Part 3 of a 4-part series.
Secure industrial control system (ICS) operations require the use of products, services and solutions that are securely architected and operated. ISA/IEC 62443 is the recognized cybersecurity standard for ICS, but adoption is still in its infancy. In this installment I’m joined by Rockwell Automation executives Rachael Conrad, Services VP and GM, and Shoshana Wodzisz, Global Product Security Leader.
Cappelli: What should people know about ISA/IEC 62443?
Wodzisz: It’s the only consensus-based global cybersecurity standard specific to industrial automation components and solutions. It covers your cybersecurity program if you’re a manufacturer, system integrator or vendor developing components that go into an ICS. In a nutshell, the standard is a set of best practices for developing high-quality, robust and secure products and solutions. It covers the entire lifecycle, from development to maintenance to disposal. Also, while the technical controls that companies like Rockwell Automation put into products and solutions are important, the standard covers how those are developed –and whether the suppliers developing them are qualified.
Cappelli: Do manufacturers need to apply ISA/IEC 62443 in their own plants?
Conrad: Yes. Our perspective is that companies should take a dual approach where they insist that vendors and partners like Rockwell Automation are applying it and are making plans to apply it in their own plants. We recommend using ISA/IEC 62443 together with the NIST Cybersecurity Framework (CSF). When combined, they provide a solid set of tools – answering the “what” and “how” that can help companies make the best decisions and move along in their cybersecurity journey.
Cappelli: We already have IT standards. Why do we need another new standard for OT security?
Wodzisz: The ISA-99 community that created the standard did look at all the great IT standards out there. But it turns out those standards are just not enough to ensure the safety, integrity and reliability of an ICS. The consequences of a cyberattack in an ICS environment are fundamentally different than in an IT environment. They can include loss of life or health, environmental damage, and loss of product integrity. OT also has different requirements than IT in areas like performance and availability.
Cappelli: Many attacks that impact OT actually start in IT. Does ISA/IEC 62443 address converged IT/OT environments?
Conrad: ISA/IEC 62443 describes a defense-in-depth model and the corresponding set of requirements for both products and systems to help protect OT systems from attacks. Typically, those attacks pivot from the IT space. We all recognize the value of IT/OT convergence, while at the same time this convergence brings a certain level of risk. So, it’s really important that the ISA/IEC 62443 security level of your systems align to your risk tolerance to make sure you get the appropriate level of protection that fits your needs.
Cappelli: What value does an ICS-specific standard bring to companies that operate in ICS environments?
Wodzisz: There’s value in having a standard that provides a common set of terms and terminology that everyone can use. Manufacturers, system integrators and vendors can all communicate expectations, requirements and responses using the same language. It saves us all time and effort. It makes things less error prone. And we can more consistently do our work. It also helps manufacturers know what they’re getting. They can articulate what they want and how much they want, such as what level of security they need in their system or solution.
Cappelli: Do you see companies adopting ISA/IEC 62443?
Conrad: We work with a wide variety of companies in different industries, and in general, most are in the early stages of adoption. Generally, exploring the standard, learning what it is, and defining a plan for where and how they could apply it. Companies are at different points in their cybersecurity journey as it relates to the OT environment. Some have cyber hygiene in place and are moving in a phased approach with phased investments. Others are just getting started on their journey.
Cappelli: What are some recommendations and resources that can help companies progress on their journey?
Conrad: Do an assessment of your current state of ICS/OT cyber hygiene. You can do that yourself, or there are a lot of places you can go to get help, like Rockwell Automation. But you need to know where you are to plan where you want to go. Also, build a pragmatic and disciplined approach for moving forward on your journey. You can progress at a pace that’s right for you based on your risk tolerance and appetite for investment.
There are some great resources on ISA/IEC 62443. I’d recommend the ISA Global Cybersecurity Alliance Quick Start Guide and the NIST CSF. These two tools can help you understand what’s important and secure it.
Read Part 1: CISO Conversations: Engaging Leadership
Read Part 2: CISO Conversations: Securing IT/OT Infrastructures
About the Author:
Dawn Cappelli is vice president of global security and CISO for Rockwell Automation. She is a member of the RSA Conference Advisory Board and RSA Conference Program Committee, and co-founder of the Open Source Insider Threat information sharing group.