Cybersecurity: IEC62443 and the “Security Level” approach

(To Umberto Cattaneo*)
16/01/25

As we have seen in my previous article, the RAT theory identifies the attacker's motivation as an important element in assessing threats, and shows why adequate protective measures must be implemented to prevent or respond to cyber attacks.

With reference to cybersecurity applied to the OT (Operational Technology) world, the IEC 62443 standard similarly follows a risk-based approach: it defines how to implement protections by referring to the attackers' motivations and to the damage that a successful attack could cause.

In particular, starting from the analysis of the risks related to a threat, five security levels are defined, from Security Level 0 (no particular protection needs) up to Security Level 4 (maximum protection).

One of the most important features of the IEC62443 standard, which is widely used as a reference for OT infrastructures, is that it defines security levels not only for the individual components of a system but also for the system as a whole, as the sum of the technologies, architectures and procedures applied.

Another important feature of IEC62443 is that it provides checklists for the definition of the security level, making the evaluation of a system's ability to resist cyber attacks objective and standardized.

Finally, the concept of security level follows the same logic as the “SIL” levels used to evaluate “Safety” characteristics (“physical safety”, we would say in Italian), which refer to the ability of a system to operate continuously without causing damage to people or property, according to the IEC61508 and IEC61511 standards. Evaluation of and compliance with SIL levels has long been mandatory, for example, for the control systems of critical infrastructures such as railway or road tunnels, systems with a high risk of environmental impact, and signaling systems.

Let's see how cyber security levels are defined and how, in practice, they can be achieved when building an industrial control system.

The definition of security level refers to the protections that must be introduced to mitigate attacks from:

SL1: inadvertent errors committed by individuals within the organization (e.g. employee errors);

SL2: voluntary attacks by individuals with few resources, simple means, low motivation and generic knowledge of industrial control systems (ICS) (such as cybercriminals, hackers);

SL3: voluntary attacks by individuals with moderate resources, sophisticated means, moderate motivation and specific knowledge in the field of industrial control systems (ICS) (cyberterrorists and hacktivists);

SL4: voluntary attacks by individuals with large resources, sophisticated means, high motivation and specific knowledge in the field of industrial control systems (ICS) (cyberterrorists, cyberattacks by nations, APTs).

To achieve the Security Levels, objective evaluation parameters have been defined so that evaluations can be standardized wherever in the world they are carried out.

The fundamental requirements evaluated in conformity checks or certifications are 7; they are then enriched by a number of additional requirements to arrive at a complete description of the security features of a system and/or product.

Fundamental requirements assess how a system is able to:

  1. Check identification and access authorization

  2. Control users in their operations

  3. Manage data confidentiality

  4. Manage data integrity

  5. Control and limit data flow

  6. React promptly to a malicious event

  7. Ensure critical system redundancies

Each of the above-mentioned fundamental requirements, as already mentioned, is then enriched by additional requirements, and together they constitute an "objective" checklist of approximately 100 parameters which defines the Security Level Achieved (SL-A) by a system (or product).

It is important to note that in an OT cybersecurity project, achieving a Security Level Target (SL-T) can be planned in several phases, which may also include the modernization of production infrastructures to make them suitable for the introduction of cybersecurity controls. The SL-T can thus be reached by attaining intermediate SLs over time.

This process can take years, during which, to ensure the security of the system, it may be necessary to introduce compensating controls, even temporary ones, capable of making up for any deficiencies related to the obsolescence of the systems.
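As an added illustration of the checklist, SL-T and phased approach described above (example code written for this article's explanation, not part of IEC 62443 or of the original text), the script below scores a system's Security Level Achieved per fundamental requirement and lists what still separates it from the target. The requirement names, the level each one is assigned to and the "met" flags are constructed sample values; the real checklist must be taken from the standard.

```python
# Added example, not from the article: compare Security Level Achieved (SL-A)
# with Security Level Target (SL-T), one value per fundamental requirement.
# Checklist items are constructed; a real assessment uses the standard's own.
from typing import Dict, List, Tuple

# The seven FRs in the order the article lists them.
FRS = ["identification and access authorization", "use control",
       "data confidentiality", "data integrity", "restricted data flow",
       "timely response to events", "critical redundancy"]

# (FR index, requirement, lowest SL that needs it, met in this system?)
SAMPLE: List[Tuple[int, str, int, bool]] = [
    (0, "unique identification of every user", 1, True),
    (0, "multifactor authentication for remote access", 2, False),
    (1, "role-based authorization on every operation", 1, True),
    (1, "session lock after inactivity", 2, True),
    (2, "encryption of sensitive data at rest", 2, True),
    (3, "integrity check of configuration changes", 1, True),
    (3, "integrity protection of control traffic", 2, False),
    (4, "segmentation into zones and conduits", 1, True),
    (4, "deny-by-default filtering on every conduit", 2, True),
    (5, "audit log protected from operators", 1, True),
    (5, "continuous monitoring of security events", 2, False),
    (6, "redundant controllers for critical loops", 2, True),
]

def sl_achieved(checklist) -> List[int]:
    """SL-A per FR: the highest level whose requirements, and all
    lower-level ones, are met. One unmet low-level item caps the FR."""
    result = []
    for fr in range(len(FRS)):
        items = [(lvl, ok) for i, _, lvl, ok in checklist if i == fr]
        achieved = 0
        for level in sorted({lvl for lvl, _ in items}):
            if not all(ok for lvl, ok in items if lvl <= level):
                break
            achieved = level
        result.append(achieved)
    return result

def sl_gap(sl_t: List[int], checklist) -> Dict[str, List[str]]:
    """FRs below target, with the unmet items up to the target level: the
    work a phased plan (or a temporary compensating control) must cover."""
    gaps = {}
    for fr, (t, a) in enumerate(zip(sl_t, sl_achieved(checklist))):
        if a < t:
            gaps[FRS[fr]] = [name for i, name, lvl, ok in checklist
                             if i == fr and lvl <= t and not ok]
    return gaps
```

With the sample data, `sl_achieved(SAMPLE)` gives the vector [1, 2, 2, 1, 2, 1, 2], so an SL-T of 2 for every FR leaves three FRs to close, while an SL-T of 1 is already met and could serve as a first intermediate milestone.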

Another fundamental element to consider is the introduction of maintenance and update plans dedicated to the OT world. These plans must take into account the need to limit impacts on production cycles, integrate into existing processes, keep cyber components updated as validated by the system component suppliers, and not interfere with supervision and control processes.

The main difference compared to the checks carried out in the IT field is that the approach works at system level and no specific baseline rules are defined; instead, a vision that is as “holistic” as possible is required.

* ISA99/IEC62443 Expert