
Mastering IEC 62443: A Guide to Securing Industrial Automation and Control Systems

IEC 62443, published under the series title “Industrial communication networks – Network and system security” (newer parts carry the title “Security for industrial automation and control systems”), provides a framework for protecting Industrial Automation and Control Systems (IACS). This series of standards recognizes the unique requirements of industrial environments and addresses the inherent challenges in securing them. IACS were originally not designed with cybersecurity in mind: their security largely hinged on physical isolation, a premise that is rapidly becoming untenable in today’s interconnected world.


Why securing IACS is hard


The traditional approach to securing IACS relied on flat network designs. That may have sufficed when plants were physically isolated, but it now poses significant risk: in a flat network, a single compromised engineering workstation or HMI can reach every controller, because there are few internal barriers to halt lateral movement. The growing need for remote access makes matters worse. It directly conflicts with the original design principle of IACS, isolation as the primary security control, and is part of the reason why an estimated 40% of IACS worldwide were targeted by malware in 2022 alone.

In 2021, the IEC approved the 62443 series as horizontal standards that organizations in any industry can use to safeguard IACS. This article walks through the structure of IEC 62443 and offers practical guidance on applying it in an industrial environment.

To understand why IEC 62443 is essential, we must explore the intricacies that make IACS security particularly challenging. IACS often require highly specialized knowledge and skills to operate effectively, and finding professionals equipped with operational and security expertise can be daunting.

Another significant obstacle is the reliance on legacy software in most industrial environments. Many IACS components run unsupported software that may never receive another security update from its developer. For those that do, updates must undergo thorough testing to avoid unexpected compatibility issues and operational delays, so patch windows are measured in months rather than days. Where patches cannot be applied at all, engineers must compensate with additional controls, such as network isolation of the unpatched device and tighter access control, to mitigate the residual risk.

Modern IACS requirements necessitate remote access for monitoring and management. However, remote access simultaneously increases their vulnerability to cyber attacks, a risk traditionally mitigated through segmentation and isolation.

Furthermore, regulatory compliance poses its own set of challenges. IACS operators are often subject to industry-specific regulations, which can vary significantly from one sector to another. For example, ISO/SAE 21434 governs cybersecurity engineering for road vehicles, and medical device manufacturers selling in the U.S. must satisfy the FDA’s Quality Management System Regulation (QMSR). Each industry carries its own compliance requirements in addition to IEC 62443.

Navigating this regulatory landscape can be daunting, especially when regulations evolve or are subject to regional variations, adding additional layers of compliance.

What is IEC 62443?

The International Electrotechnical Commission (IEC) was established over 100 years ago to standardize electrical measurements and terminology. Technology markets were struggling to emerge because scientists from different countries could not collaborate without a common vocabulary. In 1906, scientists representing a dozen countries convened in London and established the IEC.

Fast-forward to the early 21st century, and the IEC has become the global authority on electrical and electronic subjects. To date, the organization has published over 10,000 standard documents, ranging from symbology to combustion engines.

When automation and cybersecurity professionals from around the world sought to address the mounting risk in industrial environments, they used the IEC standards creation process.

The result was IEC 62443, a series of standards that offers guidance on implementing security practices into the entire IACS lifecycle, from design to system retirement. These uniform, accessible standards have enabled organizations around the world to adopt secure IACS practices. 

In 2021, the IEC approved the 62443 series as horizontal standards, meaning they should be considered foundational by subject matter experts when authoring sector-specific standards for securing IACS.

IEC 62443 was designed to be applicable across various industrial sectors. Whether it’s manufacturing, energy, water, or transportation, IEC 62443 can be tailored to meet the specific security needs of any organization, despite their unique operational requirements and risk profiles.

Why is IEC 62443 important?

Protecting IACS goes beyond manufacturing. Some IACS environments provide services and utilities that are integral to national and economic security. Some could put human lives in danger if compromised. IEC 62443 helps ensure cybersecurity resiliency, giving actionable guidelines to secure IACS in any environment, regardless of criticality. 

IEC 62443 starts from the industrial process itself, setting requirements that preserve continuity across industrial operations. The guidance prioritizes IACS availability, the uninterrupted functioning of vital systems, and the safety of personnel and the public, in contrast to the confidentiality-first ordering typical of enterprise IT security.

The standards also offer a cybersecurity framework that helps organizations defend against external attacks and reduce the overall attack surface of their operations. Organizations should focus on protecting data and implementing controls that promote the principle of least privilege, such as minimal and simplified network access. 

IEC 62443 also helps organizations form a cybersecurity baseline, allowing them to meet numerous other regulatory and legal requirements. These standards closely align with sector mandates such as the NERC CIP standards of the North American Electric Reliability Corporation for the U.S. bulk electric system. By building a solid cybersecurity baseline, organizations can better avoid potential legal and financial penalties for non-compliance.

Understanding zones and conduits in IEC 62443

The concept of zones and conduits is crucial in interpreting IEC 62443 standards, playing a pivotal role in structuring network architecture and providing security segmentation in IACS. A zone is a grouping of logical or physical assets that share common security requirements, typically assigned one target security level based on its risk and operational function. A conduit is the logical grouping of communication channels between zones; it is where traffic crossing a zone boundary is constrained, filtered, and monitored. The practical consequence is an explicit allow-list: any communication between two zones that is not carried by a defined conduit is, by design, a policy violation.

Effectively implementing zones and conduits takes a strategic approach tailored to each industrial environment: 

  • Risk assessment and network segmentation: Risk assessments identify critical assets, data sensitivity, threat exposure, and vulnerabilities, which gives security architects the visibility to segment the network into zones and establish secure conduits. 
  • Defining zones and conduits: The organization can clearly define zones and establish secure and controlled communication between them, creating a limited-access and monitorable pathway.
  • Layered security measures: Once zones are established, the organization can implement layered security controls to mitigate risks. This includes deploying firewalls, intrusion detection systems, and access control measures to fortify each zone and its conduits.
  • Regular review and updating: Each zone and conduit configuration must be regularly reviewed and updated to ensure an effective threat defense. This process builds into a security lifecycle, addressing changes to infrastructure. 
  • Training and awareness: Staff training and awareness of zone and conduit structures help to maintain security. This allows employees to understand the importance of these concepts and their role in adhering to the security protocols.
  • Leveraging advanced technologies: Utilize advanced technologies such as AI and machine learning for enhanced threat detection and response. This can include anomaly detection systems and automated response mechanisms.
  • Compliance and standards alignment: Finally, ensure that the implementation of zones and conduits aligns with IEC 62443 standards and other relevant regulations.
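The flow check that such a segmentation implies, as an added example (not code from the article or from Keyfactor): zones are modeled as subnets with a target security level, conduits as an explicit allow-list of (source zone, destination zone, protocol, port), and constructed flow records are audited against them. All zone names, subnets, ports and sample flows are assumptions for illustration.

```python
"""Zone/conduit policy check over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed zone model: name -> subnets and target security level (SL-T).
ZONES: Dict[str, dict] = {
    "enterprise": {"subnets": ["10.0.0.0/16"],     "sl_t": 1},
    "dmz":        {"subnets": ["10.1.0.0/24"],     "sl_t": 2},
    "control":    {"subnets": ["192.168.10.0/24"], "sl_t": 3},
    "safety":     {"subnets": ["192.168.20.0/24"], "sl_t": 4},
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Constructed conduit allow-list: the only permitted cross-zone channels.
CONDUITS = {
    Conduit("enterprise", "dmz",     "tcp", 443),   # browser -> historian front end
    Conduit("dmz",        "control", "tcp", 4840),  # OPC UA collector -> PLC gateway
    Conduit("control",    "safety",  "tcp", 502),   # Modbus/TCP to safety PLC
}

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside every zone."""
    addr = ip_address(ip)
    for name, zone in ZONES.items():
        if any(addr in ip_network(net) for net in zone["subnets"]):
            return name
    return None

def check_flow(src: str, dst: str, proto: str, dport: int) -> str:
    """Classify one flow as 'intra-zone', 'conduit' or 'violation'.

    A flow is a violation if either endpoint is in no known zone, or if it
    crosses a zone boundary on anything other than an explicitly defined conduit.
    """
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "violation"          # unknown asset talking to a zone
    if sz == dz:
        return "intra-zone"
    if Conduit(sz, dz, proto.lower(), dport) in CONDUITS:
        return "conduit"
    return "violation"

def audit(flows: List[tuple]) -> List[dict]:
    """Return the flows that violate the zone/conduit model, with zone context."""
    findings = []
    for src, dst, proto, dport in flows:
        if check_flow(src, dst, proto, dport) == "violation":
            findings.append({
                "src": src, "dst": dst, "proto": proto, "dport": dport,
                "src_zone": zone_of(src), "dst_zone": zone_of(dst),
            })
    return findings

# Constructed sample flows, as a span port or NetFlow export might yield them.
SAMPLE_FLOWS = [
    ("10.0.5.20",    "10.1.0.10",    "tcp", 443),   # allowed conduit
    ("10.1.0.10",    "192.168.10.5", "tcp", 4840),  # allowed conduit
    ("192.168.10.5", "192.168.10.9", "tcp", 502),   # intra-zone, not policed here
    ("10.0.5.20",    "192.168.10.5", "tcp", 502),   # enterprise -> control, skips the DMZ
    ("192.168.10.5", "192.168.20.2", "udp", 161),   # SNMP into the safety zone: no conduit
    ("172.16.9.9",   "192.168.20.2", "tcp", 502),   # source belongs to no zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("VIOLATION", finding)
```

The same allow-list is what the conduit firewall rules should be generated from, so running the audit over real flow data is a cheap way to detect drift between the documented architecture and what the network actually permits.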

What are the security levels of IEC 62443?

IEC 62443 defines five security levels, SL 0 through SL 4, graded by the capability of the adversary they are meant to resist (SL 0 means no specific requirement). This graded approach lets organizations match controls to their risk profile and operational needs rather than applying the strictest measures everywhere, which keeps security spending proportionate while still building an effective defense. Three variants of a level matter in practice: the target level (SL-T) that a risk assessment assigns to a zone or conduit, the capability level (SL-C) that a component or system can provide when properly configured, and the achieved level (SL-A) measured once the system is deployed. A security level is also not a single number but a vector with one value per foundational requirement (FR): identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. A zone may therefore target SL 3 for authentication while accepting SL 2 for confidentiality.

Security Level 1 (SL1) – Protection against casual or accidental breach

SL1 is the most basic level of security, suitable for environments where threats are not highly sophisticated or targeted, and is designed to protect against casual or coincidental violations. This level involves implementing fundamental security controls to guard against accidental breaches, which might include basic user authentication, simple physical access controls, and elementary protection against malware. SL1 is appropriate for systems where the impact of a security breach is low and does not significantly compromise safety or operational reliability.

Security Level 2 (SL2) – Defense against intentional violations with simple means

SL2 guards against intentional violation using simple means with low resources, generic skills, and low motivation. It suits systems facing moderate risk, where the likely attacker is opportunistic rather than targeting this environment specifically. SL2 applies where a breach could cause moderate damage or disruption, which calls for more robust controls than SL1 without the most advanced measures. Typical measures at this level include unique identification of every user, stronger authentication and authorization mechanisms, tighter access control, and more capable malware protection.

Security Level 3 (SL3) – Safeguarding against sophisticated threats

SL3 protects against intentional violation using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation: a capable attacker deliberately targeting this kind of environment. It is necessary for systems where a security breach could have severe consequences, including major operational disruption or threats to human safety. At this level the controls are more rigorous and comprehensive, including multifactor authentication for human users, cryptographic protection of communications, intrusion detection on conduits, and regular security audits.

Security Level 4 (SL4) – Protection against sophisticated threats with extended resources

SL4, the highest level defined by IEC 62443, addresses intentional violation using sophisticated means with extended resources, IACS-specific skills, and high motivation: the profile of state-sponsored actors or advanced persistent threats against critical infrastructure such as a national power grid. It is reserved for zones that, if compromised, could lead to catastrophic consequences, impacting national security or causing widespread harm. Meeting SL4 demands the most stringent controls in every foundational requirement, including continuous monitoring and a mature, well-rehearsed incident response capability. Where individual components cannot provide SL 4 capability on their own, the level has to be achieved at the zone level through compensating controls.
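A gap analysis over the security-level vector, as an added example (not code from the article or from the IEC text): it parses the Part 3-3 vector notation, derives what a zone can achieve from its weakest component per foundational requirement, and lists which components fall short of the zone’s target. The zone, its target vector and the component capability vectors are constructed, and the rule that a zone’s achievable level per FR is the minimum over its components is a simplifying assumption that ignores compensating controls at the zone level.

```python
"""Security level vector gap analysis (added example)."""
from typing import Dict, List, Union

# Foundational requirements in the order used by the IEC 62443 SL vector notation.
FRS = ("FR1 IAC", "FR2 UC", "FR3 SI", "FR4 DC", "FR5 RDF", "FR6 TRE", "FR7 RA")

SLValue = Union[int, str]

def parse_sl(value: SLValue) -> List[int]:
    """Parse '{3 3 3 2 3 2 3}' vector notation, or a bare integer meaning the
    same level for every FR. Vectors of the wrong length or outside 0..4 are rejected."""
    if isinstance(value, int):
        levels = [value] * len(FRS)
    else:
        levels = [int(tok) for tok in value.strip().strip("{}").split()]
    if len(levels) != len(FRS) or any(not 0 <= lv <= 4 for lv in levels):
        raise ValueError(f"malformed SL vector: {value!r}")
    return levels

def format_sl(levels: List[int]) -> str:
    """Render a vector back into the brace notation."""
    return "{" + " ".join(str(lv) for lv in levels) + "}"

def zone_capability(components: Dict[str, SLValue]) -> List[int]:
    """Assumption: without compensating controls, a zone can achieve no more
    per FR than the SL-C of its weakest component for that FR."""
    vectors = [parse_sl(v) for v in components.values()]
    return [min(col) for col in zip(*vectors)]

def gap_report(sl_t: SLValue, components: Dict[str, SLValue]) -> List[dict]:
    """List each FR where the zone cannot meet SL-T, naming the components at fault."""
    target = parse_sl(sl_t)
    caps = {name: parse_sl(v) for name, v in components.items()}
    achievable = zone_capability(components)
    findings = []
    for i, fr in enumerate(FRS):
        short = [name for name, vec in caps.items() if vec[i] < target[i]]
        if short:
            findings.append({"fr": fr, "target": target[i],
                             "achievable": achievable[i], "short": short})
    return findings

# Constructed example: a control zone's SL-T and the SL-C vectors of its components.
CONTROL_ZONE_SL_T = "{3 3 3 2 3 2 3}"
COMPONENTS = {
    "PLC-01": "{2 2 3 1 3 2 3}",   # older controller: weak authentication, no encryption
    "HMI-01": "{3 3 3 2 3 2 3}",
    "ENG-WS": 3,                   # hardened engineering workstation, SL 3 for every FR
}

if __name__ == "__main__":
    print("SL-T      :", CONTROL_ZONE_SL_T)
    print("achievable:", format_sl(zone_capability(COMPONENTS)))
    for g in gap_report(CONTROL_ZONE_SL_T, COMPONENTS):
        print(f"{g['fr']}: target {g['target']}, achievable {g['achievable']}, "
              f"short: {', '.join(g['short'])}")
```

Each finding points at a concrete decision: replace or upgrade the component, lower the target for that FR if the risk assessment supports it, or add a zone-level compensating control (for example, terminating authentication at a gateway in front of PLC-01) and document why it raises SL-A for that FR.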

The role of PKI and digital certificates in IEC 62443 compliance


Public Key Infrastructure (PKI) and digital certificates are critical to meeting IEC 62443. The standard does not mandate a particular PKI, but IEC 62443-3-3 SR 1.8 (public key infrastructure certificates) and SR 1.9 (strength of public key-based authentication), mirrored by CR 1.8 and CR 1.9 in Part 4-2, require that where certificates are used they are issued, validated, and revoked according to accepted practice, with key lengths and algorithms appropriate to the target level. Certificates are the practical means of verifying the identities of devices and users within IACS, and that matters most at SL3 and above, where the assumed attacker is capable of spoofing a device or replaying captured credentials. Securing communication and validating authorized entities for critical systems makes it significantly harder for such attackers to succeed.

PKI provides digital identity verification by employing public-key cryptography to authenticate entities within an industrial environment. Digital certificates serve as electronic passports, providing authentication and enabling secure data transmission. They play a crucial role in encrypting communications between devices, ensuring confidentiality and integrity during transmission.

While PKI enables critical services, organizations face several challenges. 

  • In complex industrial environments, managing the certificate lifecycle can be daunting due to the large number of devices and systems involved. Without centralized certificate discovery and management, misconfigured or expired certificates threaten to result in outages, service disruptions, and even business interruption.
  • Integrating PKI with legacy systems requires a careful, phased approach. Legacy PKI comes with a lot of baggage – including manual processes, certificate sprawl, and the pressure to evolve with exploding use cases.


IEC 62443 is tool-neutral, but meeting its certificate requirements across thousands of devices is impractical by hand. Certificate automation tools handle large-scale PKI deployment by discovering certificates already in the environment, issuing and renewing them before expiry, and revoking them when a device is decommissioned, which reduces the risk of manual error and unplanned outages. They also form the foundation of a broader security strategy in which PKI is tailored to the specific needs and architecture of the IACS environment.

IEC 62443-4-2: Focusing on IACS Components

Part 4-2 of the IEC 62443 series specifies the technical security requirements for individual IACS components, whether embedded devices, host devices, network devices, or software applications, and defines what a component must do to claim a given capability level (SL-C). Its component requirements (CRs) mirror the system requirements of Part 3-3 and are organized by the same seven foundational requirements. Authentication is a central theme: a component must identify and authenticate human users as well as software processes and devices, with multifactor authentication required at the higher levels, and must support the management of credentials and access rights so that only authorized entities can interact with it.

Another key area is data confidentiality and integrity, including integrity verification of software and firmware updates before they are installed (signed updates being the usual mechanism) and the use of current, industry-standard cryptography for data in transit and at rest. Because cryptographic strength erodes over time, the cipher suites and key lengths a component supports must be reviewed and updated over the product’s life.

Part 4-2 also addresses resilience: a component must log security-relevant events for audit, support backup, and be capable of recovery and reconstitution to a known secure state after a disruption. Organization-wide incident response planning and system-level redundancy and failover are covered by the programme and system parts of the series (Parts 2-1 and 3-3) rather than by 4-2 itself, so a component assessment should be read alongside them.

Challenges in implementing IEC 62443-4-2

The technical complexity of IEC 62443 can overwhelm even the most experienced security architects. Organizations are encouraged to invest in specialized personnel training and leverage external expertise to bridge knowledge gaps.

Implementing changes based on IEC 62443-4-2 can demand substantial resources. Take a phased, prioritized approach to minimize disruption: start with the zones most critical to the business or to safety, and favor controls that close the largest gap for the least cost.

Of course, legacy IACS components complicate any integration plan. It may not be cost-effective to completely replace some systems within an environment. In the interim, alternative and layered security measures can mitigate the risk associated with those systems.

By addressing these challenges head-on and adhering to the standard’s requirements, companies can significantly enhance the security and resilience of their industrial systems.

To learn more and to stay current with all things post-quantum cryptography, check out Keyfactor’s post-quantum Lab.

IEC 62443 and Industry 4.0

Advanced manufacturing technologies and digital integration have helped pave the way to Industry 4.0, which has improved operational efficiency. This increase in interconnectedness also amplifies potential risk, which IEC 62443 helps address by offering a robust framework for protecting industrial automation and control systems against cyber threats.

A key component of modern manufacturing is the ‘digital twins’ concept – virtual replicas of physical systems used for simulation and analysis. These digital twins, integral to process optimization and predictive maintenance, require stringent security measures to prevent data manipulation or theft. 

IEC 62443 plays a pivotal role in ensuring the security of digital twins. By implementing the standard’s guidelines, manufacturers can ensure that the data and algorithms that drive these virtual models are protected from unauthorized access and tampering.

As Industry 4.0 continues to evolve, so will the cybersecurity threats. This constant evolution will likely influence the development and application of IEC 62443 standards. Future updates and iterations of the standard can be expected to address emerging technologies and threats. 


Building a strong security foundation

In the journey toward robust IACS security, the role of a PKI is fundamental, regardless of the security level or the stage of your security implementation. PKI infrastructure establishes a secure foundation in IACS environments and brings a structured approach to authentication, encryption, and digital signature processes. 

Enterprise tools built on the EJBCA framework can enable organizations to quickly deploy and scale PKI in any environment.

Automating PKI processes is pivotal in streamlining security management and enabling comprehensive certificate issuance, renewal, and revocation. Many organizations use enterprise tools to gain visibility and automate control over PKI, avoiding outages caused by manual, error-prone processes. 

Ready to learn how PKI automation can improve your IACS operations? Get in touch — our team is ready to help.

PKI and digital certificates are critical components of IEC 62443. Find out how Keyfactor can improve your journey to robust IACS security.