Cybersecurity critical for system reliability
By Andre Ristaino
Having attended numerous conferences hosted by different industry groups over the past few years, I have found that the conversations are frequently muddled, lacking structure, and without a generally accepted paradigm for establishing context—with the exception of interchanges with a few subject-matter experts (SMEs) at the top of their game. The most frustrating dynamic is the lack of context. For example, I reviewed a recent industry group study about industrial automation and control system (IACS) cybersecurity that surveyed its constituency about spending plans for “cybersecurity solutions” in the context of purchasing cybersecurity “products” to solve the problem. That was it. The study did not separate the issues into people, process, and technology categories and did not separate the cybersecurity topics into IACS life-cycle phases.
IACS life-cycle phases are important because the challenges and responses are different, but also interrelated, in each phase. The recommended cybersecurity responses must match the issues for each phase, and in almost every case, must address people, process, and technology. In my experience, it is an exception rather than the norm that life-cycle phases enter into conversations about IACS cybersecurity. No wonder it gets messy; there are not enough IACS cybersecurity SMEs to go around, let alone SMEs at the top of their game.
Enter the ISA/IEC 62443 standards, developed in an open, structured ANSI-accredited standards development process by the ISA99 standards committee. During the course of the standards development process, hundreds of individuals contributed thousands of volunteer hours. The volunteers included industry-leading IACS cybersecurity SMEs, who worked through complex, often difficult-to-resolve issues. Moreover, the ISA99 committee included a healthy balance of stakeholders representing the interests of end users, suppliers, academia, government, and industry groups. The resulting ISA/IEC 62443 standards encapsulate hundreds of years of valuable IACS cybersecurity knowledge from the best minds in the industry. Standards codify and leverage the cumulative knowledge and expertise of the SMEs who wrote them.
The standards establish context, a common vocabulary, concepts, and models. At a minimum, a group of cybersecurity professionals who have read the ISA/IEC 62443 standards can have productive interchanges, because they are “talking the same language.”
The ISA/IEC 62443 standards (and technical reports designated with a TR prefix) are a family of 13 standards organized by target audience. They align with IACS life-cycle phases. Well-vetted requirements in the standards provide answers to the “what must I do” question for all audiences in the IACS life cycle, including product suppliers, integrator/solution providers, and owner/operators (end users). Figure 1 shows the general responsibilities of these three participant groups in the IACS cybersecurity life cycle.
Figure 1. Three IACS
life-cycle phases and
To be successful in IACS cybersecurity, all the target audiences have “shared responsibility” for all phases of the IACS cybersecurity life cycle.
- Product suppliers must securely develop commercial-off-the-shelf (COTS) components that include security capabilities that support the intended use of the products to be used in integrated solutions.
- System integrators must use practices that result in secure site-specific solutions that support the cybersecurity requirements for the intended deployment environment at operational sites.
- Asset owners must configure, commission, operate, and maintain the deployed solution in accordance with the solution’s documented cybersecurity instructions, so the solution’s cybersecurity capabilities do not degrade over time.
The green arrows show that the product suppliers have a working relationship with the integrators to ensure success in building the products into the site solution. The integrators have a working relationship with the end users for securely deploying the solution into the operating site and providing support for upgrades, maintenance, and change.
The blue arrows show that the end users have a working relationship with the integrators to triage cybersecurity issues discovered in their operations, and the integrators and product suppliers have a working relationship to triage cybersecurity issues and develop responses, possibly including product patches and updates to the operating site systems. At each level, the issue may be caused by product defects (including documentation), a process deficiency, or a personnel-related issue (training, education, process discipline). Figure 2 links each of the ISA/IEC 62443 standards to the three broad life-cycle phases and the key player or target audience for each of the three phases.
