control system.

 

Defining OT vs. IT

The industrial control system has three main stakeholders, often termed as roles: Who manufactures the equipment (the manufacturer), who builds the complete system and solution (the system integrator), and who ultimately runs and operates the plant (the asset owner).

For this reason, strong and dynamic cybersecurity measures become more important for each role. The commitment to providing a secure solution to the industry users, partners, and regulatory bodies is illustrated by the coordination between the asset owner, product supplier, and system integrator to uphold the IEC-62443 framework.

 

Figure 1. While they share many similar terms and devices, IT and OT have inherently different priorities. Image used courtesy of Adobe Stock

 

The information technology (IT) system encompasses laptops, servers, computers, smartphones, databases, and the cloud, which today is used to manage and store data online.

IT differs from operational technology (OT) in many aspects. The OT system includes PLCs, RTUs, controllers, IEDs, digital relays, metering systems, vibration systems, HMIs, and control systems that are deployed in the plant facilities to control and operate physical processes and real-world electrical equipment like generators, rotors, transformers, and breakers/isolators. Every plant has a different infrastructure and technology; as you can imagine, the control system for a steel manufacturing plant is quite different from that of a substation automation switchyard.

 

IT and OT Security Triad

When we talk about cybersecurity in IT, we often refer to the acronym CIA: confidentiality, integrity, and availability. Let's quickly describe these three terms of the IT/OT security focus:

 

Confidentiality

Only authorized users or services are allowed to access particular resources and information. For example, consider a user or service wanting to access the database, so security mechanisms such as authentication and role-based authorization are deployed in order to grant access to authorized users only and block unauthorized users.

 

Integrity

In simple words, we must prevent tampering with or changing of information, or the erasure of critical records. Some of the applications include digital signatures and access controls to control data modification.

 

Availability

Authorized users must have access to resources, like servers or services, in a way that they need. A “denial of service attack” is one example, which compromises the system's availability.

 

Figure 2. Cyber triad as it appears for OT frameworks.

 

OT Availability

For OT networks, the triad is typically represented in a reverse direction, or AIC. The attributes are the same as for the IT triad, but the priority order is changed. For industrial controls, the primary goal is availability: keeping the system or physical process in service, like a generator transformer, grid, or control system, in a running state.

 

OT Integrity

The data must be accurate and consistent. For example, an incorrect wicket gate or limit position on the governor control system may lead to the unit tripping.

 

OT Confidentiality

This attribute is less prioritized in the OT system. Many old legacy systems are still using legacy protocols, like Modbus RTU/ASCII, which lack data security features. OT systems are designed for availability, reliability, and safety purposes, leaving data confidentiality as an afterthought.

 

Industrial Automation and Control System (IACS)

The components that make up the control system are categorized in four ways:

• Embedded devices, like PLCs, field devices, RTUs, controllers, and IEDs
• Host devices (workstations and servers)
• Network devices (switches, firewalls, routers)
• Software applications (GUI applications, historians, web servers, database services, etc.)

The aforementioned components are used to build the complete control systems. Control systems are hardware and software components of industrial automation and are usually referred to as SCADA and DCS.

 

ISA/IEC 62443 Framework

Like never before (at least for industrial control systems), cybersecurity is now a core component of any IACS. Knowledge of this framework, whether as an end-user, supplier, or product manufacturer, is absolutely essential.

The IEC 62443 was developed by the ISA 99 committee and later adopted by the IEC. Those two renowned standards development organizations, the ISA (International Standards for Automation) and IEC (International Electrotechnical Commission), closely work on the IEC 62443 standard, which is specific to ICS cybersecurity.

The ISA/IEC standard defines the roles of organizations, policies, and processes. The ISA/IEC 62443 Framework is a four-tier framework and has the following sections, denoted by suffixes 1 to 4. All sections have multiple sub-sections as shown in Figure 2.

 

General

This section gives an overview of the framework and defines the terminologies, concepts, and abbreviations.

 

Policies & Procedures

This section provides guidelines for creating and maintaining a secure industrial control system by adopting security policies and risk management. This is helpful for the asset owner.

 

System

The system standard section guides by including the cybersecurity technologies and methods for IACS. This section is quite relevant to system integrators.

 

Components

This section covers industrial life cycle development for products and components, and is primarily intended for device manufacturers.

 

Figure 3. IEC 62443 framework for securing critical OT infrastructure.

 

Certification and Career Paths for SCADA Engineers

As an asset owner, whether you are buying a complete turnkey solution or a standalone individual component like a relay, gateway, or PLC, the IEC 62443 standard covers all industries and is a globally applicable standard for almost every sector or service. There are also other frameworks, NERC CIP, NIST, and ISO 27001; the common purpose of all these is to enhance security for industrial systems.

The benefits of skills, training, and certification are relevant anywhere. The IEC 62443 certification opens the door to new opportunities and verifies skillset credibility with employers. There are many great online resources and topics to learn about the standard. The first one is the official site of the ISA (International Society of Automation), which contains a generic overview of the ISA IEC 62443 standard. The official standards, documents, and reports can also be found on the page. The ISA offers a multiple level certifications from basic fundamentals to expert level.

 

Figure 4. Certifications offered by ISA. Image used courtesy of ISA

 

The good thing is that there is no formal prerequisite in order to pursue the certification, but, of course, having a few years of control and instrumentation background can make the certification path much easier.