Secure-by-design solutions and IEC 62443

Recent headlines about cybersecurity breaches underscore how important protecting devices and networks is in today’s world. Cyberattacks involve multiple industries, from industry giants such as Equifax, Target and, recently, SolarWinds, to universities, utilities and government agencies around the world. The attacks ranged from data breach and theft to ransomware, system infiltration and identity theft as well as nationwide attacks on key infrastructure, such as electricity and water.

Threat actors can access systems via internet-connected devices and systems, such as sensors, programmable logic controllers (PLCs), distributed control systems (DCSs), and other sensors found in IIoT (industrial internet of things) devices, such as smart alarms, smart breakers and more. These industrial automation and control systems (IACS) are vulnerable to malware, data leakage and compromise.

In a world of ubiquitous connectivity, trusted equipment is the backbone of safe network environments. But as more manufacturers and industries build and deploy smart IIoT devices, the security and safety of systems providing essential operations become more important and more difficult to manage. With the integration of IIoT devices in legacy systems and solutions on the rise, critical infrastructures and other industrial control system networks become more exposed to cyberattacks that are increasingly challenging to mitigate.

And while technology advances in leaps, the greatest vulnerability is still human error. A simple PowerPoint presentation that looks harmless can easily spread dangerous malware when an embedded link is clicked by a user. A simple USB plugged into a computer by a curious operator can take over the network of an entire plant. Threat actors exploit users through phishing, spoofing and social engineering.

The best way to combat this growing threat is to build protections in at the product or systems level. In essence, this means using a secure-by-design philosophy, standards and countermeasures to stop a cyberattack before it even starts.

Secure by design

Here’s where the ISA/IEC 62443 series of standards comes in. The standards, developed by the International Society of Automation and adopted by the International Electrotechnical Commission, help organizations reduce the risk of exposure of IACS networks to cyberthreats.

The IEC 62443 standard addresses both how to identify the key elements that should be included in a cybersecurity management system (CSMS) for IACS and how to develop a robust CSMS for them. The management systems need to address not only the nuts and bolts of the IACS, but also define policies and procedures for managing the change in how the employees of an organization think about cybersecurity.

The CMMI-SVC maturity levels

The IEC 62443-4-1 standard, which defines the elements that should be part of an effective CSMS, consists of over 40 requirements that must all be complied with to meet the standard, such as identification and authentication, code signing, development environment security, and hardware security. Organizations may choose their maturity levels for each of the requirements; however, it is important that all the requirements are complied with in order to achieve certification. An organization earns IEC 62443-4-1 certification for security development lifecycle assurance (SDLA) from any of the IEC/ISA-approved global certification bodies, such as Underwriters Laboratories (UL), Intertek, TÜV, CertX and others, when it demonstrates compliance with all requirements.

[Infographic table: how IEC 62443 protects]

IEC 62443 provides a roadmap of the process-related improvements that organizations must adopt in order to achieve best-in-class performance. Based on the Software Engineering Institute’s CMMI for Services (CMMI-SVC) model, there are five levels of maturity (summarized in Fig. 1), with each level progressing to a more advanced level of performance improvement at the organizational level. Service providers and asset manufacturers are required to identify the maturity level associated with the implementation of each requirement. The maturity levels demonstrate to customers how robust and strong the cybersecurity policies and practices of the organization claiming them are.

Security levels

Meeting IEC 62443-4-1 is a prerequisite to compliance with IEC 62443-4-2, which defines the levels of security requirements that may be embedded in an industrial automation and control system, component, device, network and/or host environment to protect against cybersecurity threats.

Organizations earn product and system certifications when they demonstrate that they comply with certain requirements of the IEC 62443-4-2 standard, as determined by the security level they wish to target for their product or system.

Validating connected products with a global standard

Organizations that offer products and processes meeting the IEC 62443 standards have a key differentiator that simplifies the product specification and acceptance process for end users and helps organizations provide a level of cybersecurity assurance to their customers, leading to greater customer satisfaction and fewer potential liabilities.

We have adopted the IEC 62443-4-1 standard, aligning with its cybersecurity standards to ensure that Eaton products are developed with cybersecurity in mind and capable of certifying to the standard.

Also aligned with IEC 62443-4-1 is our secure development life cycle (SDLC) process, which is our framework for ensuring that security is integrated at every phase of product development, with guidelines for secure coding and applying security to commercial-off-the-shelf (COTS) devices as well as processes for cybersecurity design principles. In addition, developers receive many hours of customized cybersecurity training to ensure that they integrate security in their development work.

At our Cybersecurity Center of Excellence, we test products that feature intelligence or embedded logic against key aspects of the UL 2900-1 and IEC 62443 standards, which require mandatory testing protocols for vulnerabilities, software weaknesses and malware. Our baseline cybersecurity requirements are derived from and aligned with electrical and industrial security standards such as NIST, NEMA, NHTSA, UL, IEEE, and DHS. We build on these baseline security controls (such as user identification and authentication, access controls, audit logging, and hardware security) with today’s security compliance requirements of UL 2900 and IEC 62443-4-2, meaning that our customers can rely on our products to be safe, secure and reliable.

Of course, no system is entirely without risk. Building such a system would add layers to the design, adding to the cost without materially improving function and security. We have a well-defined incident response and vulnerability management process that ensures our customers receive ongoing support to patch cybersecurity vulnerabilities that might be discovered in the product during its lifetime.