The Future of Industrial Cybersecurity: IEC 62443 Meets OTAC

In the realm of industrial operations, the integrity and security of automation and control systems are paramount. The IEC 62443 standard stands at the forefront of this battle, offering a strategic framework to defend against the evolving landscape of cyber threats. This set of guidelines is not just a recommendation; it’s an imperative shield that protects the critical infrastructure powering our industries.

The significance of IEC 62443 cannot be overstated. It provides a structured approach to cybersecurity, tailored for the unique needs of industrial automation systems. By addressing security from multiple angles—ranging from system design to the supply chain—it ensures a holistic defense strategy. Compliance with this standard is a testament to an organization’s commitment to cybersecurity excellence.

As threats grow more sophisticated, adherence to IEC 62443 becomes the cornerstone of a resilient industrial ecosystem. It’s the difference between reactive firefighting and proactive fortification. For any entity entrenched in the operational technology sector, embracing the principles of IEC 62443 is not just about avoiding risks—it’s about ensuring operational continuity, safety, and trust in an interconnected world.

What is IEC 62443?

IEC 62443 is a comprehensive international series of standards that provide guidelines and best practices for cybersecurity within industrial automation and control systems (IACS).  It provides a structured framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. 

• Purpose: The standard aims to secure industrial communication networks and IACS against cyber threats, ensuring the safety, reliability, and resilience of these systems.
• Scope: It covers various aspects of cybersecurity, including technical requirements, management practices, and the roles and responsibilities of different stakeholders involved in IACS.
• Structure: IEC 62443 is organized into several parts, addressing general principles, policies, and procedures, as well as technical specifications for system design, implementation, and maintenance.
• Stakeholder Categories: The standard divides cybersecurity topics by stakeholder category, such as operators, service providers, and manufacturers, each following a risk-based approach to manage security risks.
• Defense in Depth: A key concept in the standard is 'defense in depth', which involves multiple layers of security controls to protect against threats.
• Zones and Conduits: It introduces the idea of segmenting the network into zones and conduits to manage access and control information flow.
• Certification: There are accredited certification schemes like IECEE CB Scheme and ISASecure that help organizations demonstrate compliance with the IEC 62443 standards.

The IEC 62443 standard is organized into four main parts, each addressing different aspects of cybersecurity for industrial automation and control systems (IACS):

• General (IEC 62443-1.*): This part covers topics that are common to the entire series, such as terminology, concepts, and models for industrial cybersecurity.
• Policies and Procedures (IEC 62443-2.*): This section focuses on the methods and processes associated with IACS security, including risk assessment, system design, and security policies.
• System (IEC 62443-3.*): It deals with requirements at the system level, outlining how to establish cybersecurity for IACS from a holistic perspective.
• Components (IEC 62443-4.*): This part provides detailed requirements for IACS products, including technical specifications for secure product development and lifecycle management.

Each part consists of multiple standards, technical reports, and technical specifications that collectively provide a framework for implementing and maintaining secure IACS across various industrial sectors.

Security Principles

IEC 62443 encompasses various aspects of cybersecurity, from the technical to the process-related, and is applicable across different industrial sectors. The technical depth of the standard can be understood through several key components:

Security Levels (SLs)

The standard defines four Security Levels, each representing a set of capabilities that an asset must have to defend against a corresponding set of threats. These levels range from SL1 to SL4.

• SL 1 - Protection against causal or coincidental violation: This level offers basic protection against non-malicious threats, such as unintentional human errors.
• SL 2 - Protection against intentional violation using simple means: Here, the system can defend against attacks that employ basic tools and techniques.
• SL 3 - Protection against intentional violation using sophisticated means: At this level, the system is equipped to counter threats from skilled and motivated adversaries using advanced tools.
• SL 4 - Protection against intentional violation with severe consequences: This is the highest security level, designed to protect against nation-state level adversaries or threats that could have a catastrophic impact.

Zones and Conduits

IEC 62443 introduces the concept of dividing the network into zones (areas with specific security requirements) and conduits (communication channels between zones). This segmentation helps in managing access and controlling the flow of information, which is crucial for maintaining security.

Risk Assessment

A core part of the standard involves conducting risk assessments to identify potential vulnerabilities and threats, assess the impact of these threats, and determine the required security level for each zone and conduit.

Foundational Requirements (FRs)

The standard outlines seven foundational requirements that cover areas such as: 

• FR1 - Identification and Authentication Control (IAC): This requirement ensures that all users, whether human, processes, or devices, are properly identified and authenticated before being allowed access to the IACS.
• FR2 - Use Control (UC): It involves managing and controlling the actions that an authenticated user can perform within the system, ensuring they have the necessary privileges.
• FR3 - System Integrity (SI): This requirement focuses on maintaining the integrity of the IACS, ensuring that systems and data are protected from unauthorized changes.
• FR4 - Data Confidentiality (DC): It aims to protect sensitive information within the IACS from being disclosed to unauthorized individuals.
• FR5 - Restricted Data Flow (RDF): This involves ensuring that data flows within the IACS are controlled and restricted as necessary to maintain security.
• FR6 - Timely Response to Events (TRE): It requires the system to have the capability to detect, log, and respond to security events in a timely manner.
• FR7 - Resource Availability (RA): This ensures that the IACS resources are available to authorized users when needed, protecting against denial of service attacks and other disruptions.

