The need to apply specific standards for the cybersecurity of Industrial Control Systems in Critical Infrastructures

28/02/22

In this article I will give some references for implementing a methodological approach, developed on the basis of international experience, that uses a specific standard, IEC62443, for the cyber defense of the critical infrastructures on which the functioning of the country depends.

The situation we are living through shows us every day that cyber wars have completely different characteristics from traditional conflicts. A cyber attack follows the principles of asymmetric warfare: there is no well-defined front, and attacks can arrive at any point and at any time. Even with limited resources, substantial damage can be caused; protection must therefore be distributed, kept up to date and structured according to solid, validated and shared criteria.

In the world of critical infrastructures, continuity of supply of public utility services has the highest priority and must be maintained, so that no harm comes to people, the environment or process systems: harm that could lead to huge losses of human life and financial capital.

From this point of view, the NIS legislation has made a strong contribution: it has identified critical targets and their risks, and it has made it possible to become aware of the real cyber protection measures existing in the country.

Having completed this first step, it is important that the specificity of industrial control systems is now taken into consideration, since they almost always represent the beating heart of an infrastructure that provides essential services. Think of a DCS (Distributed Control System) in a petrochemical plant or a pharmaceutical factory, a SCADA (Supervisory Control And Data Acquisition) system in an electricity, gas or drinking water distribution network, or a BMS (Building Management System) controlling a hospital. All these infrastructures need to be protected promptly to ensure their functioning, according to rules that are clear, well defined and easy to apply, in terms of both technologies and processes. Those rules must also be understandable and applicable in a context that is not purely Information Technology (IT), but is shaped by the working practices of people who interact with the cyber-physical world and often do not have a thorough background in IT.

Safety and Security

The vocabulary of industrial control systems uses an English distinction between Safety and Security.

In Italian we do not have this distinction: we speak of "sicurezza" in an all-encompassing sense. The English distinction has its reason: "Safety" has to do with HSE (Health, Safety & Environment), while "Security" deals with the protection of data and systems, which in the industrial world are not primarily personal data but rather the data and commands needed to keep a process running correctly.

In some plants there are systems designed to safeguard Safety, the so-called Safety Instrumented Systems (SIS), whose task is to act as the last line of defense before a system can produce catastrophic damage. By way of example, SIS are the systems that trigger an emergency shutdown before an explosion can occur in a process reactor, that isolate a section of plant affected by a fire so that the fire does not propagate, or that regulate traffic in a tunnel. These systems must already comply with precise SIL (Safety Integrity Level) levels defined by international standards (among others IEC 61511 and IEC 61508) and taken up by national laws, which set safety scales to be respected as a function of the risks to be mitigated, assessed on the damage that a malfunction could cause.

The SIL scale goes from SIL1, the minimum, to SIL4, the maximum level of safety for the system.

Compliance with SIL has been practised for some time and is accepted in all industrial sectors and critical infrastructures; it gives a clear and precise definition of how to protect people, whether workers, users or citizens, from damage that may be caused by machinery in the broadest sense.

In the same way that "Safety" is classified with an easy-to-understand and easy-to-apply scale, there is a specific standard for the protection of OT (Operational Technology) industrial control systems from cyber attacks: IEC62443. It is now taking on a horizontal value, that is, it is valid in any infrastructure context where there are systems or networks to be protected from malicious actions (Security).

The standard was born in the United States in the early 2000s as ISA99 (a committee of the International Society of Automation) and was then adopted internationally as IEC62443 (International Electrotechnical Commission). One part of this series (part 3-3) defines the system security requirements and the Security Levels to be implemented according to the risks and threats to be protected against.

What are the threats? How can they be classified, and protective measures then implemented?

In this regard there are several classifications, but one of the most effective is that of the FBI, which identifies the following:

The IEC62443-3-3 standard defines the Security Levels (SL 1 to SL 4) to be implemented as a function of the capabilities attributed to the threats listed above, characterised by four main factors: motivation, skills, means and resources. SL 1 protects against casual or coincidental violation; SL 2 against intentional violation using simple means, low resources, generic skills and low motivation; SL 3 against sophisticated means, moderate resources, ICS-specific skills and moderate motivation; SL 4 against sophisticated means, extended resources, ICS-specific skills and high motivation.

Applying security level SL4 gives a critical infrastructure very high protection against attacks by Advanced Persistent Threats (APTs), that is, organisations that have extensive resources, sophisticated means, in-depth knowledge of Industrial Control Systems (ICS) and strong motivation.

How and why should a Security Level (SL) be evaluated?

An SL is an objective parameter, not subject to drift inherited from the experience of an individual, the persuasiveness of a technology supplier or the company's past history. The IEC62443 standard defines 7 Foundational Requirements (FRs) against which the security level is evaluated: Identification and Authentication Control (IAC), Use Control (UC), System Integrity (SI), Data Confidentiality (DC), Restricted Data Flow (RDF), Timely Response to Events (TRE) and Resource Availability (RA). Because the level is assessed per FR, the result is a vector of seven values rather than a single number, and the standard distinguishes the target level (SL-T), the level actually achieved by a system (SL-A) and the level a component is capable of (SL-C).

Each FR is broken down into System Requirements (SRs), and most SRs carry Requirement Enhancements (REs) that become mandatory only at the higher levels, so the level to be achieved determines how many items apply. To evaluate an SL there are specific checklists for systems and networks, with more than 100 items to check.
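The following is an added example by the editor, not code from the article or from the standard. It models the SL evaluation just described: a checklist of SR/RE items, each tagged with the FR it belongs to and the lowest SL at which it is mandatory; a per-FR achieved level computed cumulatively (an RE required at SL 3 does not count while an SL 2 RE is still missing); and a comparison of the resulting SL-A vector with an SL-T vector. The checklist is a constructed, abbreviated subset for illustration (one base SR per FR plus the RE chains under SR 1.1 and SR 5.1, with level assignments quoted from IEC62443-3-3 as the editor recalls them and to be verified against the standard text); a real assessment uses the standard's full tables. The FR abbreviations are the standard's own.

```python
"""Security Level (SL) vector assessment in the style of IEC 62443-3-3.

Editor's added example; the checklist below is a constructed, abbreviated
subset of SR/RE items, not the standard's full requirement tables.
"""
from dataclasses import dataclass

# The seven foundational requirements (FRs) of IEC 62443-3-3, in order.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass(frozen=True)
class Requirement:
    rid: str     # identifier, e.g. "SR 1.1" or "SR 1.1 RE 1"
    fr: str      # foundational requirement the item belongs to
    min_sl: int  # lowest SL (1..4) at which the item is mandatory


# Constructed, abbreviated checklist (assumption): one base SR per FR plus
# the requirement-enhancement chains of SR 1.1 and SR 5.1.
CHECKLIST = (
    Requirement("SR 1.1", "IAC", 1),       # human user identification and authentication
    Requirement("SR 1.1 RE 1", "IAC", 2),  # unique identification and authentication
    Requirement("SR 1.1 RE 2", "IAC", 3),  # multifactor authentication for untrusted networks
    Requirement("SR 1.1 RE 3", "IAC", 4),  # multifactor authentication for all networks
    Requirement("SR 2.1", "UC", 1),        # authorization enforcement
    Requirement("SR 3.1", "SI", 1),        # communication integrity
    Requirement("SR 4.1", "DC", 1),        # information confidentiality
    Requirement("SR 5.1", "RDF", 1),       # network segmentation
    Requirement("SR 5.1 RE 1", "RDF", 2),  # physical network segmentation
    Requirement("SR 5.1 RE 2", "RDF", 3),  # independence from non-control-system networks
    Requirement("SR 5.1 RE 3", "RDF", 4),  # logical and physical isolation of critical networks
    Requirement("SR 6.1", "TRE", 1),       # audit log accessibility
    Requirement("SR 7.1", "RA", 1),        # denial of service protection
)


def achieved_level(fr: str, checklist, satisfied: set) -> int:
    """Achieved SL for one FR.

    SL n is reached only if every item of that FR mandatory at SL <= n is
    satisfied, so levels are cumulative: meeting an SL 3 enhancement while an
    SL 2 one is missing still yields at most SL 1. Returns 0 when even an SL 1
    item is missing. The result is also capped at the highest level the
    checklist actually contains items for, so a truncated checklist cannot
    inflate SL-A (design choice of this example).
    """
    items = [r for r in checklist if r.fr == fr]
    if not items:
        raise ValueError(f"no requirements in checklist for FR {fr}")
    highest_assessable = max(r.min_sl for r in items)
    level = 0
    for n in range(1, highest_assessable + 1):
        if all(r.rid in satisfied for r in items if r.min_sl <= n):
            level = n
        else:
            break
    return level


def sl_vector(checklist, satisfied: set) -> dict:
    """Achieved SL vector (SL-A): one value per FR, in FR order."""
    return {fr: achieved_level(fr, checklist, satisfied) for fr in FRS}


def gaps(target: dict, checklist, satisfied: set) -> dict:
    """Per FR, the items still unmet for the target level (empty list = met)."""
    return {
        fr: [r.rid for r in checklist
             if r.fr == fr and r.min_sl <= target.get(fr, 0) and r.rid not in satisfied]
        for fr in FRS
    }


def meets_target(target: dict, achieved: dict) -> bool:
    """True when every component of SL-A is at least the corresponding SL-T."""
    return all(achieved[fr] >= target.get(fr, 0) for fr in FRS)


if __name__ == "__main__":
    # Constructed evidence for one zone: which checklist items are in place.
    in_place = {"SR 1.1", "SR 1.1 RE 1", "SR 2.1", "SR 3.1", "SR 4.1",
                "SR 5.1", "SR 5.1 RE 1", "SR 5.1 RE 2", "SR 6.1", "SR 7.1"}
    # Constructed target vector for the zone.
    sl_t = {"IAC": 3, "UC": 1, "SI": 1, "DC": 1, "RDF": 3, "TRE": 1, "RA": 1}
    sl_a = sl_vector(CHECKLIST, in_place)
    print("SL-T:", [sl_t[fr] for fr in FRS])
    print("SL-A:", [sl_a[fr] for fr in FRS])
    print("target met:", meets_target(sl_t, sl_a))
    for fr, missing in gaps(sl_t, CHECKLIST, in_place).items():
        if missing:
            print(f"  {fr}: still missing {missing}")
```

With the constructed evidence the zone reaches SL-A {2 1 1 1 3 1 1}: IAC stops at 2 because SR 1.1 RE 2 (multifactor authentication for untrusted networks) is not in place, so the SL-T of 3 on IAC is not met even though the RDF target is. Capping each FR at the highest level the checklist covers is deliberate: with a partial checklist the honest answer is "not assessed", not SL 4.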

What is the advantage of a "standard-based" approach to protecting the country's infrastructure? It makes it possible to define a clear minimum level of security, based on the risk that a cyber attack poses to the infrastructure itself.

For the operator, the classification model proposed is one that has already entered its way of working for functional safety, with the SIL levels described above. As a further benefit, operators can define a security roadmap built in milestones, so as to reach a clear Security Level Target (SL-T) within a reasonable time frame.

The approach of implementing cyber protections according to IEC62443 Security Levels is increasingly widespread internationally. Today many projects, especially abroad, require compliance with SL2 or SL3 where the infrastructure is considered critical and a malicious attack could have consequences for the population or the environment.

In this regard, it is enough to recall the December 2015 cyber attack, linked to the BlackEnergy malware, on Ukrainian electricity distribution companies, which left more than 200,000 customers without power: analyses of the attack indicate that a Security Level 2 implemented in the grid's control systems would have prevented the intrusion from succeeding.

Conclusions

In conclusion, I believe the time has come to pay particular attention not only to the protection of personal data and the retention of business data, but also to the defense of critical infrastructures in terms of continuity of operation and HSE risks, applying a standard dedicated to the cyber protection of industrial control systems in the broad sense, such as IEC62443.

It is important that operators of essential services are given definite guidance for implementing homogeneous control system protection measures. Minimum cybersecurity levels should be required to protect the Security of critical infrastructures, as is already done for Safety. The protection of the country's infrastructures and industrial control systems must rest on specific standards and on objective, measurable security levels; otherwise we run the risk of finding ourselves in the dark or without water, but with the personal data on our bills well guarded and preserved.

Umberto Cattaneo (IEC62443 certified specialist, PMP)

References:

ISA Global Cybersecurity Alliance, "Quick Start Guide: An Overview of ISA/IEC 62443 Standards", https://gca.isa.org/blog/download-the-new-guide-to-the-isa/iec-62443-cyb...

ISA99 Committee, "The 62443 Series of Standards: Industrial Automation and Control Security"

BlackEnergy: MITRE ATT&CK S0089, https://attack.mitre.org/software/S0089/; CISA ICS-ALERT-14-281-01B, https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-14-281-01B