Security design according to the IEC 62443 series of standards

When a security concept is designed, i.e. when the necessary measures are defined, many standards and norms recommend a risk-based approach. Yet as soon as risk management concepts such as risk tolerance, probability of occurrence, damage potential or threat analysis come up, most people tend to shy away from them. In practice, the subject turns out to be relatively simple.

Eugen Giesbrecht, Industrial Security & Network Services, Competence Center Services, Phoenix Contact Germany GmbH, Blomberg

Every individual assesses risks on a daily basis and derives actions from them. The umbrella is taken along when the clouds thicken. All passengers fasten their seat belts after getting into the car. When leaving the house, the residents lock the door. Such actions are omitted only when the actors have decided, more or less consciously, that they can live with the possible consequences for themselves and for other people. Decisions therefore follow this pattern: What can happen? Is that acceptable? If not, which measures (umbrella, seat belt, lock) should be implemented? Not thinking about possible threats does not change the risks. It only means accepting consequences that the actor and those around him might not agree to.

Given the numerous cyber-attacks on German companies in recent years, the question arises: are the attackers that good, or were countermeasures simply never considered? The short answer: both. But first things first. When it comes to security in industrial communication networks, one standard, or rather one series of standards, has recently attracted international attention: IEC 62443. Established frameworks have existed in general IT for a long time, for example the ISO 27000 series. However, the goals of classic office IT cannot always be transferred directly to industrial networks because the framework conditions differ. One example: software updates can usually be installed on office computers quickly and without problems. Few plant operators, on the other hand, want to risk system downtime just to install an update, especially since some of the hardware in use is more than 20 years old.

The roles of the main actors

The IEC 62443 series of standards is divided into different categories, and its individual parts focus on the roles that matter in the life cycle of an automation system. First of all, there is the operator of a plant or system, who must establish the necessary security activities. The relevant requirements and recommendations are found in part 62443-2-1 of the standard. It covers procedural, personnel and technological capabilities that must be implemented and maintained in such a way that the individual IT risks are reduced to a level the operator finds acceptable. The top priority is therefore risk minimization. The operator cannot avoid the subject of risk management, because the specific measures are derived from an individual analysis of the scope. Understandably, the standard does not contain precisely prescribed step-by-step instructions; it does, however, list the subject areas that must be considered.

The component manufacturer also plays an important role. For him, parts 62443-4-1 and 62443-4-2 of the standard are primarily relevant. While Part -4-1 lists requirements for topics such as secure development (including testing, documentation, provision of patches, and the handling of security holes and vulnerabilities), Part -4-2 lists the technical security features against which a component is checked. The evaluation results in a classification according to the so-called security levels (SL), which are also of great importance in the wider context of IEC 62443.

Finally, a service provider or integrator combines the components, often from different manufacturers, into one system. In the first step, part 62443-2-4 of the standard is relevant to him: it defines the requirements for the service provider's security program. Part -2-4 has many points of intersection with the requirement elements of Part 62443-2-1. Here, too, technological aspects are not the only decisive ones; requirements are also placed on the staff and on the necessary processes, patch management for example. If a service provider meets these requirements and wants to present itself as a certified provider, it must implement an exemplary architecture as a reference. At this point, both the subject areas of IEC 62443-2-1 and the security functions according to IEC 62443-3-3 should be covered.

Other parts of the standard are important for several roles at once. They provide recommendations for implementing specific topics, such as Technical Report (TR) 62443-2-3 on patch management.

Individual steps for implementing a security concept

What might a possible path to a risk-based security concept look like? A first measure that always makes sense is to take stock (1), following the motto: you can only protect what you know. This step sounds easy, but in practice it is a big challenge for many system operators. Although inventory documentation is usually available, it is not necessarily up to date, and in larger systems in particular, manual recording is laborious. Technical tools can support this step. After that, basic measures (2) should be specified that are worthwhile regardless of the respective scope. These include topics from IEC 62443-2-1 and -2-4, such as protection against malware.

The following activities aim to specify the individual requirements for the system. In an analysis of protection requirements (3), critical areas can be identified on the basis of data classification. Recipe data, for example, has a high protection requirement in terms of confidentiality. A threat analysis (4) helps to identify the threats relevant to the system, and these threats are then evaluated in a risk analysis (5). Various factors play a role here, so the individual context is essential: What measures already exist? Is access regulated? What network connections are there? As a result, the operator obtains a specific risk, which he either accepts or does not accept. Further measures are then derived, particularly for the risks not accepted, and together with the basic measures of step 2 they form the complete security concept (6). This concept must be implemented (7), tested (8) and, very importantly, reviewed regularly (9).
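As an added illustration of steps (3) to (6) above (example code written for this article, not a tool of the standard or of Phoenix Contact): protection needs come from the data classification, the likelihood of each threat is adjusted by the context questions, the resulting risk is compared with an assumed tolerance, and unaccepted risks yield the measures still missing. The scales, the threat list, the measure-to-threat mapping and the tolerance value are all assumptions.

```python
from dataclasses import dataclass, field

# Step (3): protection need per data class, 1 = low .. 3 = high (assumed scale)
PROTECTION_NEEDS = {
    "recipe data": {"confidentiality": 3, "integrity": 3, "availability": 2},
    "diagnostic data": {"confidentiality": 1, "integrity": 2, "availability": 3},
}
# Which measure counters which threat (assumed mapping, not from the standard)
MITIGATES = {
    "malware protection": {"malware infection"},
    "network segmentation": {"malware infection", "unauthorised remote access"},
    "remote access gateway": {"unauthorised remote access"},
}
RISK_TOLERANCE = 4  # operator's acceptance threshold on the 1..9 scale (assumed)

@dataclass
class Threat:              # step (4): a threat and the protection goal it affects
    name: str
    goal: str
    base_likelihood: int   # 1 rare .. 3 likely, before the plant context is applied

@dataclass
class Context:             # the context questions asked in step (5)
    existing_measures: set = field(default_factory=set)
    access_regulated: bool = True
    external_connections: int = 0

def likelihood(t: Threat, ctx: Context) -> int:
    """Context-adjusted likelihood: existing measures lower it, unregulated
    access and external connections raise it; clamped to 1..3."""
    l = t.base_likelihood
    l -= sum(1 for m in ctx.existing_measures if t.name in MITIGATES.get(m, ()))
    l += 0 if ctx.access_regulated else 1
    l += 1 if ctx.external_connections > 0 else 0
    return max(1, min(3, l))

def assess(data_class: str, threats: list, ctx: Context) -> list:
    """Steps (5) and (6): risk = likelihood x protection need; a risk above the
    tolerance is not accepted and lists the missing measures that counter it."""
    out = []
    for t in threats:
        risk = likelihood(t, ctx) * PROTECTION_NEEDS[data_class][t.goal]
        accepted = risk <= RISK_TOLERANCE
        todo = [] if accepted else sorted(
            m for m, ts in MITIGATES.items()
            if t.name in ts and m not in ctx.existing_measures)
        out.append({"threat": t.name, "risk": risk, "accepted": accepted, "measures": todo})
    return out

THREATS = [Threat("malware infection", "availability", 2),
           Threat("unauthorised remote access", "confidentiality", 1)]
```

Calling `assess("recipe data", THREATS, Context({"malware protection"}, False, 2))` marks both threats as not accepted and proposes network segmentation, matching the article's observation that basic measures already raise the protection level considerably.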

Reviewing a process always makes sense, but in the security context in particular, factors such as a highly dynamic threat situation and protective measures that may no longer be fully effective must be taken into account. A cyclical and pragmatic approach to the analyses is therefore recommended rather than an overly detailed assessment with complex tools that may require training. With its know-how, templates and processes, a service provider certified according to IEC 62443-2-4 can provide support in all phases of the concept.

Significantly higher level of protection already through basic measures

Back to the question of why cyber-attacks have increased so rapidly in recent years: not all criminals have suddenly become skilled hackers. However, alongside the possibilities offered by cryptocurrencies, an extensive and freely available "hacking as a service" market has developed that anyone with sufficient criminal intent can use. Extortion with ransomware (encryption Trojans) has now proven to be as lucrative as the drug trade. There are also politically motivated attacks. On the side of plant operators, studies make it clear that successful attacks could have been prevented, or at least limited, with basic measures such as network segmentation, greater employee awareness or strict requirements for service providers.

SPS trade fair: Hall 9, Stand 310
