Making control system standards work

Understanding a company’s operational technology (OT) security posture is key to protecting its infrastructure, and IEC 62443-2-4 has added security program requirements and benefits for industrial automation and control systems (IACS) security.

12/22/2015


Changes to international standards in the industrial security arena are helping operators consistently procure and manage control systems security expertise. Understanding these changes and how they can apply to your situation is useful in evolving a company's operational technology (OT) security posture.

The need to protect your infrastructure and services from disruption is a critical priority, especially given the increasing connectivity prevalent in industrial environments. To build OT resilience, asset owners oftentimes engage with specialized consultants. These OT security researchers, testers, certification groups, and consultants can work together to fulfill a holistic risk mitigation strategy.

Nearly a year ago, with the ratification of IEC 62443, industrial operators and suppliers gained better methods to invest more efficiently in such security expertise. Since then, updates to this international industrial controls standard have been published to move systems integration work forward.

Here are some common questions about IEC 62443-2-4 along with a perspective based on experience in working with standards bodies and operators who want to improve operational security: 

What critical infrastructure has changed and how might I benefit?

The existing standard, IEC 62443, focuses on industrial automation and control systems (IACS) security. The new section, part 2-4 (IEC 62443-2-4), added security program requirements for IACS service providers. By working from specifications identified in this standard, operators can better clarify what work areas they need to scope for industrial automation and control systems security improvements. With these standards to draw from, organizations can potentially avoid "one-off" costs or variations in bids as they pursue critical infrastructure security expertise.

Specifically, IEC 62443-2-4 defines a standard set of security services (capabilities) for integration and maintenance activities, thus allowing asset owners to select those most appropriate for their sites. As a result, they can ask their integrators and maintenance contractors for standard requirements. Vendors can tailor their service offerings around these standard activities, rather than customizing their offerings specifically for each customer. 

Is IEC 62443 a cyber security standard?

IEC 62443 standards are specific to industrial automation control systems, which are OT systems as opposed to IT systems. By hardening OT environments, risks such as unauthorized access to control systems, false commands to operating equipment, and read/write of proprietary device data can be minimized. 

What kind of systems or equipment does IEC 62443-2-4 address?

IEC 62443-2-4 addresses the processes and activities used to install (integrate) and maintain industrial control systems and their components. These components can include workstations, controllers, and network devices. 

Is this applicable to my organization? Who does this standard affect?

Anyone running critical services is likely to need hardened security to prevent disruption from attacks, accidents, and nation-state incidents. IEC 62443 provides standardization to help with critical infrastructure security, and IEC 62443-2-4 is written specifically for integrators and maintenance contractors performing industrial automation control systems security work, offering them specific guidance. It also applies to asset owners who choose to do their own integration and maintenance.

What should operators do with this standard?

Operators should first review this standard—either on their own or preferably with knowledgeable sources—and use it to select requirements for their own critical infrastructure security programs. Subsequently, they should implement security-hardening work, across the categories defined, to enforce their new policies. 

What is the next step for adhering to this standard?

While IEC 62443-2-4 provides the "what" for addressing critical infrastructure security, by defining and standardizing integration and maintenance capabilities, your organization still needs to determine the "how and why" to define your own security program. This includes the subset of these capabilities applicable to your specific needs.

For example, IEC 62443-2-4 defines critical infrastructure security categories, including architecture and staffing, and provides detailed requirements for each, such as administration of network devices and data protection. It does not, however, define how the network devices will be set or who will be allowed access. Nor does it define the type and strength of passwords chosen for data protection.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. Courtesy: ISSSource, Wurldtech Security Technologies

Initial standards work can begin quickly. Yet implementations of the appropriate parts of the standard to meet the customer's requirement span long-term time horizons. Specialized expertise can bring deep knowledge, discipline, and best practices for a more robust security posture. IEC 62443-2-4 is designed to bring clarity to the integrator and maintenance areas.

Protecting a company's infrastructure and services from disruption is an important priority with the increasing connectivity prevalent in operational environments. Standards can help distinguish what work types and expertise areas can be engaged to improve the company's operations security posture.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.
