The Internet of Things on AWS – Official Blog

Guidance on using ISA/IEC 62443 for IIoT projects

Introduction

With the increasing proliferation of Industrial Internet of Things (IIoT) systems and cloud services for innovation and digital transformation, government agencies and industrial customers are faced with protecting an expanding attack surface. The ISA/IEC 62443 series of standards was written before IIoT technologies were common but provides a strong basis for securing these environments. In this blog, we discuss the ISA/IEC 62443 standards, what is changing in them, and the certifications that support the use of IIoT in Industrial Automation and Control Systems (IACS).

Background

The ISA/IEC 62443 series of standards is developed jointly by ISA99 and IEC to address the need to design cybersecurity robustness and resilience into IACS. The goal in applying the 62443 series is to improve the safety, availability, integrity, and confidentiality of components or systems used for industrial automation and control. In addition, the standards provide criteria for procuring and implementing secure industrial automation and control systems. Conformance with the requirements of the 62443 series is intended to improve cybersecurity and help identify and address vulnerabilities, reducing the risk of compromising confidential information or causing degradation or failure of the equipment (hardware and software) of the processes under control. The 62443 series builds on established standards for the security of general-purpose information technology (IT) systems (e.g., the ISO/IEC 27000 series), identifying and addressing the important differences present in IACS. Many of these differences stem from the reality that cybersecurity risks in IACS may have Health, Safety, or Environment (HSE) implications, so the response should be integrated with other existing risk management practices.

ISA/IEC 62443 is “consensus-based,” comprehensive, and widely used across industries. Today, the growing availability of IIoT has widened the array of technologies and methodologies available for use in industrial automation environments. This growth increases the attack surface, which in turn increases the risk of compromise in these environments. To secure environments that use IIoT in IACS, a thorough understanding of the IACS cybersecurity lifecycle is beneficial. The ISA/IEC 62443 series provides a risk-based, defense-in-depth, performance-based approach that can assist asset owners and their service providers in navigating the use of IIoT in industrial automation and control systems.

Understanding the ISA/IEC 62443 Standards

ISA/IEC 62443, officially ANSI/ISA/IEC 62443, is a set of standards and technical reports that deal with industrial cybersecurity. Holistically, ISA/IEC 62443 is designed to help asset owners (end users), system integrators, and manufacturers reduce the risk of deploying and operating an IACS. Figure 1 shows the parts of this multi-part standard.

Figure 1: ISA/IEC 62443 documents (Courtesy of ISA)

These documents are arranged in four groups, corresponding to the primary focus and intended audience/role. It’s helpful to consider the structure of these standards and how the hierarchy defines the roles and responsibilities for providing a robust IACS security posture.

  1. General – This group includes documents that address topics that are common to the entire series.
  2. Policies and Procedures – Documents in this group focus on the policies and procedures associated with IACS security.
  3. System Requirements – The documents in the third group address requirements at the system level.
  4. Component Requirements – The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products.

The benefit of these standards is that asset owners can more easily (than on their own) define a required security level that corresponds to a specific threat level, a measure that provides tighter security controls for higher-risk functions. The benefit for service providers is that the standards provide clear, explicit language for the requirements specified by the end user. And the benefit for product or component manufacturers is that they can more clearly describe the functionality of their products (from a security perspective) and differentiate themselves competitively, all of which is better than simply providing a long list of security features.

PERA model and ISA TR 62443-4-3 (draft)

Today, with the growing use of IIoT in Operational Technology (OT) environments, the standards need to be updated to support IIoT. Even though the standards were written before IIoT technologies were common, most concepts remain applicable or can be adapted for that environment. ISA99 Working Group 9 published the Technical Report ISA TR 62443-4-3 (draft), which IEC calls IEC PAS 62443-4-3 (draft), addressing the use of IIoT technology in IACS.

Previously, the Purdue Enterprise Reference Architecture (PERA), popularly referred to as the Purdue Model, was used as a reference model for IACS. That model was rooted in several assumptions about technology and connections that IIoT technology can upset. With the advent of IIoT technology, the norms of the PERA model have been blurred, as conventional thinking about physical network segregation and levels of functionality is changed by the internet-connected nature of IIoT technology. IIoT technology has not rendered the model’s illustration of functionality obsolete, but it has blurred the network architecture analogy made during the 1990s about where these functionalities can reside. For example, in that model, the devices at Level 0 (the field level) were not as smart and had no direct connectivity to external systems. Today, however, a small temperature or vibration sensor can itself be an IIoT device that connects to the cloud directly, bypassing all higher levels of the PERA model. The PERA model was used to describe the functionality of existing IACS, but it came to be used as a model for implementing a secured architecture, which was not originally envisaged.

Figure 2: IIoT upsets the traditional Purdue (PERA) model (Adapted from ISA/IEC 62443-4-3 (draft))

The blog post Assessing OT and IIoT cybersecurity risk provides an example of zones and conduits in IACS with IIoT systems and discusses how asset owners can use ISA/IEC 62443-3-2, Security Risk Assessment for System Design. Partitioning the System Under Consideration (SUC) into separate zones and conduits is a key step in the risk assessment process. The intent is to identify the assets that share common security characteristics in order to establish a set of common security requirements that reduce cybersecurity risk. Partitioning the SUC into zones and conduits can also reduce overall risk by limiting the impact of a cyber incident. Zone and conduit diagrams can assist in detailed IIoT cybersecurity risk assessments: they help in identifying threats and vulnerabilities, determining consequences and risks, and providing remediations or control measures to safeguard assets from cyber events.
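As an added illustration (not code from the post or from the standard), the following Python script models a small SUC as zones and conduits and lists the conduits an assessor would want to examine first, including a Level 0 IIoT sensor that talks straight to the cloud as described above. The zone names, the SL-T values, the placement of the cloud at PERA level 5, and the two checks are assumptions made for this example.

```python
# Constructed example: a zone-and-conduit model of a System Under Consideration (SUC)
# with IIoT devices, plus two simple pre-assessment checks. Zone names, SL-T values,
# the cloud's PERA level and the check thresholds are assumptions, not standard text.
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    pera_level: int  # PERA (Purdue) level where the zone's assets traditionally sit
    sl_target: int   # Security Level Target (SL-T) chosen by the asset owner, 0..4

@dataclass(frozen=True)
class Conduit:
    name: str
    src: str         # source zone name
    dst: str         # destination zone name
    protocol: str
    encrypted: bool  # whether the conduit protects data in transit

def conduit_sl_target(conduit, zones):
    """Assumed rule: a conduit needs at least the higher SL-T of the two zones it joins."""
    return max(zones[conduit.src].sl_target, zones[conduit.dst].sl_target)

def assess(zones, conduits):
    """Return (conduit, finding, detail) tuples for conduits that need attention."""
    findings = []
    for c in conduits:
        src, dst = zones[c.src], zones[c.dst]
        # Joins zones more than one PERA level apart, e.g. a Level 0 sensor going straight to the cloud.
        if abs(src.pera_level - dst.pera_level) > 1:
            findings.append((c.name, "bypasses_levels",
                             f"L{src.pera_level}->L{dst.pera_level}"))
        # Unencrypted although its assumed SL-T is 2 or higher (threshold chosen for the example).
        if conduit_sl_target(c, zones) >= 2 and not c.encrypted:
            findings.append((c.name, "plaintext_conduit", c.protocol))
    return findings

def example_suc():
    """Constructed SUC: a plant where one field sensor also reports directly to the cloud."""
    zones = {z.name: z for z in [
        Zone("field_devices", 0, 2),
        Zone("basic_control", 1, 3),
        Zone("supervisory", 2, 3),
        Zone("cloud_cbf", 5, 3),   # IIoT cloud-based functionality, placed at L5 by assumption
    ]}
    conduits = [
        Conduit("modbus_to_plc", "field_devices", "basic_control", "Modbus TCP", False),
        Conduit("plc_to_scada", "basic_control", "supervisory", "OPC-UA", True),
        Conduit("sensor_to_cloud", "field_devices", "cloud_cbf", "MQTT over TLS", True),
    ]
    return zones, conduits

if __name__ == "__main__":
    for finding in assess(*example_suc()):
        print(finding)
```

The two findings it reports (the plaintext Modbus TCP conduit and the sensor-to-cloud conduit that skips Levels 1 to 4) are exactly the places where zone and conduit diagrams earn their keep in an IIoT risk assessment.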

The draft Technical Report 62443-4-3 provides several examples of security capabilities that cloud providers can offer and that asset owners can take advantage of to secure their IIoT solutions and achieve their security level targets. The table below describes these security capabilities and the AWS resources available to asset owners:

Table columns: IIoT cloud-based functionality (CBF) security controls | Explanation | AWS resources

Identity management

Cloud providers can provide identity management capabilities for IIoT. These capabilities can include both the management of identity for devices as well as authentication and authorization for user access.

EXAMPLE: The cloud service provider can support the use of hardware security modules (HSM) and rotation of credentials.

AWS resources

AWS provides the following assets and services to help with identity management:

  1. Security and Identity for AWS IoT
  2. Amazon Cognito is a service that provides authentication, authorization, and user management for your web and mobile apps.
  3. AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely.
  4. Device authentication and authorization for AWS IoT Greengrass.
  5. AWS Secrets Manager is a service that can be used to securely store and manage secrets in the cloud and encrypts the secrets using AWS KMS.
  6. Identifying IoT device certificates with a revoked intermediate CA blog
  7. How to manage IoT device certificate rotation with AWS IoT blog
  8. Enhancing IoT device security using HSM and AWS IoT Device SDK blog

Authorization management for components

Cloud providers can provide rights management capabilities to control access and authorization within the cloud and, in some cases, to IIoT CBF equipment.

AWS resources

AWS provides the following assets and services to help with authorization management for components:

  1. Security and Identity for AWS IoT
  2. Amazon Cognito is a service that provides authentication, authorization, and user management for your web and mobile apps.
  3. AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely.
  4. Device authentication and authorization for AWS IoT Greengrass.
  5. AWS IoT Core Authorization

Data protection policies

Cloud providers can provide capabilities to assist asset owners in protecting data availability, integrity, privacy, and confidentiality in IIoT CBF, including the use of encryption for data in transit and at rest.

EXAMPLE: Supporting the asset owner’s data classification and safeguarding.

AWS resources

AWS provides the following assets and services to help with data protection:

  1. AWS Shared Responsibility Model for security and compliance.
  2. AWS Data Privacy
  3. AWS Compliance Programs and Offerings
  4. AWS Compliance Solutions Guide
  5. AWS KMS enables you to easily create and control the keys used for cryptographic operations in the cloud.
  6. Data protection in AWS IoT SiteWise
  7. Amazon Macie to discover and protect sensitive IIoT data at scale.
  8. Privacy Features of AWS Services

Data residency policies

Cloud providers can provide the capability for asset owners to establish residency controls for data in the cloud.

AWS resources

AWS provides the following assets and services to help with data residency requirements:

  1. AWS Global Infrastructure
  2. AWS Data Residency whitepaper
  3. Addressing Data Residency with AWS blog
  4. AWS Outposts allows you to extend and run native AWS services on premises.
  5. AWS Hybrid Cloud services extend AWS infrastructure and services to on premises and to the edge.

Secure communications management

Cloud providers can offer services such as VPNs or other secure communication capabilities for IIoT CBF communications. These capabilities can include a service to convert insecure automation protocols into secure communication protocols before transmission.

AWS resources

AWS provides the following assets and services to help with secure communications management:

  1. AWS IoT SDKs to help you securely and quickly connect devices to AWS IoT.
  2. FreeRTOS Libraries for networking and security in embedded applications.
  3. Security best practices for AWS IoT SiteWise
  4. AWS Virtual Private Network (VPN) solutions establish secure connections between industrial plants and the AWS global network.
  5. AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.
  6. AWS IoT SiteWise gateways allow you to ingest data using industrial protocols such as OPC-UA, Modbus TCP, and EtherNet/IP.
  7. Machine to Cloud Connectivity Framework

Audit and monitoring services

Cloud providers can offer audit and monitoring capabilities for IIoT CBF, including the ability to centrally log events and provide analysis. This can also include threat detection and behavior anomalies.

AWS resources

AWS provides the following assets and services to help with audit and monitoring:

  1. AWS IoT Device Defender to monitor and audit your fleet of IoT devices.
  2. Monitoring AWS IoT with CloudWatch Logs to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.
  3. Logging AWS IoT API Calls with AWS CloudTrail to provide a record of actions taken by a user, a role, or an AWS service in AWS IoT.
  4. Monitoring with AWS IoT Greengrass logs
  5. AWS Config to assess, audit, and evaluate the configurations of your AWS resources.
  6. Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
  7. AWS Security Hub to automate AWS security checks and centralize security alerts.
  8. Implement security monitoring across OT, IIoT and cloud blog

Incident response

Cloud providers can provide capabilities to supplement asset owners’ incident response activities.

AWS resources

AWS provides the following assets and services to help with incident response:

  1. AWS Security Incident Response Guide
  2. AWS Systems Manager provides a centralized and consistent way to gather operational insights and carry out routine management tasks.
  3. Enable compliance and mitigate IoT risks with automated incident response blog
  4. AWS Incident response blogs
  5. AWS Customer Incident Response Team blog

Patch management

Cloud providers can provide patching capabilities for IIoT CBF equipment.

AWS resources

AWS provides the following assets and services to help with patch management:

  1. FreeRTOS Over-the-Air Updates
  2. AWS IoT Greengrass Core Software OTA Updates
  3. AWS IoT jobs to define a set of remote operations that you send to and execute on one or more devices connected to AWS IoT.
  4. AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates, such as operating system and application updates.
  5. Schedule remote operations using AWS IoT Device Management Jobs blog

Security analytics

Cloud providers can provide the capability to identify anomalies and gain insights on complex events, which can be used to improve the security posture of your IIoT Cloud Based Functionality (CBF). This enables the asset owner to detect and respond to incidents in a timely manner.

AWS resources

AWS provides the following assets and services to help with security analytics:

  1. AWS IoT Device Defender helps you identify and respond to IoT security issues.
  2. AWS IoT Events helps you detect and respond to events from IoT sensors and applications.
  3. Amazon GuardDuty protects your AWS accounts with intelligent threat detection.
  4. Amazon Security Lake helps you centralize security data for analytics.
  5. AWS services for security analytics

Backup and Recovery of OT and IIoT data

Cloud providers can provide backup and recovery options for IIoT CBF data.

AWS resources

AWS provides the following assets and services to help with backup and recovery of OT and IIoT data:

  1. Resilience in AWS IoT Greengrass to help support data resiliency and backup needs.
  2. Backup and Restore Use Cases with AWS
  3. CloudEndure Disaster Recovery for fast and reliable recovery into AWS.
  4. AWS Backup to centrally manage and automate backups across AWS services.
  5. Disaster Recovery for AWS IoT solution guidance

Figure 3: Examples of security capabilities offered by cloud providers (from TR-62443-4-3) along with AWS services and guidance.

Other useful AWS resources for asset owners include the AWS Well-Architected Framework IoT Lens, for designing, deploying, and architecting IIoT workloads aligned with architectural best practices, and the AWS Security Best Practices for Manufacturing OT whitepaper.

ISASecure IIoT Component Security Assurance (ICSA)

The ISASecure program announced a new ISASecure certification for Industrial Internet of Things (IIoT) components based on the ISA/IEC 62443 series of standards. The certification addresses the need for an industry-vetted IIoT certification program. The ISASecure IIoT Component Security Assurance (ICSA) is a security certification program for IIoT devices and IIoT gateways. ICSA is based upon the 62443 standard, and a component that meets the requirements of the ISASecure ICSA specification earns the ISASecure ICSA certification: a trademarked designation that provides recognition of product security characteristics and capabilities and an independent industry stamp of approval similar to a ‘Safety Integrity Level’ certification (ISO/IEC 61508). ICSA is based on 62443-4-1 and 62443-4-2 with some exceptions and extensions. The extensions clarify the application of 62443 principles to IIoT environments. Examples are creating “internal” zones using compartmentalization technologies, controlling the application of software updates, securing remote management, device authentication strength, and component resilience to cloud services or the cloud interface. In addition, an ongoing security maintenance audit is required to maintain certification. Cloud services are not in scope for this certification.

Conclusion

Asset owners are increasingly connecting OT to IT/Cloud and using IIoT to improve operational efficiencies and stay competitive. This convergence of OT with IT introduces new risks that need to be properly managed and is driving changes to the ISA/IEC 62443 standards and certifications. AWS is working actively with the ISA Global Cybersecurity Alliance (ISAGCA), ISA Security Compliance Institute (ISCI), the ISA99 standards committee, and industry partners to update the ISA/IEC 62443 series of standards and certifications to ensure that all parties properly address the emerging IIoT security requirements.

It can be beneficial to asset owners, IIoT product and system suppliers, and service providers to be aware of these evolving security and compliance standards resulting from OT/IT convergence. The ISASecure IIoT Component Security Assurance (ICSA) based on the 62443 standards is one example. Comments and feedback on the TR 62443-4-3 (draft) and IEC PAS 62443-4-3 (draft) can guide ISA and IEC workgroup members in creating requirements for new editions of the standard. Readers are encouraged to join the various ISA99 committees and working groups, as they provide a tremendous learning and networking opportunity with industry peers in addition to early access to documents such as the ISA TR 62443-4-3 (draft). Note that the 62443-4-3 numbering may change when it becomes part of the ISA/IEC 62443 standards.

Additional Reading

Ryan Dsouza is a Principal Solutions Architect for industrial IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, OT/IT convergence, and IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, helping customers with their digital transformation initiatives.