
8/24/2020
09:00 AM
By Dawn Cappelli, Vice President of Global Security & CISO, Rockwell Automation.
Sponsored Article

CISO Conversations: Understanding ISA/IEC 62443

Discover why adoption of the new cybersecurity standard is critical to protecting industrial control system environments.

Part 3 of a 4-part series.

Secure industrial control system (ICS) operations require the use of products, services and solutions that are securely architected and operated. ISA/IEC 62443 is the recognized cybersecurity standard for ICS, but adoption is still in its infancy. In this installment I’m joined by Rockwell Automation executives Rachael Conrad, Services VP and GM, and Shoshana Wodzisz, Global Product Security Leader.

Cappelli: What should people know about ISA/IEC 62443?

Wodzisz: It’s the only consensus-based global cybersecurity standard specific to industrial automation components and solutions. It covers your cybersecurity program if you’re a manufacturer, system integrator or vendor developing components that go into an ICS. In a nutshell, the standard is a set of best practices for developing high-quality, robust and secure products and solutions. It covers the entire lifecycle, from development to maintenance to disposal. Also, while the technical controls that companies like Rockwell Automation put into products and solutions are important, the standard covers how those are developed – and whether the suppliers developing them are qualified.

Cappelli: Do manufacturers need to apply ISA/IEC 62443 in their own plants?

Conrad: Yes. Our perspective is that companies should take a dual approach where they insist that vendors and partners like Rockwell Automation are applying it and are making plans to apply it in their own plants. We recommend using ISA/IEC 62443 together with the NIST Cybersecurity Framework (CSF). When combined, they provide a solid set of tools – answering the “what” and “how” that can help companies make the best decisions and move along in their cybersecurity journey.

Cappelli: We already have IT standards. Why do we need another new standard for OT security?

Wodzisz: The ISA-99 community that created the standard did look at all the great IT standards out there. But it turns out those standards are just not enough to ensure the safety, integrity and reliability of an ICS. The consequences of a cyberattack in an ICS environment are fundamentally different than in an IT environment. They can include loss of life or health, environmental damage, and loss of product integrity. OT also has different requirements than IT in areas like performance and availability.

Cappelli: Many attacks that impact OT actually start in IT. Does ISA/IEC 62443 address converged IT/OT environments?

Conrad: ISA/IEC 62443 describes a defense-in-depth model and the corresponding set of requirements for both products and systems to help protect OT systems from attacks. Typically, those attacks pivot from the IT space. We all recognize the value of IT/OT convergence, while at the same time this convergence brings a certain level of risk. So, it’s really important that the ISA/IEC 62443 security level of your systems align to your risk tolerance to make sure you get the appropriate level of protection that fits your needs.

Cappelli: What value does an ICS-specific standard bring to companies that operate in ICS environments?

Wodzisz: There’s value in having a standard that provides a common set of terms and terminology that everyone can use. Manufacturers, system integrators and vendors can all communicate expectations, requirements and responses using the same language. It saves us all time and effort. It makes things less error prone. And we can more consistently do our work. It also helps manufacturers know what they’re getting. They can articulate what they want and how much they want, such as what level of security they need in their system or solution.

Cappelli: Do you see companies adopting ISA/IEC 62443?

Conrad: We work with a wide variety of companies in different industries, and in general, most are in the early stages of adoption. Generally, they are exploring the standard, learning what it is, and defining a plan for where and how they could apply it. Companies are at different points in their cybersecurity journey as it relates to the OT environment. Some have cyber hygiene in place and are moving in a phased approach with phased investments. Others are just getting started on their journey.

Cappelli: What are some recommendations and resources that can help companies progress on their journey?

Conrad: Do an assessment of your current state of ICS/OT cyber hygiene. You can do that yourself, or there are a lot of places you can go to get help, like Rockwell Automation. But you need to know where you are to plan where you want to go. Also, build a pragmatic and disciplined approach for moving forward on your journey. You can progress at a pace that’s right for you based on your risk tolerance and appetite for investment.

There are some great resources on ISA/IEC 62443. I’d recommend the ISA Global Cybersecurity Alliance Quick Start Guide and the NIST CSF. These two tools can help you understand what’s important and secure it.

Read Part 1: CISO Conversations: Engaging Leadership
Read Part 2: CISO Conversations: Securing IT/OT Infrastructures

About the Author: 
Dawn Cappelli is vice president of global security and CISO for Rockwell Automation. She is a member of the RSA Conference Advisory Board and RSA Conference Program Committee, and co-founder of the Open Source Insider Threat information sharing group.
