Enhancing OT Network Security through IEC 62443
- Cybersecurity in Operational Technology (OT) networks is of utmost importance across various sectors such as manufacturing, energy, and utilities. The IEC 62443 standards provide comprehensive guidelines for ensuring the security of these Industrial Control System (ICS) networks.
- The application of microsegmentation in the context of the IEC 62443 standards adds an additional layer of security by limiting the lateral movement of threats within the OT network, protecting critical applications, and helping meet compliance requirements.
- The IEC 62443-3-2 standard, focusing on security risk assessment for system design, forms the basis for effective microsegmentation. It aids in defining a system under consideration (SUC), partitioning the SUC into zones and conduits, assessing the risk for each zone and conduit, and establishing the technical measure security level targets for each zone and conduit.
- Device visibility, a critical aspect of network security, involves gaining insight into the traffic, devices, and behaviors in complex enterprise IT networks. This is especially crucial in OT networks, which are constantly evolving and continually connecting more and more networked devices.
- Despite the clear benefits, implementing IEC 62443 microsegmentation and device visibility comes with its challenges. These include the complexity of managing and securing an increasing number of connected devices, ensuring cross-functional IT support, and dealing with the evolving landscape of cyber threats.
CISOs and IT decision-makers embarking on projects involving IEC 62443 microsegmentation and device visibility should:
- Acknowledge the importance of the IEC 62443 standards in providing a globally recognized framework for the security of ICS networks, and understand how microsegmentation and device visibility fit into this framework.
- Grasp the principles and processes outlined in the various parts of the IEC 62443 series, particularly the ones focusing on risk assessment, system security requirements, and technical security requirements for IACS components.
- Prepare for the challenges involved in implementing IEC 62443 microsegmentation and device visibility, including the complexity of managing an increasing number of connected devices, ensuring cross-functional IT support, and staying abreast of the evolving landscape of cyber threats.
- Leverage the expertise of trusted advisors and industry experts to navigate the education, research, and purchasing decision process related to IEC 62443 microsegmentation and device visibility technologies. This will help them to efficiently and effectively address compliance requirements, regulations, or recovery from breaches.
In today's digital age, the integrity, availability, and confidentiality of Operational Technology (OT) networks in sectors such as manufacturing, energy, and utilities are crucial. These networks, comprising Industrial Control Systems (ICS), control and monitor industrial processes that are often the backbone of essential services. Ensuring the cybersecurity of these systems is not just a technical necessity, but a strategic imperative that has serious implications for public safety, economic stability, and national security.
The IEC 62443 series of standards, developed by the International Electrotechnical Commission, provides a comprehensive framework for securing ICS networks. It offers a systematic approach to managing cybersecurity risks associated with these systems, focusing on various aspects such as risk assessment, system design, technical security requirements, and secure product development lifecycle requirements.
In the context of the IEC 62443 standards, microsegmentation and device visibility are two critical elements for enhancing the security of OT networks. Microsegmentation, a security technique that divides a network into multiple isolated segments or zones, can limit the lateral movement of threats within the network, thereby reducing the attack surface. Device visibility, on the other hand, refers to gaining insight into the traffic, devices, and behaviors in the network, which is essential for identifying potential vulnerabilities and threats.
This white paper, authored by Dana Yanch, provides an in-depth analysis of the application of microsegmentation in line with the IEC 62443 standards, the importance of device visibility, the challenges involved in implementing these strategies, and recommendations on how to effectively navigate this complex landscape. The insights presented in this paper will be invaluable for CISOs and IT decision-makers looking to enhance the cybersecurity posture of their OT networks.
The Role of IEC 62443 in OT Network Security
The IEC 62443 series of standards has emerged as the global benchmark for securing ICS networks. Developed by the International Electrotechnical Commission, these standards provide a comprehensive framework to help organizations reduce the risk of failure and exposure of ICS networks to cyber threats. The standards are organized into four groups—General, Policies and Procedures, System, and Component—each addressing specific aspects of ICS security.
The 'General' category defines the core terminology, concepts, models, and standard conformance metrics. This is essential for establishing an organization's common understanding and approach to ICS security. 'Policies and Procedures' lays out the requirements for effective ICS cybersecurity management, spanning the systems' design and operational life cycle. The focus is establishing an IACS security program and managing security-related patches.
The 'System' group concentrates on cyber secure ICS system-level design and risk assessments. It outlines security technologies for IACS, procedures for security risk assessment in system design, and details system security requirements and security levels. This set of standards provides guidance on understanding various cybersecurity tools, mitigation measures, and technologies that can be effectively applied to modern IACSs.
Finally, the 'Component' category focuses on securing product development and the ongoing life cycle maintenance of intelligent devices in an ICS. The standards in this group specify secure product development lifecycle requirements and provide detailed technical security requirements for IACS components.
The IEC 62443 standards provide a structured and comprehensive approach to securing ICS networks. Implementing these standards in their entirety enables organizations to develop a robust cybersecurity management system that can effectively mitigate the risks associated with ICS environments.
Deep Dive into IEC 62443
Understanding the depth and breadth of the IEC 62443 series of standards requires a closer examination of its components. Each standard within the four categories—General, Policies and Procedures, System, and Component—provides a specific set of guidelines and best practices for securing ICS networks.
The general standard (IEC/TS 62443-1-1) outlines the terminology, concepts, and models for IACS security. It provides the foundation for the rest of the standards in the IEC 62443 series.
Policies and Procedures
The policies and procedures standards detail the requirements for effective ICS cybersecurity management:
- IEC 62443-2-1 deals with establishing an IACS security program that outlines the elements necessary to initiate a cybersecurity management system (CSMS) for IACS environments.
- IEC TR 62443-2-3 covers security for IACS product suppliers that have established and are maintaining an IACS patch management program.
- IEC 62443-2-4 highlights requirements for security capabilities that IACS service providers should offer during the integration and maintenance activities of an automation solution.
The system standards focus on the technical requirements at the system level:
- IEC 62443-3-1 offers an assessment of various cybersecurity tools, mitigation countermeasures, and technologies that may effectively apply to modern IACSs.
- IEC 62443-3-2 sets requirements for defining a system under consideration (SUC) for an IACS and establishes the technical measure security level targets (SL-T) for each zone and conduit.
- IEC 62443-3-3 outlines the requirements for control system capability security levels, SL-C (control system). These requirements are used by various stakeholders of the IACS community when developing the appropriate control system target SL, SL-T (control system), for a specific asset.
The component standards focus on securing product development and the ongoing life cycle maintenance of the intelligent devices in an ICS:
- IEC 62443-4-1 specifies the process requirements for the secure development of products used in IACS, including security requirements definition, secure design, secure implementation, and product end-of-life.
- IEC 62443-4-2 provides detailed technical control system component requirements (CRs) and defines the requirements for control system capability security levels and their components, SL-C (component).
The Concept of Microsegmentation
Microsegmentation is a network security strategy that divides a network into multiple smaller, isolated segments or microsegments. Each of these segments can be secured separately, thereby limiting the lateral movement of potential security threats within the network. This approach significantly reduces the attack surface, making it harder for an attacker to move through the network once they've breached the perimeter defenses.
Microsegmentation allows for fine-grained security policies to be assigned to data center applications, down to the workload level. This technique is becoming increasingly popular in modern data center and cloud environments due to the granular control it provides over network traffic, enabling better security and isolation of network workloads.
The concept of microsegmentation is highly relevant when discussing the IEC 62443 standards, particularly when applied to the definition of zones and conduits.
In the IEC 62443-3-2 standard, a system under consideration (SUC) for an IACS and its associated networks are partitioned into zones and conduits. A zone is defined as a group of assets sharing common security requirements based on factors such as their functionality, information flow, control requirements, and risk levels. A conduit, on the other hand, represents a logical or physical path for information flow between zones.
When applied to this standard, microsegmentation could be viewed as a method of implementing highly granular zones within an IACS network. Each microsegment could be considered a zone with highly specific security requirements. Moreover, the network paths or conduits connecting these microsegments can be tightly controlled and monitored, further enhancing the overall security of the IACS network.
By applying the principle of microsegmentation, organizations can create highly secure, customized zones within their network that align with the guidance provided in the IEC 62443 standards. This approach not only enhances network security but also aids in regulatory compliance by providing detailed control over information flow within the network.
Device Visibility and Risk Assessment
Device visibility is a critical aspect of network security, particularly in complex Industrial Automation and Control Systems (IACS) environments, where a variety of devices from different operational owners might be interconnected. It refers to the ability to identify and monitor the traffic, devices, and behaviors in a network, which is constantly evolving and continually connecting more and more networked devices. Without proper visibility, organizations may not be aware of all the devices on their network, let alone be able to secure them effectively.
In the context of IEC 62443, effective device visibility is essential for defining a system under consideration (SUC) and its associated networks, partitioning the SUC into zones and conduits, and assessing the risk for each zone and conduit. This requires an understanding of the different devices within the network, their behaviors, and the traffic patterns between them.
Risk assessment is a key element of IACS security under IEC 62443. It involves identifying vulnerabilities, threats, and the potential consequences of a successful attack, ranking risks, and implementing mitigation measures to lower risks to tolerable levels. Good risk management starts with a proposed design based on company standards and practices and/or recognized and generally accepted good engineering practices (RAGAGEP).
Device visibility feeds directly into risk assessment. By knowing what devices are on the network, how they behave, and how they interact with each other, organizations can better understand their vulnerabilities and potential threats. This allows them to make more informed decisions about how to manage risk, including where to apply microsegmentation techniques to enhance network security.
Furthermore, tools and technologies that provide device visibility can often also aid in risk assessment. For example, they can help identify unusual or suspicious behavior that might indicate a security threat, or they can help identify devices that are out of compliance with security policies, both of which are important factors in assessing and managing risk.
In conclusion, device visibility and risk assessment are essential components of network security in IACS environments. By leveraging the guidelines provided in the IEC 62443 standards and adopting techniques such as microsegmentation, organizations can significantly enhance their network security posture.
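The zone and conduit partitioning described under microsegmentation, and the way device visibility feeds risk assessment, can be checked mechanically once an inventory and flow records exist. The following is an added example, not code from the white paper or from any vendor: the zone names, addresses, ports, directional conduits and the single-number security levels are all constructed simplifications for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: int   # target security level for the zone (simplified to one number)

@dataclass(frozen=True)
class Asset:
    ip: str
    zone: str
    sl_c: int   # capability security level of the component (simplified)

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int   # assumption: a conduit is modelled as one directional service

# Constructed sample partitioning of a system under consideration (SUC).
ZONES = {z.name: z for z in [
    Zone("control", 3), Zone("supervisory", 2), Zone("enterprise", 1)]}
ASSETS = {a.ip: a for a in [
    Asset("10.10.1.10", "control", 3),      # PLC
    Asset("10.10.1.11", "control", 1),      # legacy drive, below zone target
    Asset("10.10.2.20", "supervisory", 2),  # HMI
    Asset("10.10.3.30", "enterprise", 1),   # reporting workstation
]}
CONDUITS = {
    Conduit("supervisory", "control", "tcp", 502),
    Conduit("enterprise", "supervisory", "tcp", 443),
}

# Constructed flow records, as a visibility tool might export them:
# (source IP, destination IP, protocol, destination port)
FLOWS = [
    ("10.10.2.20", "10.10.1.10", "tcp", 502),    # HMI -> PLC over a defined conduit
    ("10.10.1.10", "10.10.1.11", "tcp", 44818),  # both endpoints in the control zone
    ("10.10.3.30", "10.10.1.10", "tcp", 502),    # enterprise -> control, no conduit
    ("10.10.9.99", "10.10.1.10", "tcp", 502),    # source missing from the inventory
    ("10.10.2.20", "10.10.1.10", "tcp", 22),     # right zones, undefined service
]

def capability_gaps(assets, zones):
    """Return IPs of assets whose SL-C is below the SL-T of their zone."""
    return sorted(a.ip for a in assets.values() if a.sl_c < zones[a.zone].sl_t)

def classify_flow(flow, assets, conduits):
    """Classify one observed flow against the zone and conduit model."""
    src, dst, proto, port = flow
    if src not in assets or dst not in assets:
        return "unknown-asset"        # visibility gap: endpoint was never inventoried
    src_zone, dst_zone = assets[src].zone, assets[dst].zone
    if src_zone == dst_zone:
        return "intra-zone"           # finer microsegments would split this further
    if Conduit(src_zone, dst_zone, proto, port) in conduits:
        return "conduit-permitted"
    return "no-conduit"               # cross-zone traffic outside any defined conduit

def audit(flows, assets, conduits):
    """Group observed flows by classification for review in the risk assessment."""
    findings = {}
    for flow in flows:
        findings.setdefault(classify_flow(flow, assets, conduits), []).append(flow)
    return findings

if __name__ == "__main__":
    print("Assets below zone SL-T:", capability_gaps(ASSETS, ZONES))
    for label, flows in audit(FLOWS, ASSETS, CONDUITS).items():
        print(label, len(flows))
```

Flows labelled `no-conduit` or `unknown-asset` are the ones to bring into the zone and conduit risk assessment: either the model is missing a legitimate conduit or device, or the traffic should be blocked by the segmentation policy.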
Implementation of IEC 62443
Implementing the IEC 62443 standard is a comprehensive process that requires understanding the complex interplay of various components of an Industrial Automation and Control Systems (IACS) environment. It involves initiating and maintaining a comprehensive cybersecurity management system (CSMS), developing and applying suitable technical security requirements, and managing product lifecycles, among other aspects.
The first step towards implementing the IEC 62443 standard is to establish an IACS security program. This involves profiling the necessary elements to initiate a CSMS for IACS environments and providing recommendations on how to develop these elements. The goal is to ensure that all aspects of the IACS, from the overarching system to individual components, have appropriate security measures in place.
An important aspect of the implementation process is patch management. The IEC 62443 standard provides guidance on distributing information about security patches from asset owners to IACS product suppliers, the development of patch information, and the deployment and installation of patches. This helps ensure that all components of the IACS are up-to-date and protected against known vulnerabilities.
The implementation of the IEC 62443 standard also involves defining the security requirements for service providers during the integration and maintenance of an automation solution. This helps to ensure that all parties involved in the management of the IACS are aligned on security standards.
At the system level, the IEC 62443 standard requires a comprehensive assessment of various cybersecurity tools, mitigation countermeasures, and technologies that can be applied to IACS. This involves understanding the types of products available, their advantages and disadvantages, and providing preliminary recommendations for their use.
Moreover, the implementation of the IEC 62443 standard involves a detailed risk assessment process. This process includes defining a system under consideration (SUC) and its associated networks, partitioning the SUC into zones and conduits, assessing the risk for each zone and conduit, and establishing technical security level targets for each.
Finally, at the component level, the IEC 62443 standard specifies the secure development lifecycle (SDL) requirements for products intended for use in IACS. This includes elements such as security requirements definition, secure design, secure implementation, verification and validation, defect management, patch management, and product end-of-life.
In summary, implementing the IEC 62443 standard involves a comprehensive approach to cybersecurity, encompassing all aspects of an IACS environment. It requires a thorough understanding of the standard, careful planning, and ongoing management to ensure that the IACS remains secure in the face of evolving cybersecurity threats.
Case Study: Dynamic Edge Segmentation (DES) at GSK
GSK, a leading pharmaceutical company, leveraged Dynamic Edge Segmentation (DES) technology to secure their network after witnessing the impact of the NotPetya attack on Merck, which cost the company $1.4 billion. The board of GSK tasked Michael Elmore, CISO at GSK, to lead the initiative for what they call Dynamic Edge Segmentation.
This case study highlights how GSK and security startup Elisity collaborated on the DES initiative. The content was submitted as an award entry for the CSO Online 2023 CSO50 awards.
Dynamic Edge Segmentation (DES) is an innovative cybersecurity approach co-developed by GSK and security startup Elisity. DES focuses on reducing security control implementation friction for critical manufacturing and R&D applications. It enables asset (device) discovery & auto-classification, least privileged security policies, and dynamic microsegmentation for flexibility, scale, and speed to adoption.
DES addresses the challenges faced by traditional network edge segmentation, such as deteriorating security over time, business impediments, deployment disruptions, escalating operational expenses, and complexity. By concentrating on user identity and incorporating adaptive, on-demand security policies, DES offers location-independent protection and dynamic discovery of users and systems in both IT/IoT and manufacturing (OT/ICS) environments.
Project Description and Business Problem
The DES project aimed to address the limitations of traditional network segmentation by eliminating the need to carve layer 3 railroad tracks (VLANs and VRFs) through the network. Instead, it implemented a modern software-defined cybersecurity control plane and overlay that enhances security, flexibility, efficiency, and speed to adoption.
By focusing on both user and device identity and creating adaptive, on-demand security policies, the project sought to provide location-independent protection based on identity rather than place in the network, dynamic discovery of users and systems, continuous authorization, and real-time enforcement. This approach represents a complete shift from implicit trust to explicit trust policies aligned with business logic.
Challenges and Solutions
The most significant challenge encountered during this project was the lengthy deployment time and complexity associated with a traditional segmentation solution, which required an end-to-end hardware refresh and significant disruption to the underlying network architecture. To address this challenge, the team collaborated with the forward-thinking security startup, Elisity, to co-create a solution that fulfilled GSK's use cases for Microsegmentation and Network Access Control at the true edge of the network. This cutting-edge solution is now commercially available and utilized by numerous Fortune 500 companies.
The DES project is innovative due to its focus on user/device identity and adaptive security policies, significantly enhancing security and flexibility compared to traditional network edge segmentation approaches, while simplifying maintenance of security hygiene. The DES strategy allows for location-independent protection, enabling security to follow users and systems as they join or leave the network. Additionally, this approach simplifies policy management and reduces operational expenses, leading to a more efficient and cost-effective solution.
Measurable Business Results
The DES project delivered significant business value. Some key measurable results include:
- Rapid time to value, deploying a site in less than one day with no network outages, additional hardware, or network redesign.
- Reduced operational expenses due to simplified policy management and decreased firewall complexity and install base.
- Significant cost savings and future cost avoidance.
- Improved security by integrating user identity and adaptive, on-demand policies for more granular security policies.
- Enhanced flexibility with location-independent protection and dynamic user and system discovery.
The DES project stands out due to its innovative approach to addressing the limitations of traditional network edge segmentation and network access control. By co-developing the solution with an early-stage startup, GSK rapidly innovated and leap-frogged what was previously available from legacy vendors in the market. Focusing on user identity, adaptive security policies, non-disruptive deployments, and cost-effective solutions, the project has substantially and positively impacted GSK’s overall cybersecurity strategy.
Compared to the traditional way of segmentation and network access control, DES reduces time to value by 300%, while simultaneously increasing security capabilities. The project’s successful implementation across multiple use cases inside GSK demonstrates its potential to serve as a blueprint for other organizations facing similar segmentation challenges.
Primary Products and Services Used
The project primarily used Elisity's services, with support infrastructure from Palo Alto Networks, Cisco and ServiceNow.
Relevance to IEC 62443
The relevance of this project to IEC 62443, a series of standards on Industrial Communication Networks - Network and System Security, lies in the innovative use of dynamic edge segmentation to secure the network. DES, with its focus on user and device identity, allows for continuous authorization and real-time enforcement of security policies, aligning well with the principles of IEC 62443.
IEC 62443 emphasizes the need for robust security for industrial automation and control systems (IACS). By implementing DES, GSK has shown how adaptive, on-demand security policies can provide location-independent protection and dynamic discovery of users and systems, elements that are crucial for the security of IACS. This case study, therefore, provides a practical example of how the principles of IEC 62443 can be applied in a real-world situation to enhance network security.
Lessons Learned and Future Plans
The DES project has demonstrated the power of focusing on user and device identity in network security. The traditional approach of network segmentation, which relied heavily on hardware upgrades and architectural changes, was both time-consuming and disruptive. In contrast, the software-defined DES approach, developed with Elisity, significantly reduced deployment times and was less disruptive to existing operations.
The successful implementation of DES has led to a paradigm shift in GSK's approach to cybersecurity. The focus is now on creating an adaptive security environment that is dynamic and responsive to the ever-changing landscape of threats. This project has served as a blueprint for future cybersecurity initiatives within GSK and is expected to be a model for other organizations facing similar network security challenges.
Looking ahead, GSK plans to continue the deployment of DES across its global sites throughout 2023 and 2024. The goal is to provide secure, flexible, and scalable network access control for all connected devices across the organization. GSK's experience with DES has shown that a proactive and adaptive approach to cybersecurity can result in significant operational efficiencies and cost savings, while also enhancing the overall security posture of the organization.
The Dynamic Edge Segmentation project at GSK is a prime example of an organization leveraging innovative technology to address critical cybersecurity challenges. By focusing on user and device identity and implementing adaptive, on-demand security policies, GSK was able to significantly improve network security while reducing operational complexities and costs.
This case study highlights the potential of such innovative approaches to reshape the cybersecurity landscape. It provides a roadmap for other organizations looking to enhance their network security strategies and underlines the importance of adopting a proactive and adaptive approach to dealing with cybersecurity threats in today's digital age.
The Value of IEC 62443 Compliance
IEC 62443 compliance offers a multitude of benefits for organizations that rely on Industrial Control Systems (ICS). These advantages range from enhanced cybersecurity measures to better risk management, streamlined operations, and improved stakeholder confidence.
- Robust Cybersecurity Protection: Complying with the IEC 62443 standard provides organizations with a robust framework for protecting their ICS from potential cyber threats. By following the guidelines and requirements outlined in the standard, organizations can ensure they have implemented the necessary security measures to protect their systems against a wide range of cyber threats.
- Reduced Operational Risk: The IEC 62443 standard provides a comprehensive approach to risk assessment, guiding organizations to identify, classify, and mitigate potential vulnerabilities in their ICS. This comprehensive risk management approach helps to reduce the likelihood of operational disruptions due to cyber incidents.
- Regulatory Compliance: Compliance with the IEC 62443 standard can also help organizations meet other regulatory requirements related to cybersecurity. Given the global recognition of the standard, it can serve as a benchmark for demonstrating an organization's commitment to cybersecurity, potentially easing the process of regulatory compliance.
- Stakeholder Confidence: Compliance with a globally recognized standard like IEC 62443 can significantly boost stakeholder confidence. Customers, partners, and investors can trust that the organization takes cybersecurity seriously and has implemented internationally recognized best practices to protect its ICS.
- Increased Operational Efficiency: The structured approach to cybersecurity that the IEC 62443 standard provides can lead to more efficient operations. By identifying and addressing potential vulnerabilities, organizations can prevent disruptions that could impact productivity. Furthermore, the standard promotes a lifecycle approach to cybersecurity, which includes considerations for the secure development, operation, and maintenance of ICS, further contributing to overall operational efficiency.
- Future-Proofing: With the rapid evolution of technology and the ever-changing cybersecurity landscape, it's crucial for organizations to stay ahead. The IEC 62443 standard is regularly updated to reflect the latest developments in technology and threat patterns, helping organizations future-proof their cybersecurity strategies.
In conclusion, compliance with the IEC 62443 standard is not just about checking a box for cybersecurity. It's about adopting a comprehensive, structured, and effective approach to securing Industrial Control Systems. The value derived from this compliance goes beyond enhanced security, contributing to operational efficiency, regulatory compliance, stakeholder confidence, and future-proofing against emerging threats.
In an era where digitalization is redefining industries and cyber threats are evolving rapidly, the need for robust and comprehensive industrial cybersecurity has never been more critical. The adoption of the IEC 62443 standard represents a significant stride toward securing Industrial Control Systems (ICS) and safeguarding our critical infrastructures.
The standard provides a comprehensive framework for managing cybersecurity risks associated with ICS. It addresses everything from fundamental terminology and concepts to the specifics of system and component security, as well as the procedures and policies required to maintain a secure ICS environment.
The adoption of microsegmentation as a key principle of network security and the importance of device visibility and risk assessment further enhance the security stature of organizations. They offer granular control over network traffic and provide insights into potential vulnerabilities, significantly reducing the attack surface.
While the journey to IEC 62443 compliance might seem complex, the benefits it yields are significant. It offers organizations a pathway to enhanced cybersecurity protection, reduced operational risks, increased stakeholder confidence, and greater operational efficiency. It also helps in meeting regulatory compliance and future-proofing cybersecurity strategies.
As we navigate the complexities of our digital age, the adoption of globally recognized standards like IEC 62443 will be pivotal. It's not just about securing our present but also about ensuring the resilience and sustainability of our future.