Enhance Industrial Network Security by Following the IEC 62443-4-2 Standard
Amid continuing disruption to the global supply chain, industrial organizations are seeking ways to stabilize their operations in order to preserve their competitive advantage. One of the most efficient ways to achieve resilient industrial operations is to embrace new technologies. To capture, transmit, and ultimately transform data into meaningful insights, organizations are implementing innovative networking technologies to speed up their digitalization journey. However, connected equipment also poses new cybersecurity risks to business owners and therefore requires security features at the component level to mitigate these risks. According to IDC’s Worldwide IT/OT Convergence 2022 Predictions*, by 2025, 30% of G2000 manufacturers will embed connected technologies into their products to increase reliability. The operational insights that can be gained by doing this will increase uptime and support an optimized maintenance supply chain.
As this trend sees new technologies being frequently embedded in products and more assets connected, networking components are playing an increasingly important role. Therefore, components must be developed to meet these new requirements. As a consequence of this, discrete manufacturing companies are taking responsibility to ensure that connectivity remains reliable and secure. Industrial organizations that want to capitalize on the amount of services that can be provided by connecting more devices must ensure they are connecting devices securely and in accordance with regulations and standards to ensure data accessibility, integrity, and security.
A Quick Glance at the IEC 62443 Standard
There are many standards that outline the security framework for industrial control systems. One of the most prevalent and frequently adopted by industrial organizations is the IEC 62443 standard. The IEC 62443 includes guidelines that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS) for different parts of a network. In addition, the standard includes guidelines for those who perform automation control and different responsibilities on the network. Nowadays, system integrators (SIs) often require component suppliers to comply with the subsection of the IEC 62443 standard that pertains to their devices. The figure below provides an overview that includes the scope and the roles and responsibilities for those who must ensure secure operations of a network during each stage.
Adopt the Standard to Enhance Network Security
Defined Policies and Security Management
Industrial organizations should base their security profiles and security management systems on a risk assessment. ‘The assessment should be able to identify dependencies, determine what are the critical risks to the operation/safety of these processes, and what are the responses to these risks,’ mentioned Felipe Sabino Costa in his white paper, A Practical Approach to Adopting the IEC 62443 Standards. After confirming the policies and security management system, it is imperative to deploy visualization software to help asset owners get the latest information about their security posture.
Defense-in-depth Cybersecurity for IACS Networks
A defense-in-depth framework suggests partitioning systems into zones and conduits as it helps mitigate risks to levels a company can accept. Each zone and conduit will be assigned a security level depending on its importance, and the network operators must ensure that this is adhered to. The defense-in-depth approach can be achieved with either physical or logical segregation by using industrial secure routers, VPNs, and remote access solutions tailored for industrial automation. In addition, some of the networking functions, such as ACL (Access control lists), can also help segment the networks to achieve certain security levels. If asset owners or system integrators hope to mitigate risk, industrial intrusion detection/prevention systems (IDS/IPS) can also be feasible, especially to protect critical infrastructure from malicious attacks.
Hardened Devices With Built-in Security Features
The built-in security features for network devices echo back to the defense-in-depth framework and the security management system. The building blocks that feature built-in security are very helpful for asset owners and SIs to ensure that their systems achieve the desired security levels. Later in this article, we will summarize the requirements pertaining to the IEC 62443-4-2 standard.
IEC 62443-4-2 Requirements for the Automation Industry
The IEC 62443 standard contains several subsections that relate to people with different responsibilities. As SIs are increasingly demanding compliance with the IEC 62443-4-2 subsection, which issues guidelines for component suppliers, this subsection is becoming ever more important. The component requirements are derived from foundational requirements, including account, identifier and authenticator management, password-based authentication, public key authentication, use control, data integrity and confidentiality, as well as backup for resource availability.
If component suppliers follow the set of guidelines that are defined in the IEC 62443-4-2 subsection, they will equip network operators with the best chance of protecting their networks against cyberattacks. Although the component suppliers must add certain features and capabilities to their devices in order for the devices to be suitable for deployment on Industrial IoT networks, the onus is on network operators to utilize these features across their network. Furthermore, they must ensure that everyone granted access to the network is familiar with the best procedures and guidelines outlined within the IEC 62443-4-2 subsection.
Adherence to every guideline set out under the IEC 62443-4-2 subsection will typically result in several positive outcomes that will go a long way to enhancing network security. However, choosing not to follow the guidelines could have negative consequences, which will make the network less secure and leave it vulnerable to attack from those with malicious intent.
To enhance component-level security, Moxa has introduced one of the world’s first IEC 62443-4-2 certified Ethernet switches, the EDS-4000/G4000 Series, which was developed by following the IEC 62443-4-1 software development lifecycle guidelines. Moxa has a large product portfolio of industrial networking devices that allows customers to deploy the correct device that will enhance their network security.
* IDC FutureScape: Worldwide IT/OT Convergence 2022 Predictions, Doc #US47131521, October 2021.