Process and control today | Improve industrial network security by following IEC 62443-4-2

By Felipe Sabino Costa, LATAM Expert in Industrial Cybersecurity (IACS), Moxa

Amid continued global supply chain disruption, industrial organizations are looking for ways to stabilize their operations and maintain their competitive advantage. Adopting new technologies is one of the most effective ways to achieve resilient industrial operations. To capture, transmit, and ultimately transform data into meaningful information, organizations are implementing innovative networking technologies to accelerate their digitization journey. However, connected devices also present new cybersecurity risks for business owners and therefore require component-level security features to mitigate these risks.

According to IDC Worldwide IT/OT Convergence 2022* forecasts, by 2025, 30% of G2000 manufacturers will integrate connected technologies into their products to increase reliability. The operational information that can be obtained by doing this will increase availability and support an optimized maintenance supply chain.

As this trend sees new technologies being integrated into products more frequently and more assets being connected, network components are playing an increasingly important role, and they must be developed to meet these new requirements. For this reason, discrete manufacturing companies take responsibility for ensuring that connectivity remains reliable and secure. Industrial organizations that want to take advantage of the range of services that connecting more devices makes possible must connect those devices securely and in accordance with the relevant regulations and standards, so that the availability, integrity and confidentiality of their data are assured.

A quick overview of the IEC 62443 standard
Many standards describe security frameworks for industrial control systems. One of the most widespread, and the one most frequently adopted by industrial organizations, is IEC 62443. IEC 62443 includes guidelines that define procedures for implementing electronically secure industrial automation and control systems (IACS) for the different parts of a network. Additionally, the standard includes guidelines for the different roles and responsibilities involved in automation and control on that network. Today, system integrators (SIs) often require component vendors to comply with the sub-section of IEC 62443 relevant to their devices. The figure below provides an overview of the scope of the standard and of the roles and responsibilities of those who must ensure the security of a network's operations at each stage.

Defined policies and security management
Industrial organizations should base their security profiles and security management systems on a risk assessment. "Assessment must be able to identify dependencies, determine what are the critical risks to the operation/security of these processes and what are the responses to these risks," said Felipe Sabino Costa in his white paper, A Practical Approach to Adopting the IEC 62443 Standards. Once the policies and the security management system have been confirmed, it is imperative to deploy visualization software that helps asset owners obtain up-to-date information about their security posture.

Defense-in-depth cybersecurity for IACS networks
A defense-in-depth framework calls for partitioning systems into zones and conduits, which helps reduce risk to a level the business can accept. Each zone and conduit is assigned a security level based on its importance, and network operators must ensure that the level is actually enforced. Defense in depth can be achieved with physical or logical segregation using industrial secure routers, VPNs and remote access solutions suited to industrial automation. Additionally, networking features such as ACLs (Access Control Lists) can help segment networks to reach a given security level. If asset owners or system integrators want to mitigate risk further, industrial intrusion detection and prevention systems (IDS/IPS) are also a feasible option, especially to protect critical infrastructure against malicious attacks.
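The zone-and-conduit model above can be checked mechanically: assign each asset to a zone with a target security level, express the conduits between zones as ACL-style allow rules, and evaluate candidate flows against them. The following is an added example written for this article, not Moxa's code or a tool from the standard; the zone names, subnets, ports and the "lower-SL zone initiating into a higher-SL zone" review heuristic are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example, not Moxa's code: zones carry a target security level
# (SL-T, 1..4) and a list of subnets; conduits are ACL-style allow rules with
# default deny. Zone names, subnets and ports are hypothetical.
ZONES = {
    "enterprise": {"sl": 1, "subnets": ["10.0.0.0/16"]},
    "dmz":        {"sl": 2, "subnets": ["10.1.0.0/24"]},
    "control":    {"sl": 3, "subnets": ["192.168.10.0/24"]},
}

# Conduit ACL as (src_zone, dst_zone, proto, dst_port); only listed flows
# may cross a zone boundary.
CONDUIT_RULES = {
    ("enterprise", "dmz", "tcp", 443),   # users reach historian web UI in DMZ
    ("control", "dmz", "tcp", 8443),     # controllers push data to DMZ historian
    ("dmz", "control", "tcp", 502),      # DMZ collector polls Modbus/TCP devices
}

def zone_of(ip):
    """Return the zone name containing ip, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, z in ZONES.items():
        if any(addr in ip_network(net) for net in z["subnets"]):
            return name
    return None

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Decide whether a flow may pass the conduit; returns (verdict, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown zone")          # unassigned assets never pass
    if src == dst:
        return ("allow", "intra-zone")           # segmentation applies at boundaries
    if (src, dst, proto, dst_port) in CONDUIT_RULES:
        return ("allow", f"conduit {src}->{dst}")
    return ("deny", f"no conduit {src}->{dst}")  # default deny

def audit_rules():
    """Review heuristic (an assumption, not a rule from the standard): list
    conduits that let a lower-SL zone initiate into a higher-SL zone, since
    those deserve a compensating control such as an IDS/IPS on the conduit."""
    findings = []
    for src, dst, proto, port in sorted(CONDUIT_RULES):
        if ZONES[src]["sl"] < ZONES[dst]["sl"]:
            findings.append(f"{src}(SL{ZONES[src]['sl']})->{dst}"
                            f"(SL{ZONES[dst]['sl']}) {proto}/{port}")
    return findings
```

Running `audit_rules()` against this constructed policy flags the enterprise-to-DMZ and DMZ-to-control conduits, which is where an operator would document the compensating controls.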

Hardened devices with built-in security features
Built-in security features for network devices echo the defense-in-depth framework and the security management system. Building blocks with built-in security are very useful for asset owners and SIs in ensuring that their systems reach the desired security levels. Later in this article, we summarize the requirements of IEC 62443-4-2.

IEC 62443-4-2 requirements for the automation industry
IEC 62443 contains several subsections aimed at people with different responsibilities. As SIs increasingly require compliance with the IEC 62443-4-2 subsection, which provides guidance for component suppliers, this subsection is becoming increasingly important. Its component requirements are derived from the standard's foundational requirements, which cover account, credential and authenticator management, password-based authentication, public key authentication, use control, data integrity and confidentiality, and safeguarding the availability of resources.

If component vendors follow all of the guidelines defined in the IEC 62443-4-2 subsection, they give network operators the best chance of protecting their networks against cyberattacks. Although component vendors must add certain features and capabilities to their devices for those devices to be suitable for deployment on industrial IoT networks, it is the network operators' responsibility to actually use these features on their network. In addition, operators must ensure that anyone authorized to access the network is familiar with the best practices and guidelines described in the IEC 62443-4-2 subsection.

Following all of the guidelines in the IEC 62443-4-2 subsection usually yields several benefits that go a long way toward improving network security. Choosing not to follow them, on the other hand, can have negative consequences, leaving the network less secure and more vulnerable to attacks by people with malicious intent.

Moxa solutions
To improve security at the component level, Moxa introduced one of the world’s first IEC 62443-4-2 certified Ethernet switches, the EDS-4000/G4000 series, which was developed following the life cycle guidelines of the IEC 62443-4-1 software development. Moxa has a broad product portfolio of industrial networking devices that allows customers to deploy the right device that will improve their network security. Visit our microsite to learn more.


Kevin M. Risinger