Amid continuing
disruption to the global supply chain, industrial organizations are seeking
ways to stabilize their operations in order to preserve their competitive
advantage. One of the most efficient ways to achieve resilient industrial
operations is to embrace new technologies. To capture, transmit, and ultimately
transform data into meaningful insights, organizations are implementing
innovative networking technologies to speed up their digitalization journey.
However, connected equipment also poses new cybersecurity risks to business
owners and therefore requires security features at the component level to
mitigate these risks. According to IDC’s Worldwide IT/OT Convergence 2022
Predictions*, by 2025, 30% of G2000 manufacturers will embed connected
technologies into their products to increase reliability. The operational insights
that can be gained by doing this will increase uptime and support an optimized
maintenance supply chain.
As this trend sees new
technologies being frequently embedded in products and more assets connected,
networking components are playing an increasingly important role. Therefore,
components must be developed to meet these new requirements. As a consequence
of this, discrete manufacturing companies are taking responsibility to ensure
that connectivity remains reliable and secure. Industrial organizations that
want to capitalize on the number of services that can be provided by connecting
more devices must ensure they are connecting devices securely and in accordance
with regulations and standards to ensure data accessibility, integrity, and
security.
A Quick Glance at the IEC 62443 Standard
There are many standards that outline the security framework for industrial control systems. One of the most prevalent and frequently adopted by industrial organizations is the IEC 62443 standard. IEC 62443 includes guidelines that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS) for different parts of a network. In addition, the standard includes guidelines for those who perform automation control and hold different responsibilities on the network. Nowadays, system integrators (SIs) often require component suppliers to comply with the subsection of the IEC 62443 standard that pertains to their devices. The figure below provides an overview that includes the scope and the roles and responsibilities of those who must ensure secure operations of a network during each stage.
Adopt the Standard to Enhance Network Security
Defined Policies and Security Management
Industrial organizations
should base their security profiles and security management systems on a risk
assessment. ‘The assessment should be able to identify dependencies, determine
what are the critical risks to the operation/safety of these processes, and
what are the responses to these risks,’ mentioned Felipe Sabino Costa in his
white paper, A Practical Approach to Adopting the IEC 62443 Standards. After
confirming the policies and security management system, it is imperative to
deploy visualization software to help asset owners get the latest information
about their security posture.
Defense-in-depth Cybersecurity for IACS Networks
A defense-in-depth framework suggests partitioning systems into zones and
conduits, as this helps mitigate risks to levels a company can accept. Each
zone and conduit is assigned a security level depending on its importance, and
the network operators must ensure that this level is adhered to. The
defense-in-depth approach can be achieved with either physical or logical
segregation by using industrial secure routers, VPNs, and remote access
solutions tailored for industrial automation. In addition, some networking
functions, such as access control lists (ACLs), can also help segment the
networks to achieve certain security levels. For asset owners or system
integrators who hope to mitigate risk, industrial intrusion
detection/prevention systems (IDS/IPS) are also a feasible option, especially
to protect critical infrastructure from malicious attacks.
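As an added illustration of the zone-and-conduit idea described above (not taken from the IEC 62443 text or from any vendor's product), the following Python sketch audits a router's ACL permit entries against a zone and conduit model. The zone names, subnets, security levels, conduit services and ACL entries are all constructed for the example, and ranking findings by the destination zone's level is an assumption.

```python
import ipaddress

# Constructed zone model: name -> (subnet, assigned security level).
ZONES = {
    "enterprise":  ("10.10.0.0/16", 1),
    "supervisory": ("10.20.0.0/24", 2),
    "control":     ("10.30.0.0/24", 3),
}
# Constructed conduits: (source zone, destination zone) -> allowed services.
CONDUITS = {
    ("enterprise", "supervisory"): {("tcp", 443)},
    ("supervisory", "control"):    {("tcp", 502)},
}
# Constructed ACL permit entries: (source CIDR, destination CIDR, protocol, port).
ACL_PERMITS = [
    ("10.10.0.0/16", "10.20.0.0/24", "tcp", 443),
    ("10.20.0.0/24", "10.30.0.0/24", "tcp", 502),
    ("10.10.5.0/24", "10.30.0.0/24", "tcp", 502),   # skips the supervisory zone
    ("10.20.0.0/24", "10.30.0.0/24", "tcp", 23),    # service outside the conduit
    ("0.0.0.0/0",    "10.30.0.10/32", "tcp", 502),  # source spans every zone
]

def zone_of(cidr):
    """Return the zone that fully contains cidr, or None if no zone does."""
    net = ipaddress.ip_network(cidr)
    for name, (subnet, _level) in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(subnet)):
            return name
    return None

def audit(permits):
    """Return (dst_level, src, dst, reason) for permits that break the model."""
    findings = []
    for src, dst, proto, port in permits:
        sz, dz = zone_of(src), zone_of(dst)
        level = ZONES[dz][1] if dz else 0  # assumption: rank by destination level
        if sz is None or dz is None:
            reason = "endpoint not confined to one zone"
        elif sz == dz:
            continue  # intra-zone traffic does not cross a conduit
        elif (sz, dz) not in CONDUITS:
            reason = f"no conduit {sz}->{dz}"
        elif (proto, port) not in CONDUITS[(sz, dz)]:
            reason = f"{proto}/{port} not allowed on {sz}->{dz}"
        else:
            continue  # permit matches a defined conduit and service
        findings.append((level, src, dst, reason))
    return sorted(findings, key=lambda f: -f[0])
```

Calling audit(ACL_PERMITS) returns the three permit entries that cross zones without a matching conduit, each tagged with the security level of the zone it reaches.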
Hardened Devices With Built-in Security Features
The built-in security
features for network devices echo back to the defense-in-depth framework and
the security management system. The building blocks that feature built-in
security are very helpful for asset owners and SIs to ensure that their systems
achieve the desired security levels. Later in this article, we will summarize
the requirements pertaining to the IEC 62443-4-2 standard.
IEC 62443-4-2 Requirements for the Automation Industry
The IEC 62443 standard
contains several subsections that relate to people with different
responsibilities. As SIs are increasingly demanding compliance with the IEC
62443-4-2 subsection, which issues guidelines for component suppliers, this
subsection is becoming ever more important. The component requirements are derived
from foundational requirements, including account, identifier, and authenticator
management, password-based authentication, public key authentication, use
control, data integrity and confidentiality, as well as backup for resource
availability.
If component suppliers
follow the set of guidelines that are defined in the IEC 62443-4-2 subsection,
they will equip network operators with the best chance of protecting their
networks against cyberattacks. Although the component suppliers must add
certain features and capabilities to their devices in order for the devices to
be suitable for deployment on Industrial IoT networks, the onus is on network
operators to utilize these features across their network. Furthermore, they
must ensure that everyone granted access to the network is familiar with the
best procedures and guidelines outlined within the IEC 62443-4-2 subsection.
Adherence to every
guideline set out under the IEC 62443-4-2 subsection will typically result in
several positive outcomes that will go a long way to enhancing network
security. However, choosing not to follow the guidelines could have negative
consequences, which will make the network less secure and leave it vulnerable
to attacks from those with malicious intent.
Moxa's Solutions
To enhance
component-level security, Moxa has introduced one of the world’s first IEC
62443-4-2 certified Ethernet switches, the EDS-4000/G4000 Series, which was
developed by following the IEC 62443-4-1 software development lifecycle
guidelines. Moxa has a large product portfolio of industrial networking devices
that allows customers to deploy the correct device that will enhance their
network security.