

Team Shieldworkz
January 27, 2025
IEC 62443 is a series of international standards that provide guidelines for ensuring a robust level of cybersecurity for industrial automation and control systems (IACS). The IEC 62443 standards offer a specific framework to secure all types of assets and networks managed by OT operators. They offer specific recommendations in areas such as the responsibilities of asset owners, how to conduct an OT risk and gap analysis, and steps for continually improving the security posture of an enterprise.
However, despite the standards being comprehensive, enterprises are often found to be only partially compliant, or unsure where to start their IEC 62443 compliance journey.
Common areas of confusion include:
How can an IEC 62443-based risk and gap analysis exercise be conducted?
How to engage OEMs on their side of the compliance guidelines?
How to align the goals with existing information security audit practices?
How to put together a roadmap for IEC 62443 compliance?
How can legacy systems be brought under the purview of IEC 62443?
What about remote sites?
Which security level is appropriate for my business?
How to accurately determine the maturity level of my security practices?
How to derive a RACI matrix?
How can one get started with IEC 62443?
An IEC 62443-3-2-based OT security risk assessment exercise is a good place to begin. With such an exercise, enterprises get a complete view of the present state of their infrastructure, including:
Existing vulnerabilities and security gaps
Gaps in security policy guidance and enforcement
Employee awareness levels on managing OT security
Risks associated with each operation
Residual risks that remain after the identified risks are addressed
Supply chain risks associated with the overall operations footprint
Existing and target security and maturity levels
Opportunities for improvement
To make the exercise more relevant, the risk and gap assessment exercise should also cover these guidelines:
Identify the potential for a cyber event and its fallout on the business
Do a root cause analysis on why gaps are present and address the core challenges
Involve a risk and gap assessment vendor with competent resources that are OT focused
It is recommended to go with a risk assessment vendor because a third party may offer a more balanced and unbiased view
Prioritise all recommendations and action items
The vendor should offer an interim report in case there are issues to be addressed on an immediate basis
The vendor should also offer the enterprise access to resources to improve its knowledge levels
The next steps
To ensure ongoing compliance with IEC 62443, the business needs to:
Identify personnel to guide the ongoing compliance efforts
Institutionalize compliance measures, enhance risk sensitivity among employees, and look into areas such as patch discipline, risk and threat monitoring, and supply chain security
Maintain documentation on all compliance efforts
Channel knowledge across the enterprise and ensure zero loss of established best practices
Conduct training on an ongoing basis to test and improve the knowledge of employees and other stakeholders
For events or issues that have been identified and rectified in the past, deploy mechanisms to prevent recurrence
Break down IEC 62443 recommendations further to ease compliance and to take a phased approach
Identify timelines for compliance with each phase
While this might sound tough on paper, we can certainly use IEC 62443 as a north star for guidance and recommendations. IEC 62443-2-1, for instance, can be a good source of input. IEC 62443-2-1 can be used to identify the requirements for an ICS security management system and to derive the requirements around policy, processes, practices, and personnel needed to implement a complete cybersecurity management system for ICS and the overall OT infrastructure.
Here is an outline of the overall IEC 62443 standards to help you understand the concepts that are closely connected in a compliance approach.
ISA/IEC 62443-1-1: Offers information on models and concepts associated with OT security.
ISA/IEC 62443-1-2: Is nothing but a master glossary of terminology, definitions and abbreviations.
ISA/IEC 62443-1-3: Covers System Security Compliance Metrics including compliance criteria.
ISA/IEC 62443-1-4: Presents Security Life Cycle explanations with Use Cases along with descriptions
ISA/IEC 62443-2-1: Outlines the requirements for an ICS security management system, including the components (which include but are not limited to policy, process, practices, and personnel) that are required for industrial automation and control systems to put in place a cyber security management system (CSMS).
ISA/IEC 62443-2-2: Offers implementation guidance for evaluating the level of protection that is presently offered by an operational ICS against the overall requirements given in the ISA/IEC 62443 family of standards.
ISA/IEC 62443-2-3: Patch Management in the ICS Environment. Includes an approach that covers the distribution of information on security patches between asset owners and the IACS product suppliers they depend on.
ISA/IEC 62443-2-4: Goes into the requirements associated with ICS Solution Suppliers including a list of requirements to be called for during integration and maintenance.
ISA/IEC 62443-3-1: Security Technologies for ICS. Talks about the use of various tools and tech to protect an ICS environment
ISA/IEC 62443-3-2: One of the most crucial parts, this one deals with Security Risk Assessment, System Partitioning, and Security Levels with recommendations to minimize risk to an acceptable threshold by identifying and applying security countermeasures.
ISA/IEC 62443-3-3: Deals with System Security Requirements and Security Levels and offers information on ICS components' Security Levels linked to cyber resilience measures.
ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2: Product Security Development Life-Cycle Requirements, aimed at developers and suppliers. They go into the process requirements for generating and maintaining secure products in an ICS, while delving into the secure development lifecycle for running secure products.
IEC 62443 Security Levels
As of now, four security levels have been defined under the standards: SL1, SL2, SL3 and SL4. These essentially describe the level and set of countermeasures required to address threats and risks. Each security level is broken down into a set of tactical requirements that have to be complied with to qualify for that level. SL4 is the highest attainable level of security and applies to critical infrastructure operators.
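To make the "existing versus target security level" part of the gap assessment concrete, here is an added example (not Shieldworkz's code or a tool from the standard) that compares a zone's target level (SL-T) with its achieved level (SL-A) across the seven foundational requirements of IEC 62443-3-3 and ranks zones by remediation need. The zone names and level values are constructed for illustration.

```python
from dataclasses import dataclass
# The seven foundational requirements (FRs) of IEC 62443-3-3; a zone's security level is one 0..4 value per FR.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

def vec(*levels: int) -> dict:
    """Build an FR -> level vector from seven levels given in FRS order."""
    return dict(zip(FRS, levels))
@dataclass
class Zone:
    name: str
    target: dict    # SL-T: target level per FR, set by the 62443-3-2 risk assessment
    achieved: dict  # SL-A: level the deployed countermeasures actually reach

def validate(levels: dict) -> list:
    """Return a list of problems (unknown FRs, levels outside 0..4); empty if the vector is valid."""
    problems = []
    for fr, lvl in levels.items():
        if fr not in FRS:
            problems.append(f"unknown foundational requirement: {fr}")
        elif not 0 <= lvl <= 4:
            problems.append(f"{fr}: security level {lvl} outside 0..4")
    return problems

def gap_vector(zone: Zone) -> dict:
    """Per-FR shortfall: how many levels the zone must rise to meet its SL-T (missing FR = 0)."""
    problems = validate(zone.target) + validate(zone.achieved)
    if problems:
        raise ValueError(f"{zone.name}: " + "; ".join(problems))
    return {fr: max(0, zone.target.get(fr, 0) - zone.achieved.get(fr, 0)) for fr in FRS}

def effective_level(levels: dict) -> int:
    """A zone is only as strong as its weakest FR, so the summary level is the minimum."""
    return min(levels.get(fr, 0) for fr in FRS)

def assess(zones: list) -> list:
    """One row per zone, largest total gap first, so remediation can be prioritised."""
    rows = []
    for z in zones:
        g = gap_vector(z)
        rows.append({"zone": z.name, "sl_t": effective_level(z.target),
                     "sl_a": effective_level(z.achieved), "total_gap": sum(g.values()),
                     "gaps": {fr: v for fr, v in g.items() if v}})
    return sorted(rows, key=lambda r: r["total_gap"], reverse=True)
# Constructed sample zones for a hypothetical plant, not data from any real assessment.
SAMPLE = [
    Zone("Safety PLC", vec(3, 3, 3, 2, 3, 2, 3), vec(2, 1, 3, 2, 3, 1, 3)),
    Zone("Historian DMZ", vec(2, 2, 2, 2, 2, 2, 2), vec(2, 2, 2, 2, 2, 2, 1)),
    Zone("Engineering workstations", vec(2, 2, 2, 2, 2, 2, 2), vec(2, 2, 2, 2, 2, 2, 2)),
]
```

Running `assess(SAMPLE)` puts the Safety PLC zone first with gaps in IAC, UC and TRE, which is the kind of prioritised action list the interim and final assessment reports should contain.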
We feel that these levels will be revised in the near future to present more compliance opportunities.