Emerging Cybersecurity Standards for Industrial Control Systems

Earlier today I highlighted the cybersecurity technologies in the DeltaV system. Emerson’s Alexandre Peixoto held a second workshop on the emerging cybersecurity standards for industrial control systems (ICS).

There are many standards body addressing cybersecurity. Alexandre noted that probably the most mature is the NERC CIP standards for the power industries.

The ISA99 committee is working to conclude and officially publish all of the standards in the ISA/IEC 62443 series.

The DeltaV Security Manual v4.1.0 provides best practices on how to deploy a DeltaV system securely. It is highly correlated with the ISA/IEC 62443-3-3 standard.

There are 13 standards in the ISA/IEC 62443 series. These are at many levels—product level security, system level security, baseline to achieve compliance, and general support information. Alexandre noted that the three areas, product security, service deployment security and ongoing maintenance security must be part of the cybersecurity program.

3 standards are about system security standard which includes functional security, supplier development lifecycle, and embedded devices security. It’s how you develop, how you test, and what functions and features support the cybersecurity strategy.

One of the standards is a technical report about automated patch management. The standard requires end users to keep the system up to date with respect to patches, virus signatures, and other fixes.

The ISA 62443-4-1 standard describes the security development lifecycle which includes procedures, risk assessment, threat modelling and audit of control system product’s development processes. Procedures include updated processes, training and having a security lead. Risk assessment includes design review and evaluation. Threat modelling includes detailed reviews, risk mitigation and implementation guidelines. Audit includes validation and identification of improvement opportunities.

From an embedded device security standpoint, the Achilles certification provides testing of the final embedded device product and its test kit is accepted as test tool to obtain EDSA certification. The Embedded Devices Security Assurance (EDSA) is governed by the ISA Security Compliance Institute (ISCI), but based on the IEC 62443 standards. It evaluates the process to develop a product and test it.

The effort for suppliers is define the architecture of the system and determine the security boundaries. For the DeltaV system this includes zones, remote access, digital protocols and most components within the overall DeltaV system architecture. Tests must be performed on all the entry points into the system-web UIs, remote access, physical access to firewalls, etc.

The ISASecure System Security Assurance (SSA) includes compliance to the 4-1, 3-3, and 4-2 standards from the ISA-62443 series. Over the next several DeltaV releases, DeltaV will achieve ISASecure SSA certification starting with level 1 in the version 14 release.

Do you have questions on cybersecurity for the team managing cybersecurity in the DeltaV system? Leave a comment below.