This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here, part 2 here, and part 3 here. Certification gives you the opportunity to work with an experienced cyber team here at exida, backed by the vast knowledge of cyber experts worldwide that is codified in the IEC 62443 family of standards.
Last year Kevin Mandia, CEO of FireEye, published a white paper, "Validation for Security Effectiveness". It is not aimed directly at the control industry, but it offers valuable insight into cyber management. Mandia splits his concerns into 5 areas:
- Prioritize what you are going to measure based on relevant and timely cyber threat intelligence
- Measure where you are today
- Optimize your environment as informed by the identified gaps
- Rationalize your portfolio and processes to eliminate redundancies
- Monitor your environment continuously against a known good baseline
While these concepts came from the commercial sector, they are clearly applicable to industrial control systems, and they are key concepts for everyone involved with critical computer systems. When they are mapped against the IEC 62443 family of standards, each of them corresponds directly to specific parts of the standard.
No security project ever starts without asking the question "What are we trying to protect?" Most often the answer is a list of assets that need protection: user authentication, control strategies, I/O configuration, firewall and router setup, among others. Unauthorized access to any of these could create havoc or worse. Some are more critical than others, which gives rise to the concept of Security Levels. IEC 62443-3-2 specifically addresses risk assessment: it provides guidance on how to perform the analysis and on partitioning the system into zones and conduits, each with its own target security level. Once target security levels have been set, IEC 62443-3-3 provides the specific system-level security requirements (covering both hardware and software countermeasures) needed to meet each level. The higher the security level, the more security functionality the system must provide.
In order to measure anything, some kind of monitoring and logging is needed. There are numerous places in the standard with requirements around monitoring and the collection of operational metrics, for example keeping a record of security events such as wrong passwords, inappropriate access to databases, internal hardware and software diagnostics, and unfamiliar IP addresses on the network. This can amount to a significant volume of information, possibly requiring a Security Information and Event Management (SIEM) tool to help correlate and analyze the data. Once a baseline is established for every metric that has been identified, the metrics can be tracked over time, which makes it possible to measure the impact of security changes.
With the data collected from the metrics it becomes possible to understand the impact of the changes implemented. Measuring system variables in a repeatable way depends on a defined set of processes. The two most frequently used process standards in IEC 62443 are parts 4-1 (product development) and 2-4 (system integrators and service providers). Each uses the concept of Maturity Level (ML1 to ML4) to assess how well the organization is managing its processes.
The IEC 62443 standard has significant requirements regarding Threat Modeling and Architecture Design. Both are key parts of a system design and development process, and they document how security measures and mitigations fit into the system, which is what rationalizing their use means. Good Configuration Management is another key process in system design. In large systems it can be a daunting task to keep records and drawings up to date. Good CM makes sure that every role has access to current configurations and helps ensure that a countermeasure already implemented in one part of the system is not needlessly duplicated elsewhere.
Monitoring can take many forms, from logging incorrect passwords to tracking equipment maintenance cycles. Monitoring should be done by someone not directly involved with what is being monitored, to prevent bias in the reports being generated. Beyond the normal collection of data and events in an operational system, processes must also be monitored. This is where a third party can come into an organization for a short period and review normal operations. IEC 62443-2-1 lists 9 specific security areas to be reviewed in an operational industrial control environment. IEC 62443-4-1 outlines 8 key practices needed for secure product development. Both parts provide the details needed to determine whether secure processes are in place.
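As an illustration of the "baseline, then measure" idea in the paragraph above, here is a small added example (written for this post; it is not exida's code, not part of IEC 62443, and not from the FireEye paper). It parses constructed syslog-style lines of the kinds mentioned above (failed logins, denied database access, firewall drops), counts them per host and event type, flags source IP addresses that are not in an assumed known-good asset inventory, and then reports what changed between a baseline window and a later window. The log lines, host names and IP addresses are all invented for the example.

```python
import re
from collections import Counter

# Constructed sample data (assumed for this example; not from the page).
# Known-good asset inventory for the zone being monitored.
KNOWN_GOOD_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.20", "10.0.1.254"}

# Log window captured when the baseline was set.
BASELINE_LOG = """\
2024-03-01T08:00:01 hmi01 sshd[412]: Failed password for operator from 10.0.1.10 port 51022
2024-03-01T08:00:09 hmi01 sshd[412]: Accepted password for operator from 10.0.1.10 port 51023
2024-03-01T08:05:44 plc-gw sshd[77]: Failed password for root from 10.0.1.11 port 40211
2024-03-01T08:06:02 eng01 dbaccess: DENY user=tech1 db=tag_history
2024-03-01T08:10:00 fw01 kernel: DROP IN=eth1 SRC=10.0.1.20 DST=10.0.1.254 PROTO=TCP DPT=502
"""

# Log window captured a week later, after a change to the system.
AFTER_LOG = """\
2024-03-08T08:00:03 hmi01 sshd[415]: Failed password for operator from 10.0.1.10 port 51101
2024-03-08T08:00:05 hmi01 sshd[415]: Failed password for operator from 10.0.1.10 port 51102
2024-03-08T08:00:08 hmi01 sshd[415]: Failed password for operator from 10.0.1.10 port 51103
2024-03-08T08:02:30 plc-gw sshd[80]: Failed password for root from 192.168.7.33 port 60001
2024-03-08T08:02:41 plc-gw sshd[80]: Failed password for root from 192.168.7.33 port 60002
2024-03-08T08:06:10 eng01 dbaccess: DENY user=tech1 db=tag_history
2024-03-08T08:06:12 eng01 dbaccess: DENY user=contractor db=recipes
2024-03-08T08:10:00 fw01 kernel: DROP IN=eth1 SRC=192.168.7.33 DST=10.0.1.254 PROTO=TCP DPT=502
"""

# "<timestamp> <host> <process>: <message>"; the process field stops at the first colon.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
# Source address as written by sshd ("from a.b.c.d") or a netfilter log ("SRC=a.b.c.d").
SRC_RE = re.compile(r"(?:from |SRC=)((?:\d{1,3}\.){3}\d{1,3})")


def parse_events(text):
    """Turn raw syslog-style lines into dicts carrying a coarse event category."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than miscounted
        msg = m["msg"]
        if "Failed password" in msg:
            kind = "failed_login"
        elif "Accepted password" in msg:
            kind = "accepted_login"
        elif msg.startswith("DENY"):
            kind = "db_access_denied"
        elif msg.startswith("DROP"):
            kind = "firewall_drop"
        else:
            kind = "other"
        src_m = SRC_RE.search(msg)
        events.append({"ts": m["ts"], "host": m["host"], "kind": kind,
                       "src": src_m.group(1) if src_m else None})
    return events


def compute_metrics(events, known_hosts):
    """Count events per (host, kind) and list source IPs outside the inventory."""
    counts = Counter((e["host"], e["kind"]) for e in events)
    unfamiliar = sorted({e["src"] for e in events
                         if e["src"] and e["src"] not in known_hosts})
    return {"counts": counts, "unfamiliar_ips": unfamiliar}


def compare_to_baseline(baseline, current):
    """Report metrics that moved, and unfamiliar IPs that were absent from the baseline."""
    deltas = {}
    for key in set(baseline["counts"]) | set(current["counts"]):
        before, after = baseline["counts"][key], current["counts"][key]  # Counter -> 0 if absent
        if before != after:
            deltas[key] = after - before
    new_ips = sorted(set(current["unfamiliar_ips"]) - set(baseline["unfamiliar_ips"]))
    return {"deltas": deltas, "new_unfamiliar_ips": new_ips}


def run_example():
    base = compute_metrics(parse_events(BASELINE_LOG), KNOWN_GOOD_HOSTS)
    cur = compute_metrics(parse_events(AFTER_LOG), KNOWN_GOOD_HOSTS)
    return compare_to_baseline(base, cur)


if __name__ == "__main__":
    report = run_example()
    for (host, kind), delta in sorted(report["deltas"].items()):
        print(f"{host:8} {kind:18} {delta:+d}")
    print("new unfamiliar source IPs:", report["new_unfamiliar_ips"])
```

Run as a script it prints the per-host changes (three more failed logins on hmi01 than at baseline, an extra failed root login on plc-gw, an extra denied database access on eng01) and the one source address, 192.168.7.33, that appears in the later window but is neither in the inventory nor in the baseline. In a real deployment the two windows would come from the SIEM rather than from embedded strings, and the inventory would be the zone's asset list, but the shape of the check is the same: the baseline turns raw event counts into something a later measurement can be compared against.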
While the cited article referenced business and IT operations more so than industrial control, the basic concepts still apply. The IEC 62443 family of standards provides specific guidance and checklists to address these 5 areas – Prioritize, Measure, Optimize, Rationalize, and Monitor.