Industrial automation and control system (IACS) (from ISA/IEC 62443-2-4)
Figure 2. Example scope of IACS product life cycle
Starting at the bottom of the diagram, there is the product supplier and the two relevant, forthcoming standards: ISA/IEC 62443-4-1, Secure Product Development Lifecycle Requirements and ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components. These two standards describe requirements for the IACS security development life cycle and the IACS technical security requirements, respectively. ISA/IEC 62443-4-1 includes requirements for ensuring that products are secure by design and maintain security over the life of the products. ISA/IEC 62443-4-1 is an organizational process standard specific to cybersecurity of IACS products.
ISA/IEC 62443-4-2 establishes technical security requirements for IACS products, including applications, embedded devices, network components, and host systems.Requirements for functional security features are a key part of this standard. They are based on the seven requirements that form the basis of security characteristics for products within the ISA/IEC 62443 family of standards.
It is imperative that cybersecurity capabilities are designed into the base products offered by product suppliers. If the base product’s cybersecurity is not ensured, the integrator or solution provider is at a disadvantage, expending resources on mitigation and imposing IACS design constraints. In addition, the resulting deployed solution may be characteristically “brittle” in regards to cybersecurity, making the system difficult to change or maintain over its useful life.
Defense-in-depth strategies may also become difficult to implement and maintain if base products are not free from known vulnerabilities and robust against network attacks, resulting in the “hard on the outside and soft in the middle” cybersecurity characteristic.
Product certifications independently certify the security capabilities of IACS products. This lets end users easily determine if a product’s security features support the security policies and requirements of the project or procurement requirements.
Why standards-based certification for IACS
The international cybersecurity standards ISA/IEC 62443 provide context and an objective set of well-articulated requirements for determining an IACS product’s cybersecurity capabilities. The ISA/IEC 62443 standards are purpose-built for automation and control systems. They define multiple levels of security capabilities to which the supplier may align the product’s certification level (and associated capabilities) with its intended use. Think of the ISA/IEC 62443 standards as building codes for residential and commercial structures. The building codes establish the minimum engineering requirements for the structural, electrical, and plumbing systems of buildings, ensuring safety and longevity.
The ISASecure certifications are based on standards and provide conformity certification to international cybersecurity standards with a commitment to aligning with the ISA/IEC 62443 series of standards as they are approved and maintained. For example, the ISASecure ® SSA certification assesses conformity to the international standard ISA/IEC 62443-3-3, Part 3-3: System security requirements and security levels standards for systems. ISASecure ® SSA certificates issued by the ISA Security Compliance Institute (ISCI) certification bodies (CBs) are a formal international recognition of IACS conformance to ISA/IEC 62443-3-3.
Benefits for all stakeholders
The ISA/IEC 62443 standards give suppliers internationally accepted, objective IACS cybersecurity requirements, which reduce variability in requirements across regions or industry sectors. This is economically efficient.
End users benefit from hundreds of years of cumulative IACS cybersecurity knowledge and experience that have been codified into the ISA/IEC 62443 standards via the open-consensus standards committee process. Use of the ISA/IEC 62443 standards by end users as a basis for procurement requirements augments staff capabilities for establishing cybersecurity policies, procedures, and measures.
ISASecure® IACS cybersecurity certification scheme
In 2015, the ISA Security Compliance Institute’s governing board elected Ed Crawford from Chevron as the chairman of the board, succeeding Johan Nye from ExxonMobil. The ISCI governing board sets the strategy and direction of ISCI and provides oversight for the ISASecure® conformity assessment schemes.
Eric Cosman, the co-chairman of the ISA99 standards committee, continues to be the governing board–level liaison to the ISA99 standards committee. This role helps to ensure proper alignment of ISASecure certification schemes with the relevant ISA/IEC 62443 standards. ISCI has a standing commitment to donate completed ISCI work products to the ISA99 standards committees for consideration as input to the ISA/IEC 62443 standards development process. It submits the work products through the ISCI ISA99 liaison. ISCI has donated work products to ISA99 for the following standards: ISA-62443-3-3, ISA-62443-4-1, and ISA-62443-4-2.
