Originally published on GMI blog by GM International | August 06, 2020

Since the number of connections are always increasing, industrial safety problems arise. Help comes from Standard IEC 62443 which guarantees industrial plants safety and data integrity.

Today, industrial processes aim to reach goals of production increases and efficiency. Often, it is required to separate in different locations the monitoring and the supervising (e.g. gas distribution line, water or electric mains)

Therefore, more and more connected computer technologies are used in industrial OT (Operational Technologies). This means production processes could be dangerously modified or interrupted with cyberattacks.

While the security triad (CIA: Confidentiality, Integrity and Availability) involves IT, the SRP (Safety, Reliability and Productivity) is more related to OT.

On one side cybersecurity makes it harder for unauthorized access to happen in industrial control systems. On the other hand, in IACS (Industrial Automation Control System)/OT, cybersecurity provides for a safer working environment and neutralizes possible hackings (malware, DDoS, Man-in-the-Middle, etc).

On this topic, IEC 62443 is different from other IT security standards since it defines the requirements for all the involved parts: IT suppliers, System Integrators and Network Operators.

This means that IT and OT departments should collaborate on IEC 62443 topics. These norms aim at many targets: helping industries handle cyber risk, persevering safety and security of people, protecting the environment, avoiding consistent economic and public damages and blocking reserved information losses.

IEC 62433 regulations do not only apply to perimetric protection but underline the importance of applying a “in depth defence” model combined with solutions such as “in depth detection” to secure the network even in the design phase (security by design).

The main goal of the standard is to guarantee plant safety, confidentiality, integrity and availability. Four different Security Levels are defined.

The IEC 62443 effects 

Using a firewall is not enough to feel safe, it is necessary to work on protection layers which include people, policies and technologies. A good in-depth defense includes policies, adequate procedures, safe accesses through VPN, demilitarized zones (DMZ), account management, role-based access control, etc.

It is also very important to install a system that allows the detection of irregular events and activities like unusual protocols, unexpected traffic by type, volume or directed to unusual IPs or MACs, to missing or new instrumentation or updates. On this matter many companies developed innovative solutions, based on machine learning and behavior analysis which allow detection of specific anomalies in the IACS

Taking care of the importance of network security during the design phase, IEC 62443 underlines the “Zones & Conduits” concept. “Zones” is a group of logic or physic assets with common safety requirements. “Conduits” instead involve assets where the communication of single endpoints are transmitted such as PLC, sensors, actuators and others, transit. IEC 62443-3 defines technical requirements for electric substations security while IEC 62443-4 defines safety procedures and the engineering process.

The implementation of IEC 62443 can increase industrial plant difficulties and costs. The great advantage of mitigating risks caused by tampering or accidental or intentional damages. If security has a central role in IT, in the design phase and in the management of informatic system, in OT such awareness is still not present.

OT is older and does not contemplate recent digitalization and informatic security of industrial assets and connected networks have been underestimated. In OT it is normal to talk about security in terms of “safety” and not cybersecurity. If, up to today, being secure in industries meant avoiding accidents, with the exponential spread of new digital technologies and industry model 4.0 it is not possible to close your eyes in front of industrial informatic security.