Security from the operator's view 

Introduction

The IEC 62443-2-1 standard defines the elements to establish a cyber-security management system for owners and operators of ICS. For that purpose, it lists specific security requirements with a special focus to ICS/OT the implementation of which is intended to protect the systems against unwanted access or attacks. These requirements are aimed to achieve the needed and best possible security according to the existing protection needs.
What "needed and best possible security" means in a specific plant must be assessed individually by each operator. Accordingly, the requirements defined in the standard must also be assessed and implemented individually by each operator for the respective plant. This is, because the general measures defined by the standard must be comprehensive enough, but should not be too restrictive (and in line with the available budget).

The requirements in the part 2-1 of the IEC 62443 standard series are organized into Security Program Elements (SPEs) that contain measures for establishing, implementing, maintaining, and continuously improving an SPE.

The present chapter summarizes those SPEs which relate in particular to the functionality of a plant and above all which correspond to the viewpoint of the plant operator. It therefore contains in a condensed form information from the previous chapters with the special focus of the plant operator. Details can be found in the standard.

SPE 1 – ORG 1.1

The plant operator must coordinate the Security Program (SP) with the ISMS (Information Security Management System) to ensure integrated Defense-in-Depth strategies for the ICS and coordinated operational (OT) and information (IT) security. SP and ISMS security administrators must collaborate. Common ICS network interfaces (such as firewalls or remote access) as well as a cross-interface user management should be designed and managed.

The plant operator should identify, investigate, and address areas of potential conflict.

A holistic security approach (360° security) for a plant can only result from the combination of personnel, hardware and software. To comply with the IEC 62443-2-1, SPs must therefore consider all of the following:

• Organizational measures (including organization-wide policies and practices) must be taken, and
• technical security functions provided by the hardware and software components involved must be configured and used, and
• security-related processes must be implemented for the secure setup/configuration/operation of the ICS and for maintaining its technical security functions.

SPE 2 - CM 1.1

The operator of the ICS must document, verify and maintain all included devices used to build automation infrastructures and systems, software components, communication protocols and ports in a verified inventory list (e.g., managed in a database).

This is the only way to ensure that the operator is aware of all components of the ICS and that all components are authorized and configured to meet the security requirements. The verified inventory list should also be used to record all changes to devices, components and communication paths.

SPE 3 - NET 1.1

The operator of an ICS must ensure that segmentation and communication policies are established and implemented for the interconnection of networks from the ICS and other networks. This is because external networks are a threat to the ICS as they allow access from potentially unknown sources.

The segmentation of networks allows to restrict data and control flows as well as the visibility between the ICS and external systems.

• All connections between the ICS and external networks/systems must be identified (as trustworthy or non-trustworthy), managed, authorized and documented.
• Only necessary data flows should be allowed.
• Connections between segments must be examined for threats.

SPE 4 - COMP 1.1

The plant operator must ensure that all hardware and software components included in the ICS are sufficiently protected against cyber attacks. Attacks can occur via internal interfaces (e.g., USB or configuration ports) and external interfaces (e.g., inter-process communication interfaces or APIs).

Devices used to build automation infrastructures and systems must be hardened prior to installing them in an ICS. Hardening includes, for example, removing or disabling unneeded functions, applications, network addresses and interfaces.

SPE 5 - DATA 1.1

To protect data from disclosure, tampering, loss, or loss of use, the system operator must perform a risk assessment. The goal of the risk assessment is to understand which data needs to be protected from which threats. See topic Threat and Risk Assessment.

SPE 5 - DATA 1.2

Data must be protected from threats according to its classification. The following protection mechanisms are possible:

• User access controls: Only users with appropriate permissions are allowed to access specific data or software.
• Permissions for the transmission of data: Restrict what data is transmitted and validate data and parameters to determine if they were changed during transmission or if invalid values were transmitted.
• Encryption: Protect data from disclosure.
• Digital signatures: Enable authentication and change detection based on a secure checksum.
• Physical access controls: Especially when the above options cannot be realized or if additional protection is desired. Access controls restrict physical and network access to computers and communication connections.

SPE 5 - DATA 1.4

If normal operation of the ICS cannot be maintained due to an identified security breach, the ICS must be brought into a predetermined secure state in order to limit further risks to the ICS (incl. health, safety, and environmental risks). This state is referred to as "fail-secure" (similar to the "fail-safe" from the functional safety area), into which the system is brought to protect itself from the hazard. Since this state is ICS specific, the operator must define it individually based on the risk to the ICS.

SPE 5 - DATA 1.6

After removing devices and components from the ICS and/or decommissioning them, the system operator must delete all confidential data that requires protection.

SPE 6 - USER 1.1

The plant operator must ensure that there is a plant-specific procedure for assigning identifiers, authenticators, and roles to users. Users in this context may be human users, software processes, and the devices used to build automation infrastructures and systems.

• Human users must be authenticated by their login data and will be given access to programs/data according to their role. Refer to the topic User Management for details.
• Software processes must be authenticated when connect to any process within the ICS.
• Devices connected to any device in the ICS must be identified and verified as authorized.

SPE 6 - USER 1.2

User accounts that are no longer needed must be removed or deactivated immediately. For this purpose, the operator must set up a separate procedure, in close coordination with Human Resources.

SPE 6 - USER 1.3

The user IDs, authenticators, roles and associated access rights must be configured so that they cannot be automatically disabled. This could result in the inability to perform essential operations (those that ensure health, safety, environmental and system availability). A risk assessment is required in which the plant operator identifies essential operations, their software dependencies, and associated user accounts.

Policies should be established and implemented for the identified user accounts to ensure that they automatically expire or are automatically terminated.

SPE 7

The operator must implement suitable measures for the timely detection, logging, analysis, and management of security-related events and hazards. Such measures serve to identify security-related problems, initiate actions, and record responsibilities.
Security-relevant events must be reported and written to protected event or audit logs. These logs must be retained for an appropriate period of time.

The system operator must ensure that the appropriate capabilities are in place to restore the system to its previous state if needed. For this, a site disaster recovery plan (DRP), business continuity plan (BCP), or both must be deployed and kept up to date. These plans must include disaster scenarios, error handling procedures, and processes to maintain the required level of business continuity.