Every industry needs regulatory guidelines that act as a guide for service providers and manufacturers and as a safeguard for consumers. The IT industry has adopted a range of standards, among them the ISO/IEC information-technology standards catalogued under ICS group 35.020 (information technology in general) and ISO/IEC 27001 for information security management. Manufacturing and industrial environments have become a cyber security concern only in recent years, as Industry 4.0 drove the convergence of IT and OT networks and created the need for a combined IT and OT cyber security programme.
As more critical infrastructure is networked and exposed to the internet, security risk has grown considerably, leading to several high-profile cyber attacks, such as the May 2021 ransomware attack on Colonial Pipeline. In that case the malware hit the company's IT systems and the operator halted pipeline operations as a precaution, which shows how tightly IT and OT risk are now coupled.
Cyber security specialists are racing to secure OT environments, where an attack can damage equipment or even injure people. Standards bodies and analysts make it easier to keep abreast of developments by publishing guidelines and vendor overviews: NIST (the National Institute of Standards and Technology) regularly updates its Guide to Industrial Control Systems (ICS) Security, SP 800-82, and Gartner publishes lists of technologies together with sample vendors.
ISA 62443 – the Answer to a Growing Issue
Although these guidelines have been helpful to SOC teams, they are not regulatory standards. The ISA (the International Society of Automation), through its ISA99 committee, answered this need by developing the ISA-62443 series of standards, which the IEC (the International Electrotechnical Commission) adopted as the international ISA/IEC 62443 standard. Note that 62443 is itself a consensus standard rather than a law: compliance becomes mandatory only where a regulator, a customer contract or a procurement rule references it.
The standard is designed to be applied to existing ICS installations as well as to newly built facilities. It is intended to help operators of older plants bring their cyber security in line with current security recommendations, which is essential given the pace at which attackers develop new and more sophisticated methods.
IEC 62443 is reviewed and updated on an ongoing basis so that new technologies are incorporated and new threats addressed. It is not a single document but a multi-part series, organised into four groups (general, policies and procedures, system, and component), which includes both standards and supporting technical reports and technical specifications.
The series was originally written to secure industrial automation and control systems, but over time it has proved to be an essential guide for almost every category of OT cyber security, including utilities and transportation networks, and in particular integrated IT/OT systems. In November 2021 ISA released a press statement announcing that IEC had designated the standard as "horizontal", meaning that it can now officially be applied across many other sectors, making it easier to attain the correct level of cyber security in those industries.
The scope of the IEC 62443 series is comprehensive: it covers the ICS technology itself, and it also takes into account other risk factors such as work processes, personnel and attack countermeasures. Concretely, 62443-3-2 has the asset owner partition the system into zones and conduits, assess the risk of each, and assign each a target security level (SL-T, from 1 to 4), while 62443-3-3 lists the system requirements, grouped under seven foundational requirements, that must be met to reach a given level. This risk-based approach is in line with current best practice. It reflects the fact that a maturity-based approach (applying the same controls everywhere and grading how well they are implemented) cannot keep up as threats become more prevalent and assets more intricate and numerous. A risk-based approach lets a company concentrate both its efforts and its resources where they are most needed, protecting the most critical assets first.
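To make the risk-based idea concrete, the following added example (written for this page; it is not Radiflow's code and not text from the standard) takes a toy zone-and-conduit model, compares the target security level (SL-T) with the achieved level (SL-A) for each of the seven foundational requirements named in IEC 62443-3-3, and ranks candidate mitigations by risk reduction per unit of cost under a budget. The 1-to-5 consequence scale, the risk formula, the two zones and the mitigation costs are all constructed assumptions; the standard does not prescribe a scoring formula, so a real assessment would substitute its own.

```python
"""Toy IEC 62443-style gap analysis and mitigation prioritisation (added example).

Assumptions, none of which come from the standard or from any product:
- each zone carries a constructed 1..5 consequence score;
- risk = consequence * sum of per-FR shortfalls (SL-T minus SL-A);
- a mitigation raises one FR's SL-A by a fixed number of levels at a fixed cost.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven foundational requirements (FR1..FR7) of IEC 62443-3-3.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass
class Zone:
    name: str
    consequence: int              # constructed impact scale 1..5
    sl_target: Dict[str, int]     # SL-T per FR, 0..4
    sl_achieved: Dict[str, int]   # SL-A per FR, 0..4


@dataclass
class Mitigation:
    name: str
    zone: str
    fr: str
    gain: int                     # SL levels added to that FR when applied
    cost: float                   # constructed relative cost units


def gaps(zone: Zone) -> Dict[str, int]:
    """Per-FR shortfall SL-T minus SL-A, clipped at zero (over-achievement earns no credit)."""
    return {fr: max(0, zone.sl_target[fr] - zone.sl_achieved[fr]) for fr in FRS}


def zone_risk(zone: Zone) -> int:
    """Simplified risk score for one zone: consequence times total shortfall (assumption)."""
    return zone.consequence * sum(gaps(zone).values())


def apply(zone: Zone, m: Mitigation) -> Zone:
    """Return a new Zone with the mitigation's FR raised; SL is capped at 4."""
    raised = {**zone.sl_achieved, m.fr: min(4, zone.sl_achieved[m.fr] + m.gain)}
    return Zone(zone.name, zone.consequence, zone.sl_target, raised)


def risk_reduction(zone: Zone, m: Mitigation) -> int:
    return zone_risk(zone) - zone_risk(apply(zone, m))


def prioritize(zones: List[Zone], mitigations: List[Mitigation],
               budget: float) -> Tuple[List[Tuple[str, int]], float, Dict[str, int]]:
    """Greedy plan: repeatedly take the affordable mitigation with the best
    reduction-per-cost, re-evaluating after each pick because an earlier pick
    can shrink or eliminate the gap a later one would have closed."""
    state = {z.name: z for z in zones}
    remaining = list(mitigations)
    plan, spent = [], 0.0
    while True:
        best = None
        for m in remaining:
            reduction = risk_reduction(state[m.zone], m)
            if reduction <= 0 or spent + m.cost > budget:
                continue                      # no gap left to close, or unaffordable
            ratio = reduction / m.cost
            if best is None or ratio > best[0]:
                best = (ratio, reduction, m)
        if best is None:
            break
        _, reduction, m = best
        state[m.zone] = apply(state[m.zone], m)
        remaining.remove(m)
        spent += m.cost
        plan.append((m.name, reduction))
    return plan, spent, {name: zone_risk(z) for name, z in state.items()}


# Constructed sample: two zones of a hypothetical plant's zone-and-conduit model.
ZONES = [
    Zone("safety_plc", 5,
         {"IAC": 3, "UC": 3, "SI": 3, "DC": 2, "RDF": 3, "TRE": 2, "RA": 3},
         {"IAC": 1, "UC": 1, "SI": 2, "DC": 2, "RDF": 1, "TRE": 1, "RA": 3}),
    Zone("hmi_cell", 2,
         {fr: 2 for fr in FRS},
         {"IAC": 1, "UC": 2, "SI": 1, "DC": 1, "RDF": 1, "TRE": 2, "RA": 2}),
]
MITIGATIONS = [  # constructed candidate measures with invented relative costs
    Mitigation("Firewall conduit in front of the safety PLC zone", "safety_plc", "RDF", 2, 30.0),
    Mitigation("Unique accounts and MFA for PLC engineering access", "safety_plc", "IAC", 2, 20.0),
    Mitigation("Role-based authorisation on the engineering workstation", "safety_plc", "UC", 2, 15.0),
    Mitigation("Host hardening on HMIs", "hmi_cell", "SI", 1, 10.0),
    Mitigation("VLAN separation for the HMI cell", "hmi_cell", "RDF", 1, 8.0),
    Mitigation("Central log forwarding for HMIs", "hmi_cell", "TRE", 1, 5.0),  # TRE already meets SL-T
]

if __name__ == "__main__":
    chosen, total, residual = prioritize(ZONES, MITIGATIONS, budget=60.0)
    for name, reduction in chosen:
        print(f"-{reduction:3d} risk  {name}")
    print("spent:", total, "residual risk per zone:", residual)
```

Two things worth noticing when running it: the log-forwarding measure is never selected because the HMI zone already meets its TRE target, so spending on it buys no risk reduction; and the expensive PLC firewall conduit is displaced by cheaper access-control fixes that close the same amount of gap, which is exactly the trade-off a risk-based budget is meant to expose. The greedy ratio heuristic is a simplification; for a handful of zones an exhaustive search over affordable subsets is cheap and avoids the cases where greedy leaves budget unused.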
Radiflow’s Risk-Based OT Cybersecurity Solutions and IEC 62443
Radiflow is proud to be a supporting member of ISAGCA. ISA created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, system integrators, and other cybersecurity stakeholder organizations together to proactively address growing threats.
Radiflow's CIARA is a cyber security risk assessment platform built to support the IEC 62443 cyber risk management process. It assigns a level to each risk factor, runs attack simulations against the modelled network, and presents a prioritised list of mitigation measures ranked by the results of that simulation, so you can decide where to allocate your cyber security budget for the best return on investment. This keeps ICS expenditure under control while complying with international standards and regulations.
CIARA was built to the highest applicable industry standards and is listed as a sample vendor in a Gartner Hype Cycle report.
Contact our team today for more information and to discover how you can ensure the best level of ICS security for your OT network.