by Michael Magee and Rob Goss
Information technology (IT) administrators have long attempted to impose IT standards on operational technology (OT) systems. OT system administrators have resisted, pointing out that OT environments have unique requirements for real-time performance, reliability, and safety that differ significantly from those of typical IT systems. To address this, the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) collaborated to create the ISA/IEC 62443 Industrial Cybersecurity Standards, which combine the best aspects of various standards into an OT-specific policy. This is the standard that we all have been asking for. Nonetheless, the path to compliance remains challenging due to limited resources, budget constraints, and diverse infrastructures.
Many articles on LinkedIn and the Internet tackle the technical aspects of 62443 compliance. Few discuss the commitment needed to embark on the journey. Compliance is not something you can gain by issuing a PO or complete as a personal goal. It will require buy-in from all levels of your organization, including the CISO, Property Manager, and Chief Building Engineer. This article lays out the considerations that should be discussed at the start of the journey to compliance.
Document the Plan: Compliance will take some time, planning, and attention to detail. The following actions are recommended to start:
- Establish a Project Charter; when seeking compliance in an existing building, the Owner’s Project Requirements (OPR) document is also recommended.
- Reference the Project Charter often to keep everyone focused on the goal, inform new team members, and document any deviations.
- Understand that pursuing a 62443 certification also requires changes in workflows. These changes will affect how your systems are administered and maintained.
Security and Maturity Level: The security and maturity levels determine what level of cyber controls or actions need to be implemented. You need to take time to identify the appropriate security level and maturity level that is right for your organization. Here are some topics to consider:
- Review the security level carefully. A security level that may be appropriate for your organization may not be enough for your tenants or the tenants you are targeting. Fiduciaries, government, and law firms could require the property to pursue a higher security level.
- The security level and maturity level are complementary rather than dependent on each other. However, as you increase the security level, you may need to increase your maturity level to meet the requirements of that security level (e.g., if a security control requires a documented, repeatable process, you may need to target maturity level 3, which requires processes to be documented and repeatable).
- Each increase is directly connected to increased resources, budget, and effort. Be realistic and document the reason why you select particular goals. This will help keep the project tracking in the same direction.
In-House or Outsourced: Be honest about your in-house capabilities. The journey will likely go through a few budget cycles and change existing workflows. Keeping momentum towards short-term goals is critical. To determine your in-house capabilities, ask the following questions:
- Does your organization have the skill set and resources to complete the work?
- Will stretching your in-house team beyond its capacity delay other initiatives, or worse, stall the project while the team works on other priorities?
- Does your organization’s risk posture indicate which efforts should be outsourced so that the risk is shared with a third party?
Determine your starting point: The journey starts by documenting how your existing infrastructure and practices compare with your security and maturity goals. This includes the following:
- Inventory all OT systems. Develop a profile for each OT device, including the network configuration, connectivity/communication standards, and all software/firmware.
- Conduct security risk assessments on the data collected above to identify potential threats and vulnerabilities and determine the risk level of each device and the systems they belong to.
- If you are like most organizations, this process will identify some hidden risks that need to be addressed before starting the compliance journey or by adjusting the starting risk level.
Develop the budget and team: The path to 62443 compliance will require an established budget and a diverse team. Both elements should consider the work identified and the projected timeframe while allowing for flexibility if additional elements are identified. This includes the following:
- Break the budget into phases or assign specific amounts to achieve a specific design principle. This will help the team track the project’s financial health and reserve funds for future phases.
- Teams will also need a cybersecurity expert, IT representation, building and system engineers, and other technical consultants. The team may want to consider adding Human Resources (HR), legal counsel, and incident response managers to refine workflows, handle communications and training, and oversee risk. Roles should be clearly defined by task and schedule.
- New construction will need to consider the team and budget for the construction and post-construction efforts. Care will be needed to include IT and the compliance team when establishing the initial planning budget.
Don’t forget workflows: Workflows are needed to maintain compliance. As different controls or design principles are enabled, new workflows will need to be established and rolled out to the users. Consider the following:
- Determine how changes will be communicated. Constant changes can overwhelm users. Developing a regular cadence to update and train all users tends to yield better results.
- Include your system vendors and third-party support vendors in the training. They are under contract to uphold your standards and need to be kept up to date.
Involve your system vendors: By involving system vendors in the compliance process, you can leverage their expertise, resources, and support to implement new standards effectively. Consider the following:
- Cybersecurity is a shared responsibility. It is important to ensure that all parties are aligned and current on the policies and procedures needed to keep the system safe and secure.
- Vendors often have in-depth knowledge of the systems and devices they provide. Collaborating with them ensures that security measures are effectively integrated and configured correctly.
- Vendors will be needed to keep software and hardware up to date and patched.
Hire a Consultant: Depending on the resources available, this may save you time and money as an experienced consultant will know exactly what is needed and may be able to evaluate cost-effective options. Consider the following:
- Consultants provide an objective view of your current security posture, helping to identify gaps and vulnerabilities that internal teams might overlook.
- Consultants focus exclusively on the compliance process, ensuring that it progresses efficiently without being sidetracked by other internal priorities.
- Consultants are more familiar with this process and the technology available. They can develop customized strategies and solutions that align with your specific needs, operational environment, and business objectives.
Key Technical Discussion: Zones and Conduits
This article has focused on the key business decisions needed to pursue ISA/IEC 62443. However, this discussion would not be complete without some technical detail on one of the key aspects of ISA/IEC 62443: the segmentation model of zones and conduits.
Zones: The easiest way to explain this concept is to ask yourself a question: What needs to be communicated to whom? Answering this should allow you to create a logical diagram showing your different systems and how they communicate with each other.
How you answer the previous question (or the logical diagram you created) is the basis for deciding which zones or networks need to be created. For example, a building management server needs to communicate with its controllers; the server and the controllers would be placed together in a zone that is isolated from the other systems. In this example, the zone groups similar devices that need to communicate with each other under a common security policy. The benefits of this architecture are the isolation of like application traffic to minimize network congestion, inter-zone communication policies that minimize unauthorized communication, the elimination of un-federated Internet access, and the ability to implement a remote access control policy. Zones or networks can be implemented by deploying individual switches for each application, by creating virtual local area networks (VLANs), or by using a management device to configure a software-defined network (SDN).
Conduits: Conduits control who or what is needed to communicate with a specific device, application, server, or zone. The policy that creates conduits can control communication between OT systems, like lighting controls and the building management system (BMS). It could also be used for remote access and management of critical OT systems. Conduits can also be configured within zones to restrict and isolate specific communications to meet security, critical communication, or privacy requirements.
Historically, communication to these systems was unfederated or wide open, allowing free communication to any device or person who had access to the network. This included internet access. In some cases (and still today), public Internet Protocol (IP) addresses were used on servers, allowing for direct access to applications and devices from the public Internet.
What can properties do now: A good place to start is an Access Control Policy that creates zones of like devices and prevents (or limits) anyone outside the zone from reaching the server or application inside it. Your own knowledge and the information gathered during the security risk assessment give you the basis for a conduit policy that allows OT-system-to-OT-system communication. It is also important that encryption such as TLS/SSL is used to secure the application data. Next, address the remote access and management conduits. This piece is often harder to tackle than any other because vendors and engineers have historically preferred things easy and uncomplicated, two preferences that don’t go hand in hand with security. The conduits that allow remote access to vendors and engineers must be tightly controlled and very specific. This has become extremely hard to do given our reliance on mobile devices and our always-available mentality. However, deploying an environment that uses zones and conduits will help you minimize the attack surface, reduce the risk of bad actors attacking system servers or applications, and give you more control over intercommunication.
Newer technology may help: Technologies like zero trust have filled a need to create trust between the vendor and engineer and the server or application that needs access. Unlike traditional VPNs, zero-trust solutions do not require inbound access policies. Once a zero-trust solution is deployed, you can create a firewall policy that doesn’t allow for inbound connections, giving you the ability to obfuscate your building and its critical systems from the Internet. Zero-trust solutions use a high level of encryption to ensure the security of the data as it traverses from the server to the end user accessing the data.
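The zone-and-conduit model above, together with the no-inbound firewall stance, can be turned into a policy check that a property team runs against its device inventory and observed traffic. The following is an added example written for this article, not code from the authors or from the ISA/IEC 62443 standard; the device names, zone assignments, conduits and the flow log lines are all constructed for illustration. It encodes the article's rules directly: traffic inside a zone is allowed, traffic between zones needs an explicitly defined conduit, any device missing from the inventory is flagged as an inventory gap, and nothing sourced from the Internet pseudo-zone is ever treated as a conduit.

```python
"""Zone-and-conduit flow audit (added example; sample data is constructed)."""
from dataclasses import dataclass

# Device inventory from the security risk assessment: device -> zone.
# "public-internet" is a pseudo-device standing in for any Internet source.
ZONE_OF = {
    "bms-server": "bms",
    "ahu-controller-1": "bms",
    "ahu-controller-2": "bms",
    "lighting-gateway": "lighting",
    "lighting-panel-3": "lighting",
    "jump-host": "remote-access",
    "corp-laptop-17": "corporate-it",
    "public-internet": "internet",
}


@dataclass(frozen=True)
class Conduit:
    """One permitted cross-zone flow, with the reason it exists documented."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    purpose: str


# The conduit policy: an explicit allow-list of cross-zone flows (constructed).
CONDUITS = (
    Conduit("remote-access", "bms", "tcp", 443, "vendor maintenance via jump host"),
    Conduit("bms", "lighting", "udp", 47808, "BMS polls lighting gateway (BACnet/IP)"),
)


def evaluate_flow(src, dst, proto, dst_port):
    """Return ("allow" | "deny", reason) for a single observed flow."""
    src_zone = ZONE_OF.get(src)
    dst_zone = ZONE_OF.get(dst)
    if src_zone is None or dst_zone is None:
        missing = src if src_zone is None else dst
        return "deny", f"{missing} is not in the OT inventory (unzoned device)"
    if src_zone == "internet":
        # No-inbound policy: Internet sources never get a conduit, even if a
        # matching port/protocol conduit exists for some other zone.
        return "deny", "inbound from the Internet is never a conduit"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within '{src_zone}'"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dst_port) == (src_zone, dst_zone, proto, dst_port):
            return "allow", f"conduit: {c.purpose}"
    return "deny", f"no conduit from '{src_zone}' to '{dst_zone}' on {proto}/{dst_port}"


def parse_flow_line(line):
    """Parse a 'key=value' flow record into (src, dst, proto, dst_port)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def audit(lines):
    """Evaluate each flow record; returns a list of (line, verdict, reason)."""
    findings = []
    for line in lines:
        src, dst, proto, dport = parse_flow_line(line)
        verdict, reason = evaluate_flow(src, dst, proto, dport)
        findings.append((line, verdict, reason))
    return findings


# Constructed flow log: what a switch or firewall might report over a day.
SAMPLE_FLOWS = [
    "src=bms-server dst=ahu-controller-1 proto=udp dport=47808",   # intra-zone
    "src=jump-host dst=bms-server proto=tcp dport=443",            # defined conduit
    "src=bms-server dst=lighting-gateway proto=udp dport=47808",   # defined conduit
    "src=corp-laptop-17 dst=bms-server proto=tcp dport=3389",      # no conduit
    "src=public-internet dst=bms-server proto=tcp dport=443",      # inbound from Internet
    "src=rogue-wifi-ap dst=lighting-panel-3 proto=tcp dport=80",   # not in inventory
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {line}  # {reason}")
```

Run as-is, the last three sample flows are denied for three different reasons, and each reason maps back to an action from the article: the corporate laptop needs either a documented conduit or a block rule, the Internet-sourced flow indicates the no-inbound firewall policy is not yet in place, and the unknown access point is an inventory gap to chase down before the conduit policy can be trusted.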
Embarking on the journey to ISA/IEC 62443 Industrial Cybersecurity Standards compliance is a multi-faceted endeavor that demands thorough planning, commitment, and active participation from various levels of your organization. From securing upper management buy-in to detailed documentation and procedural upkeep, every step requires deliberate action and alignment with broader organizational goals. Remember, effective compliance transcends mere regulatory adherence; it integrates seamlessly into the fabric of daily operations, enhancing security and operational efficiency. Navigating this path won’t be without its challenges, including budgeting, resource allocation, and evolving workflows, but with a clear plan and a united team, the risks can be mitigated and the journey towards robust cybersecurity can be successful. This article lays out crucial considerations and starting points, ensuring that those who undertake this journey are as informed and prepared as possible.