IEC 62443: How to achieve the highest levels of industrial security

April 16, 2020

Posted by: Anasia D'mello


With the emergence of Industry 4.0 and the ever-increasing adoption of the Industrial Internet of Things (IIoT), says Steve Hanna, co-chair of TCG’s Embedded Systems Work Group, the Industrial Automation and Control Systems industry faces some exciting opportunities ahead.

Driven by factors such as technological advancements in semiconductor and electronic devices, increased use of cloud computing platforms, standardisation of IPv6 and growing support from governments for research and development activities related to IIoT, the global IIoT market is forecast to be worth US$110.6 billion (€101.6 billion) by 2025.

Connectivity and intelligence drive innovation

As technological advancements continue, industrial operators can expect to see and utilise a growing number of Industrial IoT innovations. These will range from highly individualised products to data mining, deep learning and cost reductions due to the increased use of cloud services within the IIoT sector. Subsequently, this additional connectivity and intelligence will lead to continuous innovation and new business models and services for industrial operators and suppliers, including pay-per-play services and predictive maintenance.

New opportunities enabled by lightweight sensors, ubiquitous communications, cloud intelligence, smart equipment and remote software updates could lead to new revenue streams for industrial operators worldwide. However, with these opportunities for growth come greater security threats; industrial environments must be prepared for rising cyberattacks to prevent equipment damage, downtime and safety issues.

Universal standards could be the key

In recent years, there has been an increasing number of industrial cyberattacks taking place across the globe. For example, the Stuxnet virus was released on Iran’s nuclear plant while Triton malware shut down critical infrastructure in the Middle East. Industrial operators need to seriously consider the impact that a cyberattack could have on their current infrastructure and the barriers that they have in place to prevent this from happening.

To address the ever-increasing rate at which industrial cyberattacks are happening, industrial security experts have developed authoritative guidance on industrial security – the IEC 62443 international industrial security standard. This provides a thorough set of recommendations for defending industrial networks against the threats of today and tomorrow.

The IEC 62443 is a series of standards, including technical reports, for securing Industrial Automation and Control Systems. It provides a systematic and practical approach to cybersecurity for industrial systems, covering every stage and aspect of industrial security, from risk assessment to operations. Using the techniques described in these documents, industrial operators can assess the cybersecurity risks to their systems and decide the best way to approach those risks.

Not every system is equally critical

Just as not every industrial system is created equal, neither are the cyberattacks that can penetrate them. While all attacks can cause equipment damage, downtime and safety issues, the true extent of the damage will depend on the scale of the attack and the security measures that industrial operators have in place.

Recognising that not every system is equally critical, the IEC 62443 defines five security levels from zero (no security) to four (resistant against nation-state attacks). Each security level has specific security requirements defined, ensuring that every industrial system has the right security – protecting uptime, safety and intellectual property.

The future may be uncertain but security is guaranteed

You cannot build a solid building out of weak bricks, and the same can be said for building a secure industrial infrastructure. The number of attacks against Industrial Control Systems (ICS) has increased noticeably in recent years and shows no signs of slowing down, so it is imperative that operators ensure the safety of these critical systems.

Utilising the guidance set out in the IEC 62443, industrial operators stand a better chance of ensuring the safety and security of their industrial systems against increasingly sophisticated cyberattacks.

Building on the helpful stages and guidance set out in the IEC 62443, Trusted Computing Group (TCG) is currently working on its latest guidelines and best practices for securing Industrial Control Systems, ensuring that the IIoT systems of today are secured against the cyberattacks of tomorrow.

The author is Steve Hanna, co-chair of TCG’s Embedded Systems Work Group.
