- By Pierre Kobes
New ISAGCA whitepaper explains how to apply ISO/IEC 27001/2 and the ISA/IEC 62443 series to secure operational technology environments.
Author’s note: This is an excerpt of a new whitepaper available for download. It offers guidance for organizations familiar with ISO/IEC 27001 that are interested in protecting the OT infrastructure of their operating facilities based on the ISA/IEC 62443 series. The paper describes the relationship between the ISA/IEC 62443 series and ISO/IEC 27001/2 and how both standards may be used effectively within one organization to protect both IT and OT. ISA/IEC 62443 does not require the use of an underlying information security management system (ISMS). However, it does require that, if the organization has an established ISMS, the security program in the OT environment be coordinated with it. The whitepaper, and this article, assume an existing ISMS based on ISO/IEC 27001/2; other information security standards similar in scope to ISO/IEC 27001 might be used effectively together with ISA/IEC 62443.
Many organizations (especially very large ones) have established policies and procedures governing the information technology (IT) security in their office environments. Many of these are based on ISO/IEC 27001/27002. Some have attempted to address their operational technology (OT) infrastructure under the same management system, and have leveraged many IT/OT commonalities.
Although it would be ideal to always select common controls and implementations for both IT and OT, organizations have had challenges in doing so. Examples include operator screen locking that creates unsafe conditions on OT consoles, antivirus products that are incompatible with OT equipment, patching practices that disrupt production schedules, and network traffic from routine backups delaying or blocking safety control messages. The ISA/IEC 62443 series of standards explicitly addresses issues such as these, which helps an organization maintain conformance with ISO/IEC 27001 through common approaches wherever feasible, while highlighting where the OT approach must differ from the IT approach.
Scope of ISO/IEC 27001/2. ISO/IEC 27001 provides requirements for establishing, implementing, maintaining, and continually improving an underlying information security management system, together with a list of commonly accepted controls (its Annex A) to be used as a reference when establishing security requirements. (ISO/IEC 27000, the glossary and introduction to the 27000 series, defines the term control as a “measure that is modifying risk.”) In addition, ISO/IEC 27002 provides further detailed guidance for organizations implementing these information security controls. It is designed for organizations to use as a reference for selecting controls within the process of implementing an ISO/IEC 27001–conformant ISMS.
IT and OT. “IT” is the common term for the entire spectrum of technologies for information processing, including software, hardware, communications technologies, and related services. “Operational technology” or “OT” is hardware and software that detects or causes a physical change through the direct monitoring and/or control of industrial equipment, assets, processes, and events. Increasingly, IT products and systems are used in OT infrastructures, and the advent of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) has further blurred the IT/OT distinction. The main difference remains that OT environments in general must comply with strict integrity, availability, and performance constraints, because operation outside of those constraints may affect health, safety, or the environment.
Scope of the ISA/IEC 62443 series. The scope of the ISA/IEC 62443 series of standards is the security of industrial automation and control systems (IACSs) used in OT infrastructures. This includes control systems used in manufacturing and processing plants and facilities; geographically dispersed operations such as utilities (e.g., electricity, gas, and water), pipelines, and petroleum production; and distribution facilities. The ISA/IEC 62443 series has also gained acceptance outside its original scope, for example in building automation, medical systems, and industries and applications such as transportation networks that use automated or remotely controlled or monitored assets.
Figure 1 is an overview of the scope of some core documents of the ISA/IEC 62443 series. Part 62443-2-1 is targeted at organizations that are responsible for IACS facilities, which includes owners and operators (termed “asset owners” in the series). It provides requirements for asset owner IACS security programs. Note: This article refers to the most recent version of part 62443-2-1, which has not yet been finally approved as an international standard and may be subject to change. Those changes are not expected to affect the recommendations of this paper.
In addition, the ISA/IEC 62443 series provides conformance requirements for all entities supporting asset owners in the implementation of technical and procedural security measures for the protection of operating facilities from cyberthreats. Part 62443-2-4 provides security requirements for integration and maintenance service providers supporting asset owners in the development and operation of OT-specific technical solutions. Parts 62443-3-3 and 62443-4-2 define requirements for security capabilities of systems and components, respectively. Part 62443-4-1 includes lifecycle requirements for product suppliers for the development and support of products with adequate security capabilities. In addition, the ISA/IEC 62443 series includes guidance documents for specific issues like patch management and risk-based system partitioning in zones and conduits.
