The Industry 4.0 and IoT paradigms offer ICS companies many opportunities, but also new cybersecurity threats. Industrial and critical infrastructure environments must prepare for the growing number of cyberattacks in order to avoid quality problems, risks to the safety of people and the environment, and lost productivity.
IEC 62443 is a set of standards that offers a systematic approach to industrial cybersecurity, from risk auditing to operations.
Using the techniques explained in IEC 62443, security managers can address the risks for each system and decide how to act accordingly.
In this post we explain the main concepts of the standard, which we will use in later entries as the basis for building a reference architecture for Wonderware.
IEC 62443 Structure

The documents that make up IEC 62443 are classified into 4 categories:
- General: Fundamental concepts, reference models, and terminology.
- Policies and procedures: A detailed guide to building and maintaining a cybersecurity management program, reinforcing the importance of having policies.
- System: Protection technologies and requirements to achieve a certain level of security.
- Components: Technical cybersecurity requirements in the product development lifecycle.

Objectives
The main objective of the standard is to reduce the risks that may affect the assets that generate value in an industrial or critical infrastructure environment.
To achieve this objective, the following terms must be understood:
- Asset = anything physical (equipment, machines), logical (information) or human (know-how) whose existence and operation add value to the process. To assess the impact of a threat on an asset, it must be evaluated both quantitatively and qualitatively.
- Risk = the probability that a threat will materialise, due to the existence of vulnerabilities that allow it, producing a negative effect on the assets of the process.
- Threat = an event or action that is harmful to an asset or system.
- Vulnerability = an inherent weakness of an asset or system that can be exploited, intentionally or not, for a threat to be carried out.
- Countermeasure = an action or system intended to eliminate vulnerabilities or the effects of the associated threats. They can be technical (authentication, IDS, anti-malware, …), administrative (policies, procedures) or physical (barriers, doors, …).

Basic Concepts
The basic security procedure of an industrial infrastructure, according to IEC 62443, consists (in a summarized and simplified way) of the following steps:
1. Identify the zones, conduits, and channels.
- Zone: A logical grouping of assets that share the same security requirements. Zones can contain subzones that inherit their characteristics, which allows defense-in-depth strategies to be developed.
- Conduit: A logical grouping of communication channels connecting two or more zones that share common security requirements (for example, the network links between a control zone and a supervisory zone).
- Channel: A specific logical or physical communication link between assets, established within a conduit.
2. Identify the desired level of protection for each zone and conduit.
IEC 62443 indicates that, for each zone and conduit, the desired level of protection must be decided for each of the fundamental security requirements.
The standard defines four security levels, SL 1 to SL 4 (SL 1 being the lowest), and seven fundamental (foundational) requirements, abbreviated in this post as:
- AC: identification and authentication control
- UC: use control
- DI: system integrity
- DC: data confidentiality
- RDF: restricted data flow
- TRE: timely response to events
- RA: resource availability
Therefore, the desired (target) security level of a zone is represented by the vector:
SL-T(Zone) = {AC UC DI DC RDF TRE RA}
where each element of the vector is a number from 1 to 4.
3. Evaluate the current level of protection
Similarly, for each of the zones and/or conduits, the achieved security level is evaluated based on whether the system requirements and requirement enhancements associated with each of the fundamental requirements mentioned above are met.
The result is a vector with the same form:
SL-A(Zone) = {AC UC DI DC RDF TRE RA}
4. Apply the necessary countermeasures so that SL-A(Zone) >= SL-T(Zone), element by element.
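The following is an added example, not code from the original post: it models the SL-T and SL-A vectors of a zone over the seven fundamental requirements (using the post's abbreviations) and computes, element by element, which requirements fall short and by how much, which is the input for step 4. The zone name and the security-level values are constructed for illustration and are not a recommendation from the standard.

```python
# Added example (not from the original post): compare the IEC 62443 target and
# achieved security-level vectors of a zone, requirement by requirement.

# The seven fundamental requirements, with the abbreviations used in the post.
FRS = ("AC", "UC", "DI", "DC", "RDF", "TRE", "RA")
SL_MIN, SL_MAX = 1, 4  # each vector element is a security level from 1 to 4


def sl_vector(**levels):
    """Build an SL vector; every FR must be present with an integer level in 1..4."""
    missing = set(FRS) - levels.keys()
    extra = levels.keys() - set(FRS)
    if missing or extra:
        raise ValueError(f"missing FRs {sorted(missing)}, unknown FRs {sorted(extra)}")
    for fr, lvl in levels.items():
        if not isinstance(lvl, int) or not SL_MIN <= lvl <= SL_MAX:
            raise ValueError(f"{fr}: level must be an integer 1..4, got {lvl!r}")
    return {fr: levels[fr] for fr in FRS}  # fixed FR order for readability


def sl_gap(sl_t, sl_a):
    """Return {FR: shortfall} for every FR where SL-A < SL-T (empty when compliant).

    The comparison is per element: a surplus on one FR (e.g. RDF) never
    compensates for a shortfall on another (e.g. DI).
    """
    return {fr: sl_t[fr] - sl_a[fr] for fr in FRS if sl_a[fr] < sl_t[fr]}


def meets_target(sl_t, sl_a):
    """Step 4 condition: SL-A(Zone) >= SL-T(Zone) for every fundamental requirement."""
    return not sl_gap(sl_t, sl_a)


# Constructed sample: a hypothetical supervisory (SCADA) zone. The values are
# illustrative only; real targets come from the zone's risk assessment.
SCADA_SL_T = sl_vector(AC=3, UC=3, DI=3, DC=2, RDF=3, TRE=2, RA=3)
SCADA_SL_A = sl_vector(AC=2, UC=3, DI=1, DC=2, RDF=3, TRE=2, RA=3)

if __name__ == "__main__":
    gap = sl_gap(SCADA_SL_T, SCADA_SL_A)
    if gap:
        print(f"countermeasures needed, shortfall per FR: {gap}")  # {'AC': 1, 'DI': 2}
    else:
        print("zone meets its target security level")
```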
Reference models
The different reference models shown in IEC 62443 give an idea of how to define the zones in our own infrastructure. As can be seen, the size of a zone is arbitrary: zones can be made as large or as small as is deemed appropriate for the characteristics of each installation.
It is recommended to keep the level of "paranoia" low at the beginning and to create subzones as the iterative improvement process is executed.