In accordance with the ISA99/IEC 62443 standard
Industry in general, and particularly what is commonly referred to as industry 4.0, faces multiple challenges, among which industrial cybersecurity emerges as a key topic to consider in the technological evolution of industrial processes. Knowing where and when to make investments in industrial cybersecurity may result in a competitive advantage for those companies that are aiming to obtain greater availability, quality and performance in order to improve the efficiency of their business processes or comply with the regulations of the market to which they belong.
What is industry 4.0? Industry 4.0 involves taking advantage of digitalisation in industrial processes through increasingly frequent use of sensors and actuators that progress in the incorporation of “smart” technologies and complementary information systems which enable production processes to be transformed and made more efficient.
The figure below clearly shows the evolution of industrial automation from the incorporation of mechanical equipment in industrial processes to what is known today as the fourth industrial revolution, where cyber-physical systems play a leading and differentiating role in improving the management and efficiency of industrial processes.
Like any cybersecurity programme, the starting point for managing this issue is a risk analysis. Once that objective is set, the next question is, ‘what are we going to analyse?’ Each industry has its own characteristics, so the elements to be assessed differ depending on the level of detail we hope to obtain. For example, in the oil & gas industry, a refinery comprises multiple processes (separation, transformation, purification, etc.) through which crude oil is converted into a variety of end products. More than one industrial system is involved in each of these processes, and those systems are in turn composed of an extensive variety of components (sensors, actuators, PLCs, RTUs, HMIs, etc.). We can therefore choose to analyse a process, a sub-process, an industrial system or each of its components.
It’s quite a challenge …
The ISA99/IEC 62443 standard is the main international reference framework for cybersecurity in industrial systems, where availability and integrity are the most important factors. The protective measures it proposes are adopted against cyber threats, but also to reduce unintended technological incidents.
The ISA99 committee that initially developed the IEC 62443 series is composed of asset owners, equipment and service providers (manufacturers and integrators), governments, educational institutions and various research groups.
According to this standard, the industrial cybersecurity lifecycle consists of three phases: Assessment, Development & Implementation, and Maintenance.
Each of these phases forms part of the methodology proposed by the standard for the protection of industrial systems against incidents, whether intentional or otherwise. When we refer to “lifecycle”, it is essential to understand that in cybersecurity the state of “guaranteed” security does not exist. Rather, each of these phases must be carried out in an iterative manner, feeding off the previous phase and adding value to the next. In this way, we can improve the countermeasures implemented until a tolerable risk level is achieved.
As a starting point, the standard proposes the clear identification of the “System under Consideration” (SuC), which consists of all the infrastructure that will be the subject of the analysis. This can include control networks, tele-supervision, communications and security infrastructure (routers/firewalls), and may even incorporate corporate computer networks, depending on the services they provide to the industrial process and vice versa. Once the SuC has been identified, the “Assessment” phase begins, which includes the “Allocation of assets to zones & conduits” stage (see figure 3). In this document, we focus on that stage, leaving matters related to risk analysis for subsequent publications.
The importance of this definition lies in the premise that each specific scenario has different security levels associated with the tolerable risk for each organisation. For large-scale or complex industrial systems, it may not be recommendable or necessary to apply the same security level to all of their components. For this reason, the concepts of zone and conduit were created, which should be identified within the SuC.
A zone is defined as the logical or physical grouping of industrial assets (which may be physical assets, applications or information) that share the same security requirements.
A conduit is a specific type of zone that groups the communications which enable information to be transmitted between different zones.
Finally, the concept of channel is incorporated, which is defined as a specific communication link established within a conduit.
The objective of industrial cybersecurity is to provide the SuC with two key properties: robustness and resilience.
Robustness is defined as the capacity to keep operating in the face of a certain level of disturbance produced by cyber threats; resilience is the capacity to recover or restore the system after an undesired event occurs, with the minimum possible impact, according to the tolerable risks defined by the organisation.
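As an added illustration of the zone, conduit and channel definitions above (example code written for this edit, not part of the standard or of the original article), the following Python script models a small SuC with constructed, hypothetical asset and zone names and checks that the allocation is consistent: every asset sits in exactly one zone, every conduit joins exactly two zones, and every observed cross-zone channel belongs to a declared conduit. A channel that crosses zones outside any conduit is precisely the kind of unmodelled communication path the “Allocation of assets to zones & conduits” stage is meant to surface.

```python
"""Model a System under Consideration (SuC) as zones, conduits and channels
and check that the allocation is consistent.

Constructed example for illustration only: the asset names, zone names and
requirement labels below are hypothetical and do not come from IEC 62443.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """A single communication link (channel) between two assets."""
    src: str
    dst: str
    protocol: str


@dataclass
class Zone:
    """A grouping of assets that share the same security requirements."""
    name: str
    requirement: str      # label for the shared requirement (hypothetical)
    assets: frozenset     # asset names allocated to this zone


@dataclass
class Conduit:
    """A conduit groups the channels that link two zones."""
    name: str
    zones: frozenset      # the two zone names the conduit connects
    channels: list        # Channel objects permitted in this conduit


def zones_of(zones, asset):
    """Names of every zone that claims the asset (should be exactly one)."""
    return [z.name for z in zones if asset in z.assets]


def check_allocation(zones, conduits, channels):
    """Return a list of findings; an empty list means the allocation is consistent."""
    findings = []

    # 1. Every asset must belong to exactly one zone.
    all_assets = set().union(*(z.assets for z in zones))
    for asset in sorted(all_assets):
        owners = len(zones_of(zones, asset))
        if owners != 1:
            findings.append(f"asset {asset} is allocated to {owners} zones")

    # 2. Index the declared channels by the pair of zones their conduit joins.
    declared = defaultdict(set)
    for conduit in conduits:
        if len(conduit.zones) != 2:
            findings.append(f"conduit {conduit.name} must connect exactly two zones")
            continue
        declared[conduit.zones].update(conduit.channels)

    # 3. Every observed channel is either intra-zone or covered by a conduit.
    for ch in channels:
        src_z, dst_z = zones_of(zones, ch.src), zones_of(zones, ch.dst)
        if len(src_z) != 1 or len(dst_z) != 1:
            findings.append(f"channel {ch.src}->{ch.dst}: endpoint not allocated to one zone")
            continue
        if src_z[0] == dst_z[0]:
            continue  # intra-zone traffic is not a conduit matter
        pair = frozenset((src_z[0], dst_z[0]))
        if ch not in declared.get(pair, set()):
            findings.append(f"channel {ch.src}->{ch.dst} ({ch.protocol}) crosses "
                            f"{src_z[0]}/{dst_z[0]} outside any declared conduit")
    return findings


# Constructed sample SuC (hypothetical names).
ZONES = [
    Zone("control", "req-A", frozenset({"plc1", "plc2", "hmi1"})),
    Zone("supervision", "req-B", frozenset({"scada1", "historian"})),
    Zone("enterprise", "req-C", frozenset({"erp"})),
]
CONDUITS = [
    Conduit("control<->supervision", frozenset({"control", "supervision"}),
            [Channel("scada1", "plc1", "modbus/tcp"),
             Channel("scada1", "plc2", "modbus/tcp")]),
    Conduit("supervision<->enterprise", frozenset({"supervision", "enterprise"}),
            [Channel("erp", "historian", "opc-ua")]),
]
# Constructed list of channels as they might be observed in a traffic inventory.
OBSERVED = [
    Channel("scada1", "plc1", "modbus/tcp"),   # declared in a conduit
    Channel("hmi1", "plc1", "modbus/tcp"),     # intra-zone
    Channel("erp", "historian", "opc-ua"),     # declared in a conduit
    Channel("erp", "plc2", "modbus/tcp"),      # crosses zones with no conduit
]


if __name__ == "__main__":
    for finding in check_allocation(ZONES, CONDUITS, OBSERVED):
        print("FINDING:", finding)
```

Run on the sample data, the script reports a single finding: the `erp` to `plc2` channel crosses from the enterprise zone to the control zone without passing through any declared conduit. In practice the observed channel list would come from a traffic inventory or firewall logs, and each finding is either a conduit that must be added and secured or a communication path that should be removed.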