IEC-62443 Application to IIoT

1

About the Speaker

Kevin Staggs

Senior Fellow

Kevin Staggs possesses over 43 years of experience in hardware, software and systems engineering at Honeywell with 39 years focused on control systems. Mr. Staggs has been driving product cybersecurity development since 1996. Mr. Staggs is currently a Senior Fellow in Honeywell’s Advanced Connected Technology Solutions organization and serves as a cybersecurity consultant to Honeywell’s product development organizations. Mr. Staggs currently serves as co-chairperson of ISA99 working group 4 and is also the technical Chairman of the ISA Security Compliance Institute - a non-profit organization seeking to improve ICS security through standards compliance.

2

Agenda ISA and ISA-99

IEC 62443 Overview

ISA-99 Working Group 9

IIoT Certification Study

Summary

3

ISA4

ISA99 Global Standards Committee

The ISA99 committee was formed in 2002 – works closely with technical committee 65 of the International Electrotechnical Commission (IEC).

ISA/IEC 62443 standards contain over 500 normative requirements and associated rationale that address all phases of the system life cycle,

The committee has over 1,000 volunteer members, representing a wide range of industry sectors and constituency groups from all areas of the world.

The ISA99 committee includes formal and informal liaison relationships with other standards development organizations, consortia and interest groups such as IEC, OPAF, NAMUR, WIB, NIST, DHS, INL, ISASecure, and ISAGCA.

The ISA99 committee desires to engage with sector, industry, government and company programs in their efforts to address automation systems cybersecurity. Contact the committee leadership at ISA99chair@gmail.com.

5

ISA-99 Committee

Responsible for creation of the majority of 62443 standards and technicalreports

Comprised of multiple working groups and task groups

All work coordinated by Working Group 5

Working Group 9 (WG9) formed to address IIoT The group Is focused on cybersecurity of IoT within industrial usage

Membership in the group is open to members of ISA-99 committee

6

IEC 62443 Standards Family

7

General Principles

Security Context Security Objectives Response Elements (People, Process Technology) Risk-Based Approach Compensating Countermeasures Least Privilege Defense in Depth Supply Chain Security Security and Safety

Source: ISA-62443-1-1, 2nd Edition (Under development)

8

8

Fundamental Concepts

System Taxonomy Principal Roles Life Cycles and Processes Zones and Conduits Security Levels Maturity Security Program Rating

9

Source: ISA-62443-1-1, 2nd Edition (Under development)

ISA99-WG9 Addressing IIoT

The group will analyze the specific characteristics of the IIoT in terms of threats, attack surface and vulnerabilities, and examine whether the approach developed by the ISA99 committee for securing IACS is appropriate and sufficient for IIoT. In particular, it will examine the content to be given to the concept of "secure by design" objects, as a prelude to a possible certification. It will examine the arrangements to be made to secure the architectures, either in a centralized or decentralized approach, classifying data transmitted from the perspective of inherent risk, and to detect any anomalies.

10

Early work identified some concerns

Proliferation of communications with IIoT Proliferation of applications at lower levels of the control system architecture New, and unanticipated, movement of data Lack of controls for new functions

Lack of application controls Inadequate identity management Lack of tools for management

Leading to: Potential lack of trustworthiness Potential loss of control and visibility over automated systems

11

Current Activities

Development of a Technical Report on IIoT cybersecurity The report is technical guidance in the application of the requirements of IEC 62443 to

cybersecurity of IIoT

It is written predominantly for asset owners and integrators Although service providers and vendors may find it useful

Will present information on how the requirements of the IEC 62443 can be applied in the introduction of IIoT into assets.

Currently in first draft within the working group

12

Current Activities - 2

A TR is NOT a standard Recommendations or permission

No requirements

The report will not define IIoT

13

How we got here

WG9 was formed to determine if IEC 62443 could be used to address the cybersecurity of IIoT

The WG created a use case and considered whether IEC 62443 provided sufficient requirements The use case was developed to be extreme

The WG decided that IEC 62443 did have sufficient requirements, but it was unclear how to apply them Examples

Securing multi-functional devices

How to work with IIoT with cloud-based functionality

14

IIoT Certification Study

Various certification laboratories offer IACS product certifications to 62443-4-2 (component) and 62443-3-3 (system)

Asset owners seeing IIoT deployments Unsure of sufficiency of existing product certification programs Creating their own procurement criteria Prefer industry-vetted, standards-based product certification Urgent need Key new factor is direct connection to Internet