ISASecure® CB additions
ISCI launched its first conformity assessment (CA) scheme, the embedded device security assurance (EDSA) certification scheme, in 2010. It has been issuing certificates of conformance since 2011. The first certification body to be accredited to the ISASecure certification programs was exida, LLC, which was independently accredited by ANSI ANAB in 2010.
ISCI added the quasi-governmental Japanese CB, Control Systems Security Center Chartered Laboratory (CSSC-CL) in 2014 as the first ISASecure-accredited CB in Asia. ISCI is currently processing the accreditation for a Germany-based CB. Talks are also progressing with interested certification bodies in the U.K. and China.
The ISCI labs are independently evaluated by an internationally accredited ISO/IEC 17011 accreditation body (AB), such as ANSI ANAB, and are accredited to ISO/IEC 17065 requirements for conformity assessment bodies and to ISO/IEC 17025 requirements for certification laboratories. The ISCI labs are authorized to perform process audits, product assessments, and product testing as a result of the ISO/IEC 17011 accreditation process for the ISASecure CA scheme.
ISCI has established memorandums of understanding with the Japan Accreditation Board, ANSI ANAB, and DAkkS in Germany to process the ISO/IEC 17011 accreditation body evaluations on behalf of ISCI in their respective regions. These accreditation bodies are signatories to multilateral recognition arrangements with organizations such as APLAC, ILAC, IAF, and the EU MLA (for DAkkS). These agreements establish a global network for mutual recognition of the services and results of accredited bodies to remove technical obstacles and multiple accreditations. This creates both national and international recognition of accredited ISCI lab results.
ISCI labs operate independently, conducting ISASecure conformity assessments and issuing certificates of conformance under their lab’s logo, with a dual logo representing achievement of ISASecure certification requirements. Accreditation of ISCI labs by internationally recognized ABs offers benefits for all stakeholders in the IACS and services value chain.
For suppliers of automation control system products and services, certifications from accredited labs provide:
- better acceptance of products and services, easing market access or making it possible
- tested once, accepted everywhere: international comparability and recognition of certificates, inspections, tests, or calibrations prevents costs from multiple assessments
- proof of competence, facilitating the selection of a suitable service provider for the conformity assessment of goods and services
For accredited bodies, such as exida and the CSSC-CL in Japan, accreditation provides:
- objective proof of quality and competence for the activities of conformity assessment bodies according to international standards
- competitive advantages over nonaccredited market participants
For consumers and end users, accreditation provides:
- more trust in the quality of products and services, notwithstanding a complex global market
- fewer production errors or recalls
For legislators, accreditation provides:
- product and services conformity assessment, offering a flexible alternative to legislation
The first ISASecure certification offered was the EDSA certification. Devices such as programmable logic controllers, supervisory control and data acquisition systems, remote terminal units, compressor controllers, and other types of embedded controllers and devices are evaluated using the EDSA requirements. The product’s security development life cycle is evaluated as one of the assessment dimensions of the EDSA certification, providing assurances that the cybersecurity capabilities will be maintained over the life of the product.
In 2014, ISCI launched the system security assurance (SSA) certification, which evaluates commercial-off-the-shelf control system products. Control systems may be comprised of one or more subsystems, such as a control system and a safety system. The SSA certification aligns with ISA 62443-3-3.
In 2015, ISCI announced and published updates to both the EDSA and SSA certifications, resulting in version 2.0 for both certification specifications, effective 1 July 2016. This was the first technical revision to the ISASecure certifications since its first publication in 2010. The advanced notification of updates gives labs, tool suppliers, and product suppliers a transition period to prepare for version 2.0, which is effective for any products submitted for certification on or after 1 July 2016.
