Effective cybersecurity management is imperative for all organizations, and many standards and guidelines are available to guide the effort. In this article, we distill specific action items from well-defined frameworks and standards for building a cybersecurity management system for your own industrial control system (ICS). Taking a defense-in-depth approach to network construction and choosing secure-by-design solutions from trusted vendors can help simplify the ICS cybersecurity decision-making process.
Key elements of the cybersecurity management system
In order to understand the key elements of the cybersecurity management system (CSMS), we can take an in-depth look at one of the well-defined industry standards, the IEC 62443 series, which provides a holistic and wide-ranging approach to securing industrial control systems (ICS). Although these standards provide a wealth of information to asset owners, supply chain managers and product development teams across an ever-expanding spectrum of field applications, it can be difficult to distill concrete action items for building an ICS cybersecurity management system. Here, we identify the main elements of the CSMS development process proposed by the IEC 62443 standards.
Asset owners, system integrators and product suppliers each play a defined role in the cybersecurity management system described by IEC 62443 (Table 1). In particular, the standard recommends that asset owners analyze, address, monitor and continually improve the CSMS so that it reduces cyber risk to a level consistent with the company's risk appetite. It also recommends security activities throughout the product lifecycle, so that the products and systems offered by solution providers and system integrators maintain an acceptable level of security.
Two principles in this framework translate into concrete actions for security leaders:
- Take a defense-in-depth approach to network construction.
- Choose vendors that provide secure-by-design solutions, which include after-sales service and established security response processes.
Following these two principles may help security professionals protect devices from vulnerabilities and better manage risk.
Build defense-in-depth networks
One of the most common security weaknesses in an ICS is the use of flat networks that unnecessarily allow every device on the network to communicate with every other device. A flat architecture gives operators little control over which traffic crosses the network, lets a compromise of one device propagate freely to the rest, and allows a single noisy or misbehaving device to degrade communication for all.
Taking a page out of the military playbook, asset owners can adopt the defense-in-depth approach when building their network. In the military context, defense-in-depth refers to implementing multiple layers of protection to prevent an intruder from advancing. Similarly, defense-in-depth networks are partitioned into zones (groups of assets that share common security requirements) connected only by conduits (the communication paths between zones), and each zone and conduit is assigned a security level according to the risk associated with it.
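To make the zone-and-conduit model concrete, here is an added example (not code from the original article or from any vendor) in Python that audits observed network flows against a declared zone/conduit model. Each zone is a set of subnets, each conduit is an allowed (source zone, destination zone, protocol, destination port) tuple, and any cross-zone flow with no matching conduit is flagged as a violation, which is exactly the traffic a flat network lets through unnoticed. The zone layout, the conduits and the flow log lines are constructed for illustration.

```python
"""Audit observed network flows against a zone/conduit model.

Added example, not code from the original article or from any vendor.
The zones, conduits and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Zones: assets grouped by common security requirements, here by subnet.
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "dmz":        [ip_network("10.10.0.0/24")],
    "control":    [ip_network("192.168.10.0/24")],
    "safety":     [ip_network("192.168.20.0/24")],
}

# Conduits: the only permitted cross-zone paths,
# as (source zone, destination zone, protocol, destination port).
CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("enterprise", "dmz", "tcp", 443),   # browsers reach the DMZ historian's web UI
    ("dmz", "control", "tcp", 502),      # historian polls PLCs over Modbus/TCP
    ("control", "safety", "tcp", 502),   # control zone reads status from safety zone
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no declared zone."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Classify one flow: intra-zone, conduit, unknown-host or violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-host"      # undeclared asset: investigate, do not assume benign
    if src_zone == dst_zone:
        return "intra-zone"        # governed by that zone's own security level
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "conduit"
    return "violation"             # cross-zone traffic with no conduit: flat-network symptom


def parse_flows(log: str) -> List[Flow]:
    """Parse the constructed 'src dst proto dport' line format used below."""
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit(log: str) -> Dict[str, List[Flow]]:
    """Group flows by verdict so violations can be reviewed first."""
    report: Dict[str, List[Flow]] = {}
    for flow in parse_flows(log):
        report.setdefault(evaluate(flow), []).append(flow)
    return report


# Constructed sample of observed flows (not a real capture).
SAMPLE_LOG = """\
10.0.5.20 10.10.0.7 tcp 443
10.10.0.7 192.168.10.11 tcp 502
10.0.5.20 192.168.10.11 tcp 502
192.168.10.11 192.168.10.12 tcp 44818
192.168.20.5 10.0.5.20 tcp 445
172.16.0.9 192.168.10.11 tcp 502
"""

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        for f in flows:
            print(f"{verdict:12} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Run against the sample, the audit flags the enterprise workstation speaking Modbus directly to a PLC and the safety-zone host reaching back into the enterprise network over SMB; both are paths that should exist only if a conduit was deliberately designed for them. The same model can be turned around to generate the firewall rules that enforce the conduits at each zone boundary.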
Assess security levels
An important part of the defense-in-depth strategy is to consider countermeasures both for zones and for the products inside them. Accordingly, IEC 62443 introduces the concept of security levels (SLs), which can be applied to zones, conduits, channels and products. The SL required of a zone or device is derived from a risk assessment of its place in the system, not from the device in isolation. Four levels are defined, each characterized by the kind of adversary it is intended to resist (the standard also mentions an "open" level 0, meaning no specific security requirements, which is rarely used):
- Security level 1 (SL1): protection against casual or coincidental violation.
- Security level 2 (SL2): protection against intentional violation using simple means, low resources, generic skills and low motivation.
- Security level 3 (SL3): protection against intentional violation using sophisticated means, moderate resources, ICS-specific skills and moderate motivation.
- Security level 4 (SL4): protection against intentional violation using sophisticated means, extended resources, ICS-specific skills and high motivation.
Balance risks and costs
Once the target security level (SL-T) of a zone is defined, the next step is to analyze whether the devices inside the zone, with the capability levels (SL-C) their vendors state, can meet it. If they cannot, security leaders must plan which countermeasures will close the gap so that the level actually achieved (SL-A) matches the target. These countermeasures can be technical (a firewall), administrative (policies and procedures) or physical (locked doors).
It is important to note that not every zone, conduit or device requires SL4. Asset owners and system integrators need to conduct a detailed risk analysis to determine the appropriate target level for each zone and conduit in their system. In other words, there is an inherent balancing of risk and cost that asset owners and system integrators need to consider: raising the target level of a zone raises the cost of every device and countermeasure inside it.
Choose hardened components
The concept of security levels also applies to the components that go into building the system. IEC 62443-4-2 specifically defines the technical security requirements for four types of components:
- Software applications
- Embedded devices
- Host devices
- Network devices
IEC 62443-4-2 organizes its component requirements under the seven foundational requirements shared across the series, which apply to every component type:
- Identification and authentication control
- Use control
- System integrity
- Data confidentiality
- Restricted data flow
- Timely response to events
- Resource availability
This component-level security assurance, often described as hardening, adds another layer of protection to the system as part of a defense-in-depth strategy.
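The gap analysis described under "Balance risks and costs", carried out per foundational requirement, as an added example in Python (not code from the original article or from any vendor). In IEC 62443 a security level is a vector with one value per foundational requirement, so a zone's target (SL-T) is compared FR by FR against each component's stated capability (SL-C), and the seven FRs listed above become the columns of that comparison. The zone, the component capability vectors and the countermeasures are constructed; the rule that a zone achieves, per FR, the weakest component's level unless a compensating countermeasure covering that FR raises it is a simplifying assumption, not the standard's full SL-A assessment method.

```python
"""Per-FR security-level gap analysis for one zone (SL-T versus SL-C).

Added example, not from the original article or any vendor. The zone,
component capabilities and countermeasures are constructed; treating the
zone's achieved level per FR as the weakest component's level, raised by
any compensating countermeasure covering that FR, is a simplification.
"""
from typing import Dict, List, Tuple

# The seven foundational requirements of IEC 62443, in the standard's order.
FRS = ["IAC", "UC", "SI", "DC", "RDF", "TRE", "RA"]
SLVector = Dict[str, int]


def vec(*levels: int) -> SLVector:
    """Build an SL vector: one level 0..4 per FR, in FRS order."""
    if len(levels) != len(FRS) or not all(0 <= lvl <= 4 for lvl in levels):
        raise ValueError("an SL vector needs one value in 0..4 per FR")
    return dict(zip(FRS, levels))


# Target level for a constructed control zone (SL-T).
SL_T: SLVector = vec(2, 2, 2, 1, 2, 1, 2)

# Capability levels (SL-C) as a vendor might state them, constructed.
COMPONENTS: Dict[str, SLVector] = {
    "plc-01":     vec(2, 2, 2, 1, 1, 1, 2),
    "hmi-01":     vec(1, 1, 2, 1, 1, 1, 2),
    "legacy-rtu": vec(0, 0, 1, 0, 0, 0, 1),   # old device with no authentication at all
}

# Compensating countermeasures: (name, FR covered, level it provides). Constructed.
COUNTERMEASURES: List[Tuple[str, str, int]] = [
    ("zone boundary firewall", "RDF", 3),
    ("jump host with MFA",     "IAC", 2),
]


def component_gaps(target: SLVector, capability: SLVector) -> Dict[str, int]:
    """FRs where a single component falls short of the target, with the shortfall."""
    return {fr: target[fr] - capability[fr] for fr in FRS if capability[fr] < target[fr]}


def achieved_level(components: Dict[str, SLVector],
                   countermeasures: List[Tuple[str, str, int]]) -> SLVector:
    """Zone SL-A under the simplification: weakest component per FR,
    raised to the strongest countermeasure that covers that FR."""
    achieved: SLVector = {}
    for fr in FRS:
        weakest = min(cap[fr] for cap in components.values())
        compensating = [lvl for _, cfr, lvl in countermeasures if cfr == fr]
        achieved[fr] = max([weakest] + compensating)
    return achieved


def zone_gaps(target: SLVector, achieved: SLVector) -> Dict[str, int]:
    """FRs where the zone as a whole still misses its target."""
    return {fr: target[fr] - achieved[fr] for fr in FRS if achieved[fr] < target[fr]}


if __name__ == "__main__":
    print("per-component shortfalls against SL-T:")
    for name, cap in COMPONENTS.items():
        print(f"  {name:11} {component_gaps(SL_T, cap) or 'meets target'}")
    sl_a = achieved_level(COMPONENTS, COUNTERMEASURES)
    print("zone gaps with countermeasures:", zone_gaps(SL_T, sl_a))
    # Option to evaluate: move the legacy RTU into its own, lower-target zone.
    rest = {k: v for k, v in COMPONENTS.items() if k != "legacy-rtu"}
    print("zone gaps without legacy-rtu:  ",
          zone_gaps(SL_T, achieved_level(rest, COUNTERMEASURES)))
```

Running it shows that the legacy RTU alone accounts for most of the zone's shortfall: with it in the zone, five of the seven FRs still miss the target even after the firewall and jump host are counted, whereas without it only use control falls one level short. That is the risk-versus-cost comparison the article calls for, made explicit per requirement: upgrade the device, add a countermeasure for each remaining FR, or segment it into a separate zone with a lower target.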
Select secure-by-design suppliers with post-sales support
Besides selecting security-hardened devices, asset owners also need to pay careful attention to supply chain management. Post-sales support and vulnerability response are just as important as how the devices are designed and built, because the components of an ICS typically come from several different vendors. A vulnerability in one vendor's devices, or a compromise of that vendor, can lead to the compromise of those devices and potentially of the entire system. So, beyond device-level security, security leaders also need to choose suppliers that provide security throughout the entire product lifecycle, including support, quality control, validation of performance and vulnerability response, among other aspects.
In other words, the entire product lifecycle needs to be secure-by-design. The IEC 62443 series dedicates a part, IEC 62443-4-1, to the requirements for a secure product development lifecycle (that is, building, maintaining and discontinuing devices). These requirements cover patch management, security policies and procedures, and communication with customers about known vulnerabilities. As with the IEC 62443-4-2 requirements used for product certification, a solution provider's development process can be certified against the tangible criteria in IEC 62443-4-1, which simplifies the asset owner's decision-making process.
Moreover, selecting a trusted vendor that takes a proactive approach to protecting their products from security vulnerabilities and helping their customers manage those risks through a dedicated response team can also help ensure the supply chain is protected even as new vulnerabilities and threats emerge.
Protecting the industrial control systems that keep critical infrastructure around the world up and running is a daunting task. Although many guidelines and standards are available for developing a holistic CSMS for industrial networks, asset owners, system integrators and product suppliers need to work together when building their own systems and applications. Adopting a defense-in-depth approach to network construction and selecting secure-by-design suppliers that provide proactive responses to vulnerabilities can help simplify the inherent complexity of building your own cybersecurity management system.
This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.
Table 1 and Figure 1 images courtesy of Moxa