JAN-FEB 2018


SPECIAL SECTION 38 INTECH JANUARY/FEBRUARY 2018 WWW.ISA.ORG

anti-malware software and firewalls. In addition, some software, like login applications, log suspicious behavior and issue event notifications to administrator or operator screens.

In many cases, logs need to be examined for suspicious behavior, for example, to determine if a failed login is an attack or just a typo by the user, or to correlate multiple control system events together to detect a pattern of malicious activity. Some software packages, like security information and event management (SIEM) systems, can be used to support these activities. However, many SIEMs are information technology oriented and are not equipped to examine control system logs.

Response teams are often used to verify and handle security breaches once they have been detected, and also to identify associated vulnerabilities and establish a way forward. In some cases, this involves restoring failed components from backups, reporting breaches and losses to authorities and customers, and notifying suppliers of vulnerabilities and requesting workarounds and patches from them.

Other considerations

As you perform this cybersecurity self-check, three additional factors may influence your score. These factors relate to the rigor with which your ICS implements cybersecurity.

First, you can consider the strength of the security measures associated with each of the vital signs. The ISA/IEC 62443-3-3 and ISA/IEC 62443-4-2 standards formalize the strength of security measures using four security levels. Security levels represent defensive capabilities against increasing levels of attacker strength, expertise, and skill. For example, security level "1" represents defense against novice attackers, while security level "4" represents the ability to defend against nation-state attacks. For this self-check, give yourself higher scores if your system protects against attackers with higher skills.

Second, you should consider the formality of the organizational processes used with a vital sign. The IEC 62443-2-4 standard defines a maturity model for gauging how evolved (or formal) an organization's processes are. The base level in this model is for processes that the organization performs on an ad hoc basis. The remaining levels in this model are for formally defined, repeatable processes. If your organization has formal processes that it uses for a vital sign, give yourself a higher score.

Third, the degree to which your organization and its suppliers apply security can be assessed through certifications. The IECEE and other nonaffiliated test labs have formal certification programs for IEC 62443 security standards. Other certifications, such as Achilles Communications Certifications, are well known in the industry, even though they are not tied to a specific standard. Certifications provide an extra level of confidence that security is properly understood and implemented in the ICS. Give yourself higher scores for vital signs where certified devices or processes are used.

Top-level diagnostics

The vital signs represent top-level diagnostics that you can use for a self-check of your ICS's cybersecurity. Your answers to the questions about these vital signs bring valuable insights into how your ICS is poised to protect itself. This self-check can be performed periodically, and supplemented with occasional in-depth assessments, analogous to getting an annual checkup from your doctor and getting a full physical every few years. Of course, if the self-check reveals issues that need immediate attention, specially scheduled assessments can be used to investigate them.

Several types of in-depth assessments exist, such as risk assessments, vulnerability assessments, and threat models. Each has its own purpose, so you can select the ones most appropriate for your ICS. Finally, it is often advantageous to have an independent third party perform in-depth assessments to rule out bias and invalid assessments.

ABOUT THE AUTHOR

Lee Neitzel ( is a cybersecurity consultant at GE Digital. He has been involved in security and network standards for more than 30 years and is currently leading the development of the IEC 62443 standards and conformance assessment program. Neitzel holds multiple patents in the area of control system cybersecurity and has a master's degree in computer science with a focus on computer security from George Washington University in Washington, D.C.

View the online version at

Vital sign checklist

Vital sign #1: Is cybersecurity ingrained into your organization's culture and day-to-day operations?

Vital sign #2: Do you maintain an inventory of all hardware and software in the ICS, and do you follow a formal process for controlling changes to them?

Vital sign #3: Are only necessary inbound and outbound communications between your ICS and other plant systems allowed?

Vital sign #4: Are network access controls in place to prevent unapproved devices from being connected to the ICS?

Vital sign #5: Are your workstations and other devices hardened for security?

Vital sign #6: Does your supply chain program require product developers in the supply chain (suppliers, their suppliers, etc.) to use security best practices?

Vital sign #7: Is confidential ICS data protected from disclosure, and is critical data protected from tampering?

Vital sign #8: Are all users authenticated and authorized using credentials (e.g., name and password) that follow best practices?

Vital sign #9: Once they have gained access, can users access only the resources they need?

Vital sign #10: Is the control system capable of detecting security breaches, and are there formal processes for handling breaches and associated security vulnerabilities?
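
The log examination the article describes (deciding whether a failed login is an attack or a typo by correlating several events) can be sketched as follows. This is an added example, not code from the article or from any product; the log format, field names, thresholds and the function name `classify_sources` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2018-01-15T08:00:05 hmi-01 LOGIN_FAIL user=operator1 src=10.0.5.21
2018-01-15T08:00:19 hmi-01 LOGIN_OK user=operator1 src=10.0.5.21
2018-01-15T02:13:01 eng-ws-02 LOGIN_FAIL user=admin src=10.0.9.77
2018-01-15T02:13:03 eng-ws-02 LOGIN_FAIL user=engineer src=10.0.9.77
2018-01-15T02:13:06 eng-ws-02 LOGIN_FAIL user=admin src=10.0.9.77
2018-01-15T02:13:08 eng-ws-02 LOGIN_FAIL user=operator1 src=10.0.9.77
2018-01-15T02:13:11 eng-ws-02 LOGIN_FAIL user=admin src=10.0.9.77
"""

LINE = re.compile(r"^(\S+) (\S+) LOGIN_(FAIL|OK) user=(\S+) src=(\S+)$")

def classify_sources(log_text, window=timedelta(minutes=5), max_fails=3):
    """Map each source with failed logins to a verdict string."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in other formats
        ts, _host, result, user, src = m.groups()
        events[src].append((datetime.fromisoformat(ts), result, user))

    verdicts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, r, u in evs if r == "FAIL"]
        if not fails:
            continue
        # Largest number of failures that fall inside any one time window.
        burst = max(sum(1 for t2, _ in fails if t <= t2 < t + window) for t, _ in fails)
        users_tried = {u for _, u in fails}
        # Typo pattern: every failure is followed soon by a success for that user.
        recovered = all(
            any(r == "OK" and u2 == u and t < t2 <= t + window for t2, r, u2 in evs)
            for t, u in fails)
        if burst > max_fails or len(users_tried) > 1:
            verdicts[src] = "suspicious"   # burst, or several accounts tried
        elif recovered:
            verdicts[src] = "likely typo"
        else:
            verdicts[src] = "needs review"
    return verdicts
```

A single failure with no later success is reported as "needs review" rather than guessed at, which is where a response team would correlate it with other control system events.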
