By Dr. Pierre Kobes, Product and Solution Security Officer, Siemens AG, Karlsruhe
The basic understanding of the IEC 62443 standard is that the protection of a production system against intended or unintended misuse through cyberattacks cannot be achieved with one single measure. Rather, it has to be shaped by the various parties involved. The standard differentiates three basic roles, all of which must make a contribution: product supplier, integrator and operator. The product supplier is responsible for the development, sales and maintenance of OEM (original equipment manufacturer) components, such as programmable logic controllers (PLC) or network components for machine builders. In this respect, the machine builder is also a product supplier according to IEC 62443.
The integrator is responsible for the integration of the machine into the production installation, its configuration and its commissioning. The operator is responsible for the operation and maintenance of the production installation as well as its dismantling at the end of the life cycle. It is important to note that these are roles that can be carried out by different organizations. For example, maintenance is often carried out by an external service provider, although according to the role concept of the standard it remains the responsibility of the operator. On the other hand, the machine builder predetermines many configuration and integration possibilities through the functions of the machine - and often also assumes the role of the integrator.
"Defense in Depth" is the golden path
The important concept of "Defense in Depth" is based on the recognition that the protection of the production installation requires the participation of all stakeholders: operator, integrator and product supplier. A number of concerted and coordinated measures must be implemented, each of which can be regarded as a line of defense. The various parts of the IEC 62443 standard support the design of a defense-in-depth strategy. If the lines of defense are presented as a shell model, the outer layers are found in the operation and maintenance processes of the operator. Further lines of defense are formed by the configuration and integration of the machine. The innermost lines of defense are formed by the security functions of the machine itself.
Protection levels for evaluation
From the point of view of the operator, an evaluation of the protection of his production installation can only be carried out on the premises and must cover all the measures of a holistic protection strategy. The concept of protection levels provides such a framework and a method for analysing conformity to the IEC 62443 standard. Organizational and technical measures are evaluated together. The latter are reflected in the security functions and properties of the machine.
The standard differentiates the strength of technical measures into four security levels. The organizational measures in the operating and maintenance processes of the operator have a decisive influence on the protection. They have to be described in a comprehensive way, and it has to be ensured that personnel act according to the processes.
This is also reflected in the degree of maturity of the organization. Here, too, the standard distinguishes four degrees of maturity, called "maturity levels". Each combination of security level and maturity level is assigned to a protection level, which allows a sound evaluation of the protection of the system during operation. For the manufacturer, the standard provides a comprehensive framework to maximize security throughout the product's life cycle.
Concept creates trust in products
The "Holistic Security Concept" has five aspects: security functions, improvement of processes, dealing with incidents, increasing awareness and IT infrastructure. The aim is to implement a holistic approach to the development, production and marketing of the products based on IEC 62443. With the implementation of the "Holistic Security Concept", the product supplier proves his trustworthiness with regard to security.
The first four aspects - security functions, improvement of processes, dealing with incidents, increasing awareness - pursue the goal of offering high-quality products with advanced security functions and properties. Parts 3-3 and 4-2 of the standard form the basis for the functional requirements. Security must also be fully integrated into the product development cycle as described in part 4-1. This covers not only the phases from specification to production release, but also requires the handling of vulnerabilities and incidents for as long as the product is commercially available. It goes without saying that raising the awareness of all of the manufacturer's employees is the basis of all these activities.
The fifth aspect, the IT infrastructure, ensures that the software used in the products is exactly the software created by the development teams. Here the goal is to ensure integrity. The IT infrastructure in development and production must be protected in order to prevent manipulation. In this respect, the product supplier takes on the role of the operator of his own production systems and development environments as defined by IEC 62443.