InTech

SEP-OCT 2018

Issue link: http://intechdigitalxp.isa.org/i/1034708

Contents of this Issue

Navigation

Page 48 of 67

INTECH SEPTEMBER/OCTOBER 2018 49 reliability, and cybersecurity vulnerabili- ties. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the effects poor patch management can have on the reliability and operability of an IACS. The technical report provides a defined format for the exchange of information about security patches from asset owners to IACS product suppliers, and definitions of activities associated with the development of the patch information by IACS product suppliers and deployment of the patches by asset owners. The exchange format and ac- tivities are defined for use in security-related patches, but may also be applicable for other types of patches or updates. For information on viewing or obtain- ing any of the ISA/IEC 62443 standards, visit www.isa.org/findstandards. For infor- mation on ISA99 and the ISA/IEC 62443 series of cybersecurity standards, contact Eliana Brazda, ISA Standards, ebrazda@ isa.org or +1-919-990-9200. n ISA112, SCADA Systems 12 October ISA101, HMI (working groups) 15–17 October ISA18, Management of Alarms 16 October ISA75, Control Valves 15–16 October ISA96, Valve Actuators 17–18 October For more information, visit www.isa. org/isa-annual-leadership-conference New ISA/IEC 62443 standard specifies security capabilities for control system components New Benchmarks & Metrics | standards cycle includes security requirements defini- tion, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life. Looking ahead Another key ISA/IEC 62443 standard ex- pected to be completed in the coming months is ISA/IEC 62443-3-2, Security Risk Assessment, System Partitioning and Security Levels, which is based on the un- derstanding that IACS security is a matter of risk management. That is, each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each orga- nization that owns and operates an IACS has its own tolerance for risk. For these reasons, ISA/IEC 62443-3-2 will define a set of engineering measures to guide organizations through the pro- cess of assessing the risk of a particular IACS and identifying and applying securi ty countermeasures to reduce that risk to tolerable levels. A key concept is the ap - plication of IACS security zones and con - duits, which were introduced in ISA/IEC 62443-1-1, Concepts and Models. The new standard provides a basis for specify- ing security countermeasures by aligning the identified target security level with the required security level capabilities set forth in ISA/IEC 62443 - 3 - 3, System Secu- rity Requirements and Security Levels. ISA99 is also working on converting ISA/IEC TR62443-2-3, Patch Manage- ment in the IACS Environment, into a standard by adding normative language. The current technical report addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hot fixes, basic input/output system updates, and other digital electronic program up- dates that resolve bug fixes, operability, T he ISA/IEC 62443 series of stan- dards, developed by the ISA99 committee and adopted by the International Electrotechnical Commis- sion (IEC), provides a flexible framework to address and mitigate current and fu- ture security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all indus- try sectors and critical infrastructure. A new standard in the series, ISA- 62443-4-2, Security for Industrial Auto- mation and Control Systems: Technical Security Requirements for IACS Compo- nents, provides the cybersecurity techni- cal requirements for components that make up an IACS, specifically the embed- ded devices, network components, host components, and software applications. The standard, which is based on the IACS system security requirements of ISA/ IEC 62443 - 3-3, System Security Require- ments and Security Levels, specifies secu- rity capabilities that enable a component to mitigate threats for a given security level without the assistance of compen- sating countermeasures. "The standard definition of the secu- rity capabilities for system components provides a common language for prod- uct suppliers and all other control system stakeholders," emphasizes Kevin Staggs of Honeywell, who led the ISA99 devel- opment group for the standard. "This simplifies the procurement and integra- tion processes for the computers, appli- cations, network equipment, and control devices that make up a control system." The new standard follows the February 2018 publication of ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process re- quirements for the secure development of products used in an IACS and defines a se- cure development life cycle for developing and maintaining secure products. The life Standards meetings at the 2018 ISA Leaders Conference, Montreal, Quebec

Articles in this issue

Links on this page

Archives of this issue

view archives of InTech - SEP-OCT 2018