A two-part approach to OT cybersecurity
ISO/IEC 27001/2 and the ISA/IEC 62443 series address two complementary parts of an overall OT cybersecurity approach (figure 2). ISO/IEC 27001/2 standards have been broadly used for many years as a base for organizing the information security of organizations. The processes and overall management structure of organizations responsible for OT environments may be integrated with an ISMS based on these standards, as will be described here. The ISA/IEC 62443 series addresses specific needs of OT infrastructures and complements the ISMS. The OT infrastructure of operating facilities may be embedded in the IT infrastructure of the responsible organization or autonomously organized. In both situations, ISO/IEC 27001/2 and the ISA/IEC 62443 series can be used for addressing complementary parts of an overall cybersecurity approach for OT environments.
ISO/IEC 27001/2 addresses the establishment of an information security management system for the IT infrastructure of an organization. ISO/IEC 27001/2 specifies generic requirements that are intended to be applicable to all organizations, regardless of type, size, or nature. The requirements for establishing, implementing, maintaining, and continually improving an ISMS are described in clauses 4 to 10 of ISO/IEC 27001. Excluding any of the requirements specified in these clauses is not acceptable when an organization claims conformity to this standard.
In addition, ISO/IEC 27001/2 includes a set of controls addressing security topics that it requires to be given consideration in a comprehensive security strategy. In a risk-based approach, an organization can ultimately select controls from the list provided by ISO/IEC 27001/2 or from other control sets, or design new controls to meet specific needs as appropriate. The distinction between ISMS requirements and information security controls found in ISO/IEC 27001/2 is illustrated by a few examples shown in figure 3.
The ISA/IEC 62443 series addresses specific needs required for cybersecurity in OT environments. The OT infrastructures of operating facilities must fulfill specific requirements of integrity, performance, and availability to ensure operational continuity. Loss of operational continuity may, for example, manifest as an explosion, a blackout, or an incorrect formula or dose of a life-saving medicine. Many operating facilities implement dedicated safety systems to prevent operational conditions that would have health, safety, and environmental consequences. Security requirements in ISA/IEC 62443 are designed so they do not prevent or disrupt safe operation.
Further, dedicated safety functions require unique protections and are therefore subject to unique security requirements in the standard. The challenges mentioned above, which organizations often face when extending existing IT security control implementations to OT, are examples of the issues that ISA/IEC 62443 addresses. The ISA/IEC 62443 series includes requirements covering the various security topics to be handled in a comprehensive security program, in the same way that ISO/IEC 27001/2 includes a list of controls addressing those security aspects. The ISA/IEC 62443 requirements address specific needs in the OT environment and complement the list of controls of ISO/IEC 27001/2 by adding critical details relevant to that environment.
ISO/IEC 27001/2 and ISA/IEC 62443 should be combined to protect the OT infrastructure of operating facilities. The above discussion shows how ISA/IEC 62443 augments ISO/IEC 27001/2 by incorporating specifics unique to the OT environment. However, ISA/IEC 62443 does not include all elements needed to secure OT. In particular, ISO/IEC 27001/2 provides ISMS requirements and controls/guidance that are entirely common to IT and OT and are not found in ISA/IEC 62443. Therefore, a method for applying both standards to OT infrastructure is recommended. The full whitepaper describes one such method.
ISO/IEC 27001/2 and the ISA/IEC 62443 series complement one another for implementing a comprehensive, risk-based, defense-in-depth strategy for the protection of operating facilities including the contribution of all entities:
- The combined requirements and controls of ISO/IEC 27001/2 and 62443-2-1 are the basis for asset owners to establish security programs and ensure the design and implementation of technical and procedural security measures.
- The requirements of ISA/IEC 62443-2-4 are the basis for service providers to support asset owners by designing and maintaining technical solutions providing the required security capabilities.
- The requirements of ISA/IEC 62443-4-1 are the basis for product suppliers to support asset owners and service providers by employing secure development processes and providing guidelines and support for integrating and maintaining the security of products used in OT infrastructures.
- The requirements of ISA/IEC 62443-3-3 and 62443-4-2 are the basis for providing product security capabilities necessary for the implementation of protection schemes by asset owners and service providers.
To implement the approach, a mapping of the related ISO/IEC 27001/2 controls to the elements of the asset owner security program specified in 62443-2-1 is required. An organization may use an approach that relies on the structure of 62443-2-1 for its security programs, or any other approach it finds convenient for merging ISO/IEC 27001/2 controls with 62443-2-1 requirements. A reference mapping could be developed for this purpose as a commonly used resource, and ISA’s Global Cybersecurity Alliance (ISAGCA) is considering developing such a reference. Organizations could use such a mapping as a starting point for the development of their OT security programs and adjust it to their specific needs as necessary.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.