IEC 62443 guidelines

Project :IEC 62443 Guidelines
Date : 17.05.23
iPLONIndia
VERSION HISTORY
Created By: Sathya Narayanan
Revision Date: May 17, 2023
Reason: Creation of Document
Contents
1. IEC 62443 basics, setup context, roles and responsibilities .............................. 4
2. IEC 62443 all clauses .......................................................................................... 5
3. Level indicators for security and control system .................................................. 6
4. Maturity level, zones and conduits ...................................................................... 7
5. Foundational requirements and IEC 62443-2-1 .................................................... 8
6. IEC 62443-2-4 .................................................................................................... 10
7. Foundational requirements for IEC 62443-3-3 ...................................................... 12
8. Foundational requirements and security levels for IEC 62443-4-2 ........................ 23
9. Authentication and authorization technologies for IEC 62443-3-1 ........................ 47
10. Network protection technologies from 62443-3-1 ............................................... 60
11. Encryption technologies and data validation from 62443-3-1 ............................. 64
12. Management, audit, measurement and detection tools from 62443-3-1 ............... 68
13. Zones, conduits and risk assessment from 62443-3-2 ........................................ 71
14. Cyber security requirements and techniques used .............................................. 79
IEC 62443 Industrial automation and control systems (IACS) (Cyber Security)
- The standard is mainly intended to safeguard industrial automation and control systems and operational technology (OT) within the scope of cyber security.
- This is critical for infrastructures like power plants, the oil and gas industry, wind power, manufacturing and food processing, for the mitigation of cyber-security risk.
- The standard provides a framework for implementing and setting up requirements and controls, weakness identification, risk assessment, mitigation and risk reduction for operating an IACS.
- The standard clearly defines the roles of the organization and the policies, processes and procedures that apply.
- It also defines the security levels (SL) that can be applied or operated at.
Structural hierarchy
The key roles defined in IACS are as follows:
- Asset Owner
- Maintenance Service Provider
- Integration Service Provider
- Product Supplier
Roles and Responsibilities
Asset Owner - Solely accountable for plant operation and for the overall policy and procedures governing all automation and its components (including hardware and software).
(Accountable for operation, policy and procedure)
Maintenance Service Provider - Maintains the plant and the operational capability of the automation solution, i.e. all software and hardware (including mechanical, electrical, software etc.).
(Maintain the operation and automation solution and capability)
Integration Service Provider - Responsible for commissioning and validating the whole automation solution, and for designing and deploying the automation systems (can be multiple OEMs or companies).
(Commission and validation, design and deploy)
Product Supplier - Works on the component model and the servicing of the component, which includes all hardware and software, from development until End of Life (EOL) of the component.
(Develop and support component from start till end of service life)
IEC 62443-1 (General)
# IEC 62443-1-1 - Introduces the concepts and models used
# IEC 62443-1-2 - Master glossary of terms and abbreviations
# IEC 62443-1-3 - Describes a series of quantitative metrics derived from the foundational requirements, system requirements and other guidance material
# IEC 62443-1-4 - Provides a more detailed description of the underlying life-cycle of IACS security and use cases
IEC 62443-2 (Policies and Procedures)
# IEC 62443-2-1 - Describes the requirements to define and implement effective IACS cybersecurity management
# IEC 62443-2-2 - Provides a methodology for evaluating the protection level provided by an operational IACS against cyber-security threats and the requirements of 2-1
# IEC 62443-2-3 - Provides guidance on patch management
# IEC 62443-2-4 - Requirements for suppliers of IACS systems and related components
# IEC 62443-2-5 - Guidance on the requirements to operate an effective IACS cyber security management system
IEC 62443-3 (System Requirements)
# IEC 62443-3-1 - Describes the application of various security technologies in an IACS environment
# IEC 62443-3-2 - Addresses security risk assessment and system design for IACS
# IEC 62443-3-3 - Provides the foundation for assessing the security level provided by an automation system
IEC 62443-4 (Component Requirements)
# IEC 62443-4-1 - Describes the derived requirements that are applicable to the development of the product
# IEC 62443-4-2 - Contains a set of derived requirements that provide a detailed mapping of system requirements to the subsystems and components of the system under consideration
Levels and Indicators
Security Levels
The security levels are classified into 5 types on a scale from SL0 to SL4.
Security Level | Classification
SL0 | No requirement or security protection needed
SL1 | Protection against casual or coincidental violation (lapse)
SL2 | Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL3 | Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL4 | Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Types of Security Levels
The security level type depends on whether it expresses a target, an assessed (achieved) state or a capability.
Security Level | Classification
SL-T (Target) | Desired level of security for the automation solution; the outcome of the risk assessment determines the level of security
SL-A (Achieved) | Actual level of security of the automation solution; can be assessed for the current state of the automation system or design to verify the actual security level
SL-C (Capability) | Capability level of security of the automation solution; can be achieved by proper configuration of existing controls without adding new controls
Levels of Control System
The level is based on the control of actual devices and their process.
Level | Classification
L0 | Actual physical process, sensors, actuators, those directly connected to the process and its equipment (Field Devices)
L1 | Logic control including sensing and manipulating the physical process; DCS control, PLC and RTU (Basic Process Control, safety)
L2 | Supervisory control level including the functions involved in monitoring and controlling the physical process (Site Monitoring Display and Supervisory Control)
L3 | Operations management including the functions of managing the work flow to produce the desired end product, production scheduling, reliability assurance and site-wide operations (Operation/system management)
L4 | Enterprise business systems, including the functions involved in business-related activities needed to manage a manufacturing process (Business Enterprise system/Third party system)
Maturity Levels
Based on the system security maturity with respect to the guidelines.
Maturity Level | Context | Classification - scope
ML1 | Without a documented process | Poorly controlled - Initial
ML2 | With a formal documentation process | Evidence of expertise of trained persons - Managed
ML3 | Use of defined, established and documented process | Well-defined training schema for personnel - Defined
ML4 | Demonstration of continuous improvement | Conduct of internal audits - Improving
Zones and Conduits
Conduit - a single communication service, such as a single Ethernet network or multiple data carriers
Zone - a grouping of assets that share common security requirements
Zone Levels
Level | Context Zone | Process Includes
L4 | Enterprise Zone | Business enterprise system, Third party system, SAP/BI/OS PI
L3 | Demilitarized Zone | Operation/system management
L2 | Industrial Network Zone | Supervisory control, site monitoring display
L1 | Industrial Network Zone | Basic process control, safety and protection (SIS/HIPPS)
L0 | Industrial Network Zone | Process equipment under control (Field Devices)
*** The flow in this table is descending from L4 to L0 based on zonal control
Foundational Requirements
i. Identification and Authentication
ii. Use Control
iii. System Integrity
iv. Data Confidentiality
v. Restricted Data Flow
vi. Timely Response to Events
vii. Resource Availability
IEC 62443-2-1
This standard provides the requirements on how the asset owner should manage practices and personnel as part of the owner's cybersecurity program, the "Cyber Security Management System" (CSMS).
It defines the elements necessary to establish a security program for IACS, provides guidance on how to develop them, notes the need for consistency between these practices and IT security, and states which elements of cyber security shall be included in the program, namely:
- Policy
- Procedure
- Practice
- Person related
This is the guideline map for the cyber security management system program:
- Risk Analysis - assessment for identification of risk.
- Address with CSMS - based on the risk identified, this can be classified into policy and training including awareness programs, organizational security policy, countermeasures, access controls and technical resource availability.
- Implementation - managing the risk, system development and maintenance, documentation and incident planning.
- Monitoring and improvement - conformance and adherence; review, improve and maintain the CSMS.
Much of the content of this standard is related to ISO 27001 and is also applicable to IACS; the standard classifies the differences between IACS and general business/IT systems.
It introduces the concept of cyber risk for an IACS having implications on health, safety and environment (HSE), which can be integrated with other existing risk management practices that cover these risks.
IEC 62443-2-4
This standard provides the requirements for implementing the security program and is expected to be independent of the different releases of the products used in the automation solution; it also defines the capabilities that these security programs are required to provide.
It also addresses the fact that, since security programs evolve from manual to formal processes, they are addressed by assigning a maturity model to be used with the application of this standard.
Service provider and asset owner should negotiate the terms of the capabilities to be provided, show the security requirements of the system, and encourage the service provider to implement the required capabilities so that they are adaptable to a wide variety of assets.
The maturity model allows the asset owner to understand the maturity of a specific service provider's capabilities better, and contains security requirements for providers of integration and maintenance services for IACS.
The standard specifies the requirements for the security capabilities that an IACS service provider can offer the asset owner during integration and maintenance activities of the automation solution, and is related to IEC 62443-2-1.
It can be used by the asset owner to request specific security capabilities from the service provider and to determine whether the service provider is capable of providing them in a cyber-secure manner.
Dependencies:
These are the dependencies interconnected with this standard, ranging from IEC 62443-2-1 to 62443-4-2; they provide the method of work flow and orchestration of event management and interconnection, along with incident management.
Foundational Requirement for IEC 62443-3-3
i. Identification and Authentication
The asset owner will develop a list of valid and authorized users (human, software process and devices) including their privileges, require identification and authorization for each zone, prevent unauthorized access, and check access rights before authentication.
SR 1 - User Identification and Authentication
All users must be unique and authenticated, and set up in the control system application.
SR 1.1 RE - Multi-Factor Authentication
Required if accessing from an untrusted network (can be complied with using VPN).
SR 1.2 Software Process and Device Identification and Authentication
This must be implemented on all devices that will access, or be accessed from, the control system network.
- For Linux: user/group management
- For Windows: user/group management, local security policy, Windows Defender
SR 1.3 Account Management
The system must be able to manage all users; this can be managed in the OS using Kerberos, EAP or Active Directory, including accounts on switches, firewalls and other third party components.
SR 1.4 Identifier Management
Management of user, group, role or control system interface identifiers must be supported; this is already available in Linux and Windows, and local policy and procedure must be established.
SR 1.5 Authenticator Management
Must have procedures to verify that authenticators are unique, e.g. that passwords are unique and are not stored, transmitted or shared in any medium (use password vaults and password management solutions).
SR 1.6 Wireless Access Management
Connections to wireless networks must be authenticated and identified; this can be done using an EAP method, IPSec or Kerberos.
SR 1.7 Strength of Password-Based Authentication
Check the strength of passwords and enforce it using minimum length, variety of characters and lifetime; this can be enforced at OS level or using EAP.
SR 1.10 Authentication Feedback
When passwords are being entered or authenticated, the characters should not be displayed but replaced with asterisks (*); this is supported by current versions of Linux and Windows.
SR 1.11 Unsuccessful Login Attempts
Set a maximum number of unsuccessful login attempts after which the account is locked out for a certain cooling period; configured for user accounts in the OS.
SR 1.12 System Use Notification
The system must display a notice about itself and its use: that use of the machine is for authorized and responsible users only, that unauthorized use is prohibited and subject to civil or criminal penalties, that system usage can be recorded and monitored, and that use implies consent. The notice should not include too much information about the criticality of the system, which may make it a target for hackers or external sources.
SR 1.13 Access via Untrusted Networks
The ability to monitor and control all methods of access from untrusted networks, which should be blocked and protected; multi-factor authentication can also be used. Also take care not to over-hinder the availability of the system by racking up security parameters.
SR 1.13 RE-1 Explicit Access Request Approval
The operator must be able to see whether a remote session is in progress, and the role must be able to terminate the session if needed; the UI must have some way to show this. Third party hardware solutions exist to accommodate this requirement.
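As an added illustration (not part of the iPLONIndia guideline and not any vendor's code), the following Python sketch shows how a component could enforce SR 1.3, SR 1.5, SR 1.7 and SR 1.11 together, and how the 62443-4-2 CR 1.3 test later in this document (disable an account, then retry login) would exercise it. The policy thresholds, the PBKDF2 parameters and the injectable clock are assumptions.

```python
"""Component-side account store sketch for IEC 62443-3-3 FR1 (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Assumed policy values; an asset owner sets these per zone and target SL.
MIN_LENGTH = 12
MAX_PASSWORD_AGE = 90 * 24 * 3600   # SR 1.7 lifetime, in seconds
MAX_FAILURES = 5                    # SR 1.11 lockout threshold
LOCKOUT_SECONDS = 15 * 60           # SR 1.11 cooling period
PBKDF2_ROUNDS = 100_000             # assumed work factor


def check_strength(password: str) -> list[str]:
    """SR 1.7: return the list of policy violations (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes            # SR 1.5: only a salted hash is stored, never the password
    set_at: float            # when the password was last set (SR 1.7 lifetime)
    enabled: bool = True
    failures: int = 0
    locked_until: float = 0.0


class AccountStore:
    def __init__(self, now=time.time):
        self.now = now                              # injectable clock for tests
        self.accounts: dict[str, Account] = {}

    def create(self, user: str, password: str) -> None:
        problems = check_strength(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, salt, _hash(password, salt), self.now())

    def disable(self, user: str) -> None:
        """SR 1.3 / 4-2 CR 1.3: a disabled account must no longer authenticate."""
        self.accounts[user].enabled = False

    def login(self, user: str, password: str) -> str:
        """Return one of: ok, expired, bad-credentials, locked, disabled."""
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled:
            return "disabled"           # same answer for unknown and disabled users
        t = self.now()
        if t < acct.locked_until:
            return "locked"             # SR 1.11: still inside the cooling period
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = t + LOCKOUT_SECONDS
                acct.failures = 0
                return "locked"
            return "bad-credentials"
        acct.failures = 0
        if t - acct.set_at > MAX_PASSWORD_AGE:
            return "expired"            # SR 1.7 lifetime: force a password change
        return "ok"
```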
ii. Use Control
Once the user is authenticated, the control system must restrict and allow actions based on the privileges assigned to each user (human, software process, group, role) by the asset owner, thus restricting against unauthorized actions by verification of privilege.
(Privilege here means read, write, download program, settings, configuration, etc.; this can vary for a user based on location, time and means of access.)
SR 2.1 Authorization Enforcement
Users and roles are to be configured, and authorization enforcement can be set system-wide down to a specific individual enforcement setting or object; the organization must have procedure and policy for this.
SR 2.2 Wireless Use Control
The wireless network should be monitored and authorized to enforce usage restrictions as per EAP, Kerberos or IPSec protocols, and cover all wireless forms of comms including Bluetooth, Zigbee, radio etc.
SR 2.3 Use Control for Portable and Mobile Devices
The IACS must be designed such that usage of portable and mobile devices is controlled; specific authorization can be set up for data transfer, and use of USB should be restricted (this includes all electrical and electronic devices).
SR 2.4 Mobile Code
Software should not run any code executable delivered through a mobile device, and care must be taken with files retrieved from outside the control system, or exchanged within
the system, to ensure they are fingerprinted so that tampering can be detected (SHA, MD5).
SR 2.5 Session Lock
Session lock should not be used on systems where critical functions reside and emergency operations are performed; where needed, session lock can be set up in the OS to lock out and re-authenticate after a certain timeout.
SR 2.6 Remote Session Termination
It must be possible to set up remote sessions so that they terminate automatically after a certain time of inactivity or timeout, or can be terminated manually by the initiator; this can be configured in the OS and in third party access solutions.
SR 2.8 Auditable Events
The control system should have a record of auditable events in the system log; prohibited access and changes to files and the control system are included. A SIEM system can be set up to handle the events from there.
SR 2.9 Audit Storage Capacity
The storage for audit records must be large enough to hold the required logs, and a mechanism should be in place to prevent it from being exceeded.
SR 2.10 Response to Audit Processing Failures
Failures in the audit processing system should alert operators and not cause loss of the main systems; an alarm can be set up when disks are nearing full capacity.
SR 2.11 Timestamps
Timestamps should be in all audit records; the control system can be configured to use an alternate time source apart from the OS clock. This must be protected from unauthorized manipulation and tampering; GPS spoofing and time manipulation is a possibility to be taken into account.
iii. System Integrity
Asset owners are responsible for maintaining the integrity of the system, with different levels of protection for different systems, communication channels and
information. It should also be maintained in transit and at rest, including when connected over the network; while in a data repository this includes all the software, files, reports, code etc.
SR 3.1 - Communication Integrity
The transmitted information must be protected; this can be achieved by using IPSec to encapsulate the information.
SR 3.1 RE-1 Cryptographic Integrity Protection
The transmitted information should be protected using encryption with IPSec, usually to prevent man-in-the-middle (MITM) attacks and data modification; this is a must if comms take place over an untrusted network.
SR 3.2 Malicious Code Protection
Malicious code can be prevented using anti-malware and AV programs; the priority must be set such that this does not interfere with IACS behavior and operations, and an allow list of good applications should be set up in the OS.
SR 3.2 RE-1 Malicious Code Protection on Entry and Exit Points
Malicious code protection can be enforced by setting up anti-malware and AV programs; disabling autoplay and automount can be seen as mitigating actions on top-level systems.
SR 3.3 Security Functionality Verification
The solution is to provide a way to support safe verification of the security functions, at least during test and scheduled maintenance, e.g. certifications from TUV etc.
SR 3.4 Software and Information Integrity
The control system shall have the ability to detect, record, report and protect against unauthorized changes to software and information at rest.
SR 3.5 Input Validation
The control system should validate any input which is process related or directly impacts the actions of the system, including validation of input that is externally modified; input includes all process data values, scripts, DB queries, and any material that can be changed
via tampering, which could change the working of the system. A reporting SIEM system can be set up to report anomalies that indicate tampering and security breaches.
SR 3.6 Deterministic Output
It should be ensured that the outputs go to a predefined state if normal operation cannot be maintained due to an attack; the I/O units and control applications can be set to automatically correct the output if the connection or power to the system is lost, to maintain safe operation of the system (safe state).
SR 3.8 Session Integrity
Session-based protocols are to be protected and shall reject invalid session IDs; this can be done using IPSec or by using encrypted transmission, and can be omitted where deemed necessary.
SR 3.8 RE-1 Invalidation of Session IDs after Session Termination
When session-based protocols are used, session IDs must be invalid after use; make sure not to reuse session IDs after session termination.
SR 3.8 RE-2 Unique Session ID Generation
A unique session ID shall be created for each session, and the randomness of the ID must be ensured to prevent MITM attacks and session hijacking.
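The session handling described under SR 2.6 and SR 3.8 RE-1/RE-2, as an added Python example that is not from the guideline or any product: IDs come from a CSPRNG and are never reissued, terminated IDs stop validating immediately, idle sessions are closed on the next use, and the active list is what an operator view for SR 1.13 RE-1 would show. The idle timeout and the injectable clock are assumptions.

```python
"""Session manager sketch for a session-based IACS protocol front end (added example)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60   # assumed SR 2.6 inactivity limit, in seconds
ID_BYTES = 32            # 256 bits of CSPRNG output per session ID (SR 3.8 RE-2)


@dataclass
class Session:
    session_id: str
    user: str
    last_seen: float


class SessionManager:
    def __init__(self, now=time.time):
        self.now = now                              # injectable clock for tests
        self.active: dict[str, Session] = {}
        # Terminated IDs are remembered so they are never issued again (SR 3.8 RE-1).
        # A real component would bound or persist this set.
        self.retired: set[str] = set()

    def open(self, user: str) -> str:
        """Issue a fresh, unpredictable and unique session ID."""
        while True:
            sid = secrets.token_urlsafe(ID_BYTES)
            if sid not in self.active and sid not in self.retired:
                break
        self.active[sid] = Session(sid, user, self.now())
        return sid

    def validate(self, sid: str) -> Session | None:
        """Accept only a live session; an idle one is terminated on the spot (SR 2.6)."""
        sess = self.active.get(sid)
        if sess is None:
            return None                 # unknown, or already terminated (SR 3.8 RE-1)
        t = self.now()
        if t - sess.last_seen > IDLE_TIMEOUT:
            self.terminate(sid)
            return None
        sess.last_seen = t
        return sess

    def terminate(self, sid: str) -> bool:
        """Manual termination by the initiator or the operator (SR 2.6 / SR 1.13 RE-1)."""
        sess = self.active.pop(sid, None)
        if sess is None:
            return False
        self.retired.add(sid)
        return True

    def list_remote_sessions(self) -> list[tuple[str, float]]:
        """What an operator UI needs for SR 1.13 RE-1: who is connected and since when."""
        return [(s.user, s.last_seen) for s in self.active.values()]
```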
CR 3.10 Support for Updates
Update support is a must and applies to all devices; the IACS must have a secure way to update and upgrade the system to remain hardened against security exploits, and the update process itself must not be easily exploitable.
CR 3.14 Integrity of Boot Process
The IACS must be built such that the integrity of firmware, software and configuration data is verified during booting of the system (TPM etc.).
iv. Data Confidentiality
To prevent unauthorized disclosure, the IACS shall provide the necessary capability to ensure confidentiality of the information; comms channels and data storage need to be secured when at rest and in motion.
SR 4.1 Information Confidentiality
Confidential information must be secured while at rest and in motion; this includes user IDs, passwords, private keys etc. Process and policy are to be set to prevent exposure of data; an IEEE 802.1X port-based network solution is to be used as a guard mechanism over the access network.
SR 4.3 Use of Cryptography
Use industry standard or better encryption methods when applicable; WPA3 or better encryption can be used for wireless networks, and I/O servers, system backups and backup keys are to be set up using industry standard encryption.
v. Restricted Data Flow
The asset owner needs to determine the information flow restrictions and configure the conduits used to deliver the information; the IACS provides the capability to segment the control system via zones and conduits to limit information flow, including disconnection of the control network from public or business networks using data diodes, firewalls and the creation of demilitarized zones.
SR 5.1 Network Segmentation
The network must be segmented and isolated logically where applicable; routers, switches and virtual segmentation using VLANs are preferred so that traffic from one segment does not intermix with another segment. If mixing happens, a risk evaluation can be done to reduce it and to identify barriers against a cyber incident.
SR 5.1 RE-1 Physical Network Segmentation
Network segments must be physically isolated so as to confirm that the control system network and other networks don't mix together.
SR 5.2 Zone Boundary Protection
This needs to be enforced by using RADIUS, Trusted Network Connect or other network access protocols.
SR 5.2 RE-1 Deny by Default, Allow by Exception
Network devices must be configured to deny traffic by default and allow by exception; in addition, EAP, IPSec and Kerberos make it difficult to hack (firewall).
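An added example (not from the guideline or any vendor) of the deny-by-default, allow-by-exception rule applied to the L0-L4/DMZ zone model used earlier in this document: every permitted conduit is written down with its purpose, anything else is denied, and each decision is emitted as an audit line of the kind SR 2.8 asks for. The zone CIDRs, the conduit list and the sample flows are constructed; two of the flows are loosely modelled on the case-study findings later in the document (telnet to an L2 switch, unapproved RDP into a workstation).

```python
"""Deny-by-default conduit policy check for zones and conduits (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed zone addressing for one site (constructed values).
ZONES = {
    "L4-enterprise": ipaddress.ip_network("10.4.0.0/16"),
    "L3-dmz": ipaddress.ip_network("10.3.0.0/24"),
    "L2-supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "L1-control": ipaddress.ip_network("10.1.0.0/24"),
    "L0-field": ipaddress.ip_network("10.0.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    purpose: str


# Allow-by-exception list (constructed): each permitted flow with its business purpose.
CONDUITS = [
    Conduit("L4-enterprise", "L3-dmz", "tcp", 443, "historian web access via DMZ"),
    Conduit("L3-dmz", "L2-supervisory", "tcp", 5432, "DMZ historian pulls from SCADA DB"),
    Conduit("L2-supervisory", "L1-control", "tcp", 502, "HMI/SCADA polls PLCs over Modbus/TCP"),
    Conduit("L2-supervisory", "L2-supervisory", "tcp", 22, "switch management over SSH"),
]


def zone_of(addr: str) -> str | None:
    """Map an address to its zone, or None if it lies outside every defined zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, port: int) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). The default, reached last, is deny (SR 5.2 RE-1)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address outside any defined zone"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.port) == (sz, dz, proto.lower(), port):
            return "allow", f"conduit: {c.purpose}"
    return "deny", f"no conduit {sz} -> {dz} {proto}/{port}"


def evaluate(flows) -> list[str]:
    """Run a batch of observed flows and produce SR 2.8-style audit lines."""
    lines = []
    for src, dst, proto, port in flows:
        verdict, reason = decide(src, dst, proto, port)
        lines.append(f"{verdict.upper():5} {src}->{dst} {proto}/{port}: {reason}")
    return lines


# Constructed sample flows, including two modelled on the case study.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", "tcp", 502),     # HMI polling a PLC: permitted conduit
    ("10.2.0.10", "10.2.0.250", "tcp", 23),    # telnet to an L2 switch: no conduit for it
    ("10.4.0.77", "10.2.0.10", "tcp", 3389),   # enterprise RDP straight into supervisory zone
    ("10.0.0.9", "10.4.0.1", "udp", 53),       # field device reaching enterprise DNS
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_FLOWS):
        print(line)
```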
SR 5.2 RE-2 Island Mode
The IACS must have the capability to isolate itself from other networks, to reduce the risk of being compromised when an attack is detected.
SR 5.3 General Purpose Person-to-Person Communication Restriction
To mitigate this attack vector, the IACS must be capable of preventing person-to-person messaging from the IACS; if messaging is required, countermeasures such as isolation and bandwidth limiting can be employed.
SR 5.4 Application Partitioning
Control applications must be partitioned based on criticality for zoning; modularity of the system is recommended. Docker or a hypervisor can segregate applications running on the same hardware; assess any security and real-time performance implications.
vi. Timely Response to Events
The asset owner is to establish security policy and procedures and a proper line of communication and control to handle security violations and breaches; the use of monitoring tools and methods should not interfere with the control system or degrade system performance.
SR 6.1 Audit Log Accessibility
The audit logs must only be accessed by authorized users from a read-only device, with no option or way to modify the logs other than appending log data; access control lists or a third party system can be used to enforce this requirement.
vii. Resource Availability
To ensure that the control system is guarded against various resource-consuming attacks like DDoS (distributed denial of service), and to prevent partial or total unavailability of the system, encourage use of high-redundancy network availability at network level and high priority for servers, firewalls and applications.
SR 7.1 Denial of Service Protection
The IACS must have a way to request information from, or be notified by, boundary devices to detect that a cyber attack is ongoing; if a DoS attack is detected the IACS must operate in
degraded mode; a risk evaluation can be done to safely degrade the system without affecting other safety-related systems.
SR 7.2 Resource Management
The IACS should provide resource management capability to mitigate resource exhaustion caused by security-related processes such as running AV and similar; security functions should not cause the IACS to misbehave during operation.
SR 7.3 Control System Backup
The IACS must have up-to-date backups for full system recovery in case of failure or misconfiguration; this includes audit logs and other forensic information. The backup must be encrypted and the system must be in a safe state during backup.
SR 7.4 Control System Recovery and Reconstitution
There must be a way to quickly recover the control system to a secure state after any disruption or failure. For industrial controllers this means restoring the latest backup; other devices such as switches and I/O must have the ability to match the operation of the last known secure state, and firmware and settings must be available to restore and match with a correct configuration when swapping out a defective unit in case of hardware failure.
SR 7.5 Emergency Power
The IACS must be able to switch to an emergency power supply without affecting the existing security state; a risk assessment can be done to determine the probable causes of failure and implement barriers to mitigate these.
SR 7.6 Network and Security Configuration Settings
The solution shall provide guidelines for network and security configuration, and the IACS is to be configured accordingly, including the OS; the IACS is to be set to monitor these in accordance with security policy and procedures (including OS hardening etc.).
SR 7.7 Least Functionality
The IACS should restrict use of unnecessary functions. The firewall must be set up to allow only known devices, addresses, services and ports (removal of unwanted programs including games, calculators and other misc applications).
- For Linux this can be done using iptables/nftables/UFW
- For Windows this can be done using Windows Firewall
Case study: Risk assessment of AB oil
Scenario: AB oil company, located in the Middle East, does refining and export of petrol and other fuel gases; this assessment covers the entire plant production.
Scope: Location Alpha U101
Connections to U102, U105 and U107 for normal data exchange
Received documents:
- System architecture
- Inventory details
General Observations
Documentation:
- The current asset inventory is incomplete and missing important information
- Proper architecture and network diagrams are not available to reveal the logical and physical network connections between assets
- Documentation of the interconnection between U101 and U105 is not available
Anti-virus
- Most endpoints have AV
- Stand-alone systems don't have AV but have other manual scan procedures
- No central management for AV
Backups
- Network-connected computer-based systems are auto-backed-up using WSUS
- Most HMI panels don't have backup abilities
- For PLCs there is a manual backup procedure
DCS and system safety
- The DCS network is not segregated from the safety network at each location
- Only one engineer knows how to reset and retrieve passwords
- The same user name and password is used by all workstation operators
Operating System Configuration
- All Windows OS are hardened per vendor guidelines, but there is no control to verify that this is still the case
- No single hardening procedure: different vendors have different hardening procedures
- Logs are not enabled
Network Management
- Process engineers use telnet to access network switches in level 2
- The network connecting PLC to HMI is single and routed using metal conduits and a separate cable tray
- An engineer in U101 can take RDP of a workstation in U105 without any approval from U105, and was editing log rotation of the machine
Assessment
Calculate and visualize the above data against all the requirements, in all terms needed; a sample is attached below.
Foundational Requirement for IEC 62443-4-2
Identification and Authentication
- All human users need to be identified and authenticated for all access to applications and devices, including access through the network protocols HTTP, HTTPS, FTP, SFTP and the protocols used by device configuration tools
- Components using password authentication must enforce a password policy (minimum characters, variety etc.)
- Components using public-key authentication must ensure certificate validity, and the strength of the cipher suite used must comply with the encryption requirements
- Monitor remote access and authentication attempts over clear-text OT and IT protocols including HTTP, HTTPS, FTP, SFTP, SMB, Telnet etc.; all failed and successful attempts must be logged for analysis, to ensure critical systems are accessed using individual credentials
Use case of FR-1
Assumptions: Node, Switch, Forwarder, Gateway and Border gateway are up in security levels
1.1 Identification and authentication
SL1 Requirement ISA 62443-4-2 CR 1.1
- Enforce IDs and access on interfaces that provide access
Test:
- Verify the device cannot be operated without logging in with a specific account
- Verify the normal user account that is always logged in in manned control rooms doesn't have admin access other than what is provided for operation
SL2&3 Requirement ISA 62443-4-2 CR 1.1 (1)
- Enforce unique ID and access for each human user
Test:
- Verify that no public or default credentials are used to authenticate to the device; enumerate all user IDs and verify shared accounts are not used
SL4 Requirement ISA 62443-4-2 CR 1.1 (1)(2)
- Enforce multi-factor authentication for each user
Test:
- Verify that the different paths of authentication and their information are not easy to tamper with
1.2 Application or device identification and authentication
SL1 NA
SL2 Requirement ISA 62443-4-2 CR 1.2
- Identify and authenticate itself when interfacing with other components
Test:
- Use the method/protocol specified by the vendor, such as SNMP and LLDP for discovery and 802.1X for authentication, to retrieve and verify the component type
SL3&4 Requirement ISA 62443-4-2 CR 1.2 (1)
- Uniquely identify and authenticate itself when interfacing with other components
Test:
- Use the method/protocol specified by the vendor, such as SNMP and LLDP for discovery and 802.1X for authentication, to retrieve and verify the component type and its unique ID
1.3 Account management
SL 1,2,3,4 ISA 62443-4-2 CR 1.3
- Provide management of accounts directly in the component, or support such management in a common system
Test:
- Log in using an existing account on the target device, disable the account used to log in, and retry login with this account; it should not log in as the account is disabled
1.4 Identifier management
SL 1,2,3,4 ISA 62443-4-2 CR 1.4
– Provide management of identifiers by user, group, role or control system interface, either directly in the component or by supporting integration into a common system that provides such identifier management
Test:
– Verify that the component supports identification of any entity, either directly or through a central identifier management solution
1.5 Secure authenticator management
SL 1,2 ISA 62443-4-2 CR 1.5
– Support secure management of authenticator content such as passwords
Test:
– Verify that the default (as-installed) authenticator can be modified
– Verify that authenticator content is protected in storage and in transmission
– Verify that a periodic authenticator change can be configured
SL 3,4 ISA 62443-4-2 CR 1.5 (1)
– Hardware-based authenticators (smart cards, etc.) can be used
Test:
– Confirm that after removing the hardware authenticator it is no longer possible to operate the component
1.6 Wireless Access
Assumptions: NA for Node, Switch, Forwarder and Border gateway; only applicable to Gateway
SL 1 ISA 62443-4-2 NDR 1.6
– The wireless gateway shall be able to identify and authenticate all wireless connections
Test:
– Verify that a human user must log in to access the wireless gateway
– Use the vendor-specified method to verify that an application or device must identify and authenticate itself to access the gateway
SL 2,3,4 ISA 62443-4-2 NDR 1.6 (1)
– Unique identification and authentication of each wireless connection shall be provided
Test:
– Verify that all wireless connections require unique identification
1.7 Strength of passwords
SL 1,2 ISA 62443-4-2 CR 1.7
For components using password-based authentication it shall be possible to enforce a password policy (strength and variety), either in the component itself or through another system; passwords must not be stated in documents
Test:
– After applying a password policy through the central configuration system, try to change the password from another system and verify that the policy is still enforced
SL 3 ISA 62443-4-2 CR 1.7 (1)
Human users cannot reuse a previously used password
Test:
– Verify that the system disallows changing the password to any of the previously used passwords, and configure the system with a password expiration cycle
SL 4 ISA 62443-4-2 CR 1.7 (1)(2)
Password lifetime restrictions are applicable to all users
Test:
– Verify that the system can be configured with password expiration for non-human users as well
1.8 Public key infrastructure (PKI) certificates
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 1.8
When PKI is used it must be in accordance with this section
Test:
– Verify that certificate expiry dates are acceptable
1.9 Strength of public key authentication
SL 1 ISA 62443-4-2 CR 1.9 - NA
SL 2 ISA 62443-4-2 CR 1.9
When PKI is used, validation of certificates must follow the requirements in the referenced standard
Test:
– Verify certificate validation using invalid and revoked certificates
SL 3,4 ISA 62443-4-2 CR 1.9 (1)
It shall be possible to protect private keys using hardware
Test:
– Verify that keys are tamper-proof during installation and in storage
1.10 Obscure authentication information
SL 1,2,3,4 ISA 62443-4-2 CR 1.10
During authentication or password entry the system shall not echo credentials or give feedback that reveals the reason for an unsuccessful login, since such feedback can be exploited for account enumeration
Test:
– Perform a valid authentication, then enter invalid credentials and check whether the response reveals whether the user name or the password was the wrong part; verify that no data leaks under brute-force attempts
1.11 Unsuccessful Login Attempts
SL 1,2,3,4 ISA 62443-4-2 CR 1.11
During authentication the system shall restrict the number of consecutive failed login attempts, applicable to all users, applications, etc.; the limit must be configurable and, when it is reached, the account shall be blocked for a specific period of time
Test:
– Verify that consecutive failed logins lead to a lockout
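A worked example covering CR 1.7, CR 1.10 and CR 1.11 together, added here as illustration (it is not part of the guideline and not any vendor's code): a minimal account model that enforces length and character variety, rejects the last five passwords, expires passwords after 90 days for every account, locks the account after five consecutive failures, and returns one generic failure message whatever the cause. The limits, the PBKDF2 parameters and the account name are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed policy values; a real component makes these configurable (CR 1.7, CR 1.11)
MIN_LENGTH = 12
HISTORY_DEPTH = 5              # CR 1.7 RE1: the last N passwords may not be reused
MAX_AGE_SECONDS = 90 * 86400   # CR 1.7 RE2: lifetime restriction for every account
MAX_FAILURES = 5               # CR 1.11: consecutive failures before lockout
LOCKOUT_SECONDS = 300

GENERIC_FAILURE = "authentication failed"   # CR 1.10: one message for every cause


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if len(set(password)) < MIN_LENGTH // 2:
        problems.append("too little variety")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that stored authenticator content is protected (CR 1.5)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, now: float):
        problems = check_policy(password)
        if problems:
            raise ValueError(problems)
        self.name = name
        self.history = []          # (salt, derived key) pairs, newest last
        self.failures = 0
        self.locked_until = 0.0
        self.changed_at = now
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def _matches_any(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, s), h) for s, h in self.history)

    def change_password(self, new: str, now: float) -> list:
        """CR 1.7: policy check plus history check; returns the violations."""
        problems = check_policy(new)
        if self._matches_any(new):
            problems.append("reuse of a previous password")
        if not problems:
            self._store(new)
            self.changed_at = now
        return problems

    def login(self, password: str, now: float) -> tuple:
        """CR 1.10/1.11: the caller sees the same text whether the account is
        locked, the password is wrong or the password has expired."""
        if now < self.locked_until:
            return False, GENERIC_FAILURE
        salt, current = self.history[-1]
        if not hmac.compare_digest(_derive(password, salt), current):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
            return False, GENERIC_FAILURE
        if now - self.changed_at > MAX_AGE_SECONDS:
            return False, GENERIC_FAILURE   # expired: a password change is required first
        self.failures = 0
        return True, "ok"
```

The lockout counter is reset only by a successful login, and the lock itself is time-based so that an attacker cannot keep an operator locked out indefinitely by simply continuing to guess; the same generic string is returned for "locked", "wrong password" and "expired" so that the response cannot be used to tell accounts apart.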
1.12 System use notification
SL 1,2,3,4 ISA 62443-4-2 CR 1.12
The system shall be capable of displaying a notification of the consequences of unauthorized use, before and after a successful login, for example using warning banners; the notification should not expose much information about the system
Test:
– Observe that all warning banners are displayed before login
1.13 Access via untrusted network
SL 1,2,3,4 ISA 62443-4-2 CR 1.13
Any attempt to access the component from an insecure or uncontrolled network shall be monitored and managed by the gateway
Test:
– Attempt access from an untrusted network and, once logged in, verify that the access is monitored in the system
1.14 Strength of Symmetric key authentication
SL 1 ISA 62443-4-2 CR 1.14 NA
SL 2 ISA 62443-4-2 CR 1.14
When symmetric key authentication is used, validation of the shared secret shall follow the rules stated here: MD5, SHA-0, SHA-1, DES and 3DES are excluded and proprietary encryption is to be avoided; an asymmetric algorithm must use at least a 2048-bit key with strength at least that of RSA, and a symmetric algorithm shall use at least a 256-bit key with strength at least that of AES
Test:
– See the OWASP cryptographic guidance
– Verify that private keys or certificates stored on the file system cannot be imported without authorized access
SL 3,4 ISA 62443-4-2 CR 1.14 (1)
ISO/IEC 19790 (security requirements for cryptographic modules) level 3 protection of symmetric keys is required
Test:
– It must be possible to protect private keys via hardware
Use case of FR-2
The component shall provide the ability to generate audit records relevant to security, including access control, request errors, control system events, backup and restore events, configuration changes and audit log events
Logs must include a timestamp, the source device, category, type, event ID and result
Also required is continuous real-time monitoring of network and device activity for all access, authorized and unauthorized, all attempts and errors from every device in the system, and all updates including firmware and software
2.1 Authorization enforcement
SL 1 ISA 62443-4-2 CR 2.1
The component shall enforce authorization for human users based on assigned roles and privileges
Test:
– If users with different privilege levels exist, select the highest-privilege user account and use it to exercise all access and features; do the same with a lower-privilege account and verify that some features are blocked for it, as defined in the supporting documents
SL 2 ISA 62443-4-2 CR 2.1 (1)(2)
Enforce authorization for all users; the component shall support an authorized role that can define and modify the permissions of all human users
Test:
– Verify by observation that an authorized role with the above ability exists
SL 3 ISA 62443-4-2 CR 2.1 (1)(2)(3)
The component shall support a manual override by a supervisor; this override shall expire after the action or event has been performed, or after a set time
Test:
– The authentication mechanism for the supervisor shall be described in the documentation and verified in the type test
SL 4 ISA 62443-4-2 CR 2.1 (1)(2)(3)(4)
The component shall allow approval by two different roles for actions that can result in serious, safety-related impacts on the control process
Test:
– Any action which requires dual approval must be described in the documentation and demonstrated in the type test
2.2 Wireless usage
SL 1,2,3,4 ISA 62443-4-2 CR 2.2
If the component supports wireless communication it shall support appropriate authorization, monitoring and usage restriction mechanisms; unique identification of all users is needed
Test:
– Confirm there are no generic or unlisted users in the configuration
– Confirm the monitoring and logging functions
– Confirm the authentication strength and usage restrictions provided by the device
2.3 Portable and mobile devices
SL 1,2,3,4 ISA 62443-4-2 CR 2.3
Any component which supports the use of portable or mobile devices shall have the capability to prevent or restrict the use of such devices (mobile phones, USB storage, etc.)
Test:
– Enable the portable device restriction supported by the device, then check with a USB device that no data can be transferred
2.4 Mobile code
SL 1,2 ISA 62443-4-2 CR 2.4
Any component that uses mobile code (Java, PDF with active content, VBScript, etc.) shall have the capability to authenticate, authorize and restrict execution of mobile code, including its transfer to and from the system
Test:
– Enable blocking of mobile code and verify that no mobile code can be copied and executed via the network; verify blocking of Java, ActiveX and VBScript as a minimum in the absence of other mobile code types
SL 3,4 ISA 62443-4-2 CR 2.4 (1)
The host shall be capable of verifying the integrity of mobile code before execution
Test:
– Same test as for SL 1,2, additionally verifying that mobile code whose integrity check fails (modified or unsigned code) is rejected before execution; Java, ActiveX and VBScript as a minimum in the absence of other mobile code types
2.5 Session lock
SL 1,2,3,4 ISA 62443-4-2 CR 2.5
The component shall have the capability to implement a session lock
Test:
– Verify that a time-based session lock can be configured and works
2.6 Remote session termination
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 2.6
Remote access to applications or components from outside the trusted network shall allow the user who initiated the session to terminate it; components with remote session capability must also support a session timeout configuration
Test:
– Verify that the session is torn down after the configured time
– Monitor the network to confirm that the session is actually terminated
– Verify that the user can terminate the session
2.7 Concurrent session control
SL1,2 NA
SL 3,4 ISA 62443-4-2 CR 2.7
It shall be possible to configure the maximum number of sessions that can run simultaneously, to limit resource exhaustion (DoS/DDoS)
Test:
– Monitor the network and, after reaching the maximum number of sessions, check that another session is not allowed
2.8 Audit information
SL 1,2,3,4 ISA 62443-4-2 CR 2.8
It shall be possible to generate audit records of the security events provided by the component
Test:
– Verify that log entries are sufficiently verbose and that the content of the records matches the respective events
2.9 Audit storage
SL 1,2 ISA 62443-4-2 CR 2.9
The component shall have sufficient audit storage capacity and shall prevent failure if that capacity is exceeded
Test:
– Generate events until the storage is full and check the functionality of the system
SL 3,4 ISA 62443-4-2 CR 2.9 (1)
An alarm shall be generated if the log storage exceeds a threshold
Test:
– Generate events until the storage is full and check the functionality of the alarm
2.10 Audit processing
SL 1,2,3,4 ISA 62443-4-2 CR 2.10
The component shall have the capability to detect failures in generating or processing audit records, and shall respond by going to a safe state in case of such a failure
Test:
– Verify that the product documentation states this and that it can be tested on the required functions
2.11 Timestamps
SL 1,2 ISA 62443-4-2 CR 2.11
The component shall have the ability to timestamp security events
Test:
– Simulate events to generate logs and verify the timestamps for up to five alarms
SL 3 ISA 62443-4-2 CR 2.11 (1)
The timestamp must be in sync with the system-wide time (e.g. NTP)
Test:
– Simulate events to generate logs, verify the timestamps and check that the time of each event in the logs is correctly synchronized
SL 4 ISA 62443-4-2 CR 2.11 (1)(2)
Any alteration of the time synchronization mechanism is subject to authorization, and unauthorized changes are logged as events
Test:
– Modify the external time source and check the event logging
2.12 Non-repudiation for user actions
SL 1 NA
SL 2 ISA 62443-4-2 CR 2.12
The component shall be able to determine whether an action was taken by a human user
Test:
– Modify three settings in the device configuration, review the log and verify they are recorded
SL 3,4 ISA 62443-4-2 CR 2.12 (1)
The component shall provide non-repudiation capability for all users
Test:
– Modify three settings in the device configuration, review the log and verify they are recorded with user identification
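An added example (not from the guideline) tying the FR-2 items together: an audit log that emits the fields listed above (timestamp, source device, category, type, event ID, result) plus the acting user for CR 2.12, raises an alarm at a storage threshold (CR 2.9 RE1), refuses to drop records silently when storage is exhausted (CR 2.10), and a validator a type tester can run over exported records to check the fields and the timestamp ordering (CR 2.11). The field names, JSON layout, capacity and the injectable clock are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("ts", "source", "category", "type", "event_id", "result", "user")


class AuditStorageFull(Exception):
    """Raised instead of silently dropping an event (CR 2.10: fail to a known state)."""


def stepping_clock(start_iso: str, step_seconds: int = 1):
    """Deterministic clock for type tests: returns start, start+step, ... on each call."""
    start = datetime.fromisoformat(start_iso)
    state = {"n": 0}

    def tick() -> datetime:
        t = start + timedelta(seconds=step_seconds * state["n"])
        state["n"] += 1
        return t
    return tick


class AuditLog:
    def __init__(self, source: str, capacity: int, alarm_at: float = 0.8, clock=None):
        self.source = source
        self.capacity = capacity
        self.alarm_at = alarm_at                 # CR 2.9 RE1 threshold, as a fraction
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.records = []                        # newline-delimited JSON lines
        self.alarms = []
        self._next_id = 1

    def record(self, category: str, etype: str, result: str, user: str, **detail) -> dict:
        if len(self.records) >= self.capacity:
            raise AuditStorageFull(f"{self.source}: audit storage exhausted")
        entry = {
            "ts": self.clock().isoformat(timespec="milliseconds"),   # CR 2.11
            "source": self.source,
            "category": category,        # e.g. access_control, config_change
            "type": etype,               # e.g. login, param_write
            "event_id": self._next_id,
            "result": result,            # success / failure
            "user": user,                # CR 2.12: the acting identity, never blank
            **detail,
        }
        self._next_id += 1
        self.records.append(json.dumps(entry, sort_keys=True))
        used = len(self.records) / self.capacity
        if used >= self.alarm_at and not self.alarms:
            self.alarms.append(f"audit storage at {used:.0%} of capacity")
        return entry

    def export(self) -> str:
        """Read-only view for CR 6.1 consumers: newline-delimited JSON."""
        return "\n".join(self.records)


def validate_records(ndjson: str) -> list:
    """Type-test helper: flag records missing required fields, with an unparsable
    timestamp, or with time running backwards (a CR 2.11 sync problem)."""
    problems = []
    last_ts = None
    for line_no, line in enumerate(ndjson.splitlines(), 1):
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in ("", None)]
        if missing:
            problems.append(f"line {line_no}: missing {missing}")
        try:
            ts = datetime.fromisoformat(rec.get("ts", ""))
        except ValueError:
            problems.append(f"line {line_no}: bad timestamp {rec.get('ts')!r}")
            continue
        if last_ts is not None and ts < last_ts:
            problems.append(f"line {line_no}: timestamp goes backwards")
        last_ts = ts
    return problems
```

Raising on a full store rather than overwriting is the CR 2.10 "safe state" choice for a component whose policy is "no unlogged security event"; a component that must keep operating would instead switch to a documented overwrite policy and log that it did so.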
Use case of FR-3
System Integrity:
The network device shall provide protection from malicious code; if needed it may use compensating controls and need not support protection from malicious code directly
The component shall validate the syntax and content of input used as industrial process control input, and identify and handle error conditions in a manner that allows effective troubleshooting; signature- and anomaly-based detection is used to alert in real time on known and unknown malware and exploits over the network
3.1 Communication Integrity
SL 1,2 ISA 62443-4-2 CR 3.1
The device shall be capable of protecting the integrity of data transmitted and received
Test:
– Verify that data transmitted or received via common or proprietary protocols has integrity checking, at minimum in the form of CRC protection
SL 3,4 ISA 62443-4-2 CR 3.1 (1)
Authentication of communicated data shall be supported by cryptography (encryption combined with message authentication; confidentiality alone does not authenticate data)
Test:
– Verify by monitoring that transmitted/received data is encrypted; other mechanisms to authenticate data shall be verified against the manufacturer's documentation and test program
3.2 Malicious code protection
SL 1,2,3,4 ISA 62443-4-2 SAR 3.2 /EDR 3.2/ HDR 3.2/NDR 3.2
Malware protection must be provided either as part of the component or by compensating controls (e.g. OS lockdown, REDS security measures, application and process whitelisting) implemented in the system and security policy; these measures should not interfere with the device's control function, and host devices must support such protection and report to the protection software
Test:
– Evaluate the threat vectors and compensating controls, and verify that no malicious code can be executed on the component, using an EICAR test sample and file transfer
3.4 Software and information integrity
SL 1 NA
SL 2 ISA 62443-4-2 CR 3.4(1)
The component shall have the ability to perform, support and report integrity checks of software, configuration and other data, in addition to checking the authenticity of software and configuration
Test:
– If the device supports configuration via files, attempt to load a corrupt file and verify that the change is not possible with corrupted files; other implemented checks (incompatible software, configuration details, etc.) are to be described in the documentation
SL3,4 ISA 62443-4-2 CR 3.4(1)(2)
If the component itself performs the integrity check it shall issue an alarm upon violation
Test:
– Verify that appropriate alarms are issued when a corrupted configuration is loaded
3.5 Input validation
SL 1,2,3,4 62443-4-2 CR 3.5
Input validation shall be implemented and applied to input from human users and from other components; sufficient validation is to be done at the network interface of the device for all supported protocols, and the device must handle malformed traffic on any protocol and interface without entering a non-responsive state
Test:
– Demonstrate robustness according to ISASecure EDSA-310 and EDSA-401 through 406 (refer to the documentation)
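As an added illustration of CR 3.5 at a network interface (this is example code, not from the guideline or any vendor's stack): a defensive parser for a Modbus/TCP request that checks the MBAP header, the length field against the bytes actually received, the function code against a per-device allow-list and the register quantities against the protocol limits. Every malformed frame yields a structured rejection instead of an exception, so the device can log it and stay responsive. The allow-list, the limits and the constructed sample frames are assumptions of the example.

```python
import struct

MBAP = struct.Struct(">HHHB")          # transaction id, protocol id, length, unit id
MAX_ADU = 260                          # Modbus/TCP upper bound for a whole frame
PUBLIC_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 23}   # assumed allow-list for this device
MAX_REGISTERS = {3: 125, 4: 125, 16: 123}          # per-function quantity limits


def parse_request(frame: bytes) -> dict:
    """Return {'ok': True, ...fields} or {'ok': False, 'reason': str}; never raises."""
    if len(frame) < MBAP.size + 1:
        return {"ok": False, "reason": "frame shorter than MBAP header + function"}
    if len(frame) > MAX_ADU:
        return {"ok": False, "reason": "frame exceeds maximum ADU size"}
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        return {"ok": False, "reason": f"protocol id {pid} is not Modbus"}
    # the length field counts unit id + PDU and must match what was received
    if length != len(frame) - 6:
        return {"ok": False, "reason": f"length field {length} != {len(frame) - 6} bytes"}
    pdu = frame[MBAP.size:]
    func = pdu[0]
    if func not in PUBLIC_FUNCTIONS:
        return {"ok": False, "reason": f"function {func} not permitted"}
    if func in MAX_REGISTERS:
        if len(pdu) < 5:
            return {"ok": False, "reason": "missing address/quantity"}
        addr, qty = struct.unpack_from(">HH", pdu, 1)
        if not 1 <= qty <= MAX_REGISTERS[func]:
            return {"ok": False, "reason": f"quantity {qty} out of range"}
        if addr + qty > 0x10000:
            return {"ok": False, "reason": "address range wraps past 0xFFFF"}
        return {"ok": True, "tid": tid, "unit": unit, "function": func,
                "address": addr, "quantity": qty}
    return {"ok": True, "tid": tid, "unit": unit, "function": func, "data": pdu[1:]}


def build_request(tid: int, unit: int, func: int, payload: bytes) -> bytes:
    """Construct a frame with a consistent length field (test data, not a capture)."""
    pdu = bytes([func]) + payload
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu


def build_read(tid: int, unit: int, func: int, addr: int, qty: int) -> bytes:
    """Read-style request: function code followed by start address and quantity."""
    return build_request(tid, unit, func, struct.pack(">HH", addr, qty))
```

The truncated-frame case (a length field larger than the payload) is the one that most often turns into a read past the buffer in firmware; checking it before touching the PDU is what keeps the device out of the non-responsive state the requirement forbids.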
3.6 Deterministic output
Applicable to Node only
SL 1,2,3,4 62443-4-2 CR 3.6
A node shall be capable of setting the outputs that control a process to a predetermined safe state when normal operation cannot continue
Test:
– Monitor the output of the device during an abnormal state and document it; the documentation shall describe the abnormal states and the corresponding fail-safe responses
3.8 Session integrity
SL 1 NA
SL2 ISA 62443-4-2 CR 3.8
The component shall protect the authenticity of communication sessions and the validity of the data transferred
Test:
– Demonstrate the mechanism described in the component and system documentation
SL3 ISA 62443-4-2 CR 3.8 (1)(2)
Session identifiers shall be unique for each session and invalidated upon logout or termination of the session; only system-generated identifiers shall be recognized by the component
Test:
– Verify that sessions are invalid after logout
SL4 ISA 62443-4-2 CR 3.8 (1)(2)(3)
Session identifiers shall be randomly generated
Test:
– Verify that no pattern is observable in the generated session IDs
– See OWASP and OTG-SESS-001
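An added example (not from the guideline) of the CR 3.8 session behaviour, together with the session lock/timeout of CR 2.5 and 2.6: identifiers come from the OS CSPRNG, only identifiers the component issued are accepted, logout and idle timeout invalidate them, and a small entropy check approximates the SL4 "no observable pattern" test on a batch of harvested IDs. The identifier size, the timeout and the entropy threshold are assumptions.

```python
import math
import secrets
from collections import Counter
from typing import Optional

SESSION_ID_BYTES = 16          # 128 bits from the OS CSPRNG (assumed size)
IDLE_TIMEOUT_SECONDS = 900     # assumed session lock / termination interval


class SessionManager:
    def __init__(self, now):
        self.now = now             # injectable clock returning seconds
        self.active = {}           # session id -> {"user", "last_seen"}

    def create(self, user: str) -> str:
        sid = secrets.token_hex(SESSION_ID_BYTES)
        while sid in self.active:  # collision is astronomically unlikely, still handled
            sid = secrets.token_hex(SESSION_ID_BYTES)
        self.active[sid] = {"user": user, "last_seen": self.now()}
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live, system-issued session, otherwise None."""
        sess = self.active.get(sid)
        if sess is None:
            return None            # unknown or client-invented identifier (CR 3.8 RE2)
        if self.now() - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.active[sid]   # idle termination (CR 2.5 / 2.6)
            return None
        sess["last_seen"] = self.now()
        return sess["user"]

    def logout(self, sid: str) -> None:
        self.active.pop(sid, None) # invalid from here on (CR 3.8 RE1)


def shannon_entropy_bits(ids: list) -> float:
    """Per-character entropy over a batch of hex IDs; close to 4.0 for good randomness."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_random(ids: list) -> bool:
    """Tester's smoke test for the SL4 check: all unique, full length, near-maximal entropy.
    It catches counters and timestamps, not every weak generator; see OTG-SESS-001."""
    return (len(set(ids)) == len(ids)
            and all(len(s) == 2 * SESSION_ID_BYTES for s in ids)
            and shannon_entropy_bits(ids) > 3.9)
```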
3.9 Audit information integrity
SL1 NA
SL 2,3 ISA 62443-4-2 CR 3.9
Audit information such as records, logs, reports, etc. is to be protected from unauthorized access and modification
Test:
– Access the audit logs and tools supported by the device with a standard account and with the highest-privilege account, and verify that it is not possible to modify them
SL 4 ISA 62443-4-2 CR 3.9 (1)
It shall be possible to store audit logs on write-once media
Test:
– Verify that physical write-once media is utilized for storing logs
3.11 Physical tampering
SL1 NA
SL 2 ISA 62443-4-2 EDR 3.11/HDR3.11/NDR 3.11
The component shall be designed to detect and prevent physical tampering
Test:
– This property shall be verified by physical inspection
SL 3,4 ISA 62443-4-2 EDR 3.11(1)/HDR3.11(1)/NDR 3.11(1)
Automatic detection and monitoring of physical tampering, with event logging and reporting to authorized personnel
Test:
– Verify by document assessment the nature of the physical tampering detection implemented, and that the event is logged and reported; if the capability is non-destructive it can be tested directly
3.17 Firmware change
SL 1,2,3,4 62443-4-2 CR 3.17
There shall be no possibility of an unauthenticated firmware change or replacement of the physical storage media
Test:
– Verify physical protection of the firmware storage media, and that updates from removable media or over the network require authentication over a secure channel, to prevent man-in-the-middle (MITM) attacks
Use case of FR-4
Data confidentiality
The component shall protect the confidentiality of information at rest and in transit
If cryptography is required, the component shall use cryptographic security mechanisms according to internationally recognized practices
Enable users to verify that sensitive information is communicated using secure encrypted protocols and cipher suites, and ensure that encrypted communication in the monitored network follows international standards and recognized security practices
4.1 Data Confidentiality
SL 1,2,3,4 ISA 62443-4-2 CR 4.1
The component shall be able to protect the confidentiality of information and avoid exposing data to unauthorized parties (e.g. if the device supports SNMP, it should not disclose anything beyond the necessary data in SNMP responses)
Test:
– Verify that the device does not leak critical information via its supported services and protocols (the most common are HTTPS, NetBIOS and SNMP): connect to the device and attempt to fetch data without authentication
4.2 Purging of authentication information from end-of-life components
SL 1 NA
SL 2 ISA 62443-4-2 CR 4.2
Upon decommissioning of the component it shall be possible to purge all information which has been defined by policy as subject to authorization
Test:
– Test the factory default reset function and verify that all such data is gone
SL 3,4 ISA 62443-4-2 CR 4.2 (1)(2)
Specific mechanisms shall be implemented to ensure that volatile shared memory is confirmed purged, to avoid unintended transfer of information
Test:
– Verify that the contents of volatile storage are not available after its removal or after shutdown
4.3 Cryptography
SL 1,2,3,4 ISA 62443-4-2 CR 4.3
If the component utilizes encryption, the following requirements apply:
– Algorithms not to be used: MD5, SHA-0, SHA-1, DES, 3DES
– Proprietary encryption algorithms must not be used
– An asymmetric encryption algorithm shall provide at least a 2048-bit key length with encryption strength at least as strong as RSA; symmetric encryption shall provide at least a 256-bit key length with encryption strength at least of AES class
Test:
– Inspect traffic from/to the component and verify that it is encrypted with compliant algorithms and cipher suites
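The CR 4.3 rules (and the matching list under CR 1.14) can be turned into a mechanical check over what a scanner or `openssl s_client` reports. The following is an added example, not part of the guideline: it classifies TLS cipher-suite names in IANA form and raw key parameters against the rule table above. The rule values are the guideline's; the token matching, the treatment of ChaCha20 as AES-256 class, the 256-bit floor for elliptic-curve keys and the constructed scan report are this example's own assumptions.

```python
import re

BANNED_ALGORITHMS = {"MD5", "SHA", "SHA1", "DES", "3DES", "RC4", "NULL", "EXPORT"}
MIN_RSA_BITS = 2048
MIN_AES_BITS = 256
MIN_EC_BITS = 256      # assumed reading of "at least as strong as RSA-2048" for EC keys

# Constructed sample, in the "<protocol> <suite>" form a scanner might print
SAMPLE_SCAN = """\
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.3 TLS_AES_256_GCM_SHA384
"""


def check_cipher_suite(name: str) -> list:
    """Violations for one suite name; a bare SHA token is SHA-1 (HMAC) in TLS names."""
    problems = []
    upper = name.upper()
    tokens = set(upper.split("_"))
    for bad in sorted(BANNED_ALGORITHMS & tokens):
        problems.append(f"{name}: uses {bad}")
    m = re.search(r"AES_(\d+)", upper)
    if m:
        if int(m.group(1)) < MIN_AES_BITS:
            problems.append(f"{name}: AES-{m.group(1)} is below {MIN_AES_BITS} bits")
    elif "CHACHA20" not in tokens:      # 256-bit key, accepted as AES-256 class
        problems.append(f"{name}: no AES-class symmetric cipher")
    return problems


def check_key(algorithm: str, bits: int) -> list:
    """Violations for a key as reported by a certificate or key-store inspection."""
    alg = algorithm.upper()
    if alg in BANNED_ALGORITHMS:
        return [f"{alg} is not permitted"]
    floors = {"RSA": MIN_RSA_BITS, "AES": MIN_AES_BITS, "EC": MIN_EC_BITS, "ECDSA": MIN_EC_BITS}
    if alg not in floors:
        return [f"{alg}: unrecognized or proprietary algorithm, not permitted"]
    if bits < floors[alg]:
        return [f"{alg}-{bits} below the {floors[alg]}-bit minimum"]
    return []


def audit_scan(report: str) -> dict:
    """suite name -> violations, including the protocol version it was offered on."""
    findings = {}
    for line in report.splitlines():
        proto, suite = line.split()
        probs = check_cipher_suite(suite)
        if proto in ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"):
            probs.append(f"{suite}: offered on {proto}")
        findings[suite] = probs
    return findings
```

Note that the guideline's 256-bit symmetric floor is stricter than common IT practice (AES-128 is widely accepted); the checker applies the guideline as written, and a deployment that needs AES-128 for interoperability should record the deviation in its risk assessment rather than quietly relax the rule.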
Use case of FR-5
Restricted Data Flow:
The component shall support a segmented network, so that the broader network architecture can be built on logical segmentation and criticality
A network device at a zone boundary shall monitor and control communications at the boundary to enforce the compartmentalization defined in the risk-based zones and conduits model; it should also have the ability to prevent general-purpose, person-to-person messages from users or external systems from being received by the control system
Generate an automatic and accurate visualization of all active IP-connected network devices and traffic flows, facilitating the identification of security perimeters, access points, groups of functionality and logically related devices
5.1 Network Segmentation
SL 1,2,3,4 ISA 62443-4-2 CR 5.1
The component shall support provision of a segmented network; segmentation can be employed to improve the performance and security of the overall network by supporting multiple zones with varying risk requirements
Test:
– Demonstrate that a probe placed in one network segment cannot be reached from another segment; depending on the technology used for segmentation, use an appropriate probe and initiation method
5.2 Firewall
SL1 ISA 62443-4-2 NDR 5.2
The device providing boundary protection shall be capable of filtering and monitoring traffic
Test:
– Verify that the component has functionality to configure blocking and monitoring of a given network stream traversing it
SL2 ISA 62443-4-2 NDR 5.2 (1)
The component shall by default deny all network traffic crossing the zone boundary and permit traffic only by exception
Test:
– Verify that direct connections to the protected network are disabled by default
SL3 ISA 62443-4-2 NDR 5.2 (1)(2)(3)
The component shall be able to work in island mode, where no traffic can cross the boundary; the component shall respond to a failure in boundary protection in a fail-safe (fail-closed) manner and revert to island mode when needed
Test:
– Verify the firewall capabilities by a full scan of TCP/UDP ports and an IP fragmentation scan
– Test tunneling from the secure side using ICMP, DNS, SSH or HTTP
– Map the ACL by firewalking from both the insecure and the secure zone
– If it is possible to configure the component with an invalid configuration (e.g. delete all ACL rules), verify that all connections are denied in the fail state
SL4 ISA 62443-4-2
The component shall have state-of-the-art firewall functions such as stateful inspection and deep packet inspection (DPI)
Test:
– Verify the advanced firewall capability, at least by testing with ICMP, DNS or HTTP tunneling
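An added model (not from the guideline, and not any product's rule engine) of the NDR 5.2 behaviours the tests above probe: deny by default with permit-by-exception (RE1), island mode (RE2), and fail-closed when the rule set is missing or does not parse (RE3). The rule text format, the zones, the addresses and the Modbus/NTP exceptions are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # permit / deny
    proto: str                        # tcp / udp / icmp / any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None = any port


def parse_rules(text: str) -> list:
    """Parse '<action> <proto> <src-cidr> -> <dst-cidr> [dport]' lines; '#' starts a comment.
    Any malformed line raises ValueError so the caller can refuse the whole config."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (5, 6) or parts[3] != "->":
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, _, dst = parts[:5]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {raw!r}")
        dport = int(parts[5]) if len(parts) == 6 else None
        rules.append(Rule(action, proto.lower(), ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), dport))
    return rules


class BoundaryFilter:
    def __init__(self, config_text: str):
        self.island_mode = False        # RE2: operator-selectable, drops everything
        self.rules = []
        self.fault = None
        try:
            self.rules = parse_rules(config_text)
        except ValueError as exc:
            self.fault = str(exc)       # RE3: invalid config -> keep denying

    def decide(self, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
        if self.island_mode or self.fault is not None:
            return "deny"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:            # first match wins
            if (s in r.src and d in r.dst and r.proto in ("any", proto)
                    and r.dport in (None, dport)):
                return r.action
        return "deny"                   # RE1: nothing matched, deny by default
```

A configuration with no rules at all is therefore a valid "deny everything" state, which is exactly what the "delete all ACL rules" test above expects to observe; the filter only differs from island mode in that operators can add exceptions back.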
5.5 Guarded DHCP service
SL 1,2,3
If the device is running a DHCP server the service shall be guarded, i.e. an unauthorized unit shall not automatically get an IP address assigned by the device
Test:
– Verify that it is possible to configure and enforce a list of clients (by MAC address) that are allowed to obtain an IP address; note that MAC addresses can be spoofed, so this guards against unintended connections rather than a deliberate attacker
SL4
Rogue DHCP servers shall be detected
Test:
– Simulate a rogue DHCP server (e.g. a DHCP offer/advertisement from an unauthorized unit) and verify that it is detected
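An added example (not from the guideline) of both halves of 5.5: a minimal DHCP message parser, a lease guard that answers only allow-listed client MACs (SL 1-3), and a rogue-server check that flags OFFER/ACK messages whose server identifier (option 54) is not a trusted server (SL4). The MAC allow-list, the trusted server address and the constructed packets are assumptions; the parser handles the BOOTP fixed header and the option TLVs defined by the DHCP protocol.

```python
import struct

DHCP_FIXED = 236                       # BOOTP fixed header, before the magic cookie
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(packet: bytes) -> dict:
    """Extract op, message type, client MAC, offered address and server id."""
    if len(packet) < DHCP_FIXED + 4 or packet[DHCP_FIXED:DHCP_FIXED + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from(">BBB", packet, 0)
    chaddr = packet[28:28 + min(hlen, 16)]
    yiaddr = ".".join(str(b) for b in packet[16:20])
    opts, i = {}, DHCP_FIXED + 4
    while i < len(packet):              # option TLVs until END (255)
        code = packet[i]
        if code == 255:
            break
        if code == 0:                   # PAD
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        ln = packet[i + 1]
        val = packet[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated option")
        opts[code] = val
        i += 2 + ln
    mtype = opts.get(53, b"\x00")[0]
    server = ".".join(str(b) for b in opts[54]) if 54 in opts else None
    return {"op": op, "type": MSG_TYPES.get(mtype, mtype),
            "mac": chaddr.hex(":"), "yiaddr": yiaddr, "server_id": server}


def build_dhcp(op: int, mtype: int, mac: str, yiaddr: str = "0.0.0.0",
               server_id: str = None, xid: int = 0x1234) -> bytes:
    """Construct a test packet (not a capture) with Ethernet hardware type."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack(">BBBBIHH", op, 1, 6, 0, xid, 0, 0)          # op..flags (12 bytes)
    fixed += b"\x00" * 4                                            # ciaddr
    fixed += bytes(int(x) for x in yiaddr.split("."))               # yiaddr
    fixed += b"\x00" * 8 + chaddr + b"\x00" * 192                   # siaddr, giaddr, chaddr, sname, file
    opts = bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return fixed + MAGIC + opts + b"\xff"


class DhcpGuard:
    def __init__(self, allowed_macs, trusted_servers):
        self.allowed = {m.lower() for m in allowed_macs}
        self.trusted = set(trusted_servers)
        self.alerts = []

    def server_should_answer(self, packet: bytes) -> bool:
        """SL 1-3: lease only to allow-listed clients. MACs are spoofable, so this
        stops accidental and casual connections, not a determined attacker."""
        msg = parse_dhcp(packet)
        if msg["op"] != 1 or msg["type"] not in ("DISCOVER", "REQUEST"):
            return False
        if msg["mac"] not in self.allowed:
            self.alerts.append(f"unlisted client {msg['mac']} asked for a lease")
            return False
        return True

    def inspect_server_message(self, packet: bytes) -> bool:
        """SL4: flag an OFFER/ACK whose server identifier is not a trusted server."""
        msg = parse_dhcp(packet)
        if msg["op"] != 2:
            return True
        if msg["server_id"] not in self.trusted:
            self.alerts.append(f"rogue DHCP {msg['type']} from {msg['server_id']} "
                               f"offering {msg['yiaddr']} to {msg['mac']}")
            return False
        return True
```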
5.6 Switch Loop prevention
SL 1,2,3,4 IEC 61162-460 Sec 5.2.2
The switch shall have capabilities for preventing switching loops on all interfaces, such as RSTP, MSTP or other protocols
Test:
– IEC 61162-460 Sec 10.6.2
– Refer to the verification and test described in the referenced standard
Use case of FR-6
Timely response to events:
The component shall provide the ability for authorized humans or tools to access audit logs on a read-only basis, and shall continuously monitor, detect, characterize and report security breaches in a timely manner; monitoring can be achieved through a variety of tools such as IDS, IPS and network monitoring mechanisms, and covers remote access and communication protocols to the control system and its components as well as file transfer operations
6.1 Audit information accessibility
SL 1,2 ISA 62443-4-2 CR 6.1
The audit records required by Sec 3 (2.8) shall be accessible on a read-only basis, subject to authorization
Test:
– Verify that manual read-only access to the audit logs is available (subject to authorization)
SL 3,4 ISA 62443-4-2 CR 6.1 (1)
It shall be possible to access audit records using an application programming interface (API) for analysis and other event management purposes
Test:
– Demonstrate access to the audit logs using the vendor's API and verify that access is not possible without appropriate credentials
6.2 Continuous monitoring
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 6.2
It shall be possible to continuously monitor the security mechanisms provided by the component; such monitoring is to be performed by a dedicated intrusion detection system (IDS) or intrusion prevention system (IPS)
Test:
– The manufacturer shall document and demonstrate that all implemented security mechanisms are, and can be, continuously monitored by event recording or other services
Use case of FR-7
Resource Availability:
The component shall maintain essential functions in degraded mode during a DoS attack; it shall restrict the use of unnecessary functions, ports, protocols and services; it must provide the ability to support a control system component inventory with real-time detection of DoS attack instances, and a port and protocol inventory for the required services and devices
7.1 Denial of service protection
SL1 ISA 62443-4-2 CR 7.1
The application or component must cope with a DoS event. If normal operation is not possible, depending on the DoS situation the component shall revert to a degraded mode where essential functions, safety functions and local control functions are maintained; any effect shall comply with the applicable fail-safe principles. The component shall stay functional and be operable as expected by the operator under network stress; warnings or alarms can be issued for a component that is subjected to high network loads. The maximum input and output bandwidth for a node shall be stated in the manufacturer documentation.
Test:
IEC 61162-460 Sec 10.5.2.2
– To test DoS protection, at least load stress testing consisting of valid traffic shall be done; it can be generated at a rate below the saturation load threshold specified by the vendor (e.g. simulating normal but busy plant conditions) or at the fully auto-negotiated link rate (e.g. simulating an attack or malfunction)
– Saturation-rate tests are to be executed for durations long enough for saturation effects to manifest; stress testing shall use deterministic traffic, and traffic generation shall cover the protocols supported by the device
SL 2,3,4 ISA 62443-4-2 CR 7.1 (1)
Means to ensure operation of the node during a DoS event, such as rate limiting and DoS prevention methods in switch, forwarder and gateway, shall be implemented and described in the manufacturer documentation
Test:
IEC 61162-460 Sec 10.6.3.2, 10.7.4.2, Sec 10.8.1 and Sec 10.12.3.7
– Test network resilience with unicast, multicast and broadcast traffic addressing the protocols relevant to the network the component is typically deployed into; this test should cover at least the following layers: Ethernet/data link layer, IPv4 network layer, TCP and UDP transport layer
– If applicable, simulate DoS conditions to verify that the implemented mitigation mechanisms are working
7.2 Resource Management
SL1,2,3,4 ISA 62443-4-2 CR 7.2
The component shall have the ability to manage resources such that low-priority processes are prevented from interfering with high-priority processes
Test:
– The manufacturer documents shall describe the specific mechanisms ensuring that high-priority functions are not affected by security functions; such resource management is tested as part of malicious code protection, DoS protection, audit storage, switch loop prevention and backup
– CPU consumption tolerance may be tested using software tools like stress-ng on Unix or consume.exe on Windows
7.3 Backup
SL 1 ISA 62443-4-2 NCR 7.3
The component shall support system-level backup operations
Test:
– Perform a system backup and verify that the backup can be restored
SL 2 ISA 62443-4-2 NCR 7.3 (1)
Successful execution of a backup shall be verified without the need for manual action; an alarm shall be produced if faults have occurred or the integrity of the backup is compromised; the backup shall also be validated before restore
Test:
– Validation of the backup information is to be tested
SL 3,4 ISA 62443-4-2 NCR 7.3 (1)(2)
It shall be possible to perform a local backup of the component
Test:
– Restore a local backup
7.4 Retainment of configuration
SL 1,2,3,4 ISA 62443-4-2 CR 7.4
Upon restoration of power the component shall boot into its intended operation without any configuration loss; in case of failure it shall revert to its safe and secure state
Test:
– Document the component's configuration settings, switch it off and restart it, and verify that it starts completely with that configuration
7.5 Network and Security Configuration settings
SL 1,2 ISA 62443-4-2 CR 7.6
The component shall be delivered with a default network and security configuration using the manufacturer's recommended settings; modifications shall be in accordance with security policies
Test:
– Verify the device default configuration against the vendor's recommendations
– Verify the configuration file required in Sec 2 (2.6)
SL 3,4 ISA 62443-4-2 CR 7.6 (1)
The component shall be able to generate a machine-readable report or export its configuration to a file with the current security settings
Test:
– Export the machine-readable configuration report, then import and read it with the vendor-supplied tool or a compatible tool
7.6 Least functionality
SL 1,2,3,4 ISA 62443-4-2 CR 7.7
Applications or components serving essential and important functions shall have the capability to prevent installation, enabling or use of unnecessary or irrelevant functions, ports, protocols and services
Test:
– Verify that no unnecessary UDP or TCP ports are open by scanning the device and comparing the result with the documented list of required services
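An added helper for that test (not from the guideline): it parses nmap's grepable output (`-oG`) and diffs the ports reported open against the manufacturer's documented service list, so that both unexpected open ports and documented services that were not seen are reported per host. The sample scan output and the documented port lists are constructed for the example; the grepable field layout (`port/state/protocol/owner/service/rpc/version/`) is nmap's own.

```python
import re

# port/state/protocol/owner/service/... as printed in nmap -oG "Ports:" fields
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)/")

# Constructed sample, not a real scan
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.2.0.5 ()\tStatus: Up
Host: 10.2.0.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 502/open/tcp//mbap///, 161/open/udp//snmp///\tIgnored State: closed (996)
Host: 10.2.0.6 ()\tPorts: 443/open/tcp//https///, 502/open/tcp//mbap///, 137/open|filtered/udp//netbios-ns///\tIgnored State: closed (997)
"""

# Assumed manufacturer documentation: host -> {(proto, port)} that must be open
DOCUMENTED = {
    "10.2.0.5": {("tcp", 22), ("tcp", 502), ("udp", 161)},
    "10.2.0.6": {("tcp", 443), ("tcp", 502), ("udp", 123)},
}


def parse_grepable(text: str) -> dict:
    """host -> {(proto, port, service)} for ports whose state is exactly 'open'.
    'open|filtered' (typical for UDP) is not treated as confirmed open."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        found = set()
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found.add((proto, int(port), service))
        hosts.setdefault(host, set()).update(found)
    return hosts


def audit(hosts: dict, allowed: dict) -> dict:
    """Per host: open ports not in the documented list, and documented ports not seen."""
    report = {}
    for host, open_ports in hosts.items():
        expected = allowed.get(host, set())
        seen = {(proto, port) for proto, port, _ in open_ports}
        report[host] = {"unexpected": sorted(seen - expected),
                        "missing": sorted(expected - seen)}
    return report
```

A documented-but-missing service is worth reporting as well: it usually means the scan did not reach the device the way production clients do (a firewall or VLAN in between), in which case the "unexpected" list is incomplete too.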
7.7 Component Inventory
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 7.8
It shall be possible to identify the component's hardware and software type and version, including the version and revision of configurable elements
Test:
– Verify that the properties listed in the requirement are reported by, or visible on, the component
Authentication and authorization technologies for IEC 62443-3-1
Covered topics:
# Authentication and authorization briefing
# Role based access control (RBAC)
# Password based
# Challenge response based (CHAP)
# Physical token based
# Smart card based
# Biometric based
# Location based
# Password distribution and management
# Device to device authentication
1, Authentication and authorization briefing
– Authentication and authorization are the first step in protecting ICS/OT systems
– Authorization can be as specific as access to particular files in an application, or as broad as access to the entire ICS environment
– Authentication and authorization (AA) are fundamental to access control for a system
– Two components of authentication: user authentication and network service authentication
2, Role based access control
"Role-based access control (RBAC) is a technology and tool that is attracting a great deal of attention because of its potential for reducing the complexity and cost of security administration in networks with large numbers of intelligent devices, like some IACS systems."
Benefits:
– By assigning specific privileges, user privilege management through security groups restricts users from accessing unauthorized data
– Reduce security violations by improving overall access to the user and network device in a secured way.
– Provide a uniform means to manage access to plant floor devices while reducing the cost of maintaining individual device access levels and minimizing errors.
– In dynamic environments, users enter and leave employment, and contractors, OEMs, system integrators, and vendors come and go. RBAC addresses this problem by basing access on a user’s role or job responsibilities rather than customizing access for everyone.
– For example, machine operators may be able to view certain files, but not alter them. The machine operators could view files on several devices, but the machine vendor’s support engineers could access additional functions only on their specific machine.
– Roles can also be set up based on location, projects, schedule, and management level.
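The operator/vendor example above, worked through as a small RBAC check. This is an added example, not code from the guideline or from IEC 62443; the role names, permissions, user names and machine identifiers are constructed for illustration.

```python
"""Role-based access control (RBAC) check for plant-floor resources.

Added example (not from the guideline). Roles, users and machine names are
constructed for illustration.
"""
from dataclasses import dataclass, field

# A permission is an (action, resource kind) pair; a role is a named bundle of them.
# Access is granted to roles, never to individual users, so a staffing change is
# handled by adding or removing a role assignment rather than editing device ACLs.
ROLE_PERMISSIONS = {
    "machine_operator": {("view", "file")},
    "vendor_support":   {("view", "file"), ("modify", "file"), ("diagnose", "device")},
    "plant_manager":    {("view", "file"), ("view", "device")},
}


@dataclass
class User:
    name: str
    roles: set
    # Optional scope: a vendor engineer is confined to the machines they support.
    # An empty set means "no machine restriction".
    machines: set = field(default_factory=set)


@dataclass(frozen=True)
class Resource:
    kind: str      # "file" or "device"
    machine: str   # the machine this resource belongs to


def effective_permissions(user: User) -> list:
    """Union of the permissions of all roles held by the user, sorted for audit output."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return sorted(perms)


def is_authorized(user: User, action: str, res: Resource) -> bool:
    """Default deny: allow only if some role grants the action on this resource kind
    and the resource lies inside the user's machine scope (when one is set)."""
    if (action, res.kind) not in effective_permissions(user):
        return False
    if user.machines and res.machine not in user.machines:
        return False
    return True


def revoke_role(user: User, role: str) -> None:
    """Offboarding a contractor is a single role removal; all device access goes with it."""
    user.roles.discard(role)


if __name__ == "__main__":
    operator = User("operator-1", {"machine_operator"})
    vendor = User("vendor-eng", {"vendor_support"}, machines={"press-01"})
    print(is_authorized(operator, "view", Resource("file", "press-02")))   # True
    print(is_authorized(vendor, "modify", Resource("file", "press-02")))   # False, out of scope
```

The machine scope is what keeps a vendor engineer's "modify" permission from applying to every machine on the floor; the role alone says what they may do, the scope says where.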
3, Password Authentication
Password access should be managed according to the password policy enforced by the organization; such policies are typically enforced for all user credentials and IDs that require a password, across all areas of access.
Issues in deploying password protections
Industrial password management and risk assessment
Recommended Policy for Passwords
– Passwords should have appropriate length and entropy characterization for the security required.
– They should not be able to be found in a dictionary or contain predictable sequences of numbers or letters.
– User authentication not subject to social engineering methods shall be employed. These can include face-to-face ID authentication and voice-mail delivery.
– Passwords should be used with care on operator interface devices such as control consoles on critical processes.
– The keeper of master passwords should be a trusted employee, available during emergencies.
– Authority to change higher-level passwords should be limited to trusted employees.
– A password log, especially for master passwords, should be maintained separately from the control systems, possibly in a notebook locked in a vault or safe.
– In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), users should consider supplementing password authentication with other forms of authentication such as two-factor authentication using biometric or physical tokens.
– Passwords should not be sent across any network unless protected by some form of strong encryption or salted cryptographic hash specifically designed to prevent replay attacks.
– It is assumed that the device used to enter a password is connected to the network in a secure manner.
– For network service authentication purposes, passwords should be avoided if possible. There are more secure alternatives available, such as challenge/response or public-key authentication.
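The first two policy items above (length and entropy, no dictionary words, no predictable sequences) as a checker that an enrolment form or a credential audit could call. This is an added example and not code from the guideline; the thresholds (12 characters, 60 bits), the tiny word list and the definition of "predictable sequence" are this example's own choices, and a real deployment would use a full word list.

```python
"""Password policy check: length, estimated entropy, dictionary words, sequences.

Added example (not from the guideline). Thresholds and the word list are
constructed for illustration; a real check would load a full dictionary.
"""
import math
import re

MIN_LENGTH = 12            # assumed policy value
MIN_ENTROPY_BITS = 60      # assumed policy value
# Constructed stand-in for a real wordlist (plant vocabulary and vendor names
# belong in it because they are what an attacker tries first).
DICTIONARY = {"password", "welcome", "admin", "operator", "siemens", "plant"}


def charset_size(pw: str) -> int:
    """Size of the alphabet the password draws from, by character class present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound entropy assuming each character is chosen uniformly from its alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def has_predictable_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1/-1 in code point (abcd, 4321)
    or repeat the same character (zzzz); case is ignored."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def contains_dictionary_word(pw: str) -> bool:
    low = pw.lower()
    return any(word in low for word in DICTIONARY if len(word) >= 4)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    if has_predictable_sequence(pw):
        problems.append("contains a predictable sequence")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems
```

The entropy figure is an upper bound (it assumes every character was chosen at random), which is why the dictionary and sequence checks are still needed: "Plant1234" scores nine random-looking characters but fails on all four counts.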
4, Challenge response authentication (CHAP)
Security vulnerabilities addressed:
– Vulnerabilities of traditional password authentication.
– The secret is known in advance and never sent in challenge/response systems, so the risk of discovery is eliminated.
– If the service provider can never send the same challenge twice, and the receiver can detect all duplications, the risks of network capture and replay attacks are eliminated.
Requirements:
– Challenge/response authentication requires that the SERVICE REQUESTER, the IACS OPERATOR, and SERVICE PROVIDER know a “secret” code in advance.
– When service is requested, the service provider sends a random number or string as a challenge to the service requester.
– The service requester uses the secret code to generate a unique response for the service provider.
– If the response is as expected, it proves that the service requester has access to the “secret” without ever exposing the secret on the network.
Issues and weakness:
– Challenge/response authentication cannot be used directly for user authentication because users are not willing to manually combine their passwords and a challenge to calculate a suitable response. This problem is solved by PPP-CHAP (PPP: Point to Point Protocol).
– The greatest weakness in CHAP for network service authentication lies in any system that allows a “roll-back attack”. In a rollback attack, the attacker causes the service provider to use a weaker authentication, such as plain text passwords or no authentication at all. This vulnerability can be avoided by restricting network service authentication to a secure protocol.
– A theoretical weakness in challenge/response authentication is that an attacker is provided with both the challenge and the response to examine off-line. If a known algorithm and key are used to create the response, an attacker can use this knowledge to calculate the “secret.” This vulnerability can be avoided by using cryptographic algorithms.
Future Directions
– CHAP is used the same way as the Password Authentication Protocol, but CHAP provides a higher degree of security.
– CHAP can be used by remote users, routers, and network access servers to provide authentication before providing connectivity.
– Challenge/response authentication provides more security than encrypted passwords for user authentication across a network.
Industrial password management and risk assessment
– For user authentication, the direct use of challenge/response authentication is not feasible for control systems due to the possible latency that may be introduced in the necessarily fast dynamics required for access to a control system or industrial network.
– For network service authentication, the use of challenge/response authentication is preferable to more traditional password or source identity authentication schemes.
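The challenge/response exchange described in this section, with both sides' messages, the single-use challenge rule that defeats replay, and a refusal to roll back to a weaker method. This is an added example, not code from the guideline or from any CHAP implementation; the shared secret value, the choice of HMAC-SHA256 as the response function and the method names in the rollback check are this example's own assumptions.

```python
"""Challenge/response (CHAP-style) network service authentication.

Added example (not from the guideline). HMAC-SHA256 as the response function,
the 16-byte random challenge and the rollback check are this example's choices.
"""
import hashlib
import hmac
import secrets


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    # A keyed hash: the secret itself never crosses the network, only this digest.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ServiceProvider:
    """Verifier side: knows the secret and issues single-use random challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued and not yet answered
        self._used = set()          # challenges consumed; never issued again

    def new_challenge(self) -> bytes:
        while True:
            c = secrets.token_bytes(16)
            if c not in self._used and c not in self._outstanding:
                self._outstanding.add(c)
                return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge that is not currently outstanding is forged or replayed: reject.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        self._used.add(challenge)
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


class ServiceRequester:
    """Prover side: knows the same secret and answers challenges with it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def answer(self, challenge: bytes) -> bytes:
        return compute_response(self._secret, challenge)


def run_exchange(provider: ServiceProvider, requester: ServiceRequester):
    """One full exchange: challenge out, response back, verdict. Returns all three."""
    challenge = provider.new_challenge()
    response = requester.answer(challenge)
    return challenge, response, provider.verify(challenge, response)


def negotiate_auth(offered_methods, allowed=("CHAP",)) -> str:
    """Rollback protection: accept only a method on the allowed list and refuse a
    peer that offers nothing stronger than plain-text or no authentication."""
    for method in offered_methods:
        if method in allowed:
            return method
    raise ValueError(f"peer offered only {list(offered_methods)}; refusing to downgrade")
```

A captured (challenge, response) pair is useless to an eavesdropper because the provider never puts that challenge on the wire again, and `negotiate_auth` is the hook where a provider declines to fall back to PAP or to "none", which is the rollback weakness the section describes.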
5, Physical token authentication
SECURITY VULNERABILITIES ADDRESSED:
– Can prevent the secret from being easily duplicated or shared.
– Physical token authentication is equal to password authentication.
– The secret within a physical token can have more characters, be physically secure, and be randomly generated. Also, because it is embedded in material, it has reduced risks.
– Technologies like smart cards and tokens must be in hand to avail access to the system.
– Tokens support single-factor authentication and two-factor authentication, which requires an additional PIN or password to be authenticated.
Issues and weakness:
– Single-factor authentication is vulnerable if the token is in the control of a foreign entity.
– Dual-factor authentication can be used only for high-security applications.
– It is more secure when combined with other forms of authentication (MFA, 2FA).
– Tokens are an expense to the company and require additional servers to support their functioning.
Recommendations:
– Physical/token authentication has the potential for a strong role in IACS environments.
– Single-factor methods such as passwords can be combined with physical/token authentication to create a significantly more secure two-factor authentication system.
– Ensure that the hardware implementation of the physical token is tamperproof against X-ray, reverse engineering, or tampering with the registers on the physical token where the key and associated algorithms are stored.
– If physical/token authentication is deployed, it is important to include sufficient resources to manage issues regarding tokens, including token distribution, replacement and returns.
6, Smart card authentication
SECURITY VULNERABILITIES ADDRESSED:
– Smart cards enhance software-only solutions, such as password authentication, by offering an additional authentication factor.
– Enable portability of credentials and other private information between multiple computer systems.
– Provide tamper-resistant storage for protecting private keys and other forms of personal information.
– They are like token authentication with more functions.
– Can be configured to run multiple authentication roles (e.g. building, ID and authenticator).
– They are credit card sized devices and personalized as needed.
– Smart cards can be issued in house and personalized, or can be purchased from vendors.
Issues and weakness:
– Using the smart card for other than its intended purpose can create a code access vulnerability.
– If lost or stolen it can provide some level of access, but without the matching hardware it is rendered useless; it can also create a temporary block in services.
– It can be compromised by using Differential Power Analysis (DPA), which is done by monitoring the electrical signal to retrieve data secretly.
– It is vulnerable to attack if the workstation is compromised.
7, Biometric authentication
SECURITY VULNERABILITIES ADDRESSED:
– Like physical tokens and smart cards, biometric authentication enhances software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element in memorizing complex secrets.
– As biometric characteristics are supposedly unique to a given individual, biometric authentication addresses the issues of lost or stolen physical tokens and smart cards.
– Biometric authentication technologies determine authenticity by determining presumably unique biological characteristics of the human requesting access.
– Usable biometric features include fingerprints, facial geometry, retinal and iris signatures, voice patterns, typing patterns, and hand geometry.
Issues and weakness:
– All biometric devices suffer from the need to detect a real object from a fake (a real person from an image or a fingerprint).
– All biometric devices are subject to type-I and type-II errors (not recognizing valid access on the first go, and recognizing invalid access randomly).
– In all cases, the user should attempt to implement biometric authentication devices that have the lowest crossover between these two probabilities, also known as the crossover error rate.
– Temporary inability of the sensing device to acknowledge a legitimate user can prevent needed access to the control system.
– Some biometric devices are environmentally sensitive. As a result, temperature, humidity, and other environmental factors can affect these devices.
– Biometric scanners are reported to “drift” over time and may need occasional retraining. Human biometric traits may also shift over time, necessitating periodic scanner retraining.
– Some biometric authentication devices are more “socially acceptable” than others. (For example, retinal scans are very low on the scale of acceptability, while iris scanners and fingerprint scanners are high on the scale of acceptability.)
8, Location based authentication
SECURITY VULNERABILITIES ADDRESSED:
– Passwords and PINs are prone to guessing, hacking and interception.
– Encryption and other systems, including biometric systems, can also fail.
– Devices can be stolen too.
– Location based authentication systems can determine authentication based on the physical location of the human or device requesting access.
– Direct authentication is possible since location is a fixed geo state.
– Geodetic solutions and location signatures add an additional, invisible layer of access protection and authentication.
– Only a small portion of IACS control systems are location based.
Issues and weakness:
– It is of great use when users are authenticated from a wireless access point of view.
– Access to the system can be verified only if within the geo-boundary set, thus practically severing the access if it exceeds the boundary.
– Different roles and access can also be granted based on location.
– An engineer working on a laptop on site can be authorized only for a read-only format if off site.
– Use of location can potentially track the location of the user and device.
– Requires hardware in both host and client devices, which costs extra.
9, Password distribution and management
SECURITY VULNERABILITIES ADDRESSED:
– If passwords are properly generated, updated, and kept secret, they can provide effective security.
– Passwords are authentication based on what a user knows, as opposed to something the control system user has or is.
– Updates of user IDs and passwords are made using password policy enforcement.
Issues and weakness:
– An attacker can listen to network traffic to retrieve password information and can use it in a replay attack.
– Access to the password file located on the authentication server exposes the credentials database.
– They are a weak security mechanism.
– Brute force attack: trying multiple password combinations for access.
– Dictionary attack: using a file of words to possibly gain access.
– Social engineering: spamming the user for access over the system, such as phishing, etc.
Industrial Assessment
OTP based authenticators:
Synchronous (time based OTP generators)
– Password is encrypted and decrypted using time change parameter validity.
– The time value drives the token device to create the password.
Asynchronous (challenge code based OTP generators)
– Password is encrypted and decrypted using challenge code validity.
– The challenge nonce drives the token device to create the password.
Recommendations
– The degree of security needs to be consistent with the value of the information and the process, and especially for control systems, with the critical industrial assets and equipment that it protects.
– Small, stand-alone control systems that do not contain valuable information or that are connected to insignificant benign assets, do not control valuable processes, and are not connected to the Internet can be protected with simple passwords.
– Systems that are interconnected and hold information need to have sophisticated security passwords.
– In a compensated process, hacker intrusion could result in a loss of millions, damage to the system and products, loss of information, and harm to all.
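The two OTP generator types from the Industrial Assessment table above (synchronous, driven by the clock; asynchronous, driven by a challenge nonce), shown as an added example that is not code from the guideline. Both are built on the same HMAC-based one-time password core (HOTP, RFC 4226), with the time-based variant following RFC 6238; the shared key, the 30-second step and the one-step drift window are this example's own assumptions.

```python
"""Synchronous (time-based) and asynchronous (challenge-based) one-time passwords.

Added example (not from the guideline). Both variants share the HOTP core of
RFC 4226; the key, step size and drift window below are assumed values.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically
    truncated to 31 bits, reduced to `digits` decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """Synchronous OTP (RFC 6238): the counter is the current time divided by the step,
    so token and server agree without exchanging anything as long as clocks agree."""
    t = int(time.time() if at is None else at)
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, code: str, at: float = None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps either side, which
    tolerates a small clock drift between the hardware token and the server."""
    t = int(time.time() if at is None else at)
    base = t // step
    return any(hmac.compare_digest(hotp(key, base + d, digits), code)
               for d in range(-window, window + 1))


def challenge_otp(key: bytes, challenge_nonce: int, digits: int = 6) -> str:
    """Asynchronous OTP: the counter is a nonce the server sends as a challenge, so no
    clock is needed; the server must never reuse a nonce (same rule as for CHAP)."""
    return hotp(key, challenge_nonce, digits)


if __name__ == "__main__":
    demo_key = b"12345678901234567890"   # the RFC 6238 test-vector key
    print(totp(demo_key, at=59))          # prints 287082
    print(challenge_otp(demo_key, 0))     # prints 755224
```

Using the RFC test-vector key makes the outputs checkable against the published vectors; the difference between the two variants is only where the counter comes from, which is exactly the synchronous/asynchronous distinction in the table.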
10, Device to device authentication
SECURITY VULNERABILITIES ADDRESSED:
– Mitigates vulnerability associated with data integrity.
– Authentication technology will prevent any entity without the proper token from sending authentic data, regardless of the data content (e.g., data could be telemetry, firmware, files, SCADA commands, or other). Man-in-the-middle attacks are mitigated by this technology.
– If the authentication of data occurs at a device’s application layer, then authentication technology will prevent some forms of attacks focused on corrupting the data before it is sent.
– If the authentication validates the user’s identification (such as biometric devices), then this technology is further beneficial.
– Device to device authentication ensures that malicious changes to data traveling between two devices are recognized.
– Data verified as authentic in the originating device must be validated by the receiving device.
– This does not prevent malicious tampering of data, but denotes it.
– This applies to all mobile devices, to identify users and the type of application sending data, and sessions.
Deployment
– Device to device authentication is deployed along with encryption when confidentiality is required; authentication by itself provides only authentication.
Issues and weakness:
– Device to device authentication does not guarantee mitigation of DoS attacks; it must not be confused with privilege or role based access control.
Industrial Assessment:
– The authentication technology widely used is TCP/IP; ICS protocols are IP based, which has some challenges in implementing.
– Future progress in the DNP3 / IEC 60870-5 protocols.
– Users must follow best practice as prescribed by the vendor.
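The "authentic data verified at the originating device, validated by the receiving device, tampering denoted rather than prevented" behaviour of this section, as an added example that is not code from the guideline or from any ICS protocol. The device names, the pre-shared keys, the JSON framing and the use of HMAC-SHA256 plus a per-device sequence number are this example's own assumptions.

```python
"""Device-to-device message authentication with a keyed MAC and sequence numbers.

Added example (not from the guideline). Device ids, pre-shared keys, the JSON
framing and HMAC-SHA256 are this example's own choices.
"""
import hashlib
import hmac
import json


def canonical(body: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class Sender:
    """Originating device: tags every message with its id, a sequence number and a MAC."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key, self._seq = device_id, key, 0

    def send(self, payload: dict) -> dict:
        """Wrap a payload (telemetry, a command, a file chunk, ...) for transmission."""
        self._seq += 1
        body = {"src": self.device_id, "seq": self._seq, "payload": payload}
        return {**body, "mac": mac(self._key, body)}


class Receiver:
    """Receiving device: validates origin, integrity and freshness before acting."""

    def __init__(self, keys: dict):
        self._keys = keys        # device_id -> pre-shared key, provisioned out of band
        self._last_seq = {}      # highest accepted sequence number per device
        self.rejected = []       # (src, reason) audit trail of refused messages

    def receive(self, msg: dict):
        """Return the payload if the message is authentic and fresh, otherwise None.
        Tampering is not prevented (the altered message still arrives); it is detected
        and recorded, which is what the section means by 'denotes it'."""
        body = {k: v for k, v in msg.items() if k != "mac"}
        src = body.get("src")
        key = self._keys.get(src)
        if key is None:
            self.rejected.append((src, "unknown device"))
            return None
        if not hmac.compare_digest(mac(key, body), str(msg.get("mac", ""))):
            self.rejected.append((src, "bad mac"))
            return None
        if body["seq"] <= self._last_seq.get(src, 0):
            self.rejected.append((src, "replay"))
            return None
        self._last_seq[src] = body["seq"]
        return body["payload"]
```

The MAC covers the source id and the sequence number as well as the payload, so a modified setpoint, a replayed command and a message from a device that was never provisioned are each rejected with a distinct reason that can be forwarded to the logging system. This gives integrity and origin authentication only; the payload is still readable on the wire, which is the point made under Deployment about pairing authentication with encryption.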
Network protection technologies from 62443-3-1
Covered Topics:
# Network Firewalls
# Host based Firewalls
# Virtual Local Area Network (VLAN)
1, Network Firewalls:
Firewalls are the most commonly used technology to enforce security, limit data from or to the process, help in logging safely, and enable network interaction through routing and NAT.
– Firewalls control access to and from the network and protect the system from unauthorized uses.
– It is important to have a firewall in the IACS separating the enterprise network and the Internet.
– They block all traffic from the network and allow only the required traffic.
– Best practice is to allow a server to control LAN access on the enterprise network, with the firewall placed between the DMZ.
Issues and weakness:
– Firewalls are not a solution to all intrusion problems in an IACS.
– Firewalls are not designed for process industry applications (DCS, SCADA), making it difficult to tailor the filtering for optimal security.
– Software and hardware firewalls should be used in connection with other security measures such as IDS systems, monitoring systems, and computer software such as Active Directory and VPNs.
– Firewalls have evolved and become increasingly complex, sometimes requiring specialized expertise for each different brand or model.
– Reviewing logs needs central monitoring systems.
– Patch management of firewalls is as important as patching servers and clients.
2, Host based firewall
Host-based firewalls are software solutions deployed on a workstation or controller to control traffic that enters or leaves that specific device.
SECURITY VULNERABILITIES ADDRESSED:
– It works by enforcing a set of rules for network control through the controller or device.
– It enforces a local access control policy by blocking or permitting certain types of traffic.
– Protects the system it is installed on from unauthorized communications and applications from other systems.
– Acts as a host intrusion detection system.
– Blocks inbound packets from being processed.
– Controls outbound traffic from the host.
– Records information for monitoring and detection.
Issues and weakness:
– Does not protect against data driven attacks and some DoS, social engineering and insider jobs.
– Cannot protect against tunnelling over allowed applications by infected applications.
– Firewall deployment does not remove the need to implement software control in all networks and servers.
– It does not help if access is not configured properly (ports and access).
– Only specialized IT personnel shall be allowed to modify the firewall.
Industrial Assessment
3, Virtual Local Area Networks (VLAN)
Virtual Local Area Networks divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design.
Categories of VLAN:
Static
– Also called port-based: switch ports are assigned to a VLAN and known to the end user.
– When a device is connected to a port it automatically assumes the VLAN assigned to that port. Used to reduce broadcast and improve security.
Dynamic
– The end device negotiates with the switch to determine the IP or hardware address.
– Provide more flexibility, allowing hosts to roam the network; however, setting up a VMPS server and the MAC-to-server mapping is a bit tiring.
SECURITY VULNERABILITIES ADDRESSED:
– VLANs are not typically deployed to address host or network vulnerabilities in the same way as a firewall or intrusion detection system.
– A properly segmented network can also mitigate the risk of broadcast storms that may result from port scanning and worm activity.
Issues and weakness:
– VLAN hopping is the ability to inject frames into unauthorized ports.
– Port based authentication can prevent this attack (static).
– This attack needs physical access to ports.
– Better to adhere to vendor practices.
– VLANs have been effectively deployed in plant floor networks, with each automation cell, even those containing a Field Area Network, assigned to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches.
Encryption technologies and data validation from 62443-3-1
Covered Topics:
# Virtual Private Networks
# Symmetric Key encryption
# Private key encryption
1, Virtual Private Network
A VPN is a private network that operates as an overlay on a public infrastructure.
– Authenticity & Authentication: Establish the validity of a transmission or message, or a means of verifying an individual's authorization.
– Integrity: Protection against unauthorized modification or destruction of information.
– Confidentiality: Information is not disclosed to unauthorized persons, processes, or devices.
– Access: Privileges granted to a user, software service or any process.
– Rights Granted: Rights granted to a user to access in a certain mode (Read/Write/Insert/Delete) or to execute some executable file or program.
SECURITY VULNERABILITIES ADDRESSED:
– Preventing man in the middle attacks by encrypting communication on public networks.
– Control access into the trusted network via authentication.
– Maintain the integrity of the trusted data on an untrusted network.
Industrial assessment:
Issues and weakness:
– VPNs do not protect a network and workstations against most data-driven attacks (i.e., viruses), some denial-of-service attacks, social engineering attacks, and malicious insiders.
– Interoperability, setup and support, and maintenance also play a key role in the upkeep of the VPN service.
2, Symmetric key encryption
Symmetric (or secret) key encryption involves transforming a digital message (called the plain text) into an apparently uncorrelated bit stream known as the cipher text. A well defined algorithm that has two inputs (the plain text and the key) performs the reversible transformation.
– A receiving device in possession of the algorithm and key changes the cipher text back to the original plain text message; the inverse transformation is not feasible without the key. The encryption is called symmetric because the same key is used with the reverse algorithm to both encrypt and decrypt plain and cipher text. The mostly used ones are FIPS 140-2, 3DES, AES.
– This is most effective when used as a block to provide confidentiality.
Link Encryptor
– Is a hardware unit with two or more distinct data ports.
– One port receives data to be encrypted in plain text; the remaining ports are ciphertext ports. It sends the encrypted data stream to the ciphertext port of one or more other units.
– Examples: CISCO high assurance IP encryptor, Thales nShield Connect, Rockwell Automation Stratix 5700.
Embedded Cryptography
– Symmetric key embedded in a cryptographic module inside the unit to be protected, often on a special purpose chip.
– Examples: Apple iPhone, Honeywell Experion PKS, ABB AC500 PLC, Siemens S7-1500.
Industrial assessment:
3, Public key encryption and key distribution
In public key cryptography, a pair of different but related keys, usually known as a public-private key pair, replaces that single key.
SECURITY VULNERABILITIES ADDRESSED:
– Shared secrets open the possibility of one of the participants being compromised; they rely on the secret being secure.
– The secret needs to be shared securely; if not, then there is no point.
– Public (asymmetric) key cryptography addresses the weaknesses of shared secrets and one-way hashing algorithms.
– A pair of keys is used: private and public.
– Encryption using the private key.
– Decryption using the public key.
– The key holder circulates the public key to other users but doesn’t reveal the private key to other users.
– A constraint on using encryption in an IACS is the need for time sensitive performance, including control system response.
– The high processing load of public key cryptography restricts the time-critical use of digital signatures on devices with low computing power.
– When authentication and non-repudiation are more important than performance, digital signatures are the proper tool.
Issues and weakness:
– No major weakness; the key length must be good and the quality of the algorithm used to generate the random key must be good.
– Creation must be proper and usage must be monitored.
– If not guarded against MITM attacks, a perpetrator can communicate through his own public and private key. This can be avoided by using PKI and signed certificates; Kerberos can also be used to find this weakness and patch it up.
Management, audit measurement, auditing and detection tools from 62443-3-1
Topics Covered:
# Log auditing utilities
# Virus and malicious code detection
# Intrusion detection system
# Vulnerability scanner - Nessus Demo
1, Log Auditing Utilities
KINDS OF EVENTS THAT CAN BE MONITORED:
– Account events (account logon events)
– Object access (object access)
– Directory (directory service access)
– Policy events (policy change): track changes to the local security policy
– Privilege events (privilege use)
– Process (process tracking)
– System events (system events)
– Application events
– Security events
Audit monitoring and detection provide the ability to analyze security and vulnerabilities, detect possible compromises, and forensically analyze compromise incidents.
Event list
– Anti virus system, intrusion detection system
– Event correlation
– Host logging
– Network tools
– Application white listing
– Access controls
– Malware prevention
– Network devices
All systems can send their log data to a centralized log server using SIEM (Security Information and Event Management) solutions, or to a centralized syslog server for remote logging, protected according to IACS standards as a high priority.
2, Virus and malicious code detection
SECURITY VULNERABILITIES ADDRESSED:
– It can detect known viruses and trojan horses.
– Detection, isolation and safe shutdown of the affected system.
– Alerts about an attack using a virus, worm or trojan.
Virus detection systems (VDS) can monitor and respond to one or more of these indicators. Indicators can result directly from a specific virus payload, as a side effect of the virus payload, or as a result of the virus’s attempt to spread. Indicators of virus infection include the following:
– Interface indicators: where a screen or sound generated by the virus appears on several machines at once.
– System indicators: where a host’s operating profile is changed, a file share becomes unsecured suddenly, or a system function becomes disabled.
– File indicators: the appearance of unknown files on a host, or changed parameters of an executable file.
– Network indicators: like network storms, email blasts or buffer flooding attempts.
– Custom indicators: designed to address specific host functions or vulnerabilities.
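What a centralized log server makes possible that per-host logs do not: correlation of account logon events across several hosts, and a watch on policy change events that touch the audit setting itself. This is an added example, not code from the guideline or from any SIEM product; the log line format, host names, addresses and account names are constructed, and the thresholds (five failures within sixty seconds) are assumed values.

```python
"""Correlate account-logon and policy-change events from a central syslog store.

Added example (not from the guideline). The line format, hosts, addresses,
users and the 5-in-60-seconds threshold are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines as a central syslog server might hold them (not real data).
SAMPLE_LOGS = """\
2023-05-17T08:00:01 hmi01 auth: FAILED_LOGON user=operator src=10.1.2.50
2023-05-17T08:00:04 hmi01 auth: FAILED_LOGON user=operator src=10.1.2.50
2023-05-17T08:00:07 eng01 auth: FAILED_LOGON user=operator src=10.1.2.50
2023-05-17T08:00:09 eng01 auth: FAILED_LOGON user=operator src=10.1.2.50
2023-05-17T08:00:12 hist01 auth: FAILED_LOGON user=operator src=10.1.2.50
2023-05-17T08:00:15 hist01 auth: LOGON user=operator src=10.1.2.50
2023-05-17T08:05:00 plc-gw auth: LOGON user=vendor1 src=10.1.9.7
2023-05-17T08:06:30 plc-gw policy: POLICY_CHANGE user=vendor1 setting=audit_logging value=off
2023-05-17T09:00:00 hmi02 auth: FAILED_LOGON user=maint src=10.1.2.51
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+) (?P<kv>.*)$")


def parse(lines: str) -> list:
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "event": m["event"], **fields})
    return events


def detect_failed_logon_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source address accumulates >= threshold FAILED_LOGON events
    within `window`, counted across every host that reported to the central server.
    No single host sees enough failures on its own; only the central view does."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "FAILED_LOGON":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):               # sliding window over the sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hosts = sorted({e["host"] for e in evs[start:end + 1]})
                alerts.append({"rule": "failed-logon-burst", "src": src, "hosts": hosts})
                break
    return alerts


def detect_audit_disabled(events):
    """A policy change that switches audit logging off is always worth an alert."""
    return [{"rule": "audit-disabled", "host": e["host"], "user": e["user"]}
            for e in events
            if e["event"] == "POLICY_CHANGE"
            and e.get("setting") == "audit_logging" and e.get("value") == "off"]


def run(lines: str = SAMPLE_LOGS) -> list:
    events = parse(lines)
    return detect_failed_logon_burst(events) + detect_audit_disabled(events)
```

The sample was built so that no host sees more than two failures for the same source; the burst only becomes visible once the three hosts' logs sit side by side on the central server, which is the operational argument for the SIEM or syslog collector the paragraph describes.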
Issues and weakness:
– VDS can only function effectively when installed, running full time, and upgraded with the latest patches and signatures. Scanning of the system, applications and data files should be configured with a standard frequency. Future scope includes deploying AI based systems for virus protection.
Recommendations
– VDS can be deployed alongside a firewall.
– Each VDS can be flexible with the firewall, and detecting unauthorized system intrusion should provide advance notice of a possible attack.
– The policy for critical systems of the IACS must be designed with the mission and criticality of the system in mind, deploying and maintaining VDS.
3, Intrusion Detection systems
An intrusion is an attempt by someone or some program to break into or misuse a computer system.
– IDS monitor either traffic patterns on the network or files in host computers, looking for signatures that indicate intruder characteristics.
– Unusual activity such as new open ports, unusual traffic patterns, or changes to critical operating system files is detected and brought to the attention of the operator.
NIDS (Network): monitors network traffic and performs anomaly detection.
HIDS (Host): monitors the system or application, the actions of users, and malicious activity.
Classification
Knowledge based systems:
– The IDS applies knowledge accumulated about specific attacks and system vulnerabilities (database).
Behavior based systems:
– The IDS assumes that an intrusion can be detected based on deviation from normal behaviour, based on smart processes.
Issues and weakness:
– Hackers may be able to identify the IDS through a port scan and create a DoS attack against the IDS, or bypass it through encryption and fragmentation.
– False positives.
– Friendly fire: on enabling the IDS, high accuracy is required so that malicious activity is blocked and legitimate activity is allowed.
– High bandwidth networks might overrun the sensing capability of the NIDS.
– Lack of standard testing procedures leads to large differences in the performance of IDS based on traffic profiles.
– Lack of HIDS for controller based OS, and it requires resources to deploy and manage in a wide system.
4, Vulnerability scan – Nessus Demo
Install Nessus and launch the web page; verify with the on-demand video.
Zones, Conduits and Risk Assessment 62443-3-2
1, How to implement
– Develop a network diagram of the IACS.
– Understand the risk, tolerance and acceptability of countermeasures, as these may vary for every business and region.
– Maintain an up-to-date record of all devices comprising the IACS for future assessment.
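The knowledge-based versus behaviour-based classification from this section, shown side by side on constructed connection records. This is an added example and not code from the guideline or from any IDS product; the signature rules, the addresses, the engineering subnet, the Modbus write function codes used in the sample and the three-sigma rule are this example's own choices.

```python
"""Knowledge-based (signature) and behaviour-based (baseline) detection, side by side.

Added example (not from the guideline). Signatures, addresses, the engineering
subnet and the 3-sigma rule are this example's own choices; data is constructed.
"""
import statistics

ENGINEERING_NET = "10.1.9."   # assumed: hosts that are allowed to write to controllers


def is_modbus_write(conn: dict) -> bool:
    # Standard Modbus function codes that write coils/registers: 5, 6, 15, 16.
    return conn.get("func") in (5, 6, 15, 16)


# Knowledge-based: a database of what a known-bad event looks like.
SIGNATURES = [
    {"name": "modbus-write-from-non-engineering-host", "dst_port": 502,
     "match": lambda c: is_modbus_write(c) and not c["src"].startswith(ENGINEERING_NET)},
    {"name": "telnet-to-controller", "dst_port": 23,
     "match": lambda c: True},
]


def knowledge_based(conns: list) -> list:
    """(signature name, src, dst) for every connection matching a signature.
    Precise for what the database knows; blind to anything it has no entry for."""
    hits = []
    for c in conns:
        for sig in SIGNATURES:
            if c["dst_port"] == sig["dst_port"] and sig["match"](c):
                hits.append((sig["name"], c["src"], c["dst"]))
    return hits


# Behaviour-based: learn what normal looks like, then flag deviation from it.
def build_baseline(history: dict) -> dict:
    """history maps a source address to its per-minute connection counts seen during
    normal operation; the baseline keeps mean and population std-dev per source."""
    return {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in history.items()}


def behaviour_based(baseline: dict, current: dict, k: float = 3.0,
                    min_sigma: float = 1.0) -> list:
    """Flag sources absent from the baseline and sources whose current per-minute count
    exceeds mean + k*sigma. sigma is floored at min_sigma so a perfectly flat baseline
    still tolerates one extra connection instead of alerting on it (false positives are
    the weakness the section lists for this class of IDS)."""
    anomalies = []
    for src, count in current.items():
        if src not in baseline:
            anomalies.append((src, count, "source not in baseline"))
            continue
        mean, sd = baseline[src]
        if count > mean + k * max(sd, min_sigma):
            anomalies.append((src, count, f"rate {count} vs baseline {mean:.1f}+/-{sd:.1f}"))
    return anomalies


# Constructed sample data.
SAMPLE_CONNS = [
    {"src": "10.1.9.5", "dst": "10.1.1.10", "dst_port": 502, "func": 3},    # engineering read
    {"src": "10.1.2.50", "dst": "10.1.1.10", "dst_port": 502, "func": 16},  # write from office host
    {"src": "10.1.2.50", "dst": "10.1.1.11", "dst_port": 23},               # telnet to a controller
    {"src": "10.1.9.5", "dst": "10.1.1.11", "dst_port": 502, "func": 16},   # engineering write
]
SAMPLE_HISTORY = {"10.1.9.5": [4, 5, 6, 5, 5], "10.1.2.50": [1, 1, 2, 1, 1]}
SAMPLE_CURRENT = {"10.1.9.5": 5, "10.1.2.50": 40, "10.1.7.7": 3}
```

The two detectors disagree on purpose: the office host's single Modbus write is caught by a signature but is invisible to the rate baseline, while the never-seen 10.1.7.7 and the 40-connection burst are caught by the baseline and match no signature. A deployment that wants both kinds of coverage runs both, which is the practical reading of the Classification paragraph.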
– Establish the criteria for identifying which devices are covered by the IACS.
– Identify devices which are critical to the business process and the IACS, including the IT system.
– Classify assets and components based on availability, integrity and confidentiality as well as HSE impact (Health, Safety, Environment).
– Conduct a risk assessment at all stages of the technology life cycle (development, implementation, updating, decommissioning).
– Identify reassessment frequency or trigger criteria based on technology, organization or industrial operation change.
2, Flowchart of risk assessment
ZCR 1 Identification of System Under Consideration (SuC)
ZCR 1.1 The organization shall clearly identify the System under Consideration (SuC), including a clear definition of the security perimeter and identification of all access points to the SuC (includes all systems critical to the IACS).
Requirements:
– Inventory of the premises.
– Identify the current security perimeter and access points (gateways, firewalls).
– Ensure that all communication accessing a SuC and its devices passes through the intended access points.
– Real time alerts are raised if communications violate flow and perimeter restrictions.
ZCR 2 High Level Risk Assessment
ZCR 2.1 The organization shall perform a high-level cybersecurity risk assessment of the SuC in order to identify the worst case unmitigated cybersecurity risk that could result from the interference with, disruption of, or disablement of mission critical IACS operations.
Requirements:
– Conduct asset inventory assessments.
– Find out major risks and threats.
– Conduct vulnerability assessments.
ZCR 3 Partition of SuC in Zones and conduits
ZCR 3.1 The organization shall establish zones and conduits by grouping IACS and related assets. It shall be based on the architecture and the high-level security assessment carried out, including criticality of assets, operational function, physical or logical location, access required and responsible organization.
ZCR 3.2 IACS shall be grouped into zones physically and logically separated from business and enterprise system assets.
ZCR 3.3 Safety assets are to be grouped in zones that are separated from non-safety related assets.
ZCR 3.4 Devices that are permitted to make temporary connections to the SuC should be grouped into a zone separate from zones whose assets are intended for permanent connection with the IACS.
ZCR 3.6 Devices that are permitted to make connections to the SuC via an external network are to be grouped into separate zone(s).
ZCR 3.7 The organization shall produce a drawing that illustrates the zone and conduit partitioning of the entire SuC and assign each asset to a zone and conduit.
ZCR 3.8 The organization shall identify and document for each zone the following:
– Name or unique identifier
– Defined logical boundary and physical boundary
– Accountable organization
– Safety designation
– List of all logical and physical access points
– List of data flows associated with each access point, zones and conduits
– List of assets and their classifications
– Criticality and business value
– Applicable security requirements and policy, assumptions and external dependencies
Requirements:
– Understand the network operation and its risk.
– Identify security perimeters, access points and groups of functionally and logically related devices.
– Define zones and conduits based on risk as the basis for network segmentation.
– The user must identify open links and communication between the IACS system and the business network, and related safety and non-safety assets, so as to mitigate risk by stopping the communication.
– Verify whether two networks or segment zones have active communication.
– Ensure that connections from certain zones to the IACS are not always active.
– If connections are allowed at pre-determined times, then the solution must initiate an alert for access time violations.
– The user can edit groups to define zones and visualize activity.
– The user can easily spot devices that have to be assigned to a zone or conduit, which may or may not be present.
– The user is to identify logical boundaries and network access points, the list of data flows connected to each access point, and generate the asset list and business value.
iPLONIndia
74 74
Project :IEC 62443 Guidelines
Date : 17.05.23
–
Info about accountable organization safety designation, applicable security requirement
and policies to make it available for internal and external compliance audit
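The perimeter and access-time checks described in the ZCR 1 and ZCR 3 requirements above can be expressed as a small model of zones and conduits plus a checker run over observed traffic. The following is an added example written for this guideline page; it is not code from the iPLON document or from the IEC 62443 standard. Zone names, addresses, conduits, time windows and flows are constructed sample data, and the alert names are the example's own.

```python
"""Zone/conduit flow checker (added example; not from the iPLON guideline).

Models the ZCR 3 partitioning of a System under Consideration (SuC) into
zones and conduits, then evaluates observed communications against it:
  - a flow between two zones with no conduit permitting that protocol is a
    perimeter violation (traffic must pass through the intended access points);
  - a flow on a conduit that is only open at pre-determined times, seen outside
    that window, is an access-time violation;
  - a flow involving an address assigned to no zone is flagged, since ZCR 3.7
    requires every asset to belong to a zone or conduit.
Zone names, addresses, conduits and flows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str                 # unique identifier (ZCR 3.8)
    assets: FrozenSet[str]    # addresses of the assets assigned to the zone
    safety: bool = False      # safety designation (ZCR 3.3)


@dataclass(frozen=True)
class Conduit:
    src: str                  # source zone name
    dst: str                  # destination zone name
    protocols: FrozenSet[str]
    window: Optional[Tuple[time, time]] = None  # None: permanently allowed


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    at: time


def zone_of(ip: str, zones: List[Zone]) -> Optional[str]:
    for z in zones:
        if ip in z.assets:
            return z.name
    return None


def in_window(window: Tuple[time, time], t: time) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end   # window that crosses midnight


def check_flows(flows, zones, conduits):
    """Return (flow, alert_type) pairs for every flow that violates the model."""
    by_pair = {}
    for c in conduits:
        by_pair.setdefault((c.src, c.dst), []).append(c)
    alerts = []
    for f in flows:
        src, dst = zone_of(f.src_ip, zones), zone_of(f.dst_ip, zones)
        if src is None or dst is None:
            alerts.append((f, "UNASSIGNED_ASSET"))
            continue
        if src == dst:
            continue  # intra-zone traffic does not cross a zone boundary
        allowed = [c for c in by_pair.get((src, dst), []) if f.protocol in c.protocols]
        if not allowed:
            alerts.append((f, "PERIMETER_VIOLATION"))
        elif not any(c.window is None or in_window(c.window, f.at) for c in allowed):
            alerts.append((f, "ACCESS_TIME_VIOLATION"))
    return alerts


# Constructed sample partitioning (not a real plant).
ZONES = [
    Zone("enterprise", frozenset({"10.0.0.10"})),
    Zone("dmz", frozenset({"10.1.0.5"})),
    Zone("control", frozenset({"10.2.0.11", "10.2.0.12"})),
    Zone("safety", frozenset({"10.3.0.2"}), safety=True),
    Zone("remote_access", frozenset({"203.0.113.7"})),  # ZCR 3.6: external connections
]
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"})),
    Conduit("dmz", "control", frozenset({"opc-ua"})),
    Conduit("control", "safety", frozenset({"modbus/tcp"})),
    Conduit("remote_access", "dmz", frozenset({"ssh"}), window=(time(8, 0), time(18, 0))),
]
FLOWS = [
    Flow("10.0.0.10", "10.1.0.5", "https", time(10, 0)),        # allowed via conduit
    Flow("10.0.0.10", "10.2.0.11", "modbus/tcp", time(10, 5)),  # enterprise straight into control
    Flow("203.0.113.7", "10.1.0.5", "ssh", time(2, 30)),        # remote access outside window
    Flow("10.2.0.11", "10.2.0.12", "opc-ua", time(10, 10)),     # intra-zone
    Flow("10.9.9.9", "10.2.0.11", "http", time(10, 15)),        # address not in any zone
    Flow("10.3.0.2", "10.2.0.11", "modbus/tcp", time(10, 20)),  # safety zone initiating to control
]


def run_example():
    return check_flows(FLOWS, ZONES, CONDUITS)


if __name__ == "__main__":
    for flow, kind in run_example():
        print(f"{kind}: {flow.src_ip} -> {flow.dst_ip} ({flow.protocol} at {flow.at})")
```

The conduit table doubles as the ZCR 3.8 record of data flows per access point: each conduit states the zone pair, the protocols and, where relevant, the permitted time window, so an auditor can read the intended flows directly from the same structure the checker enforces.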
ZCR 4 Detailed Risk Assessment
Perform a detailed cybersecurity risk assessment.
DRAR 1 A list of threats that could affect the assets contained in the zone or conduit shall
be developed. Each description shall include the threat source, vectors and potentially affected
assets.
DRAR 2 The zone or conduit shall be analyzed in order to identify and document the
known vulnerabilities in the assets contained within the zone or conduit, including the
access points.
Requirements:
– These vulnerabilities and threats are to be automatically matched with the asset
inventory information.
– This list contains further details about the source, target and nature of the threat,
enabling an informed analysis and mitigation.
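The automatic matching of threats and vulnerabilities against the asset inventory that DRAR 1, DRAR 2 and the requirements above call for, and the per-finding reference to the intelligence source that ZCR 5.4 asks for, can be shown with a small matcher. This is an added example for this page, not code from the iPLON document or from any vulnerability feed. Asset records, zone names and advisory records are constructed; the advisory identifiers (ADV-EXAMPLE-…) and vendor and product names are placeholders, not real CVE or vendor identifiers.

```python
"""Threat/vulnerability to asset matching (added example; not from the guideline).

DRAR 1 asks for a threat list per zone or conduit (source, vector, affected
assets); DRAR 2 asks for the known vulnerabilities of the assets inside it,
including the access points. This example matches advisory records to the
asset inventory by vendor, product and version, groups the findings per zone
and keeps the source reference on every finding for audit (ZCR 5.4).
Assets and advisories are constructed; identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str
    vendor: str
    product: str
    version: str
    access_point: bool = False   # gateway/firewall at the zone boundary (DRAR 2)


@dataclass(frozen=True)
class Advisory:
    ref: str             # identifier in the source feed (placeholder here)
    source: str          # threat intelligence source the record came from
    vendor: str
    product: str
    fixed_in: str        # versions strictly below this are affected
    threat_source: str   # DRAR 1: who or what the threat comes from
    vector: str          # DRAR 1: how the asset would be reached


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); tuple comparison gives numeric ordering.
    Assumes dotted numeric versions (inventory data is normalised beforehand)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    same_product = (asset.vendor.lower(), asset.product.lower()) == \
                   (adv.vendor.lower(), adv.product.lower())
    return same_product and parse_version(asset.version) < parse_version(adv.fixed_in)


def match_advisories(assets, advisories) -> Dict[str, List[dict]]:
    """Group findings per zone; each finding carries the advisory reference."""
    findings: Dict[str, List[dict]] = {}
    for a in assets:
        for adv in advisories:
            if not is_affected(a, adv):
                continue
            findings.setdefault(a.zone, []).append({
                "asset": a.asset_id,
                "at_access_point": a.access_point,
                "ref": adv.ref,
                "source": adv.source,
                "threat_source": adv.threat_source,
                "vector": adv.vector,
                "fixed_in": adv.fixed_in,
            })
    return findings


# Constructed asset inventory (vendor/product names are placeholders).
ASSETS = [
    Asset("plc-01", "control", "ExampleVendor", "PLC-X", "2.1.0"),
    Asset("plc-02", "control", "ExampleVendor", "PLC-X", "2.4.1"),
    Asset("fw-01", "dmz", "ExampleVendor", "GatewayFW", "5.0", access_point=True),
    Asset("sis-01", "safety", "OtherVendor", "SIS-Ctl", "1.0"),
]
# Constructed advisory records with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "vendor-advisory", "ExampleVendor", "PLC-X", "2.3.0",
             "external actor on the business network", "network"),
    Advisory("ADV-EXAMPLE-0002", "national-cert-feed", "ExampleVendor", "GatewayFW", "5.2",
             "external actor via remote access", "network"),
    Advisory("ADV-EXAMPLE-0003", "vendor-advisory", "OtherVendor", "SIS-Ctl", "0.9",
             "local user", "local"),
]


def run_example() -> Dict[str, List[dict]]:
    return match_advisories(ASSETS, ADVISORIES)


if __name__ == "__main__":
    for zone, items in run_example().items():
        for item in items:
            print(f"{zone}: {item['asset']} affected by {item['ref']} ({item['source']})")
```

Findings are grouped by zone rather than by asset because the detailed risk assessment in ZCR 4 is performed per zone or conduit; the `at_access_point` flag marks the findings that sit on a zone boundary, which DRAR 2 requires to be included.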
ZCR 5 Document cybersecurity requirements, assumptions and
constraints
ZCR 5.3 The cybersecurity requirements specification (CSRS) shall identify and document
the physical and logical environment in which the SuC is located or planned to be
located. This shall provide a clear understanding of the networks, information
technology, protocols and IACS systems that may interface with the SuC.
ZCR 5.4 The CSRS shall include a description of the threat environment that impacts the SuC.
The description shall include the source(s) of threat intelligence and cover both current
and emerging threats.
Requirements:
– Full visibility over the monitored environment (the SuC), including details about:
  – Communications and links across networks/zones.
  – All active IP-connected network devices, their function and their properties.
  – All protocols and services in use in each network/zone and by each device within that
zone.
– Visual threat scenarios on the network map or inclusion in external documentation.
– Each threat and vulnerability obtained from external sources contains a clear reference
to the threat intelligence source or identifier.
Challenges:
– Design of the solution during the assessment
– Minimizing or overstating the consequence
– Failing to gain consensus on the risk assessment results
– Assessing the system without considering the assessment results
from other similar systems
RISK OUT Design:
– Reduce the risk
– Accept the risk
– Transfer or share the risk
– Eliminate or fix outdated risk and control measures
3, SL Target calculation, risk matrix and template creation
The risk assessment is carried out by the asset owner and cybersecurity personnel to assess the risk.
Cybersecurity requirements and techniques: use cases
Security Level 1
Requirements and analysis
Sample Plant before Deployment of IEC 62443 in IACS
Sample plant after deployment of IEC 62443 in IACS SL-1
Modifications carried out
In this example, the control zone from the sample network has been broken into seven smaller
zones, highlighted in grey. New elements are highlighted in green.
– Demilitarized Zone (DMZ)
– Security Appliance Zone
– Plant/Process Zone
– Wireless Zone
– Controller Zones
Industrial-grade firewalls (highlighted in green) have been added to segment the network.
Security Level 2
Modifications carried out:
A unified account management appliance, Certificate Authority, backup server, event server
and Network Intrusion Detection System have been added to the network and are highlighted in
green below. In addition, the control network has been segmented into two separate networks.
Sample plant after deployment of IEC 62443 in IACS SL- 2
Security Level 3
Modifications carried out:
The event server that was added at Security Level 2 has to be upgraded to a SIEM server to
accommodate the Security Level 3 requirements. In addition, a GPS time source and a wireless
threat device have to be added.
Sample plant after deployment of IEC 62443 in IACS SL- 3
Attached reference documents:
– Use case of industrial firewall
(2021-TeleTrusT-IEC_62443-4-2_Use_Case_Industrial_Firewall.pdf)
– Availability of 62443 standards
(ISAGCA QuickStart Guide FINAL.pdf)
(2020-ODVA-Conference_CIP_Security_and_IEC_62443_Visoky_Wiberg_Final.pdf)