The version 2.0 updates included improvements in the technical requirements for both EDSA and SSA, such as adding a vulnerability identification test using Nessus scans referencing the U.S. CERT National Vulnerability Database. Clarifications and improvements in the communication robustness tests were added to both EDSA and SSA, and the security development life-cycle (SDLA) requirements document was reorganized to simplify support of both EDSA and SSA. SDLA specification updates included augmented auditor guidance and expanded descriptions of requirements.
ISCI also launched the “stand-alone” SDLA certification in 2014; it is a product development organization certification that audits and certifies that the product development organization has adopted and institutionalized a formal security development life-cycle process. Several major supplier organizations have embraced the SDLA certification and are currently being audited by accredited ISASecure CBs. Schneider Electric is the first supplier to earn the SDLA certification and now has certified development sites in the U.S., U.K., and India.
The SDLA certification is structured to align with the forthcoming ISA/IEC 62443-4-1 Part 4-1: Secure product development life-cycle requirements and will undergo maintenance this summer to align with the recently approved version of ISA/IEC 62443-4-1. SDLA certificates already issued to development organizations remain valid, and the development organizations will be evaluated to the updated requirements during normally scheduled maintenance audits.
New ISASecure initiatives
Expansion of cybersecurity test coverage
New test tools have appeared in the IACS cybersecurity marketplace since the early days of the ISASecure program. ISCI is evaluating current testing approaches and coverage with the goal of improving the quality of the certifications and remaining current with available technology. One area of study includes broadening the coverage of industrial protocol testing.
Application software assurance
ISCI initiated a new certification to assess and certify software applications. The framework for the application software assurance (ASA) certification was completed in 2015, and the ISCI technical steering committee is continuing work on the ASA certification in 2016. This is an important program area for ISCI, because there is a large inventory of critical applications that are software only. An availability date for the ASA certification will be announced when the new initiative nears completion.
Building automation systems
The ISA/IEC 62443 standards have been designed as “technology-horizontal” standards for automation and control systems. The standards committees have enjoyed good representation from traditional process industries. It is reasonable to assume that the ISA/IEC 62443 standards and associated ISASecure certification scheme should be equally applicable to control system products from outside the process industries. However, before making declarations, ISCI believes that the ISA/IEC 62443 standards and the associated ISASecure certification requirements should be reviewed by supplier and end-user stakeholders from any nonprocess-industry vertical to identify gaps (if any) and ensure applicability. At the request of companies from the building automation industry, ISCI recently set up a working group to analyze the applicability of ISA/IEC 62443 and ISASecure certifications to building automation system products. The working group expects to render a report in 2016.
Case for harmonization
As the ISA/IEC 62443 standards have emerged, interest in product conformity assessment is gaining momentum globally. Government organizations, such as the National Institute of Standards and Technology and the EU, are exploring IACS product conformity assessment, as are others, such as the Federal Energy Regulatory Commission (FERC) in the U.S. It would be counterproductive if every jurisdiction developed separate CA schemes. They would cause conflicts and inefficiencies in the global market for IACS products. Suppliers would experience unnecessary requirements for multiple certifications if the certifications are not somehow harmonized. ISCI is collaborating with these organizations to encourage agreement on a single global set of CA certification requirements, or at a minimum, agreements for harmonization or equivalence of certifications.
Challenge of supply-chain certification
Earlier this year, I attended a FERC notice of proposed rulemaking in which FERC requested input on the topic of supply-chain certification for basic energy systems. The discussion was fairly open ended and did not include a definition of the scope for supply-chain certification. Utility operators, suppliers, and industry representatives gave input. It was clear that prescriptive regulations were not desired and that the participants preferred industry initiatives for securing the IACS supply chain. One presenter astutely noted that whatever the solution, the program should be globally administered, because suppliers offer products all around the globe, and many operators have sites in multiple countries and jurisdictions.
Today’s IACS product certifications are administered for systems and subsystems. Certifications for low-level components, such as printed circuit boards and chips, would be an implementation challenge requiring sophisticated lot tracking and genealogy software down through the lowest levels of the supply chain and significant changes to supplier’s operations.