The IEC 62443 series was developed to secure industrial communication networks and Industrial Automation and Control Systems (IACS) through a systematic approach.

It currently comprises nine standards, Technical Reports (TR) and Technical Specifications (TS), with four parts still under development. IACS can be found in an increasing number of sectors and industries, many of which, such as energy supply and distribution, transport, manufacturing, etc., are central to critical infrastructure (PH 9.860.2: The Review of Measures to be Implemented by Critical Infrastructure Operators Pursuant to Section 8a (1) BSIG).

IACS also include Supervisory Control and Data Acquisition (SCADA) systems, which are often used by organisations operating in critical infrastructure industries, such as power generation, transmission and distribution, gas and water supply networks. Ensuring risk mitigation and resilience is therefore essential.

Prevention of illegal or inappropriate access

In IEC 62443 publications, “the term ‘security’ is considered to be the prevention of illegal or unwanted intrusion, intentional or unintentional interference with the proper and intended operation of, or inappropriate access to, confidential information in Industrial Automation and Control Systems (IACS).”

Security “includes computers, networks, operating systems, applications and other programmable, configurable components of the system”.

IEC 62443 standards cover all aspects of cyber security at all stages and are a cornerstone of a secure-by-design approach.

Therefore, a broad overview of the IEC 62443 publications is necessary as they are relevant to all industrial communication networks and IACS users, including plant owners, system integrators, equipment manufacturers, suppliers, plant operators, maintenance professionals and all private and governmental organisations involved in or affected by cyber security of control systems (IEC / TS 62443-1-1 Industrial communication networks, network and system security – Part 1-1: Terminology, concepts and models).

The IEC 62443 series of standards is divided into four parts, which cover the following:

  • General (IEC 62443-1.* – one part of four published)
    The general documents provide an overview of the industrial security process and introduce essential concepts.
  • Policies & Procedures (IEC 62443-2.* – three parts of four published)
    The Policies & Procedures documents emphasise the importance of policies – even the best security is useless if employees are not trained and committed to supporting it.
  • System (IEC 62443-3.* – all three parts published)
    Since security can only be understood as a property of an integrated system, the system documents provide important guidance on the design and implementation of secure systems.
  • Components (IEC 62443-4.* – both parts published)
    Since you cannot build a solid building from weak bricks, the component documents describe the requirements that must be met by secure industrial components.

Information technology (IT) and operational technology (OT)

International IEC standards such as ISO / IEC 27001 and IEC 62443, together with testing and certification (conformity assessment), are important tools for a successful and holistic cyber security programme. Such an approach increases stakeholder confidence by demonstrating not only the use of security measures based on best practices, but also that an organisation has implemented the measures efficiently and effectively. This must be integrated into an overarching strategy that encompasses people, processes and technology. This not only looks at the technical measures themselves, but also the organisation around these measures, which ensures that cyber-attacks are detected in a timely manner.

Implementation challenges

Although IEC 62443 offers many benefits and advantages, implementing the standard also brings some challenges.

First, the standard is not yet complete: some of its parts have not yet been published.

Second, the standard is very extensive: with a total volume of more than 800 pages so far, and further parts to be published successively, a considerable amount of time and effort is required to read and understand the complete standard.

With our auditing standard in accordance with IDW PS 860 (IT auditing outside the audit of financial statements), we ensure compliance with legal or regulatory requirements.

The audit notes (PH) are intended for

  • Cloud / Cybersecurity
  • Examination of the principles, procedures and measures in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) (PH 9.860.1)
  • Audit for operators of critical infrastructures (PH 9.860.2)
  • Conformity with GoB requirements (German principles of proper accounting)

Compliance with industry standards and recognised IT frameworks

  • PCI-DSS
  • ISO standards
  • COSO, COBIT or ITIL

With our attestation, we ensure that the mechanisms, implemented measures and controls are subjected to a design appropriateness test (point-in-time consideration) and that the criteria applied are suitable. We examine the implementation of the controls and measures intended to ensure cyber security and subject them to an operating effectiveness test (period consideration), thereby confirming that the controls and measures were effective throughout the period.

The pandemic has made home the new workplace for many of your colleagues. A familiar environment, but is it safe?

Most work is done over home internet service provider (ISP) connections, i.e. through unsecured routers. Neighbours may be able to listen in on your phone calls and pick up sensitive information. Perhaps your partner also uses the same work device for other business. In short, there is no more popular target for cyber-attacks than the homes of your employees.

Hackers use well-known methods such as phishing emails almost daily. The fraudsters are keeping up with the times and shamelessly exploiting the pandemic. They direct your employees to websites that supposedly sell mouth-nose coverings, medical face masks and particle-filtering half masks (FFP), or lead the “victim” to websites to read the latest news (e.g. how to recover from the virus). Hackers even developed an app that posed as the “World Health Organisation WHO”. This app was confusingly similar to the original; it was deceitful and extracted information directly from the user’s mobile phone. Old-fashioned security measures – such as firewalls – have reached their limits in stopping cyberthreats of this kind.

But what can be done? We need to rethink the issues around cyber security so that employees can work safely from a distance.

Unfortunately, it is not possible to avoid cyber-attacks completely. However, not every threat is a big threat per se. It is important that your staff are made aware of the risks so that they can act in time to prevent the most dangerous cyber-attacks. This makes the difference between a successful remote workforce and a vulnerable one. The company is advised to have a “home office policy” in place, because companies bear the burden of proof. Companies need a clear procedure for handling data breaches and IT problems.

In order to prevent irreparable and possibly expensive data protection breaches (under the GDPR (DSGVO) and / or BDSG), we recommend the following courses of action:

Work data remain work data

  • Switch off laptops / work devices outside working hours
  • Lock screen as soon as you leave the workplace (even if only for going to the toilet and back)
  • Lock screen to protect it from unauthorised third parties (flatmates, family members, friends, etc.)

Do not slack on passwords

  • It is recommended to use at least twelve characters (including special characters and numbers)
  • It is recommended to change the password regularly (every 30 days)

Reboot

  • This is important so that the antivirus software updates itself regularly
  • This process minimises the vulnerability of (mobile) devices

Beware of suspicious e-mails

  • Do you know the sender?
  • Does the message look like spam?
  • Employees should delete and report phishing attempts immediately

The best offensive against cyber-attacks is a good defence strategy. This starts with conducting an IT analysis. This is how your company arms itself against data breaches:

  1. The necessary anti-virus software must be provided by the employer for all end devices, such as laptops.
  2. All employees who work remotely must attend regular (every twelve months) training sessions on information and cyber security. Employees must be informed about current threats in a timely manner.
  3. Introduce multi-factor authentication so that employees confirm their identity via their phones before accessing confidential files.
  4. Set up an encrypted VPN connection to secure access to company information.
  5. Appoint a Data Protection Officer / Information Security Officer to whom potential cyber-attacks can be reported.