Guidance on using ISA/IEC 62443 for IIoT projects
With the increasing proliferation of Industrial Internet of Things (IIoT) systems and cloud services for innovation and digital transformation, government agencies and industrial customers are faced with protecting an expanding attack surface. The ISA/IEC 62443 series of standards were written before IIoT technologies were common but provide a strong basis for securing these environments. In this blog, we discuss the ISA/IEC 62443 standards, what is changing in the standards, and certifications to support the use of IIoT in Industrial Automation and Control Systems (IACS).
The ISA/IEC 62443 series of standards are developed jointly by ISA99 and IEC to address the need to design cybersecurity robustness and resilience into IACS. The goal in applying the 62443 series is to improve the safety, availability, integrity and confidentiality of components or systems used for industrial automation and control. In addition, they provide criteria for procuring and implementing secure industrial automation and control systems. Conformance with the requirements of the 62443 series is intended to improve cyber security and help identify and address vulnerabilities, reducing the risk of compromising confidential information or causing degradation or failure of the equipment (hardware and software) of processes under control. The 62443 series builds on established standards for the security of general-purpose information technology (IT) systems (e.g., the ISO/IEC 27000 series), identifying and addressing the important differences present in IACS. Many of these differences are based on the reality that cyber security risks with IACS may have Health, Safety, or Environment (HSE) implications and the response should be integrated with other existing risk management practices.
ISA/IEC 62443 is “consensus-based,” comprehensive, and widely used across industries. Today, the growing availability of IIoT has widened the array of technologies and methodologies available for use in industrial automation environments. This growth increases the attack surface, which inherently increases the risk of compromise in these environments. To secure environments that use IIoT in IACS, a thorough understanding of IACS cybersecurity lifecycle is beneficial. The ISA/IEC 62443 series can provide a risk-based, defense-in-depth, and performance-based approach that can assist asset owners and their service providers in navigating the use of IIoT in industrial automation and control systems.
Understanding the ISA/IEC 62443 Standards
ISA/IEC 62443, officially ANSI/ISA/IEC 62443, is a set of standards and technical reports that deal with industrial cybersecurity. Holistically, ISA/IEC 62443 is designed to help asset owners (end users), system integrators, and manufacturers reduce the risk of deploying and operating an IACS. Figure 1 gives an idea of the different parts of the standard. You can see that it is a multi-part standard.
Figure 1: ISA/IEC 62443 documents (Courtesy of ISA)
These documents are arranged in four groups, corresponding to the primary focus and intended audience/role. It’s helpful to consider the structure of these standards and how the hierarchy defines the roles and responsibilities for providing a robust IACS security posture.
- General – This group includes documents that address topics that are common to the entire series.
- Policies and Procedures – Documents in this group focus on the policies and procedures associated with IACS security.
- System Requirements – The documents in the third group address requirements at the system level.
- Component Requirements – The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products.
The benefit of these standards is that asset owners can define, more easily than on their own, a required security level tied to a specific threat level, so that higher-risk functions receive tighter security controls. The benefit for service providers is that the standards provide clear, explicit language for the requirements specified by the end user. And the benefit for product or component manufacturers is that they can more clearly describe the functionality of their products (from a security perspective) and differentiate themselves competitively, all of which is better than simply providing a long list of security features.
PERA model and ISA TR 62443-4-3 (draft)
Today, with the growing use of IIoT in Operational Technology (OT) environments, there is a need for the standards to be updated to support IIoT. Even though the standards were written before IIoT technologies were common, most concepts remain applicable or can be adapted for that environment. ISA99 Working Group 9 published a Technical Report, ISA TR 62443-4-3 (draft), which IEC calls IEC PAS 62443-4-3 (draft) and which addresses the use of IIoT technology in IACS.
Previously, the Purdue Enterprise Reference Architecture (PERA), popularly referred to as the Purdue Model, was used as a reference model for IACS. That model was rooted in several assumptions about technology and connections that IIoT technology can upset. With the advent of IIoT technology, the norms of the PERA model have been blurred, as conventional thinking about physical network segregation and levels of functionality is changed by the internet-connected nature of IIoT technology. IIoT technology has not rendered the model’s illustration of functionality obsolete, but it has blurred the network architecture analogy made during the 1990s about where these functionalities can reside. For example, in that model, the devices at Level 0 (the field level) were not as smart and had no direct connectivity to external systems. Today, however, a small temperature or vibration sensor can also be an IIoT device that connects to the cloud directly, bypassing all higher levels of the PERA model. The PERA model was created to describe the functionality of existing IACS, but it came to be used as a model for implementing a secured architecture, which was not originally envisaged.
Figure 2: IIoT upsets the traditional Purdue (PERA) model (Adapted from ISA/IEC 62443-4-3 (draft))
Assessing OT and IIoT cybersecurity risk provides an example of zones and conduits in IACS with IIoT systems and discusses how asset owners can use ISA/IEC 62443-3-2, Security Risk Assessment for System Design. A key step in that risk assessment process is partitioning the System Under Consideration (SUC) into separate Zones and Conduits. The intent is to identify the assets that share common security characteristics in order to establish a set of common security requirements that reduce cybersecurity risk. Partitioning the SUC into Zones and Conduits can also reduce overall risk by limiting the impact of a cyber incident. Zone and conduit diagrams can assist in detailed IIoT cybersecurity risk assessments and help in identifying threats and vulnerabilities, determining consequences and risks, and providing remediations or control measures to safeguard assets from cyber events.
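The partitioning step described above can be made concrete in a small model. The following Python script is an added example, not code from the original post, ISA, or AWS: it groups a constructed set of assets into zones by shared security characteristics (PERA level, administering team, and direct external connectivity, all assumed attributes chosen for this illustration), derives a conduit for every communication flow that crosses a zone boundary, and flags any conduit that joins a field-level zone directly to an external trust domain, which is the sensor-to-cloud situation shown in Figure 2. All asset names, levels, and flows are constructed.

```python
"""Zone-and-conduit partitioning of a System Under Consideration (SUC), in the
sense of ISA/IEC 62443-3-2: assets that share security characteristics are
grouped into zones, and every communication path that crosses a zone boundary
is recorded as a conduit. All asset and flow data below is constructed for
this example; the grouping attributes are an assumption, not the standard's."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    level: int              # PERA functional level (0 = field devices; 5 used here for external/cloud)
    trust_domain: str       # who administers the asset (constructed label)
    internet_exposed: bool  # True if the asset has its own path to an external network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


# Constructed SUC: a conventional control loop plus one IIoT vibration sensor
# that talks to a cloud broker directly, bypassing the higher PERA levels.
ASSETS: List[Asset] = [
    Asset("TempSensor-2", 0, "ot-team", False),
    Asset("VibSensor-7", 0, "ot-team", True),
    Asset("PLC-1", 1, "ot-team", False),
    Asset("PLC-2", 1, "ot-team", False),
    Asset("HMI-1", 2, "ot-team", False),
    Asset("Historian", 3, "ot-team", False),
    Asset("CloudIoTBroker", 5, "external", True),
]

FLOWS: List[Flow] = [
    Flow("TempSensor-2", "PLC-1", "fieldbus"),
    Flow("PLC-1", "PLC-2", "peer-to-peer"),
    Flow("PLC-1", "HMI-1", "Modbus/TCP"),
    Flow("HMI-1", "Historian", "OPC UA"),
    Flow("Historian", "CloudIoTBroker", "HTTPS"),
    Flow("VibSensor-7", "CloudIoTBroker", "MQTT over TLS"),
]


def zone_key(a: Asset) -> Tuple[int, str, bool]:
    """Assets with identical security characteristics belong in the same zone."""
    return (a.level, a.trust_domain, a.internet_exposed)


def partition_zones(assets: List[Asset]) -> Dict[str, Set[str]]:
    """Group assets into zones; zones are named Z1, Z2, ... in order of their key."""
    grouped: Dict[Tuple[int, str, bool], Set[str]] = {}
    for a in assets:
        grouped.setdefault(zone_key(a), set()).add(a.name)
    ordered = sorted(grouped.items(), key=lambda kv: kv[0])
    return {f"Z{i}": members for i, (_, members) in enumerate(ordered, start=1)}


def derive_conduits(zones: Dict[str, Set[str]],
                    flows: List[Flow]) -> Dict[FrozenSet[str], List[Flow]]:
    """Every flow that crosses a zone boundary belongs to the conduit between
    those two zones; flows that stay inside one zone need no conduit."""
    zone_of = {asset: z for z, members in zones.items() for asset in members}
    conduits: Dict[FrozenSet[str], List[Flow]] = {}
    for f in flows:
        zs, zd = zone_of[f.src], zone_of[f.dst]
        if zs != zd:
            conduits.setdefault(frozenset({zs, zd}), []).append(f)
    return conduits


def field_to_external_conduits(assets: List[Asset], zones: Dict[str, Set[str]],
                               conduits: Dict[FrozenSet[str], List[Flow]]) -> List[Tuple[str, str]]:
    """Conduits that join a field-level zone (PERA level 0 or 1) directly to an
    external trust domain. These bypass the hierarchy the PERA model assumed and
    need their own security requirements in the risk assessment."""
    by_name = {a.name: a for a in assets}
    flagged = []
    for pair in conduits:
        a, b = sorted(pair)
        levels = [min(by_name[n].level for n in zones[z]) for z in (a, b)]
        domains = [{by_name[n].trust_domain for n in zones[z]} for z in (a, b)]
        touches_field = any(lvl <= 1 for lvl in levels)
        touches_external = any("external" in d for d in domains)
        if touches_field and touches_external:
            flagged.append((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    zones = partition_zones(ASSETS)
    conduits = derive_conduits(zones, FLOWS)
    for z, members in zones.items():
        print(z, sorted(members))
    for pair, fl in conduits.items():
        print("conduit", "-".join(sorted(pair)), [f.protocol for f in fl])
    print("field-to-external conduits needing explicit requirements:",
          field_to_external_conduits(ASSETS, zones, conduits))
```

The two PLCs share every characteristic and therefore land in one zone, so their peer-to-peer flow produces no conduit; the vibration sensor, being the only internet-exposed field device, forms a zone of its own, and its MQTT path to the cloud broker is the one conduit the check singles out for dedicated security requirements.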
The draft Technical Report 62443-4-3 provides several examples of security capabilities that cloud providers can offer and that asset owners can take advantage of to secure their IIoT solutions and achieve their security level targets. Refer to the table below for a description of these security capabilities and the AWS resources available to asset owners:
| IIoT cloud-based functionality (CBF) Security Controls | Explanation | AWS resources |
|---|---|---|
| Identity management | Cloud providers can provide identity management capabilities for IIoT. These capabilities can include both the management of identity for devices as well as authentication and authorization for user access. EXAMPLE: The cloud service provider can support the use of hardware security modules (HSM) and rotation of credentials. | AWS provides the following assets and services to help with identity management: |
| Authorization management for components | Cloud providers can provide rights management capabilities to control access and authorization within the cloud and, in some cases, to IIoT CBF equipment. | AWS provides the following assets and services to help with authorization management for components: |
| Data protection policies | Cloud providers can provide capabilities to assist asset owners in protecting data availability, integrity, privacy and confidentiality in IIoT CBF, including use of encryption for data in transit and at rest. EXAMPLE: Supporting the asset owner’s data classification and safeguarding. | AWS provides the following assets and services to help with data protection: |
| Data residency policies | Cloud providers can provide the capability for asset owners to establish residency controls for data in the cloud. | AWS provides the following assets and services to help with data residency requirements: |
| Secure communications management | Cloud providers can offer services such as VPNs or other secure communication capabilities for IIoT CBF communications. These capabilities can include a service to convert insecure automation protocols into secure communication protocols before transmission. | AWS provides the following assets and services to help with secure communications management: |
| Audit and monitoring services | Cloud providers can offer audit and monitoring capabilities for IIoT CBF, including the ability to centrally log events and provide analysis. This can also include threat detection and behavior anomalies. | AWS provides the following assets and services to help with audit and monitoring: |
| Incident response | Cloud providers can provide capabilities to supplement the asset owner’s incident response activities. | AWS provides the following assets and services to help with incident response: |
| Patch management | Cloud providers can provide patching capabilities for IIoT CBF equipment. | AWS provides the following assets and services to help with patch management: |
| Security analytics | Cloud providers can provide the capability to identify anomalies and gain insights on complex events, which can be used to improve the security posture of your IIoT Cloud Based Functionality (CBF). This can enable the asset owner to detect and respond to incidents in a timely manner. | AWS provides the following assets and services to help with security analytics: |
| Backup and Recovery of OT and IIoT data | Cloud providers can provide backup and recovery options for IIoT CBF data. | AWS provides the following assets and services to help with backup and recovery of OT and IIoT data: |
Figure 3: Examples of security capabilities offered by cloud providers (from TR-62443-4-3) along with AWS services and guidance.
Other useful AWS resources for asset owners include the IoT Lens of the AWS Well-Architected Framework, for designing, deploying, and architecting IIoT workloads aligned with architectural best practices, and the Security Best Practices for Manufacturing OT whitepaper.
ISASecure IIoT Component Security Assurance (ICSA)
The ISASecure program announced a new ISASecure certification for Industrial Internet of Things (IIoT) components based on the ISA/IEC 62443 series of standards. The certification addresses the need for an industry-vetted IIoT certification program. The ISASecure IIoT Component Security Assurance (ICSA) is a security certification program for IIoT devices and IIoT gateways. ICSA is based upon the 62443 standard, and a component that meets the requirements of the ISASecure ICSA specification will earn the ISASecure ICSA certification, a trademarked designation that provides recognition of product security characteristics and capabilities and provides an independent industry stamp of approval similar to a ‘Safety Integrity Level’ Certification (ISO/IEC 61508). The ICSA is based on 62443-4-1 and 62443-4-2 with some exceptions and extensions. The extensions clarify the application of 62443 principles to IIoT environments. Examples are creating “internal” zones using compartmentalization technologies, controlling the application of software updates, securing remote management, device authentication strength, and component resilience to cloud services or the cloud interface. In addition, an ongoing security maintenance audit is required to maintain certification. Cloud services are not in scope for this certification.
Asset owners are increasingly connecting OT to IT/Cloud and using IIoT to improve operational efficiencies and stay competitive. This convergence of OT with IT introduces new risks which need to be properly managed and is driving changes to the ISA/IEC 62443 standards and certifications. AWS is working actively with the ISA Global Cybersecurity Alliance (ISAGCA), ISA Security Compliance Institute (ISCI), the ISA99 standards committee, and industry partners to update the ISA/IEC 62443 series of standards and certifications to ensure that all parties properly address the emerging IIoT security requirements.
It can be beneficial to asset owners, IIoT product and system suppliers, and service providers to be aware of these evolving security and compliance standards resulting from OT/IT convergence. The ISASecure IIoT Component Security Assurance (ICSA), based on the 62443 standards, is one example. Comments and feedback on the TR 62443-4-3 (draft) and IEC PAS 62443-4-3 (draft) can provide guidance to ISA and IEC workgroup members in creating requirements for new editions of the standard. Readers are encouraged to join the various ISA99 committees and working groups, as they provide a tremendous learning and networking opportunity with industry peers in addition to early access to documents such as the ISA TR 62443-4-3 (draft). Note that the 62443-4-3 numbering may change when it becomes part of the ISA/IEC 62443 standards.
- IoT Lens – AWS Well-Architected Framework
- Securing Internet of Things (IoT) with AWS
- Industrial Internet of Things
- Smart Manufacturing
- Security Best Practices for Manufacturing OT
- How to implement zero trust IoT solutions with AWS IoT
- Ten security golden rules for Industrial IoT solutions
- Building an industrial Internet of Things (IIoT) digital transformation strategy
- Managing Organizational Transformation for Successful OT/IT Convergence
- ISASecure product certifications
- IIoT Component Certification Report