Project: IEC 62443 Guidelines    Date: 17.05.23    iPLONIndia

VERSION HISTORY
Created By: Sathya Narayanan
Revision Date: May 17, 2023
Reason: Creation of Document

Contents
1. IEC 62443 basics, setup context, roles and responsibilities
2. IEC 62443 all clauses
3. Level indicators for security and control systems
4. Maturity levels, zones and conduits
5. Foundational requirements and IEC 62443-2-1
6. IEC 62443-2-4
7. Foundational requirements for IEC 62443-3-3
8. Foundational requirements and security levels for IEC 62443-4-2
9. Authentication and authorization technologies for IEC 62443-3-1
10. Network protection technologies from IEC 62443-3-1
11. Encryption technologies and data validation from IEC 62443-3-1
12. Management, audit, measurement and detection tools from IEC 62443-3-1
13. Zones, conduits and risk assessment from IEC 62443-3-2
14. Cyber security requirements and techniques used

IEC 62443 Industrial automation and control systems (IACS) (Cyber Security)

– The standard exists mainly to safeguard industrial automation and control systems and operational technology (OT) within the scope of cyber security.
– This is critical for infrastructures such as power plants, oil and gas, wind power, manufacturing and food processing, where cyber security risk must be mitigated.
– The standard provides a framework for implementing and setting up requirements and controls, identifying weaknesses, assessing risk, and mitigating and reducing risk when operating an IACS.
– The standard clearly defines the roles of the organization and the policies, processes and procedures that apply. It also defines the security levels (SL) that a system can be applied to or operated at.

Structural hierarchy
The key roles defined for an IACS are:
– Asset Owner
– Maintenance Service Provider
– Integration Service Provider
– Product Supplier

Roles and Responsibilities
Asset Owner: solely accountable for plant operation and for the overall policy and procedures governing all automation and its components (including hardware and software). (Accountable for operation, policy and procedure)
Maintenance Service Provider: maintains the plant and the operational capability of the automation solution, i.e. all software and hardware (mechanical, electrical, software, etc.). (Maintains the operation, automation solution and capability)
Integration Service Provider: responsible for commissioning and validating the whole automation solution, and for designing and deploying the automation systems (can be multiple OEMs or companies). (Commission and validate, design and deploy)
Product Supplier: works on the component model and the service of the component, covering all hardware and software from development until End of Life (EOL) of the component. (Develops and supports the component from start until end of service life)

IEC 62443-1 (General)
# IEC 62443-1-1: Introduces the concepts and models used
# IEC 62443-1-2: Master glossary of terms and abbreviations
# IEC 62443-1-3: Describes a series of quantitative metrics derived from the foundational requirements, system requirements and other guidance material
# IEC 62443-1-4: Provides a more detailed description of the underlying life-cycle of IACS security and use cases

IEC 62443-2 (Policies and Procedures)
# IEC 62443-2-1: Describes the requirements to define and implement an effective IACS cyber security management system
# IEC 62443-2-2: Provides a methodology for evaluating the protection level provided by an operational IACS against cyber security threats and the requirements based on 2-1
# IEC 62443-2-3: Provides guidance on patch management
# IEC 62443-2-4: Requirements for suppliers of IACS systems and related components
# IEC 62443-2-5: Guidance on the requirements to operate an effective IACS cyber security management system

IEC 62443-3 (System Requirements)
# IEC 62443-3-1: Describes the application of various security technologies in an IACS environment
# IEC 62443-3-2: Addresses security risk assessment and system design for IACS
# IEC 62443-3-3: Provides the foundation for assessing the security level provided by an automation system

IEC 62443-4 (Component Requirements)
# IEC 62443-4-1: Describes the derived requirements that are applicable to development of the product
# IEC 62443-4-2: Contains a set of derived requirements that provide a detailed mapping of system requirements to the subsystems and components of the system under consideration

Levels and Indicators

Security Levels
The security levels are classified into five types on a scale from SL0 to SL4:
SL0: No requirement or security protection needed
SL1: Protection against casual or coincidental violation (lapse)
SL2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation

Types of Security Levels
The type of security level is based on the target, the security assessment and the capability:
SL-T (Target): the desired level of security for the automation solution; it is the outcome of the risk assessment and determines the level of security
SL-A (Achieved): the actual level of security for the automation solution; it can be assessed for the current state of the automation system or for a design, to verify the actual security level
SL-C (Capability): the capability level of security for the automation solution; it can be achieved by proper configuration of the existing controls without adding new controls

Levels of Control System
The level is based on the control of the actual devices and their process:
L0: the actual physical process, sensors and actuators, i.e. those directly connected to the process and its equipment (Field Devices)
L1: logic control, including sensing and manipulating the physical process; DCS controllers, PLCs and RTUs (Basic Process Control, Safety)
L2: supervisory control level, including the functions involved in monitoring and controlling the physical process (Site Monitoring Display and Supervisory Control)
L3: operations management, including the functions of managing the workflow to produce the desired end product, production scheduling, reliability assurance and site-wide operations (Operation/System Management)
L4: enterprise business systems, including the functions involved in business-related activities needed to manage a manufacturing process (Business Enterprise System / Third-party System)

Maturity Levels
Based on the system security maturity with respect to the guidelines:
ML1 (Initial): without a documented process; poorly controlled
ML2 (Managed): with a formal documentation process; evidence of expertise of trained personnel
ML3 (Defined): use of defined, established and documented processes; well-defined training schema for personnel
ML4 (Improving): demonstration of continuous improvement; conduct of internal audits

Zones and Conduits
Conduit: a single service such as a single Ethernet network or multiple data carriers
Zone: a grouping of assets that share common security requirements

Zone Levels (the flow in this table is descending from L4 to L0, based on zonal control)
L4: Enterprise Zone – business enterprise system, third-party system, SAP / BI / OS PI
L3: Demilitarized Zone – operation/system management
L2: Industrial Network Zone – supervisory control, site monitoring display
L1: Industrial Network Zone – basic process control, safety and protection (SIS/HIPPS)
L0: Industrial Network Zone – process equipment under control (Field Devices)

Foundational Requirements
i. Identification and authentication
ii. Use control
iii. System integrity
iv. Data confidentiality
v. Restricted data flow
vi. Timely response to events
vii. Resource availability

IEC 62443-2-1
This standard provides the requirements on how the asset owner should manage practices and personnel as part of the owner's cyber security program, the "Cyber Security Management System" (CSMS). It defines the elements necessary to establish a security program for an IACS, provides guidance on how to develop them, explains the need for consistency between IACS practices and IT security practices, and states what shall be included in the program. The elements of the cyber security program are:
– Policy
– Procedure
– Practice
– Personnel related

This is the guideline map for a cyber security management system program:
Risk Analysis: assessment for identification of risk.
Address with CSMS: based on the risk identified, classify and address it through policy and training (including awareness programs), organizational security policy, countermeasures, access controls and technical resource availability.
Implementation: managing the risk, system development and maintenance, documentation and incident planning.
Monitoring and improvement: conformance and adherence; review, improve and maintain the CSMS.

Much of the content of this standard is related to ISO 27001 and is also applicable and related to IACS; the standard classifies the differences between an IACS and a general business/IT system. It introduces the concept of cyber risk with an IACS having implications on health, safety and environment (HSE), which can be integrated with other existing risk management practices that cover these risks.
IEC 62443-2-4
This standard provides the requirements for implementing the security program and is expected to be independent of the different releases of the products used in the automation solution. It also defines the capabilities that these security programs are required to provide. It addresses the fact that security programs evolve from manual to formal processes by assigning a maturity model to be used with the application of this standard. Service providers and asset owners should negotiate the terms of the capabilities to be provided, show the security requirements of the system, and encourage the service provider to implement the required capabilities so that they are adaptable to a wide variety of assets. The maturity model allows the asset owner to better understand the maturity of a specific service provider's capabilities and contains security requirements for providers of integration and maintenance services for an IACS.

The standard specifies the security capabilities that an IACS service provider can offer the asset owner during integration and maintenance activities of the automation solution, and is related to IEC 62443-2-1. It can be used by the asset owner to request specific security capabilities from the service provider and to determine whether the service provider is capable of providing them in a cyber secure manner.

Dependencies: these are the dependencies interconnected with this standard, ranging from IEC 62443-2-1 to IEC 62443-4-2; they provide the method of workflow and orchestration of event management and interconnection, along with incident management.

Foundational Requirements for IEC 62443-3-3

i. Identification and authentication
The asset owner will develop a list of valid and authorized users (human, software process and device), including privileges, and will require identification and authentication for each zone, prevent unauthorized access and check access rights before authentication.

SR 1.1 User identification and authentication: all users must be unique, authenticated and set up in the control system application.
SR 1.1 RE-1 Multi-factor authentication: required when accessing from an untrusted network (can be complied with using a VPN).
SR 1.2 Software process and device identification and authentication: must be implemented on all devices that will access, or be accessed from, the control system network.
– For Linux: user/group management
– For Windows: user/group management, local security policy, Windows Defender
SR 1.3 Account management: the system must be able to manage all users; this can be managed in the OS using Kerberos, EAP or Active Directory, and includes accounts on switches, firewalls and other third-party components.
SR 1.4 Identifier management: management of user, group, role or control system interface identifiers must be supported; this is already available in Linux and Windows, and a local policy and procedure must be established.
SR 1.5 Authenticator management: there must be a procedure to verify that authenticators are unique, e.g. that passwords are unique and are not stored, transmitted or shared in any medium (use of password vaults and password management solutions).
SR 1.6 Wireless access management: connections to the wireless network must be authenticated and identified; this can be done using an EAP method, IPsec or Kerberos.
SR 1.7 Strength of password-based authentication: the strength of passwords is checked and enforced using minimum length, variety of characters and lifetime; this can also be enforced at OS level or using EAP.
SR 1.10 Authenticator feedback: when passwords are being entered or authenticated, the characters should not be displayed but replaced with asterisks (*); this is supported by current versions of Linux and Windows.
SR 1.11 Unsuccessful login attempts: set a maximum number of unsuccessful login attempts after which the account is locked out for a certain cooling period; this is configured per user account in the OS.
SR 1.12 System use notification: the system must display a notice about itself stating that use of the machine is for authorized and responsible use only, that unauthorized use is prohibited and subject to civil or criminal penalties, and that system usage may be recorded and monitored, with use implying consent; the notice must not include too much information about the criticality of the system, which may make it a target for hackers or external sources.
SR 1.13 Access via untrusted networks: the ability to monitor and control all methods of access from untrusted networks, which should be blocked and protected; multi-factor authentication can also be used for security, while not overly hindering the availability of the system by racking up security parameters.
SR 1.13 RE-1 Explicit access request approval: the operator must be able to see whether a remote session is going on, and the role must be able to terminate the session if needed; the UI must have some way to show this, and third-party hardware solutions exist to accommodate this requirement.
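As an added example, not part of the iPLONIndia guideline or of any vendor product, the following Python account store puts SR 1.5, SR 1.7 and SR 1.11 together: password strength and lifetime are enforced, authenticators are held only as salted PBKDF2 hashes, repeated failures lock the account for a cooling period, and a disabled account cannot authenticate (the same check the CR 1.3 test of IEC 62443-4-2 later in this document relies on). MIN_LENGTH, MAX_FAILED, LOCKOUT_SECONDS and PASSWORD_LIFETIME are assumed policy values.

```python
# Added example (not from the iPLONIndia guideline or any vendor product):
# an account store enforcing SR 1.5, SR 1.7 and SR 1.11 of IEC 62443-3-3.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Assumed policy values; an asset owner sets these in the security policy.
MIN_LENGTH = 12
MAX_FAILED = 5
LOCKOUT_SECONDS = 900
PASSWORD_LIFETIME = 90 * 86400
PBKDF2_ROUNDS = 100_000


def check_strength(password):
    """SR 1.7: minimum length and character variety. Returns the violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(ch in cls for ch in password) for cls in classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def _derive(password, salt):
    # SR 1.5: only a salted, slow hash of the password is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    set_at: float          # when the password was set (SR 1.7 lifetime)
    enabled: bool = True   # SR 1.3: accounts can be disabled
    failed: int = 0
    locked_until: float = 0.0


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, user_id, password, now):
        if user_id in self.accounts:
            raise ValueError("SR 1.1: user IDs must be unique")
        problems = check_strength(password)
        if problems:
            raise ValueError("SR 1.7: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _derive(password, salt), now)

    def disable(self, user_id):
        self.accounts[user_id].enabled = False

    def authenticate(self, user_id, password, now):
        """Returns 'ok', 'expired', 'locked' or 'denied'.

        The same 'denied' is returned for an unknown ID, a disabled account
        and a wrong password, so the response does not leak which it was.
        """
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED:
                # SR 1.11: lock the account for the cooling period.
                acct.failed = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failed = 0
        if now - acct.set_at > PASSWORD_LIFETIME:
            return "expired"   # SR 1.7: lifetime exceeded, password must be changed
        return "ok"
```

The `now` parameter is passed in rather than read from the OS clock so that the lockout and lifetime logic can be tested deterministically and fed from a protected time source.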
ii. Use Control
Once the user is authenticated, the control system must restrict and allow actions based on the privileges assigned to each human, software process, group or role by the asset owner, thus preventing unauthorized actions by verification of privilege. (Privilege here means read, write, download program, settings, configuration, etc.; it can vary per user based on location, time and means of access.)

SR 2.1 Authorization enforcement: users and roles are to be configured, and authorization enforcement can be set from the whole system down to a specific individual setting or object; the organization must have a procedure and policy for this.
SR 2.2 Wireless use control: the wireless network should be monitored and authorized to enforce usage restrictions as per the EAP, Kerberos or IPsec protocol, covering all wireless forms of communication (Bluetooth, Zigbee, radio, etc.).
SR 2.3 Use control for portable and mobile devices: the IACS must be designed so that usage of portable and mobile devices is controlled; specific authorization can be set up, and data transfer using USB should be restricted (including all electrical and electronic devices).
SR 2.4 Mobile code: software should not run any executable code from a mobile device, and care must be taken with files that are retrieved from outside the control system or exchanged within the system, to ensure they are fingerprinted to prevent tampering (SHA, MD5).
SR 2.5 Session lock: session lock should not be used on systems where critical functions reside and emergency operations are performed; if needed, session lock can be set up in the OS to lock out and re-authenticate after a certain timeout.
SR 2.6 Remote session termination: it must be possible to set up remote sessions so that they terminate automatically after a certain period of inactivity or timeout, or are terminated manually by the initiator; this can be configured in the OS and in third-party access solutions.
SR 2.8 Auditable events: the control system should keep a record of auditable events in the system log, including prohibited access and changes to files and the control system; a SIEM system can be set up to handle the events from there.
SR 2.9 Audit storage capacity: the storage for audit records must be large enough to hold the required logs, and a mechanism should be in place to prevent it from being exceeded.
SR 2.10 Response to audit processing failures: a failure in the audit processing system should alert operators and must not cause loss of the main systems; an alarm can be set up when disks are nearing full capacity.
SR 2.11 Time stamps: timestamps should be present in all audit records; the control system can be configured to use an alternate time source apart from the OS clock, and this source must be protected from unauthorized manipulation and tampering, taking into account that GPS spoofing and time manipulation are possibilities.

iii. System Integrity
Asset owners are responsible for maintaining the integrity of the system, with different levels of protection for different systems, communication channels and information. Integrity must be maintained in transit and at rest, including when connected over the network and while in a data repository, and covers all software, files, reports, code, etc.

SR 3.1 Communication integrity: the transmitted information must be protected; this can be achieved by using IPsec to encapsulate the information.
SR 3.1 RE-1 Cryptographic integrity protection: the transmitted information should be protected using encryption with IPsec, usually to prevent man-in-the-middle (MITM) attacks and data modification; this is a must if communication takes place over an untrusted network.
SR 3.2 Malicious code protection: malicious code can be prevented using anti-malware and AV programs; their priority must be set so that they do not interfere with IACS behaviour and operations, and an allow list of good applications should be set up in the OS.
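The audit requirements SR 2.8 to SR 2.11 above translate into a small amount of concrete behaviour: every event is stamped from a pluggable time source, a backwards-running clock raises an alarm, the store has a fixed capacity with a fill-level alarm, and an audit failure alerts the operator without propagating into the control function. The Python trail below is an added example, not code from the iPLONIndia guideline; CAPACITY and ALERT_FILL are assumed values, and the hash chaining of records is an addition that makes editing or removing a record detectable.

```python
# Added example (not from the iPLONIndia guideline): an in-memory audit trail
# illustrating SR 2.8 to SR 2.11 of IEC 62443-3-3. The capacity, alarm
# threshold and the chaining of records are assumptions of this example.
import hashlib
import json

CAPACITY = 1000     # assumed number of records the store can hold (SR 2.9)
ALERT_FILL = 0.8    # assumed: alarm when the store is 80 % full (SR 2.10)
GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self, time_source, capacity=CAPACITY):
        # SR 2.11: the time source is pluggable, so a protected alternate
        # source (NTP/GPS feed) can be used instead of the OS clock.
        self.time_source = time_source
        self.capacity = capacity
        self.records = []
        self.alarms = []     # operator alarms (SR 2.10), collected here for the example
        self.last_ts = 0.0
        self.prev_hash = GENESIS

    def record(self, event, actor, detail=""):
        """Append one auditable event (SR 2.8). Returns True if it was stored."""
        try:
            ts = float(self.time_source())
            if ts < self.last_ts:
                # SR 2.11: a clock running backwards is a sign of time manipulation.
                self.alarms.append(f"time source regression: {ts} < {self.last_ts}")
            self.last_ts = max(ts, self.last_ts)
            if len(self.records) >= self.capacity:
                # SR 2.9 / 2.10: never silently overwrite; alarm and report the loss.
                self.alarms.append(f"audit storage full, event dropped: {event}")
                return False
            body = {"ts": ts, "event": event, "actor": actor,
                    "detail": detail, "prev": self.prev_hash}
            digest = _digest(body)
            body["hash"] = digest
            self.records.append(body)
            self.prev_hash = digest
            if len(self.records) >= int(self.capacity * ALERT_FILL):
                self.alarms.append(f"audit storage at {len(self.records)}/{self.capacity}")
            return True
        except Exception as exc:
            # SR 2.10: an audit failure alerts the operator but must not
            # propagate into, or stop, the control function that called us.
            self.alarms.append(f"audit processing failure: {exc!r}")
            return False

    def verify_chain(self):
        """Recompute the hash chain; an edited or removed record breaks it."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```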
SR 3.2 RE-1 Malicious code protection at entry and exit points: malicious code protection can be enforced by setting up anti-malware and AV programs; disabling autoplay and automount can be seen as mitigating actions on top-level systems.
SR 3.3 Security functionality verification: the solution must provide a way to support safe verification of the security functions, at least during testing and scheduled maintenance (certifications from TÜV, etc.).
SR 3.4 Software and information integrity: the control system shall have the ability to detect, record, report and protect against unauthorized changes to software and information at rest.
SR 3.5 Input validation: the control system should validate any input that is process-related or directly impacts the actions of the system, including input that is externally modified; input includes all process data values, scripts, database queries and any material that can be changed via tampering so as to change the working of the system. A reporting SIEM system can be set up to report anomalies that indicate tampering and security breaches.
SR 3.6 Deterministic output: it should be ensured that the outputs go to a predefined state if normal operation cannot be maintained due to an attack; the I/O units and control applications can be set to automatically correct the output if the connection or power to the system is lost, thus maintaining safe operation of the system (safe state).
SR 3.8 Session integrity: session-based protocols are to be protected and shall reject invalid session IDs; this can be done using IPsec or by buying encrypted transmission, and can be omitted in places where that is deemed necessary.
SR 3.8 RE-1 Invalidation of session IDs after session termination: when session-based protocols are used, session IDs must be invalid after use; make sure not to reuse session IDs after session termination.
SR 3.8 RE-2 Unique session ID generation: a unique session ID shall be created for each session, and randomness of the ID must be ensured to prevent MITM attacks and session hijacking.
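SR 3.4 (detect, record and report unauthorized change to software and information at rest) and the fingerprinting of imported files in SR 2.4 can both be met with a SHA-256 baseline taken at commissioning and re-checked on a schedule. The Python below is an added example, not code from the iPLONIndia guideline or any product; the file names and contents are constructed in a temporary directory for the demonstration, and SHA-256 is used rather than MD5.

```python
# Added example (not from the iPLONIndia guideline or any product): a SHA-256
# baseline of files at rest, one way to implement SR 3.4 (detect, record and
# report unauthorized change) and the SR 2.4 fingerprint check on files that
# enter the control system. The file names below are constructed for the demo.
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(root):
    """Relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_baseline(root, baseline):
    """SR 3.4: report what changed since the baseline was recorded."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def verify_import(path, expected_digest):
    """SR 2.4: accept a file brought in from outside only if its fingerprint
    matches the one received out of band (e.g. from the vendor's release note)."""
    return hmac.compare_digest(sha256_file(path), expected_digest)


def make_demo_tree():
    """Constructed sample: a controller project with logic and an HMI config."""
    root = tempfile.mkdtemp(prefix="iacs-demo-")
    os.makedirs(os.path.join(root, "cfg"))
    with open(os.path.join(root, "plc_logic.bin"), "wb") as f:
        f.write(b"ladder logic v1")
    with open(os.path.join(root, "cfg", "hmi.xml"), "wb") as f:
        f.write(b"<hmi version='1'/>")
    return root


def tamper_demo_tree(root):
    """Simulate an unauthorized change: edit the logic, add an unknown binary,
    delete a configuration file."""
    with open(os.path.join(root, "plc_logic.bin"), "wb") as f:
        f.write(b"ladder logic v1 (unauthorized edit)")
    with open(os.path.join(root, "unknown.exe"), "wb") as f:
        f.write(b"MZ")
    os.remove(os.path.join(root, "cfg", "hmi.xml"))


if __name__ == "__main__":
    demo_root = make_demo_tree()
    recorded = build_baseline(demo_root)
    tamper_demo_tree(demo_root)
    print(verify_baseline(demo_root, recorded))
```

In a real deployment the baseline itself must live on read-only or separately protected storage, otherwise an attacker who can change the files can change the baseline too.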
CR 3.10 Support for updates: update support is a must and applies to all devices; the IACS must have a secure way to update and upgrade the system so that it remains hardened against security exploits, and the update process must itself not be easily exploitable.
CR 3.14 Integrity of the boot process: the IACS must be built so that the integrity of firmware, software and configuration data is verified during booting of the system (TPM, etc.).

iv. Data Confidentiality
To prevent unauthorized disclosure, the IACS shall provide the necessary capability to ensure confidentiality of information; communication channels and data storage need to be secured both at rest and in motion.

SR 4.1 Information confidentiality: confidential information must be secured at rest and in motion; this includes user IDs, passwords, private keys, etc. A process and policy are to be set to prevent exposure of data, and an IEEE 802.1X port-based network solution is to be used as a guard mechanism over the access network.
SR 4.3 Use of cryptography: use industry-standard or better encryption methods where applicable; WPA3 or better encryption can be used for wireless networks, and I/O servers, system backups and backup keys are to be set up using industry-standard encryption.
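The session requirements SR 3.8, SR 3.8 RE-1 and SR 3.8 RE-2 in the System Integrity section above, together with the SR 2.6 inactivity timeout, are shown in the following Python session table. It is an added example, not code from the iPLONIndia guideline or any product; IDLE_TIMEOUT is an assumed value, and the sequential `predictable_session_id` is included only to show the pattern RE-2 rules out.

```python
# Added example (not from the iPLONIndia guideline or any product): a session
# table showing SR 3.8, SR 3.8 RE-1 and SR 3.8 RE-2 of IEC 62443-3-3, with the
# SR 2.6 inactivity timeout. IDLE_TIMEOUT is an assumed value.
import secrets

IDLE_TIMEOUT = 600   # assumed seconds of inactivity before a session ends (SR 2.6)


def predictable_session_id(counter):
    """What SR 3.8 RE-2 rules out: a sequential ID any observer can guess."""
    return f"session-{counter}"


class SessionManager:
    def __init__(self):
        self.active = {}      # session id -> {"user": ..., "last": ...}
        self.issued = set()   # every id ever handed out, so none is reused (RE-1)

    def open(self, user, now):
        # RE-2: 256 random bits from the OS CSPRNG; collisions are checked anyway.
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self.issued:
                break
        self.issued.add(sid)
        self.active[sid] = {"user": user, "last": now}
        return sid

    def validate(self, sid, now):
        """SR 3.8: returns the user for a valid session, None for anything else."""
        sess = self.active.get(sid)
        if sess is None:
            return None          # unknown, forged or already terminated id
        if now - sess["last"] > IDLE_TIMEOUT:
            self.terminate(sid)  # SR 2.6: idle sessions are closed, not resumed
            return None
        sess["last"] = now
        return sess["user"]

    def terminate(self, sid):
        # RE-1: the id stays in `issued`, so it can never be handed out again.
        self.active.pop(sid, None)
```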
Restricted Data Flow Asset owner need to determine the information flow restriction and configure conduits user to deliver the information, IACS provides the capability to segment the control system via zones and conduits to limit information flow including disconnection of business network from public or business network using data diode, firewall and creation of Demilitarized zones SR 5.1 Network Segmentation Network must be segmented and isolated logically where applicable routers, switches and virtual segmentation using VLAN is preferred so that traffic from one segment does not intermix with other segment, if mixing happens a risk evaluation can be done to reduce and see barriers that cause a cyber incident SR 5.1 RE-1 Physical Network Segmentation Network segment must be physically isolated as to confirm that control system network and other networks dont mix together SR 5.2 Zone boundary protection This needs to be enforced by using RADIUS, Trusted network connect or other Network access protocols SR 5.2 RE-1 Deny by default, allow by exception Network devices must be configured to deny traffic by default and allow by exception with addition to EAP, IPSec, Kerberos make it difficult to hack (firewall) iPLONIndia 18 18 Project :IEC 62443 Guidelines Date : 17.05.23 SR 5.2 RE-2 Island Mode The IACS must have the capability to isolate itself from other network to reduce risk of being compromised when attack is detected SR 5.3 General purpose person-to-person communication restriction To mitigate attack vector the IACS must be capable to prevent p2p messaging from IACS, if messaging is required counter measures such as isolation, bandwidth limiting can be employed SR 5.4 Application partitioning Control applications must be partitioned based on criticality for zoning, recommend using modularity of system, Docker, hypervisor can segregate application running on same hardware and assess any security and realtime performance implications vi. 
Timely Response to Events Asset owner to establish security policy and procedure and proper line of communication and control to handle security violations and breach, use of monitoring tools and methods should not interfere with the control system and degrade the system performance SR 6.1 Audit Log accessibility The audit logs must be only accessed by authorized user from a read-only device, no options or ways to modify the logs other than appending log data, access control list or third party system can be used to enforce this requirement vii. Resource Availability To ensure that the control system is guarded against various resource consuming attack like Ddos Denial of service, and to prevent partial or total unavailability of the system, encourage use of high redundancy network availability at network level and high priority to server, firewalls and applications SR 7.1 Denial of service protection The IACS must have a way to request information from or notify by boundary devices to detect that a cyber attack is ongoing, if detected a DOS attack the IACS must operate in iPLONIndia 19 19 Project :IEC 62443 Guidelines Date : 17.05.23 degraded mode, risk evaluation can be done to safely degrade the system without affecting other safety-related systems SR 7.2 Resource Management The IACS should provide resource management capability to mitigate resource exhaustion caused bu security related process such as running AV and similar, security function should not cause IACS to misbehave during operation SR 7.3 Control System backup The IACS must have up-to-date backup for full system recovery in case of failure or misconfiguration, this includes audit logs and other forensic informations, the backup must be encrypted and the system must be in safe state during backup SR 7.4 Control system recovery and reconstitution There must be a way to quickly recover the control system to a secure state after any disruption or failure, for industrial controller this is to restore the 
latest backup other devices such as switches, I/O must have the ability to match operation of last known secure state, firmware and settings must be available to restore and match it with a correct configuration to swap out defective unit incase of hardware system SR 7.5 Emergency Power The IACS must be able to switch to emergency power supply without affecting the existing security state, risk assessment can be done to determine the probable cause of failure and implement barrier to mitigate these SR 7.6 Network and Security Configuration settings The solution shall provide guideline for network and security configuration and IACS to be configured accordingly, including the OS and IACS to be set to monitor these in accordance with security policy and procedures (including OS, hardening etc) SR 7.7 Least Functionality The IACS should restrict use of unnecessary functions. Firewall must be setup to allow only known devices, addresses, services and ports (removal of unwanted programs incl games, calculators other misc applications) – – For linux this can be done using IP tables/ nftables /UFW For windows can be done using firewall iPLONIndia 20 20 Project :IEC 62443 Guidelines Date : 17.05.23 Case study: Risk assessment of AB oil Scenario: AB oil company is located in middle east does refining and export of petrol and other fuel gases, this assessment carries the entire plant proudction Scope: Location Alpha U101 Connection located to U102, 105, 107 for normal data exchange Received documents: – – System architecture Inventory details General Observations Documentation: – – – The current asset inventory is incomplete and missing important infos Proper architecture and network diagrams are not available to reveal logical and physical network connection between assets Interconnection between U101-U105 is not available Anti-virus – Most endpoints have AV – Stand-alone system don't have AV but has other manual scan procedures – No central management for AV Backups – 
Network connected computer based system are auto backup using WSUS – Most HMI panel dont have backup abilities – For PLCS there is manual backup procedure DCS and system safety – The DCS network is not segregated from safety network on each location – Only one engineer knows to reset and retrieve password – Same user name and password is used by all workstation operator iPLONIndia 21 21 Project :IEC 62443 Guidelines Date : 17.05.23 Operating System Configuration – – – All windows OS are hardened by vendor guidelines, but no control to verify it this is still the case No one hardening procedure different vendor different hardening procedures Logs are not enabled Network Management – – – Process engineer using telnet to access network switch in level 2 Network connecting PLC to HMI is single and routed using metal conduits and seperate cable tray Engineer in U101 can take RDP of workstation of U105 without any approval from U105 and was editing log rotation of machine Assessment Calculate and visualize above data with all the requirements in all terms needed below attached a sample iPLONIndia 22 22 Project :IEC 62443 Guidelines Date : 17.05.23 Foundational Requirement for IEC 62443-4-2 Identification and Authentication – – – – All human user need to be identified and authenticated for all access to application and devices, including access through network protocol HTTP, HTTPS, FTP, SFTP and protocol used by device config tools Components using password authentication must enforce password policy (minimum character and variety etc) Components using public-key authentication must ensure certificate validity and strength of cipher suite used complies with encryption requirements Monitor remote access and authentication attempts on over clear text OT and IT protocol including HTTP, HTTPS, FTP, SFTP,SMB, Telnet etc all failed and succeed attempts must be logged for analysis to ensure critical systems are accessed using individual credentials Use case of FR-1 Assumptions: 
Node, Switch, Forwarder, Gateway, Border gateway are up in security levels 1.1, Identification and authentication SL1 Requirement ISA 62443-4-2 CR 1.1 – Enforce IDs and access on interface that provide access Test: – – Verify device cannot be operated without logging in with specific account Verify normal user account is always logged in in manned control rooms dont have admin access other than those provided for operation SL2&3 Requirement ISA 62443-4-2 CR 1.1 (1) – Enforce unique ID and access of each human user Test: – Verify that no public, default credentials to be used to authenticate the device, enumerate all user IDs and verify shared accounts are not used iPLONIndia 23 23 Project :IEC 62443 Guidelines Date : 17.05.23 SL4 Requirement ISA 62443-4-2 CR 1.1 (1)(2) – Enforce multi-factor authentication for each user Test: – Verify that different path of authentication and info are not easy to tamper with 1.2, Application or device identification and authentication SL1 NA SL2 Requirement ISA 62443-4-2 CR 1.2 – Identify and authenticate itself when interfacing other components Test: – Use the method/ protocol as SNMP, LLDP for discovery and 802.1x for authentication specified by vendor to retrieve and verify component type SL3&4 Requirement ISA 62443-4-2 CR 1.2 (1) – Uniquely identify and authenticate itself when interfacing other components Test: – Use the method/ protocol as SNMP, LLDP for discovery and 802.1x for authentication specified by vendor to retrieve and verify component type and its Unique ID 1.3, Account management SL 1,2,3,4 ISA 62443-4-2 CR 1.3 – Provide management of accounts directly in component or support such management in common system Test: – Login using existing account on target device, disable the account used to login and retry login with this account it should not login as account is disabled 1.4 Identifier management SL 1,2,3,4 ISA 62443-4-2 CR 1.4 iPLONIndia 24 24 Project :IEC 62443 Guidelines Date : 17.05.23 – Provide management of 
identifiers by user, group, role or control system interface, either directly in the component or by supporting integration into a common system that provides such identifier management
Test:
– Verify that the component supports identification of any entity either directly or through a central identifier management solution

1.5 Secure authenticator management
SL 1,2 ISA 62443-4-2 CR 1.5
– Support secure management of authenticator content such as passwords
Test:
– Verify that authenticators set at default installation can be modified
– Verify that authenticator content is protected in storage and in transmission
– Verify that a periodic authenticator change can be configured
SL 3,4 ISA 62443-4-2 CR 1.5 (1)
– Hardware-based authenticators (smart cards etc.) can be used
Test:
– Confirm that removing the hardware authenticator makes it impossible to operate the component

1.6 Wireless access
Assumptions: NA for Node, Switch, Forwarder and Border gateway; applicable only to Gateway
SL 1 ISA 62443-4-2 NDR 1.6
– A wireless gateway shall be able to identify and authenticate all wireless connections
Test:
– Verify that a human user must log in to access the wireless gateway
– Use the method specified by the vendor to verify that an application or device must identify and authenticate itself to access the gateway
SL 2,3,4 ISA 62443-4-2 NDR 1.6 (1)
– Unique identification and authentication of each wireless connection shall be provided
Test:
– Verify that all wireless connections require unique identification

1.7 Strength of passwords
SL 1,2 ISA 62443-4-2 CR 1.7
For a component using password-based authentication it shall be possible to enforce a password policy (strength and variety), either by the component itself or by another system; passwords must not be stated in documents
Test:
– After applying a password through the central configuration system, try to change the password from another system and verify the result against the policy
SL 3 ISA 62443-4-2 CR 1.7 (1)
A human user cannot reuse a password that was used previously
Test:
– Verify that the system disallows changing the password to any of the previously used passwords, and configure the system for
a password expiration cycle
SL 4 ISA 62443-4-2 CR 1.7 (1)(2)
Password lifetime restrictions apply to all users, not only human users
Test:
– Verify that the system can be configured with password expiration for non-human users (applications, devices)

1.8 Public key infrastructure (PKI) certificates
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 1.8
When PKI is used, it must be operated in accordance with the PKI requirements of this section
Test:
– Verify that certificate validity periods and expiry dates are acceptable

1.9 Strength of public key authentication
SL 1 ISA 62443-4-2 CR 1.9 - NA
SL 2 ISA 62443-4-2 CR 1.9
When PKI is used, certificate validation must follow the requirements of the referenced standard (chain of trust, validity period and revocation status)
Test:
– Attempt authentication with invalid, expired and revoked certificates and verify that each is rejected
SL 3,4 ISA 62443-4-2 CR 1.9 (1)
It shall be possible to protect private keys using hardware
Test:
– Verify that keys are tamper-proof during installation and in storage

1.10 Obscure authentication information
SL 1,2,3,4 ISA 62443-4-2 CR 1.10
During authentication or password entry the component shall not echo credentials or give feedback that reveals the reason for an unsuccessful login (for example whether the user name or the password was wrong), since such feedback can be exploited
Test:
– Perform a valid authentication and then invalid ones; verify that the responses do not reveal whether the user name or the password was wrong, and that no data leaks under a brute-force attempt

1.11 Unsuccessful login attempts
SL 1,2,3,4 ISA 62443-4-2 CR 1.11
The component shall restrict the number of consecutive unsuccessful login attempts for all users, applications etc.; the limit must be configurable and, when it is reached, the account shall be blocked for a configurable period of time
Test:
– Verify that consecutive failed logins lead to a lockout

1.12 System use notification
SL 1,2,3,4 ISA 62443-4-2 CR 1.12
The component shall be capable of displaying a system use notification (warning banner) describing the consequences of unauthorized use before authentication, and may repeat it after a successful login; physical warning posters may be used as well. The notification should not expose unnecessary information about the system
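As an added illustration of the CR 1.10 and CR 1.11 behaviour described above (this is example code written for this page, not code from the guideline or from any product), the following Python login front-end returns one generic message for every failure cause, spends the same hashing time on unknown users as on real ones, and locks an account for a configurable period after a configurable number of consecutive failures. The detailed reason is written only to an internal audit list, which is where the tester looks during the CR 1.10 and CR 1.11 checks. Account names, passwords and the iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Added example (not from the guideline): a login front-end implementing
# CR 1.10 (no feedback about why a login failed) and CR 1.11 (configurable
# limit on consecutive failures, then a configurable lockout period).
# The PBKDF2 iteration count is kept low so the demo runs quickly.
PBKDF2_ITERATIONS = 20_000
GENERIC_FAILURE = "Authentication failed"   # the only message a client ever sees on failure


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive unsuccessful attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class AuthResult:
    ok: bool
    message: str


class Authenticator:
    def __init__(self, max_failures: int = 3, lockout_seconds: int = 300):
        self.max_failures = max_failures        # CR 1.11: configurable limit
        self.lockout_seconds = lockout_seconds  # CR 1.11: configurable block period
        self.accounts = {}                      # user -> Account
        self.audit = []                         # (time, user, detail); never shown to the client
        # A dummy credential so that unknown users cost the same time as real ones
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, now: Optional[float] = None) -> AuthResult:
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._dummy_salt)   # equalize timing (CR 1.10)
            self.audit.append((now, user, "unknown user"))
            return AuthResult(False, GENERIC_FAILURE)
        if now < acct.locked_until:
            self.audit.append((now, user, "attempt while locked"))
            return AuthResult(False, GENERIC_FAILURE)
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit.append((now, user, "login ok"))
            return AuthResult(True, "OK")
        acct.failures += 1
        detail = "wrong password"
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
            detail = f"wrong password; account locked for {self.lockout_seconds}s"
        self.audit.append((now, user, detail))
        return AuthResult(False, GENERIC_FAILURE)


if __name__ == "__main__":
    auth = Authenticator(max_failures=3, lockout_seconds=300)
    auth.add_user("operator", "Correct-Horse-42!")
    t0 = 1_700_000_000.0
    for pw in ("x", "y", "z"):                       # three failures -> lockout
        print(auth.login("operator", pw, now=t0))
    print(auth.login("operator", "Correct-Horse-42!", now=t0 + 10))   # still locked
    print(auth.login("operator", "Correct-Horse-42!", now=t0 + 301))  # lockout expired
    for entry in auth.audit:
        print(entry)
```

The point to verify in a type test is that the client-visible result is identical for an unknown user, a wrong password and a locked account, while the audit trail still distinguishes them; a real product would also persist the lockout state across restarts, which this in-memory demo does not.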
Test:
– Observe that the warning banner (or posters) is displayed before login

1.13 Access via untrusted networks
SL 1,2,3,4 ISA 62443-4-2 CR 1.13
Any access attempt from an untrusted or uncontrolled network shall be monitored and controlled by the gateway
Test:
– Access the component from an untrusted network; once logged in, verify that the access is monitored and recorded in the system

1.14 Strength of symmetric key authentication
SL 1 ISA 62443-4-2 CR 1.14 NA
SL 2 ISA 62443-4-2 CR 1.14
When symmetric key authentication is used, the shared secret and its validation shall follow these rules: MD5, SHA-0, SHA-1, DES and 3DES shall not be used; proprietary encryption algorithms shall be avoided; asymmetric algorithms shall use at least 2048-bit keys with strength at least equivalent to RSA; symmetric algorithms shall use at least 256-bit keys with strength at least equivalent to AES
Test:
– See the OWASP cryptographic guidance for acceptable algorithms
– Verify that private keys, shared secrets or certificates stored on the file system cannot be read or imported without authorized access
SL 3,4 ISA 62443-4-2 CR 1.14 (1)
Hardware protection of the symmetric key, at ISO/IEC 19790 security level 3, is required
Test:
– It must be possible to protect the shared secret keys in hardware

Use case of FR-2 (Use control)
The component shall provide the ability to generate audit records relevant to security, including access control, request errors, control system events, backup and restore events, configuration changes and audit log events. Logs must include timestamp, source device, category, type, event ID and result. The system shall also support continuous real-time monitoring of network and device activity: all authorized and unauthorized access attempts and errors from all devices in the system, and updates including firmware and software.

2.1 Authorization enforcement
SL 1 ISA 62443-4-2 CR 2.1
The component shall enforce authorization for human users based on their assigned roles and privileges
Test:
– If users with different privilege levels exist, select the highest-privilege user account and
use it to exercise all access and features; do the same with a lower-privilege account and verify that the features defined as restricted in the supporting documents are blocked for it
SL 2 ISA 62443-4-2 CR 2.1 (1)(2)
Enforce authorization for all users (human users, applications and devices); the component shall support an authorized role that can define and modify the permissions of all human users
Test:
– Verify by observation that an authorized role with the above ability exists
SL 3 ISA 62443-4-2 CR 2.1 (1)(2)(3)
The component shall support a supervisor manual override; this ability shall expire after the action or event is completed or after a set time
Test:
– The authentication mechanism for the supervisor shall be described in the documentation and verified in the type test
SL 4 ISA 62443-4-2 CR 2.1 (1)(2)(3)(4)
The component shall require approval by two different roles for actions that can have serious or safety-related impacts on the control process (dual approval)
Test:
– Any action requiring dual approval must be described in the documentation and demonstrated in the type test

2.2 Wireless usage
SL 1,2,3,4 ISA 62443-4-2 CR 2.2
If the component supports wireless communication it shall support appropriate authorization, monitoring and usage restriction mechanisms; unique identification of all users is needed
Test:
– Confirm that there are no generic or unlisted users in the configuration
– Confirm the monitoring and logging functions
– Confirm the authentication strength and usage restrictions provided by the device

2.3 Portable and mobile devices
SL 1,2,3,4 ISA 62443-4-2 CR 2.3
Any component that supports the use of portable or mobile devices shall have the capability to prevent or restrict the use of such devices (mobile phones, USB media etc.)
Test:
– Enable the portable device restriction supported by the device and check with a USB device that no data can be transferred

2.4 Mobile code
SL 1,2 ISA 62443-4-2 CR 2.4
Any component that uses mobile code (Java, PDF with embedded scripts, VBScript etc.) shall have the capability to authenticate, authorize and restrict the execution of mobile code, including its transfer to
and from the system
Test:
– Enable blocking of mobile code and verify that no mobile code can be copied to the device or executed via the network; verify blocking of Java, ActiveX and VBScript as a minimum where no other mobile code technologies are present
SL 3,4 ISA 62443-4-2 CR 2.4 (1)
The host shall be capable of verifying the integrity of mobile code before execution
Test:
– With mobile code blocking enabled, repeat the SL 1,2 test; additionally verify that mobile code whose integrity check fails (modified or unsigned) is rejected before execution

2.5 Session lock
SL 1,2,3,4 ISA 62443-4-2 CR 2.5
The component shall have the capability to implement a session lock
Test:
– Verify that a time-based session lock can be configured and works

2.6 Remote session termination
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 2.6
Remote access to applications or to the component from outside the trusted network shall allow the user who initiated the session to terminate it; components with remote session capability must also support a session timeout configuration
Test:
– Verify that the session is torn down after the configured time
– Monitor the network to confirm that the session traffic actually stops
– Verify that the user can terminate the session

2.7 Concurrent session control
SL1,2 NA
SL 3,4 ISA 62443-4-2 CR 2.7
It shall be possible to configure the maximum number of sessions that can run simultaneously, to limit resource exhaustion (DoS)
Test:
– Monitor the network; after the maximum number of sessions is reached, check that another session instance is not allowed

2.8 Audit information
SL 1,2,3,4 ISA 62443-4-2 CR 2.8
It shall be possible to generate audit records for the security events provided by the component
Test:
– Verify that log entries are sufficiently detailed and that the content of each record matches the corresponding event

2.9 Audit storage
SL 1,2 ISA 62443-4-2 CR 2.9
The component shall have sufficient audit storage capacity and shall prevent failure when the capacity is exceeded
Test:
– Generate events until
the storage is full and check that the component keeps functioning
SL 3,4 ISA 62443-4-2 CR 2.9 (1)
An alarm shall be generated when the audit log storage exceeds a threshold
Test:
– Generate events until the storage is full and check that the alarm works

2.10 Audit processing
SL 1,2,3,4 ISA 62443-4-2 CR 2.10
The component shall have the capability to detect failures in generating or processing audit records and shall respond by going to a safe state in case of failure
Test:
– Verify that the product documentation describes this behaviour and test it on the required functions

2.11 Timestamps
SL 1,2 ISA 62443-4-2 CR 2.11
The component shall have the ability to timestamp security events
Test:
– Simulate events (up to five alarms) to generate logs and verify that each entry carries a timestamp
SL 3 ISA 62443-4-2 CR 2.11 (1)
The timestamps must be synchronized with the system-wide time (e.g. NTP)
Test:
– Simulate events, verify the timestamps in the logs and check that they are correctly synchronized with the system time
SL 4 ISA 62443-4-2 CR 2.11 (1)(2)
Any alteration of the time synchronization mechanism shall be subject to authorization, and an unauthorized change shall be logged as an event
Test:
– Modify the external time source and check that the change is logged

2.12 Non-repudiation for user actions
SL 1 NA
SL 2 ISA 62443-4-2 CR 2.12
The component shall be able to determine whether an action was taken by a human user
Test:
– Modify three settings in the device configuration, review the log and verify that the changes are recorded
SL 3,4 ISA 62443-4-2 CR 2.12 (1)
The component shall provide non-repudiation for all users
Test:
– Modify three settings in the device configuration, review the log and verify that the changes are recorded together with the user identification

Use case of FR-3 System integrity
The network device shall provide protection from malicious code; where needed it may rely on compensating controls and need not support protection from malicious code directly. The component shall
validate the syntax and content of input used as industrial process control input, and identify and handle error conditions in a manner that allows effective troubleshooting; signature- and anomaly-based detection is used to alert in real time on known and unknown malware and exploits on the network

3.1 Communication integrity
SL 1,2 ISA 62443-4-2 CR 3.1
The device shall be capable of protecting the integrity of transmitted and received data
Test:
– Verify that data transmitted or received via common or proprietary protocols has integrity checking, e.g. in the form of CRC protection (note: a CRC detects accidental corruption only; it does not protect against deliberate modification, which is what the SL 3,4 requirement addresses)
SL 3,4 ISA 62443-4-2 CR 3.1 (1)
Authentication of the communicated data shall be supported, e.g. by cryptographic message authentication or authenticated encryption
Test:
– Verify by monitoring that transmitted/received data is encrypted; any other mechanism used to authenticate the data shall be verified against the manufacturer's documents and test program

3.2 Malicious code protection
SL 1,2,3,4 ISA 62443-4-2 SAR 3.2 / EDR 3.2 / HDR 3.2 / NDR 3.2
Malware protection must be provided either as part of the component or by compensating controls (e.g. OS lockdown, REDS security measures, application and process whitelisting) implemented in the system and security policy; these measures shall not interfere with the device control functions; a host device must support such protection and report to the protection software
Test:
– Evaluate the threat vectors and compensating controls and verify that no malicious code can be executed on the component, e.g. by transferring the EICAR test file to it

3.4 Software and information integrity
SL 1 NA
SL 2 ISA 62443-4-2 CR 3.4 (1)
The component shall have the ability to perform, or to support and report, integrity checks of software, configuration and other data, and in addition to verify the authenticity of software and configuration
Test:
– If the device supports configuration via files, attempt to load a corrupted file and verify that the change is rejected; other implemented checks, such as for incompatible software or configuration details, are to be
described in the documentation
SL3,4 ISA 62443-4-2 CR 3.4 (1)(2)
If the component itself performs the integrity check it shall raise an alarm upon a violation
Test:
– Verify that appropriate alarms are raised when a corrupted configuration is loaded

3.5 Input validation
SL 1,2,3,4 ISA 62443-4-2 CR 3.5
Input validation shall be implemented and applied to input from human users and from other components; sufficient validation is to be done on the network interfaces of the device for the supported protocols, and the device must handle malformed traffic on any protocol and interface without becoming unresponsive
Test:
– Demonstrate robustness according to ISASecure EDSA-310 and EDSA-401 through EDSA-406 (refer to those documents)

3.6 Deterministic output
Applicable to Node only
SL 1,2,3,4 ISA 62443-4-2 CR 3.6
A node shall be capable of setting the outputs that control a process to a predetermined safe state when normal operation cannot be maintained
Test:
– Monitor the outputs of the device during an abnormal state and document them; the documentation shall describe each abnormal state and the corresponding fail-safe response

3.8 Session integrity
SL 1 NA
SL2 ISA 62443-4-2 CR 3.8
The component shall protect the authenticity of communication sessions and the validity of the data transferred
Test:
– Demonstrate the mechanism described in the component and system documentation
SL3 ISA 62443-4-2 CR 3.8 (1)(2)
Session identifiers shall be unique for each session and invalidated upon logout or termination of the session; only system-generated identifiers shall be recognized by the component
Test:
– Verify that sessions are invalid after logout and that a client-supplied identifier is not accepted
SL4 ISA 62443-4-2 CR 3.8 (1)(2)(3)
Session identifiers shall be generated randomly
Test:
– Collect a sample of session identifiers and verify that no pattern from the generation is observable
– See the OWASP Testing Guide, OTG-SESS-001

3.9 Audit information integrity
SL1 NA
SL 2,3 ISA 62443-4-2 CR 3.9
Audit information such as records, logs and reports is to be protected from unauthorized
access and modification
Test:
– Access the audit logs and tools supported by the device with a standard account and with the highest-privilege account and verify that it is not possible to modify the logs
SL 4 ISA 62443-4-2 CR 3.9 (1)
It shall be possible to store audit logs on write-once media
Test:
– Verify that physical write-once media is used for storing the logs

3.11 Physical tampering
SL1 NA
SL 2 ISA 62443-4-2 EDR 3.11 / HDR 3.11 / NDR 3.11
The component shall be designed to detect and resist physical tampering
Test:
– This property shall be verified by physical inspection
SL 3,4 ISA 62443-4-2 EDR 3.11 (1) / HDR 3.11 (1) / NDR 3.11 (1)
Automatic detection and monitoring of physical tampering; the event shall be logged and reported to authorized personnel
Test:
– Verify by document assessment how physical tampering detection is implemented and that the event is logged and reported; where a non-destructive test is possible, test the capability

3.17 Firmware change
SL 1,2,3,4 ISA 62443-4-2 CR 3.17
There shall be no possibility of an unauthenticated firmware change or of replacement of the physical storage media
Test:
– Verify the physical protection of the firmware storage media, and verify that updates from removable media or over the network require authentication over a secure channel to prevent man-in-the-middle (MITM) attacks

Use case of FR-4 Data confidentiality
The component shall protect the confidentiality of information at rest and in transit. If cryptography is required, the component shall use cryptographic mechanisms according to internationally recognized practices. Users shall be able to verify that sensitive information is communicated using secure encrypted protocols and cipher suites, and encrypted communication in the monitored network shall follow international standards and recognized security practices.

4.1 Data confidentiality
SL 1,2,3,4 ISA 62443-4-2 CR 4.1
The component shall be able to protect the confidentiality of information and avoid exposing data to unauthorized parties (e.g. if the device supports SNMP, it shall return nothing beyond the necessary data to SNMP
requests)
Test:
– Verify that the device does not leak critical information via its supported services and protocols (the most common are HTTPS, NetBIOS and SNMP): connect to the device and attempt to fetch data without authentication

4.2 Purging of information from end-of-life components
SL 1 NA
SL 2 ISA 62443-4-2 CR 4.2
Upon decommissioning of the component it shall be possible to purge all information that the policies define as subject to authorization
Test:
– Test the factory default reset function and verify that all such data is gone
SL 3,4 ISA 62443-4-2 CR 4.2 (1)(2)
Specific mechanisms shall be implemented to ensure that volatile shared memory is confirmed purged, to avoid unintended transfer of information
Test:
– Verify that the contents of volatile storage are not available after its removal or after shutdown

4.3 Cryptography
SL 1,2,3,4 ISA 62443-4-2 CR 4.3
If the component utilizes encryption, the following requirements apply:
– Algorithms not to be used: MD5, SHA-0, SHA-1, DES, 3DES
– Proprietary encryption algorithms must not be used
– An asymmetric encryption algorithm shall provide at least a 2048-bit key length with strength at least as strong as RSA; symmetric encryption shall provide at least a 256-bit key length with strength at least of AES class
Test:
– Inspect traffic from and to the component and verify that it is properly encrypted (protocol version, cipher suite and key length)

Use case of FR-5 Restricted data flow
The component shall support a segmented network, so that the broader network architecture can be divided by logical segmentation and criticality. A network device at a zone boundary shall monitor and control communications at the boundary to enforce the compartmentalization defined by the risk-based zones and conduits model; it shall also have the ability to prevent general-purpose person-to-person messages from users or external systems from being received by the control system. Generate an automatic and
accurate visualization of all active IP-connected devices and traffic flows, facilitating the identification of security perimeters, access points, functional groups and logically related devices

5.1 Network segmentation
SL 1,2,3,4 ISA 62443-4-2 CR 5.1
The component shall support the provision of a segmented network; segmentation can be employed to improve the performance and security of the overall network by supporting multiple zones with different risk requirements
Test:
– Demonstrate that a probe placed in one network segment cannot be reached from another segment; depending on the segmentation technology used, choose an appropriate probe and initiation method

5.2 Firewall
SL1 ISA 62443-4-2 NDR 5.2
The device providing boundary protection shall be capable of filtering and monitoring traffic
Test:
– Verify that the component has functionality to configure blocking and monitoring of a given network stream traversing it
SL2 ISA 62443-4-2 NDR 5.2 (1)
The component shall by default deny all network traffic crossing the zone boundary and permit traffic only by exception
Test:
– Verify that direct connections to the protected network are disabled by default
SL3 ISA 62443-4-2 NDR 5.2 (1)(2)(3)
The component shall be able to work in island mode, where no traffic can cross the boundary; the component shall respond to a failure of the boundary protection in a fail-safe (fail-closed) manner and revert to island mode when needed
Test:
– Verify the firewall capabilities with a full TCP/UDP port scan and an IP fragmentation scan
– Test tunneling from the secure side using ICMP, DNS, SSH and HTTP
– Map the ACLs by firewalking from both the insecure and the secure zone
– If it is possible to configure the component with an invalid configuration (e.g. delete all ACL rules), verify that all connections are denied in the fail state
SL4 ISA 62443-4-2
The component shall have state-of-the-art firewall functions such as stateful inspection and deep packet inspection (DPI)
Test:
– Verify the advanced firewall capability,
at least by testing ICMP, DNS and HTTP tunneling

5.5 Guarded DHCP service
SL 1,2,3
If the device runs a DHCP server, the service shall be guarded, i.e. an unauthorized unit shall not automatically get an IP address assigned by the device
Test:
– Verify that it is possible to configure and enforce a list of clients (by MAC address) that are allowed to obtain an IP address
SL4
A rogue DHCP server shall be detected
Test:
– Simulate a rogue DHCP server (e.g. DHCP reply and advertisement) and verify that it is detected

5.6 Switch loop prevention
SL 1,2,3,4 IEC 61162-460 Sec 5.2.2
The switch shall have capabilities for preventing switching loops on all interfaces, such as RSTP, MSTP or other protocols
Test:
– IEC 61162-460 Sec 10.6.2: refer to the verification and test described in the referenced standard

Use case of FR-6 Timely response to events
The component shall provide the ability for authorized humans or tools to access audit logs on a read-only basis, and to continuously monitor, detect, characterize and report security breaches in a timely manner. Monitoring can be achieved through a variety of tools such as IDS, IPS and network monitoring mechanisms; this includes remote access and communication protocols to control system components as well as file transfer operations.

6.1 Audit information accessibility
SL 1,2 ISA 62443-4-2 CR 6.1
The audit records required by section 3 (2.8) shall be accessible on a read-only basis, subject to authorization
Test:
– Verify that manual read-only access to the audit logs is available (subject to authorization)
SL 3,4 ISA 62443-4-2 CR 6.1 (1)
It shall be possible to access the audit records through an application programming interface (API) for analysis and other event management purposes
Test:
– Demonstrate access to the audit logs using the vendor's API and verify that access is not possible without appropriate credentials

6.2 Continuous monitoring
SL1 NA
SL 2,3,4 ISA
62443-4-2 CR 6.2
It shall be possible to continuously monitor the security mechanisms provided by the component; such monitoring may be performed by a dedicated intrusion detection system (IDS) or intrusion prevention system (IPS)
Test:
– The manufacturer shall document and demonstrate that all implemented security mechanisms are, and can be, continuously monitored through event recording or other services

Use case of FR-7 Resource availability
The component shall maintain its essential functions in a degraded mode during a DoS attack, and shall restrict the use of unnecessary functions, ports, protocols and services. It shall provide the ability to support a control system component inventory with real-time detection of DoS attacks, and to create a port and protocol inventory of the required services and devices.

7.1 Denial of service protection
SL1 ISA 62443-4-2 CR 7.1
The application or component must cope with a DoS event:
– If normal operation is not possible, depending on the DoS situation the component shall revert to a degraded mode in which essential functions, safety functions and local control functions are maintained; any effect shall comply with the applicable fail-safe principles
– The component shall stay functional and operable as expected by the operator under network stress
– Warnings or alarms may be issued for a component that is subjected to high network loads
– The maximum input and output bandwidth of a node shall be stated in the manufacturer's documentation
Test: IEC 61162-460 Sec 10.5.2.2
– DoS protection shall be tested at least by load stress testing with valid traffic, generated either at a rate below the saturation load threshold specified by the vendor (simulating normal but busy plant conditions) or at the fully auto-negotiated link rate (simulating an attack or malfunction)
– Saturation rate tests are to be executed for durations long enough for the saturation effects to manifest; stress testing shall be
deterministic (repeatable), and the traffic generation shall cover the protocols supported by the device
SL 2,3,4 ISA 62443-4-2 CR 7.1 (1)
The means provided to ensure operation of the node during a DoS event (such as rate limiting and the DoS prevention methods in switches, forwarders and gateways) shall be implemented and described in the manufacturer's documentation
Test: IEC 61162-460 Sec 10.6.3.2, 10.7.4.2, 10.8.1 and 10.12.3.7
– Test network resilience with unicast, multicast and broadcast traffic addressing the protocols relevant in the network into which the component is typically deployed; this test should cover at least the Ethernet/data link layer, the IPv4 network layer and the TCP and UDP transport layer
– If applicable, simulate the DoS conditions to verify that the implemented mitigation mechanisms are working

7.2 Resource management
SL 1,2,3,4 ISA 62443-4-2 CR 7.2
The component shall have the ability to manage resources such that low-priority processes are prevented from interfering with high-priority processes
Test:
– The manufacturer's documents shall describe the specific mechanisms ensuring that high-priority functions are not affected by security functions; such resource management is tested as part of malicious code protection, DoS protection, audit storage, switch loop prevention and backup
– CPU consumption tolerance may be tested with tools such as stress-ng (Linux/Unix) or consume.exe (Windows)

7.3 Backup
SL 1 ISA 62443-4-2 CR 7.3
The component shall support system-level backup operations
Test:
– Perform a system backup and verify that the backup can be restored
SL 2 ISA 62443-4-2 CR 7.3 (1)
Successful execution of a backup shall be verified without the need for manual action; an alarm shall be produced if faults occur or the integrity of the backup is compromised; the backup shall be validated before restore
Test:
– Test the validation of the backup information
SL 3,4 ISA 62443-4-2 CR
7.3 (1)(2)
It shall be possible to perform a local backup of the component
Test:
– Restore a local backup

7.4 Retention of configuration
SL 1,2,3,4 ISA 62443-4-2 CR 7.4
Upon restoration of power the component shall boot into its intended operation without any configuration loss; in case of failure it shall revert to its safe and secure state
Test:
– Document the component's configuration settings, switch it off and restart it, and verify that it starts completely with the documented configuration

7.5 Network and security configuration settings
SL 1,2 ISA 62443-4-2 CR 7.6
The component shall be delivered with a default network and security configuration matching the manufacturer's recommended settings; modifications shall be made in accordance with the security policies
Test:
– Verify that the device default configuration is as recommended by the vendor
– Verify the configuration file required in Sec 2 (2.6)
SL 3,4 ISA 62443-4-2 CR 7.6 (1)
The component shall be able to generate a machine-readable report of, or export to a file, its current security configuration settings
Test:
– Export the machine-readable configuration report, then import and read it with the vendor-supplied or a compatible tool

7.6 Least functionality
SL 1,2,3,4 ISA 62443-4-2 CR 7.7
Applications or components serving essential and important functions shall have the capability to prevent the installation, enabling or use of unnecessary or irrelevant functions, ports, protocols and services
Test:
– Verify by scanning the device that no unnecessary UDP or TCP ports are open

7.7 Component inventory
SL1 NA
SL 2,3,4 ISA 62443-4-2 CR 7.8
It shall be possible to identify the component's hardware and software type and version, including the version and revision of configurable elements
Test:
– Verify that the properties listed in the requirement are reported by, or visible on, the component

Authentication and authorization technologies for IEC 62443-3-1
Covered topics:
# Authentication and authorization briefing
# Role based access control (RBAC)
# Password based
# Challenge response based (CHAP)
# Physical token based
# Smart card based
# Biometric based
# Location based
# Password distribution and management
# Device to device authentication

1, Authentication and authorization briefing
– Authentication, followed by authorization, is the initial step in protecting ICS/OT systems
– It can be as specific as granting access to particular files in an application, or as broad as access to the entire ICS environment
– Authentication and authorization (AA) are fundamental to access control for a system
– Two components of authentication:
  • User authentication
  • Network service authentication

2, Role based access control
"Role-based access control (RBAC) is a technology and tool that is attracting a great deal of attention because of its potential for reducing the complexity and cost of security administration in networks with large numbers of intelligent devices, like some IACS systems."
Benefits:
– By assigning specific privileges, user privilege management by security groups restricts users from accessing unauthorized data
– Reduces security violations by improving overall access control for users and network devices in a secured way
– Provides a uniform means to manage access to plant floor devices while reducing the cost of maintaining individual device access levels and minimizing errors
– In dynamic environments, where users enter and leave employment and contractors, OEMs, system integrators and vendors come and go, RBAC addresses the administration problem by basing access on a user's role or job responsibilities rather than customizing access for everyone. For example, machine operators may be able to view certain files but not alter them. The machine operators could view files on several devices, but the machine vendor's support engineers could access additional functions only on their specific machine.
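The operator/vendor-engineer example above, written out as an added Python illustration (this is example code for this page, not code from the guideline, from IEC 62443-3-1 or from any product): roles carry permissions, a role assignment can be scoped to specific devices, and actions with serious impact need two approvers acting under two different roles, which is the CR 2.1 SL4 dual-approval idea from the earlier requirements. Role names, permissions, users and device ids are all made up for the demo.

```python
from dataclasses import dataclass

# Added example (not from the guideline or IEC 62443-3-1): a minimal RBAC
# decision point with device-scoped role assignments and dual approval.
ANY_DEVICE = "*"   # wildcard scope: the role applies on every device

# Roles -> permitted actions (constructed set, not from the standard)
ROLE_PERMISSIONS = {
    "operator":        {"view"},
    "maintenance":     {"view", "acknowledge_alarm"},
    "vendor_engineer": {"view", "configure", "update_firmware"},
    "supervisor":      {"view", "configure", "update_firmware", "override"},
}

# Actions with serious or safety-related impact: two approvers holding two
# different roles are required before they are allowed.
DUAL_APPROVAL_ACTIONS = {"update_firmware", "override"}


@dataclass(frozen=True)
class Assignment:
    role: str
    devices: frozenset   # device ids, or frozenset({ANY_DEVICE})


class Rbac:
    def __init__(self) -> None:
        self.assignments = {}   # user -> list of Assignment

    def assign(self, user: str, role: str, devices=(ANY_DEVICE,)) -> None:
        """Give `user` the role, limited to the listed devices (wildcard by default)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(user, []).append(Assignment(role, frozenset(devices)))

    def roles_for(self, user: str, device: str) -> set:
        """Roles the user holds that are in scope for this device."""
        return {a.role for a in self.assignments.get(user, [])
                if ANY_DEVICE in a.devices or device in a.devices}

    def granting_roles(self, user: str, action: str, device: str) -> set:
        """Subset of the in-scope roles that actually permit the action."""
        return {r for r in self.roles_for(user, device) if action in ROLE_PERMISSIONS[r]}

    def is_authorized(self, user: str, action: str, device: str) -> bool:
        return bool(self.granting_roles(user, action, device))

    def dual_approved(self, action: str, device: str, approvers) -> bool:
        """True if two distinct, individually authorized users can act under two different roles."""
        if action not in DUAL_APPROVAL_ACTIONS:
            return False
        granting = {u: self.granting_roles(u, action, device) for u in set(approvers)}
        users = [u for u, roles in granting.items() if roles]
        for i, a in enumerate(users):
            for b in users[i + 1:]:
                if len(granting[a] | granting[b]) >= 2:   # not the same single role twice
                    return True
        return False


def build_demo_policy() -> Rbac:
    """The situation from the text: operators view everywhere; the vendor's
    engineer gets extra functions only on the machine that vendor delivered."""
    rbac = Rbac()
    rbac.assign("alice", "operator")                             # any device
    rbac.assign("bob", "vendor_engineer", devices={"PLC-07"})   # scoped to one machine
    rbac.assign("carol", "supervisor")
    rbac.assign("dave", "supervisor")
    return rbac


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.is_authorized("alice", "view", "PLC-01"))                      # True
    print(p.is_authorized("alice", "configure", "PLC-01"))                 # False
    print(p.is_authorized("bob", "configure", "PLC-07"))                   # True
    print(p.is_authorized("bob", "configure", "PLC-08"))                   # False
    print(p.dual_approved("update_firmware", "PLC-07", ["bob", "carol"]))  # True
    print(p.dual_approved("override", "PLC-07", ["carol", "dave"]))        # False: same role twice
```

The scoping is what keeps the vendor engineer off other machines; the dual-approval check refuses two approvers who only share one role, which is the difference between "two people" and "two roles".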
Roles can also be set up based on location, projects, schedule and management level.

3, Password authentication
Password access should be managed according to the password policy enforced by the organization; the policy is typically enforced for all user credentials and IDs that require a password, in all areas of access.

Issues in deploying password protection

Industrial password management and risk assessment

Recommended policy for passwords
– Passwords should have appropriate length and entropy for the security required. They should not be found in a dictionary or contain predictable sequences of numbers or letters.
– User authentication not subject to social engineering methods shall be employed. These can include face-to-face ID authentication and voice-mail delivery.
– Passwords should be used with care on operator interface devices such as control consoles on critical processes.
– The keeper of master passwords should be a trusted employee, available during emergencies.
– Authority to change higher-level passwords should be limited to trusted employees.
– A password log, especially for master passwords, should be maintained separately from the control systems, possibly in a notebook locked in a vault or safe.
– In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical access controls), users should consider supplementing password authentication with other forms of authentication, such as two-factor authentication using biometric or physical tokens.
– Passwords should not be sent across any network unless protected by some form of strong encryption or a salted cryptographic hash specifically designed to prevent replay attacks.
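A checker for the first recommendation above (length, entropy, dictionary words, predictable sequences), combined with the CR 1.7 SL3 rule from the earlier requirements that a previously used password may not be reused, as an added Python example (not code from the guideline or from any product). The thresholds, the tiny word list and the PBKDF2 iteration count are placeholders chosen for the demo; a real deployment takes these from the organization's policy and a full dictionary or breach list.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Added example (not from the guideline): password policy checker plus a
# reuse check against salted hashes of previous passwords (CR 1.7 SL3).
MIN_LENGTH = 12            # assumed policy values
MIN_ENTROPY_BITS = 60
HISTORY_SIZE = 5
COMMON_WORDS = {"password", "welcome", "admin", "operator", "plant", "scada", "controls"}
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy from the character classes used: len * log2(pool size)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def has_predictable_sequence(password: str, run: int = 4) -> bool:
    """Detect runs like 'abcd', '4321' or 'aaaa' of length `run`."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_SIZE passwords, never the passwords."""
    def __init__(self) -> None:
        self.entries = []   # list of (salt, hash)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-HISTORY_SIZE:]

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), h)
                   for salt, h in self.entries)


def check_password(password: str, history: Optional[PasswordHistory] = None) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        violations.append("low entropy")
    if any(word in password.lower() for word in COMMON_WORDS):
        violations.append("contains dictionary word")
    if has_predictable_sequence(password):
        violations.append("predictable sequence")
    if history is not None and history.contains(password):
        violations.append("reuses a previous password")
    return violations


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.remember("Tr0ub4dor&3x9!")
    for candidate in ("password1234", "Operator2023", "Tr0ub4dor&3x9!", "kY7#vq2!Lm9pWz"):
        print(candidate, "->", check_password(candidate, hist) or "OK")
```

The entropy figure is an upper bound derived from character classes, which is what most policy engines compute; it overstates the strength of passwords built from dictionary words, which is why the dictionary and sequence checks run in addition to it rather than instead of it.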
– It is assumed that the device used to enter a password is connected to the network in a secure manner.
– For network service authentication purposes, passwords should be avoided if possible. There are more secure alternatives available, such as challenge/response or public-key authentication.

4, Challenge response authentication (CHAP)
Security vulnerabilities addressed:
– Vulnerabilities of traditional password authentication.
– Because the secret is known in advance and never sent in challenge/response systems, the risk of discovery is eliminated.
– If the service provider can never send the same challenge twice, and the receiver can detect all duplications, the risks of network capture and replay attacks are eliminated.
Requirements:
– Challenge/response authentication requires that the SERVICE REQUESTER, the IACS OPERATOR, and the SERVICE PROVIDER know a "secret" code in advance.
– When service is requested, the service provider sends a random number or string as a challenge to the service requester.
– The service requester uses the secret code to generate a unique response for the service provider.
– If the response is as expected, it proves that the service requester has access to the "secret" without ever exposing the secret on the network.
Issues and weakness:
– Challenge/response authentication cannot be used directly for user authentication because users are not willing to manually combine their passwords and a challenge to calculate a suitable response. This problem is solved by PPP-CHAP (PPP: Point-to-Point Protocol).
– The greatest weakness in CHAP for network service authentication lies in any system that allows a "roll-back attack". In a rollback attack, the attacker causes the service provider to use a weaker authentication, such as plain text passwords or no authentication at all. This vulnerability can be avoided by restricting network service authentication to a secure protocol.
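The exchange described in the requirements above, with the never-repeat-a-challenge rule and the roll-back refusal, as an added example that is not part of the original guideline. It assumes an HMAC-SHA256 response in place of the MD5 digest of classic PPP-CHAP; the requester name and shared secret are constructed.

```python
# Added example (not from the IEC 62443 text): a challenge/response exchange
# between a service requester and a service provider that share a secret in
# advance. Assumptions: the response is an HMAC-SHA256 over the challenge
# rather than the MD5 digest of classic PPP-CHAP; names and secrets are
# constructed for illustration.
import hashlib
import hmac
import secrets
from typing import Dict


def compute_response(secret: bytes, requester: str, challenge: bytes) -> bytes:
    # Both sides derive the response from the shared secret; the secret itself
    # never crosses the network, only the challenge and this digest do.
    return hmac.new(secret, requester.encode() + challenge, hashlib.sha256).digest()


class ServiceProvider:
    def __init__(self, shared_secrets: Dict[str, bytes]) -> None:
        self._secrets = shared_secrets
        self._issued: set = set()               # every challenge ever sent
        self._pending: Dict[str, bytes] = {}    # requester -> currently open challenge

    def negotiate(self, requested_method: str) -> str:
        # Roll-back defence: a peer asking for plain-text passwords or for no
        # authentication at all is refused instead of being accommodated.
        if requested_method != "challenge-response":
            raise PermissionError(f"downgrade to {requested_method!r} refused")
        return requested_method

    def issue_challenge(self, requester: str) -> bytes:
        challenge = secrets.token_bytes(16)
        while challenge in self._issued:        # never send the same challenge twice
            challenge = secrets.token_bytes(16)
        self._issued.add(challenge)
        self._pending[requester] = challenge
        return challenge

    def verify(self, requester: str, challenge: bytes, response: bytes) -> bool:
        open_challenge = self._pending.pop(requester, None)
        # A response to a challenge that is not currently open is a replay (or
        # unsolicited), so it is rejected before any secret is consulted.
        if open_challenge is None or not hmac.compare_digest(open_challenge, challenge):
            return False
        secret = self._secrets.get(requester)
        if secret is None:
            return False
        expected = compute_response(secret, requester, challenge)
        return hmac.compare_digest(expected, response)


class ServiceRequester:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self._secret = name, secret

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self._secret, self.name, challenge)


def run_exchange() -> Dict[str, bool]:
    """Genuine logon, then a captured-and-replayed one, a wrong secret, a downgrade."""
    provider = ServiceProvider({"hmi-01": b"constructed-shared-secret"})
    hmi = ServiceRequester("hmi-01", b"constructed-shared-secret")
    rogue = ServiceRequester("hmi-01", b"guessed-secret")   # impersonator without the secret
    results: Dict[str, bool] = {}

    provider.negotiate("challenge-response")
    c1 = provider.issue_challenge(hmi.name)
    r1 = hmi.respond(c1)
    results["genuine"] = provider.verify(hmi.name, c1, r1)
    # An eavesdropper captured (c1, r1) on the wire and sends the pair again.
    results["replay"] = provider.verify(hmi.name, c1, r1)
    c2 = provider.issue_challenge(hmi.name)
    results["wrong_secret"] = provider.verify(hmi.name, c2, rogue.respond(c2))
    try:
        provider.negotiate("plaintext-password")
        results["downgrade_refused"] = False
    except PermissionError:
        results["downgrade_refused"] = True
    return results


if __name__ == "__main__":
    print(run_exchange())
```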
– A theoretical weakness in challenge/response authentication is that an attacker is provided with both the challenge and the response to examine off-line. If a known algorithm and key are used to create the response, an attacker can use this knowledge to calculate the "secret". This vulnerability can be avoided by using cryptographic algorithms.
Future Directions:
– CHAP is used in the same way as the Password Authentication Protocol, but CHAP provides a higher degree of security.
– CHAP can be used by remote users, routers, and network access servers to provide authentication before providing connectivity.
– Challenge/response authentication provides more security than encrypted passwords for user authentication across a network.
Industrial password management and risk assessment:
– For user authentication, the direct use of challenge/response authentication is not feasible for control systems due to the possible latency that may be introduced in the fast dynamics required for access to a control system or industrial network.
– For network service authentication, the use of challenge/response authentication is preferable to more traditional password or source identity authentication schemes.

5, Physical token authentication
SECURITY VULNERABILITIES ADDRESSED:
– Can prevent the secret from being easily duplicated or shared.
– The secret within a physical token can be longer, physically secure, and randomly generated.
– Physical token authentication is equivalent to password authentication; also, since the secret is embedded in a physical object, it carries reduced risk.
– Technologies like smart cards and tokens must be in hand to gain access to the system.
– Tokens support single-factor authentication and two-factor authentication, which requires an additional PIN or password to be authenticated.
Issues and weakness:
– Single-factor authentication is vulnerable if the token is in the control of a foreign entity.
– Dual-factor authentication can be used only for high security applications.
– It is more secure when combined with other forms of authentication (MFA, 2FA).
– Tokens are an expense to the company and require additional servers to support their functioning.
Recommendations:
– Physical/token authentication has the potential for a strong role in IACS environments.
– Single-factor methods such as passwords can be combined with physical/token authentication to create a significantly more secure two-factor authentication system.
– Ensure that the hardware implementation of the physical token is tamperproof against X-ray, reverse engineering, or tampering with the registers on the physical token where the key and associated algorithms are stored.
– If physical/token authentication is deployed, it is important to include sufficient resources to manage issues regarding tokens, including token distribution, replacement and returns.

6, Smart card authentication
SECURITY VULNERABILITIES ADDRESSED:
– Smart cards enhance software-only solutions, such as password authentication, by offering an additional authentication factor.
– Enable portability of credentials and other private information between multiple computer systems.
– Provide tamper-resistant storage for protecting private keys and other forms of personal information.
– They are like token authentication with more functions.
– Can be configured to run multiple authentication roles (e.g. building access, ID and authenticator).
– They are credit card sized devices and personalized as needed.
– Smart cards can be issued in house and personalized, or purchased from vendors.
Issues and weakness:
– Using the smart card for other than its intended purpose can create a code access vulnerability.
– If lost or stolen, a card can provide some level of access, but without the matching hardware it is rendered useless; the loss can also create a temporary block in services.
– It can be compromised using Differential Power Analysis (DPA), which is done by monitoring the electrical signal to retrieve data secretly.
– It is vulnerable to attack if the workstation is compromised.

7, Biometric authentication
SECURITY VULNERABILITIES ADDRESSED:
– Like physical tokens and smart cards, biometric authentication enhances software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element of memorizing complex secrets.
– As biometric characteristics are supposedly unique to a given individual, biometric authentication addresses the issue of lost or stolen physical tokens and smart cards.
– Biometric authentication technologies determine authenticity by measuring presumably unique biological characteristics of the human requesting access.
– Usable biometric features include fingerprints, facial geometry, retinal and iris signatures, voice patterns, typing patterns, and hand geometry.
Issues and weakness:
– All biometric devices suffer from the need to distinguish a real object from a fake (a real person from an image or a copied fingerprint).
– All biometric devices are subject to type-I and type-II errors (not recognizing valid access on the first attempt, and randomly recognizing invalid access).
– In all cases, the user should attempt to implement biometric authentication devices that have the lowest crossover between these two probabilities, also known as the crossover error rate.
– Temporary inability of the sensing device to acknowledge a legitimate user can prevent needed access to the control system.
– Some biometric devices are environmentally sensitive. As a result, temperature, humidity, and other environmental factors can affect these devices.
– Biometric scanners are reported to "drift" over time and may need occasional retraining. Human biometric traits may also shift over time, necessitating periodic scanner retraining.
– Some biometric authentication devices are more "socially acceptable" than others. (For example, retinal scans are very low on the scale of acceptability, while iris scanners and fingerprint scanners are high on the scale of acceptability.)
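The type-I/type-II trade-off and the crossover error rate from the list above, worked through as an added example that is not part of the original guideline. The match scores are constructed; a real evaluation uses the scanner's own genuine and impostor score distributions.

```python
# Added example (not from the IEC 62443 text): computing a biometric scanner's
# type-I (false reject) and type-II (false accept) rates over a range of
# decision thresholds and locating the crossover error rate (CER). The match
# scores below are constructed for illustration.
from typing import List, Tuple

# Similarity scores in [0, 1]: the scanner accepts when score >= threshold.
GENUINE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.45]
IMPOSTOR_SCORES = [0.05, 0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.55, 0.65, 0.70]


def error_rates(threshold: float, genuine: List[float],
                impostor: List[float]) -> Tuple[float, float]:
    """Returns (FRR, FAR) at one threshold.

    FRR (type-I): a legitimate user is rejected because the score fell below
    the threshold. FAR (type-II): an impostor is accepted because the score
    reached the threshold.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float],
                         impostor: List[float]) -> Tuple[float, float, float]:
    """Sweeps every observed score as a candidate threshold and returns
    (threshold, FRR, FAR) where the two error rates are closest; that is the
    operating point a device datasheet reports as its CER."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


def operating_point(max_far: float, genuine: List[float],
                    impostor: List[float]) -> Tuple[float, float, float]:
    """Picks the lowest threshold whose FAR does not exceed max_far. A control
    system door often tolerates more false rejects than false accepts, so the
    chosen point sits above the CER and trades FRR for a lower FAR."""
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return 1.0, 1.0, 0.0   # no threshold met the target: reject everyone


if __name__ == "__main__":
    print("CER (threshold, FRR, FAR):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 10% point:", operating_point(0.10, GENUINE_SCORES, IMPOSTOR_SCORES))
```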
8, Location based authentication
SECURITY VULNERABILITIES ADDRESSED:
– Passwords and PINs are prone to guessing, hacking and interception.
– Encryption and other systems, including biometric systems, can also fail.
– Devices can be stolen too.
– Location based authentication systems can determine authentication based on the physical location of the human or device requesting access.
– Direct authentication is possible since location is a fixed geographic state.
– Geodetic solutions and location signatures add an additional, invisible layer of access control.
– Only a small portion of IACS control systems use location based protection and authentication.
Issues and weakness:
– It is of great use when users are authenticated from a wireless access point.
– Access to the system can be verified only if the user is within the geo-boundary set, practically severing the access if the boundary is exceeded.
– Different roles and access can also be granted based on location; an engineer working on a laptop on site can be authorized for read-only access when off site.
– Use of location can potentially track the location of the user and device.
– Requires hardware in both host and client devices, which costs extra.

9, Password distribution and management
SECURITY VULNERABILITIES ADDRESSED:
– If passwords are properly generated, updated, and kept secret, they can provide effective security.
– Passwords are authentication based on what a user knows, as opposed to something the control system user has or is.
– User IDs and passwords are updated through password policy enforcement.
Issues and weakness:
– An attacker can listen to network traffic to retrieve password information and use it in a replay attack.
– Access to the password file or database located on the authentication server exposes the credentials.
– They are a weak security mechanism.
– Brute force attacks try multiple password combinations for access.
– Dictionary attacks use a file of words to possibly gain access.
– Social engineering is spamming the user for access to the system, such as phishing.
Industrial Assessment: OTP based authenticators
Synchronous (time based OTP generators) | Asynchronous (challenge code based OTP generators)
Password is encrypted and decrypted using a time-change parameter validity | Password is encrypted and decrypted using challenge code validity
The time value is fed to the token device to create the password | A challenge nonce is fed to the token device to create the password
Recommendations:
– The degree of security needs to be consistent with the value of the information and the process and, especially for control systems, with the critical industrial assets and equipment that it protects.
– Small, stand-alone control systems that do not contain valuable information, that are connected to insignificant benign assets, do not control valuable processes, and are not connected to the Internet can be protected with simple passwords.
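The synchronous, time-based column of the OTP table above, implemented with the HOTP/TOTP construction (HMAC-SHA1 with dynamic truncation) as an added example that is not part of the original guideline. It assumes a 30-second time step, a one-step validity window either side for clock drift, and the RFC 4226/6238 test-vector secret; a deployed token has its own provisioned secret.

```python
# Added example (not from the IEC 62443 text): time-synchronous OTP. The token
# and the server each derive the same code from the shared secret and the
# current time step, so no challenge has to cross the network. Assumptions:
# 30-second step, one-step window, and the RFC 4226/6238 test-vector secret.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a counter value (the token device's input)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """The time value selects the counter; token and server agree by clock alone."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side: accepts a code only inside the validity window and only once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1   # highest time step already consumed by a logon

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue         # replay of a used step, or older than one accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


DEMO_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("first use:", v.verify(code, now), "| replay 5 s later:", v.verify(code, now + 5))
```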
– Systems that are interconnected and hold information need to have sophisticated security passwords.
– In a compensated process, hacker intrusion could result in loss of millions, damage to systems and products, loss of information and harm to all.

10, Device to device authentication
SECURITY VULNERABILITIES ADDRESSED:
– Mitigates vulnerabilities associated with data integrity.
– Authentication technology will prevent any entity without the proper token from sending authentic data, regardless of the data content (e.g., data could be telemetry, firmware, files, SCADA commands, or other).
– Man-in-the-middle attacks are mitigated by this technology.
– If the authentication of data occurs at a device's application layer, then authentication technology will prevent some forms of attacks focused on corrupting the data before it is sent.
– If the authentication validates the user's identification (such as with biometric devices), then this technology is further beneficial.
– Device to device authentication ensures that malicious changes to data traveling between two devices are recognized.
– Data verified as authentic in the originating device must be validated by the receiving device.
– This does not prevent malicious tampering of data, but detects it.
– This applies to all mobile devices, to identify users and the type of application sending data and sessions.
Deployment:
– Device to device authentication is deployed along with encryption; authentication alone does not provide confidentiality, which is achieved with encryption.
Issues and weakness:
– Device to device authentication does not guarantee mitigation of DoS attacks; it must not be confused with privilege or role based access control.
Industrial Assessment:
– The authentication technology widely used is TCP/IP; ICS protocols are IP based and have some challenges in implementing it.
– Future progress in DNP3 / IEC 60870-5 protocols.
– Users must follow best practice as prescribed by the vendor.

Network protection technologies from 62443-3-1
Covered Topics:
# Network Firewalls
# Host based Firewalls
# Virtual Local Area Network (VLAN)

1, Network Firewalls
Firewalls are the most commonly used technology to enforce security: they limit data flowing from or to the process, help in successful and safe logging, and enable network interaction through routing and NAT.
– Firewalls control access to and from the network and protect systems from unauthorized use.
– It is important to have a firewall in the IACS separating the enterprise network and the Internet.
– They block all traffic from the network and allow only the required traffic.
– Best practice is to let a server control LAN access on the enterprise network, with a firewall placed between it and the DMZ.
Issues and weakness:
– Firewalls are not a solution to all intrusion problems in an IACS.
– Firewalls are not designed for process industry applications (DCS, SCADA), making it difficult to tailor the filtering for optimal security.
– Software and hardware firewalls should be used in connection with other security measures such as IDS systems, monitoring systems, and computer software such as Active Directory and VPNs.
– Firewalls have evolved and become increasingly complex, sometimes requiring specialized expertise for each different brand or model.
– Reviewing logs needs central monitoring systems.
– Patch management of firewalls is as important as patching servers and clients.

2, Host based firewall
Host-based firewalls are software solutions deployed on a workstation or controller to control traffic that enters or leaves that specific device.
SECURITY VULNERABILITIES ADDRESSED:
– Works by enforcing a set of rules for network control on the controller or device.
– Enforces a local access control policy by blocking or permitting certain types of traffic.
– Protects the system it is installed on from unauthorized communications and applications from other systems.
– Acts as a host intrusion detection system.
– Blocks inbound packets from being processed.
– Controls outbound traffic from the host.
– Records information for monitoring and detection.
Issues and weakness:
– Does not protect against data driven attacks and some DoS, social engineering and insider jobs.
– Cannot protect against tunneling over allowed applications by infected applications.
– Firewall deployment does not remove the need to implement software control on all networks and servers.
– It does not help if access is not configured properly (ports and access).
– Only specialized IT personnel shall be allowed to modify the firewall.
Industrial Assessment

3, Virtual Local Area Networks (VLAN)
Virtual Local Area Networks divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design.
Categories of VLAN:
Static | Also called port-based: switch ports are assigned to a VLAN and known to the end user. When a device is connected to a port it automatically assumes the VLAN assigned to that port. Used to reduce broadcasts and improve security.
Dynamic | The end device negotiates with the switch to determine the VLAN from its IP or hardware address. Provides more flexibility, allowing hosts to roam the network; however, setting up the VMPS server and the MAC-to-server mapping is a bit tiring.
SECURITY VULNERABILITIES ADDRESSED:
– VLANs are not typically deployed to address host or network vulnerabilities in the same way as a firewall or intrusion detection system.
– A properly segmented network can also mitigate the risk of broadcast storms, which may result from port scanning and worm activity.
Issues and weakness:
– VLAN hopping is the ability to inject frames into unauthorized ports.
– Port based authentication can prevent this attack (static VLANs).
– This attack needs physical access to ports.
– Better to adhere to vendor practices.
– VLANs have been effectively deployed in plant floor networks, with each automation cell, even those containing field area networks, assigned to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches.

Encryption technologies and data validation from 62443-3-1
Covered Topics:
# Virtual Private Networks
# Symmetric Key encryption
# Private key encryption

1, Virtual Private Network
A VPN is a private network that operates as an overlay on a public infrastructure.
– Authenticity & Authentication: establish the validity of a transmission or message, or a means of verifying an individual's authorization.
– Integrity: protection against unauthorized modification or destruction of information.
– Confidentiality: information is not disclosed to unauthorized persons, processes, or devices.
– Access: privileges granted to a user, software service or any process.
– Rights Granted: rights granted to a user to access in a certain mode (Read/Write/Insert/Delete) or to execute some executable file or program.
SECURITY VULNERABILITIES ADDRESSED:
– Preventing man-in-the-middle attacks by encrypting communication on the public network.
– Controlling access into the trusted network via authentication.
– Maintaining the integrity of trusted data on an untrusted network.
Industrial assessment:
Issues and weakness:
– VPNs do not protect a network and workstations against most data-driven attacks (i.e., viruses), some denial-of-service attacks, social engineering attacks, and malicious insiders.
– Interoperability, setup and support, and maintenance also play a key role in the upkeep of the VPN service.

2, Symmetric key encryption
Symmetric (or secret) key encryption involves transforming a digital message (called the plain text) into an apparently uncorrelated bit stream known as the cipher text. A well defined algorithm with two inputs (the plain text and the key) performs the reversible transformation.
– A receiving device in possession of the algorithm and key changes the cipher text back to the original plain text message; the inverse transformation is not feasible without the key. The encryption is called symmetric because the same key and algorithm are used, in reverse, to both encrypt and decrypt between plain and cipher text. The most used ones are FIPS 140-2 validated algorithms such as 3DES and AES.
– This is most effective when used as a block to provide confidentiality.
Link Encryptor:
– A hardware unit with two or more distinct data ports. One port receives the data to be encrypted in plain text; the remaining ports are ciphertext ports, which send the encrypted data stream to a ciphertext port of one or more other units.
– Example: Cisco high assurance IP encryptor.
Embedded Cryptography:
– The symmetric key is embedded in a cryptographic module inside the unit to be protected, often on a special purpose chip. Examples:
– Apple iPhone
– Honeywell Experion PKS
– ABB AC500 PLC
– Siemens S7-1500
– Thales nShield Connect
– Rockwell Automation Stratix 5700
Industrial assessment:

3, Public key encryption and key distribution
In public key cryptography, a pair of different but related keys, usually known as a public-private key pair, replaces the single shared key.
SECURITY VULNERABILITIES ADDRESSED:
– Shared secret schemes are open to the possibility of one of the participants being compromised, and rely on the secret being kept secure.
– The secret needs to be shared securely; if not, there is no point.
– Public (asymmetric) key cryptography addresses the weaknesses of shared secrets and one-way hashing algorithms.
– A pair of keys is used: private and public.
– Encryption using the private key; decryption using the public key.
– The key holder circulates the public key to other users but does not reveal the private key to other users.
– A constraint for using encryption in an IACS is the need for time sensitive performance, including control system response.
– The high performance load of public key cryptography restricts the time-critical use of digital signatures on devices with low computing power.
– When authentication and non-repudiation are more important than performance, digital signatures are the proper tool.
Issues and weakness:
– No major weakness; the key length must be adequate and the quality of the algorithm used to generate random keys must be good.
– Key creation must be proper and usage must be monitored.
– If not guarded against man-in-the-middle (MITM) attacks, a perpetrator can communicate through his own public and private key; this can be avoided by using PKI and signed certificates. Kerberos can also be used to find this weakness and patch it up.

Management, audit, measurement and detection tools from 62443-3-1
Topics Covered:
# Log auditing utilities
# Virus and malicious code detection
# Intrusion detection system
# Vulnerability scanner - Nessus Demo

1, Log Auditing Utilities
KINDS OF EVENTS THAT CAN BE MONITORED:
– Account events (account logon events)
– Object access (object access)
– Directory (directory service access)
– Policy events (policy change): track changes to the local security policy
– Privilege events (privilege use)
– Process (process tracking)
– System events (system events)
– Application events
– Security events
Audit monitoring and detection provide the ability to analyze security and vulnerabilities and to detect possible compromises.
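Detection logic run over account logon events collected on a central log server, as an added example that is not part of the original guideline: it flags a brute force or dictionary burst (many failed logons from one source inside a short window) and a success that follows such a burst. The log lines and their format are constructed, not a specific vendor's.

```python
# Added example (not from the IEC 62443 text): detection over centrally
# collected account-logon events. The log lines below are constructed and
# the line format is assumed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed central-syslog lines: "<timestamp> <host> auth: <outcome> logon user=<u> src=<ip>"
SAMPLE_LOG = """\
2023-05-17T10:00:01 hmi-01 auth: FAILED logon user=operator src=10.0.5.23
2023-05-17T10:00:03 hmi-01 auth: FAILED logon user=operator src=10.0.5.23
2023-05-17T10:00:04 hmi-01 auth: FAILED logon user=operator src=10.0.5.23
2023-05-17T10:00:06 hmi-01 auth: FAILED logon user=operator src=10.0.5.23
2023-05-17T10:00:07 hmi-01 auth: FAILED logon user=operator src=10.0.5.23
2023-05-17T10:00:09 hmi-01 auth: SUCCESS logon user=operator src=10.0.5.23
2023-05-17T10:05:00 eng-ws-02 auth: FAILED logon user=engineer src=10.0.7.10
2023-05-17T10:05:30 eng-ws-02 auth: SUCCESS logon user=engineer src=10.0.7.10
2023-05-17T11:00:00 hmi-01 auth: FAILED logon user=admin src=10.0.5.99
2023-05-17T11:30:00 hmi-01 auth: FAILED logon user=admin src=10.0.5.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>FAILED|SUCCESS) logon "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log: str):
    """Yields one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect(log: str, threshold: int = 5, window_s: int = 60) -> List[Tuple[str, str, str]]:
    """Returns (alert_type, source, host) tuples.

    `threshold` failures from one source within `window_s` seconds raise
    BRUTE_FORCE once per burst; a success from that source while the burst is
    still inside the window raises SUCCESS_AFTER_BURST, the case an analyst
    wants to see first because the guessing may have worked.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times
    burst_sources = set()
    alerts: List[Tuple[str, str, str]] = []
    for ev in parse(log):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                                    # slide the window forward
        if ev["outcome"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:                        # fire once per burst
                burst_sources.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], ev["host"]))
        elif ev["src"] in burst_sources and q:
            alerts.append(("SUCCESS_AFTER_BURST", ev["src"], ev["host"]))
            burst_sources.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two failures half an hour apart (the `admin` lines) fall outside the window and raise nothing, which is what keeps ordinary typos from paging anyone.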
They also allow forensic analysis of compromise incidents.
Event list:
– Anti virus system
– Intrusion detection system
– Event correlation
– Host logging
– Network tools
– Application white listing
– Access controls
– Malware prevention
– Network devices
All systems can send log data to a centralized log server using SIEM (Security Information and Event Management) solutions, or to a centralized syslog server for remote logging, protected using IACS standards as a high priority.

2, Virus and malicious code detection
SECURITY VULNERABILITIES ADDRESSED:
– Can detect known viruses and trojan horses.
– Detection, isolation and safe shutdown of affected systems.
– Alerts about an attack using a virus, worm or trojan.
Virus detection systems (VDS) can monitor and respond to one or more of these indicators. Indicators can result directly from a specific virus payload, as a side effect of the virus payload, or as a result of the virus's attempt to spread. Indicators of virus infection include the following:
– Interface indicators: where a screen or sound generated by the virus appears on several machines at once.
– System indicators: where a host's operating profile is changed, a file share suddenly becomes unsecured, or a system function becomes disabled.
– File indicators: the appearance of unknown files on a host, or changed parameters of an executable file.
– Network indicators: like network storms, email blasts or buffer flooding attempts.
– Custom indicators: designed to address specific host functions or vulnerabilities.
Issues and weakness:
– VDS can only function effectively when installed, running full time, and upgraded with the latest patches and signatures.
– Configure scanning of the system, applications and data files at a standard frequency; future scope includes deploying AI based systems for virus protection.
Recommendations:
– VDS can be deployed alongside a firewall.
– Each VDS can be flexible with the firewall and detect unauthorized system intrusion; it should provide advance notice of a possible attack.
– The policy for critical systems of the IACS must be designed with the mission and criticality of the system in mind, deploying and maintaining VDS accordingly.

3, Intrusion Detection Systems
An intrusion is an attempt by someone or some program to break into or misuse a computer system.
– IDS monitor either traffic patterns on the network or files in host computers, looking for signatures that indicate intruder characteristics.
– Unusual activity such as new open ports, unusual traffic patterns, or changes to critical operating system files is detected and brought to the attention of the operator.
NIDS (Network): monitors network traffic and performs anomaly detection.
HIDS (Host): monitors the system or application, the actions of users and malicious activity.
Classification:
Knowledge based systems:
– The IDS applies knowledge accumulated about specific attacks and system vulnerabilities (a database).
Behavior based systems:
– The IDS assumes that an intrusion can be detected from a deviation from normal behaviour, based on smart processes.
Issues and weakness:
– Hackers may be able to identify the IDS through a port scan, create a DoS attack against the IDS, and evade it through encryption and fragmentation.
– False positives.
– Friendly fire: on enabling an IDS, high accuracy is required so that malicious activity is blocked and legitimate activity is allowed.
– High bandwidth networks might overrun the sensing capability of a NIDS.
– Lack of a standard testing procedure leads to large differences in the performance of IDS based on traffic profiles.
– Lack of HIDS for controller based OS; requires resources to deploy and manage in a wide system.

4, Vulnerability scan – Nessus Demo
– Install Nessus and launch the web page (verify on the demand video).

Zones, Conduits and Risk Assessment 62443-3-2
1, How to implement
– Develop a network diagram of the IACS.
– Understand the risk, tolerance and acceptability of compromising the countermeasure, as it may vary between businesses and regions.
– Maintain an up-to-date record of all devices in the IACS for future assessment.
– Establish the criteria for identifying which devices the IACS covers.
– Identify devices which are critical to the business process and the IACS, including the IT systems.
– Classify assets and components based on availability, integrity and confidentiality as well as HSE impact (Health, Safety, Environment).
– Conduct a risk assessment at all stages of the technology life cycle (development, implementation, updating, decommissioning).
– Identify reassessment frequency or trigger criteria based on technology, organization or industrial operation change.

2, Flowchart of risk assessment

ZCR 1 Identification of System Under Consideration (SuC)
ZCR 1.1 The organization shall clearly identify the System under Consideration (SuC), including a clear definition of the security perimeter and identification of all access points to the SuC (includes all systems critical to the IACS).
Requirements:
– Inventory of the premises.
– Identify the current security perimeter and access points (gateways, firewalls).
– Ensure that all communication accessing a SuC and its devices passes through the intended access points.
– Real time alerts are raised if communications violate flow and perimeter restrictions.
ZCR 2 High Level Risk Assessment
ZCR 2.1 The organization shall perform a high-level cybersecurity risk assessment of the SuC in order to identify the worst case unmitigated cybersecurity risk that could result from the interference with, disruption of, or disablement of mission critical IACS operations.
Requirements:
– Conduct asset inventory assessments.
– Find out major risks and threats.
– Conduct vulnerability assessments.

ZCR 3 Partition of SuC into Zones and Conduits
ZCR 3.1 The organization shall establish zones and conduits by grouping IACS and related assets. The grouping shall be based on the architecture and the high-level security assessment carried out, including criticality of assets, operational function, physical or logical location, access required and responsible organization.
ZCR 3.2 IACS assets shall be grouped into zones that are physically and logically separated from business and enterprise system assets.
ZCR 3.3 Safety assets are to be grouped in zones that are separated from non-safety related assets.
ZCR 3.4 Devices that are permitted to make temporary connections to the SuC should be grouped into a separate zone from zones whose assets are intended for permanent connection with the IACS.
ZCR 3.6 Devices that are permitted to make connections to the SuC via external networks are to be grouped into separate zone(s).
ZCR 3.7 The organization shall produce a drawing that illustrates the zone and conduit partitioning of the entire SuC and assign each asset to a zone and conduit.
ZCR 3.8 The organization shall identify and document for each zone the following:
– Name or unique identifier
– Defined logical boundary and physical boundary
– Accountable organization
– Safety designation
– List of all logical and physical access points
– List of data flows associated with each access point, zone and conduit
– List of assets and their classifications
– Criticality and business value
– Applicable security requirements and policies, assumptions and external dependencies
Requirements:
– Understand the network operation and its risks.
– Identify security perimeters, access points and groups of functionally and logically related devices.
– Define zones and conduits based on risk, as the basis for network segmentation.
– The user must identify open links and communication between the IACS system and the business network, and between safety and non-safety assets, so as to mitigate risk by stopping that communication.
– Verify whether two networks or segmented zones have active communication.
– Ensure that connections from certain zones to the IACS are not always active.
– If connections are allowed at pre-determined times, then the solution must raise an alert for access time violations.
– The user can edit groups to define zones and visualize activity.
– The user can easily spot devices that have to be assigned to a zone or conduit, which may or may not be present.
– The user is to identify logical boundaries and network access points, list the data flows connected to each access point, and generate the asset list and business value.
– Information about the accountable organization, safety designation, applicable security requirements and policies is to be made available for internal and external compliance audit.

ZCR 4 Detailed Risk Assessment
Perform a detailed cyber security risk assessment.
DRAR 1 A list of threats that could affect the assets contained in the zone or conduit shall be developed; the description shall include the threat source, vectors and potentially affected assets.
DRAR 2 The zone or conduit shall be analyzed in order to identify and document the known vulnerabilities in the assets contained within the zone or conduit, including the access points.
Requirements:
– These vulnerabilities and threats are to be automatically matched with the asset inventory information.
– This list contains further details about the source, target and nature of the threat, enabling an informed analysis and mitigation.
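The ZCR 3 partition rules and the requirements list above, worked through as an added example that is not part of the original guideline: a small zone-and-conduit model that checks that every asset sits in exactly one zone, that safety assets are kept apart, that a temporary-connection zone has no always-active conduit, and then matches observed flows against the defined conduits to raise the undefined-conduit and access-time-violation alerts. All zone, asset and flow data are constructed.

```python
# Added example (not from the IEC 62443 text): zone-and-conduit partition
# checks plus flow matching against defined conduits. Every zone, asset,
# conduit and observed flow below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    assets: FrozenSet[str]
    safety: bool = False        # safety designation (ZCR 3.3)
    temporary: bool = False     # devices making temporary connections (ZCR 3.4)


@dataclass(frozen=True)
class Conduit:
    src: str                    # zone name
    dst: str                    # zone name
    protocols: FrozenSet[str]
    hours: Tuple[int, int] = (0, 24)   # permitted window [start, end) in local hours


SAFETY_ASSETS: Set[str] = {"sis-1"}   # constructed: assets designated as safety-related

ZONES = [
    Zone("control", frozenset({"plc-1", "hmi-1"})),
    Zone("safety", frozenset({"sis-1"}), safety=True),
    Zone("enterprise", frozenset({"erp-1"})),
    Zone("temporary", frozenset({"laptop-1"}), temporary=True),
]

CONDUITS = [
    Conduit("enterprise", "control", frozenset({"opc-ua"}), hours=(8, 18)),
    Conduit("temporary", "control", frozenset({"ssh"}), hours=(9, 17)),
]

# Observed flows: (source asset, destination asset, protocol, hour of day)
FLOWS = [
    ("hmi-1", "plc-1", "modbus", 10),    # inside one zone
    ("erp-1", "plc-1", "opc-ua", 10),    # on a defined conduit, inside its hours
    ("erp-1", "plc-1", "modbus", 10),    # protocol not permitted on that conduit
    ("laptop-1", "plc-1", "ssh", 22),    # conduit exists, but outside its hours
    ("sis-1", "hmi-1", "modbus", 10),    # no conduit leaves the safety zone
]


def validate_partition(zones: List[Zone], conduits: List[Conduit],
                       safety_assets: Set[str]) -> List[str]:
    """Returns a list of partition problems; empty when the partition is sound."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for z in zones:
        for a in z.assets:
            if a in seen:
                problems.append(f"{a} assigned to both {seen[a]} and {z.name}")
            seen[a] = z.name
            if (a in safety_assets) != z.safety:
                problems.append(f"{a} safety designation does not match zone {z.name}")
    temporary_zones = {z.name for z in zones if z.temporary}
    for c in conduits:
        # A temporary-connection zone must not have an always-active path in.
        if c.src in temporary_zones and c.hours == (0, 24):
            problems.append(f"always-active conduit from temporary zone {c.src} to {c.dst}")
    return problems


def check_flows(zones: List[Zone], conduits: List[Conduit],
                flows) -> List[Tuple[str, str, str]]:
    """Matches each observed cross-zone flow against the conduits and returns
    (alert_type, src_asset, dst_asset) tuples for every violation."""
    zone_of = {a: z.name for z in zones for a in z.assets}
    alerts: List[Tuple[str, str, str]] = []
    for src, dst, proto, hour in flows:
        zs, zd = zone_of.get(src), zone_of.get(dst)
        if zs is None or zd is None:
            alerts.append(("UNASSIGNED_ASSET", src, dst))
            continue
        if zs == zd:
            continue                               # intra-zone traffic needs no conduit
        conduit = next((c for c in conduits if c.src == zs and c.dst == zd), None)
        if conduit is None:
            alerts.append(("NO_CONDUIT", src, dst))
        elif proto not in conduit.protocols:
            alerts.append(("PROTOCOL_NOT_ALLOWED", src, dst))
        elif not (conduit.hours[0] <= hour < conduit.hours[1]):
            alerts.append(("ACCESS_TIME_VIOLATION", src, dst))
    return alerts


if __name__ == "__main__":
    print("partition problems:", validate_partition(ZONES, CONDUITS, SAFETY_ASSETS))
    for alert in check_flows(ZONES, CONDUITS, FLOWS):
        print(alert)
```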
ZCR 5 Document cyber security requirements, assumptions and constraints
ZCR 5.3 The Cyber Security Requirements Specification (CSRS) shall identify and document the physical and logical environment in which the SuC is located or planned to be located. This shall provide a clear understanding of the networks, information technology, protocols and IACS systems that may interface with the SuC.
ZCR 5.4 The CSRS shall include a description of the threat environment that impacts the SuC. The description shall include the source(s) of threat intelligence and include both current and emerging threats.
Requirements:
– Full visibility over the monitored environment (the SuC), including details about:
  • Communications and links across networks/zones.
  • All active IP-connected network devices, their function and their properties.
  • All protocols and services in use in each network/zone and by each device within that zone.
– Visual threat scenarios on the network map, or inclusion in external documentation.
– Each threat and vulnerability obtained from external sources contains a clear reference to the threat intelligence source or identifier.
Challenges:
– Designing the solution during the assessment
– Minimizing or overstating the consequences
– Failing to gain consensus on the risk assessment results
– Assessing the system without considering the assessment results from other similar systems

RISK OUT Design:
– Reduce the risk
– Accept the risk
– Transfer or share the risk
– Eliminate or fix outdated risk and control measures

3, SL Target calculation, risk matrix and template creation
The risk assessment is carried out by the asset owner and cyber security personnel to assess the risk.

Cybersecurity requirements and techniques
Use cases
Security Level 1 Requirements and Analysis
Sample plant before deployment of IEC 62443 in IACS
Sample plant after deployment of IEC 62443 in IACS, SL-1
Modifications carried out
In this example, the control zone from the sample network has been broken into seven smaller zones, highlighted in grey. New elements are highlighted in green.
– Demilitarized Zone (DMZ)
– Security Appliance Zone
– Plant/Process Zone
– Wireless Zone
– Controller Zones
Industrial-grade firewalls (highlighted in green) have been added to segment the network.

Security Level 2
Modifications carried out: A unified account management appliance, Certificate Authority, Back-up Server, Event Server and Network Intrusion Detection System have been added to the network and highlighted in green below.
In addition, the control network has been segmented into two separate networks.
Sample plant after deployment of IEC 62443 in IACS, SL-2

Security Level 3
Modifications carried out: The event server that was added at security level 2 will have to be upgraded to a SIEM server to accommodate the security level 3 requirements. In addition, a GPS time source and a wireless threat device have to be added.
Sample plant after deployment of IEC 62443 in IACS, SL-3

Attached reference documents:
– Use case of industrial firewall (2021-TeleTrusT-IEC_62443-4-2_Use_Case_Industrial_Firewall.pdf)
– Availability of 62443 standards (ISAGCA QuickStart Guide FINAL.pdf) (2020-ODVA-Conference_CIP_Security_and_IEC_62443_Visoky_Wiberg_Final.pdf)
