The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation and Control System (IACS) cybersecurity. Seven core foundational requirements are used to assist with the design, development, testing and construction of an integrated security architecture. As the Security Level (SL) targets and capabilities are defined, cybersecurity metrics become necessary to assess the efficacy and comprehensiveness of the design. These Security Levels are organized into four increasing tiers, each requiring more stringent controls.
As the security architecture matures and the logical and physical assets are grouped into zones, the zones need to be evaluated along with the connections and data flows between them, which are called conduits. Both the zones and conduits need appropriate security controls to ensure plant operational safety. Cybersecurity best practices include principles (such as ‘defense in depth’) that can be assessed through cybersecurity metrics covering architectural components such as zones and conduits.
Furthermore, security is a process that requires continual risk management and risk reduction via the mitigation of identified threats. Cybersecurity metrics are generated and evaluated to determine whether adequate risk management is in place. Through the use of well-defined, repeatable and accurate cybersecurity metrics, SL adequacy can be assessed.
This presentation goes through the IEC 62443 foundational requirements and describes appropriate and relevant security metrics for evaluating whether architectural components such as zones and conduits have appropriate cybersecurity controls in place and whether the SL target has been achieved.