ISA-99 WG9 working on technical report on application of 62443 to IIoT ISAGCA and ISCI (ISA Security Compliance Institute) joint study to accelerate availability of vetted IIoT

certification based on 62443 Identify any gaps in 62443 certification programs Recommend next steps for creation of IIoT certification programs

To follow progress of ISA-99 WG9 IIoT and contribute study results

15

Overall approach

Definition - candidate gap: Something that might be missing in existing certification programs, to be able to meaningfully certify IIoT under 62443

1. Find candidate gaps by reviewing industry sources on topic of IoT/IIoT security Leverage large body of existing studies and other efforts

2. Find and categorize candidate gaps considering Map to 62443

Map to existing certification criteria

3. Identify next steps for addressing gaps as appropriate In standard

In certification programs

16

Status

Initial scope IIoT devices and gateways, find gaps with respect to 62443-4-2 certification Fully outsourced IIoT systems

Results to date - for IIoT devices and gateways Reviewed 6 industry sources for IoT/IIoT security Many requirements found already in 62443-4-2

Many start at capability security levels (SL-C) >=2 Some gaps identified Outlined certification criteria In-progress, opinions here not yet formally those of ISAGCA/ISCI

17

Status

Next stepsReport draft underway Team reviewSystem level study

18

Scope of study for components = IIoT devices and gateways

19

IIoT gateway(network device

and software application)

Firewall (network device)

Historian (software

application)

PLC (embedded

device)

IIoT device(embedded

device)

IIoT device(embedded

device)

Other IACS components (may or may not connect to IIoT gateway, no direct Internet connection)

IIoT devices

IIoT gateway, directly connected to the Internet

Industry sources analyzed against 62443-4-2

1. Any candidate gaps from WG92. Any candidate gaps from ISAGCA/ISCI IIoT team3. Microsoft seven properties of highly secure devices4. Industrial Internet Consortium Reference Architecture and Security Framework 5. ENISA Baseline Security Recommendations for IoT in the context of Critical Information

Infrastructures (2017)6. IoT Cybersecurity Certification Program’ which was announced by CTIA, a US wireless

industry association, in August 2018 https://www.ctia.org/news/ctia-iot-cybersecurity-certification-program-certifies-first-device https://www.ctia.org/news/wireless-industry-announces-internet-of-things-cybersecurity-certificationprogram, test plan at https://www.ctia.org/certification-resources

7. NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline 8. NIST catalog of IoT device cybersecurity capabilities - https://pages.nist.gov/FederalProfile-

8259A/

20

How to get involved

Join ISA-99 WG9 and contribute to writing and reviewing the technical report You do not need to be a member of ISA to participate

Contact Eliana Brazda at ebrazda@isa.org

Join ISASecure or ISA-GCA to contribute to certification study

Join ISA-GCA

21

ISA Global Cybersecurity Alliance

Bridge the gap between publication of the 62443 standards and adoption by stakeholders.

Awareness & Outreach Advocacy & Adoption Compliance & Prevention Training & Education

Launched July 2019

25 members in 2nd half 2019; add 50 more in 2020

Added industry groups – LOGIIC, ISASecure, ISA99; in discussion with others

Globalize - Establish regional teams for outreach activities and regulatory tracking (NA, EU, Japan, MEA) in 2020

Complete 8 key projects in 2020

22

ISA-GCA Member Companies23

ISASecure

Globally recognized ISA/IEC 62443 certification brand

Started in 2007, first certification in 2011 Eight certification global bodies in EU, ASEAN, Japan, USA, Canada Certifies systems, components, development organizations Promotes adoption of ISA/IEC 62443 standards in

collaboration with ISAGCA and ISA99 standards committee OPAF agreement to use ISASecure scheme for assessing prototype components Can certify IOT components/devices today New certifications in development

1) IIOT system certification

2) facility certification for building management systems (BMS).

24

ISASecure supporters past and present

YPF Trust CB

25

Summary

• Applicability of IEC-62443 to IIot is a work in progress• Contributors to the work are needed

• ISA-99 WG9 for the technical report

• ISASecure for certification report

• ISA-GCA for promotion and adoption of ISA-62443

26

Contacts and information

• For ISA-99 (IEC/ISA-62443):• https://www.isa.org/isa99• Contact Eliana Brazda at ebrazda@isa.org or ISA-99 chairs at

ISA99chair@gmail.com.

• For ISA-GCA:• https://isaautomation.isa.org/cybersecurity-alliance/• Contact Andre Ristaino at aristaino@isa.org

• For ISASecure:• https://isasecure.org/en-US/• Contact Andre Ristaino at aristaino@isa.org

27

Thank you