Maturity Model

IEC 62443 also includes a maturity model that provides a way to measure the maturity of an organization's cybersecurity practices and processes, helping to guide continuous improvement.

• Level 0 (Informal): At this level, the organization lacks a formal cybersecurity strategy. Actions are reactive, and there's no consistent approach to managing threats.
• Level 1 (Structured): The organization has established basic cybersecurity practices and procedures. However, these may not be consistently applied across the board.
• Level 2 (Integrated): Cybersecurity practices are integrated into daily operations. There's a consistent approach to managing cyber risks, with regular reviews and updates.
• Level 3 (Optimized): At this pinnacle level, the organization has a mature cybersecurity approach. Continuous improvement processes are in place, ensuring that the organization stays ahead of emerging threats.

Secure by Design

The principles of 'Secure by Design' are emphasized, advocating for security considerations to be integrated into the design and development phases of IACS components and systems.

Certification

There are certification programs like ISASecure and IECEE that allow organizations to demonstrate their compliance with the IEC 62443 standards, providing assurance to stakeholders about the security of their IACS.

Lifecycle Considerations

The standard addresses the entire lifecycle of IACS, from the initial concept and design to decommissioning, ensuring that cybersecurity is maintained throughout the system's operational life.

The Role of Authentication & Authorization in IEC 62443

Authentication & Authorization plays a crucial role in the IEC 62443 framework as it is one of the foundational requirements for securing IACS. It falls under the category of Identification and Authentication Control (FR1) and Use Control (FR2), which is designed to ensure that all users—whether they are human operators, processes, or devices—are reliably identified and authenticated before being granted access to the IACS.

This requirement is essential for establishing trust within the system and for enforcing access control policies. By verifying the identity of users and devices, the system can control access to sensitive areas and functions, thereby reducing the risk of unauthorized activities that could lead to security breaches or system disruptions.

In summary, authentication (FR1) and authorization (FR2)  in the context of IEC 62443 is about:

• Identifying and authenticating all users: This includes human users, processes, and devices. Before anyone or anything can access theIACS, they must be properly identified and authenticated.
• Access Control: Once identification and authentication are confirmed, appropriate access control measures must be in place to ensure that users have the correct permissions to perform their tasks.
• Security Assurance: Providing a level of confidence that the system’s security measures are effective in protecting against unauthorized access.

The implementation of robust authentication & authorization mechanisms is a fundamental step in protecting IACS from potential cyber threats and is integral to the overall cybersecurity strategy outlined by the IEC 62443 standards.

What is OTAC and how can it help?

swIDch’s OTAC (One-Time Authentication Code) can be a valuable tool in aligning with the IEC 62443 standard, particularly with the Identification and Authentication Control (FR1) & Use Control (FR2) foundational requirement of the System security requirements (ISA 62443-3-3) , here’s how OTAC generally supports the standard:

swIDch’s OTAC technology combines advantages of the three most common authentication systems – user ID/passwords, TOTP authenticators for generating authentication codes, and tokenization. This provides a solution that is more efficient and more effective than any of these elements individually. It generates a single dynamic code that both identifies and authenticates the user or a device at the same time and can do so without a network connection. It’s a single-use, time-based code that’s unique to the user or a device, it can’t be used by someone else or used again. And because it's a single-step authentication process it can be applied to users as well as devices for machine-to-machine access.

How OTAC meets the System Security Requirements (ISA 62443-3-3)

swIDch’s OTAC (One-Time Authentication Code) is a dynamic, randomized, one-time authentication code generated on-demand, locally by the user without needing any network that enables identification and authentication simultaneously in a single step that enhances security in Operational Technology (OT) environments.

How OTAC addresses the FR1 & FR2 requirements: 

By integrating swIDch’s OTAC into their cybersecurity strategy, organizations can strengthen their defense against cyber threats and ensure a robust authentication mechanism that aligns with the IEC 62443 standards.

Conclusion

In the pursuit of industrial cybersecurity, the IEC 62443 standard stands as a critical framework, guiding organizations in safeguarding their industrial automation and control systems against cyber threats. As we have explored, the standard’s comprehensive approach to security is essential for the resilience of critical infrastructure.

swIDch’s One-Time Authentication Code (OTAC) solution emerges as a powerful ally in this endeavor. By providing dynamic, one-time codes for authentication, OTAC aligns with the IEC 62443’s foundational requirements for Identification and Authentication Control (FR1) and Use Control (FR2). It ensures that only verified users gain access and that their actions within the system are authorized and monitored.

The implementation of OTAC technology can significantly bolster an organization’s compliance with IEC 62443, enhancing the security posture of IACS. It addresses the need for robust authentication mechanisms, which are vital in preventing unauthorized access and ensuring operational integrity.

As we conclude, it is clear that the synergy between IEC 62443 and swIDch’s OTAC solution represents a forward-thinking approach to industrial cybersecurity. By integrating OTAC, organizations can not only meet but exceed some of the stringent requirements of the standard, setting a new benchmark for security in the industrial sector.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.