New ISA99 standard on developing products that are cybersecure by design
The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
A newly published standard in the series, ISA-62443-4-1, Security for Industrial Automation and Control Systems Part 4-1: Product Security Development Life-Cycle Requirements, specifies process requirements for the secure development of products used in an IACS. It defines a secure development life cycle for developing and maintaining secure products. The life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end-of-life.
These requirements can be applied to new or existing processes for developing, maintaining, and retiring hardware, software, or firmware. The requirements apply to the developer and maintainer of a product, but not to the integrator or user of the product.
"Designing security into products from the beginning of the development life cycle is critical, because it can help eliminate vulnerabilities from products before they ever reach the field," emphasizes Michael Medoff of exida, who led the ISA99 development group for the standard. "We all know how difficult and expensive it can be to constantly have to patch software in the field. The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design."
Also coming in 2018
Two additional standards in the ISA 62443 series are expected to be published in the coming months. The first, ISA/IEC 62443-3-2: Security Risk Assessment, System Partitioning and Security Levels, is based on the understanding that IACS security is a matter of risk management. Each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each organization that owns and operates an IACS has a different tolerance for risk.
For these reasons, ISA/IEC 62443-3-2 will define a set of engineering measures to guide an organization through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and conduits, which were introduced in ISA/IEC 62443-1-1: Concepts and Models. The new standard is a basis for specifying security countermeasures by aligning the identified target security level with the required security level capabilities specified in ISA/IEC 62443‑3‑3: System Security Requirements and Security Levels.
The second standard, ISA-62443-4-2: Technical Security Requirements for IACS Components, will provide the cybersecurity technical requirements for the components that make up an IACS, specifically the embedded devices, network components, host components, and software applications. This document, which derives its requirements from the IACS security requirements of ISA/IEC 62443‑3‑3, will specify security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
In addition, ISA99 has begun working on converting ISA-TR62443-2-3, Patch Management in the IACS Environment, into a standard by adding normative language. The current technical report addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hotfixes, basic input/output system updates, and other digital electronic program updates that resolve bug fixes, operability, reliability, and cybersecurity vulnerabilities. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the effects poor patch management can have on the reliability and operability of an IACS.
The technical report provides a defined format for the exchange of information about security patches from asset owners to IACS product suppliers, and definitions of activities associated with the development of the patch information by IACS product suppliers and deployment of the patches by asset owners. The exchange format and activities are defined for use in security-related patches, but may also be applicable to other types of patches or updates.
For information on viewing or obtaining any of the ISA/IEC 62443 standards, visit www.isa.org/findstandards. For information on ISA99 and the ISA/IEC 62443 series of cybersecurity standards, contact Eliana Brazda, ISA Standards, firstname.lastname@example.org or +1-919-990-9200.