Top five questions about building a cyber risk mitigation plan for today’s connected plant using IEC 62443

How does IEC 62443 compare to the NIST cybersecurity framework?

The NIST CSF and IEC 62443 complement each other. The NIST CSF provides overarching guidance to organizations for building strong cybersecurity programs, while IEC 62443 builds upon it, providing specific guidance for ICS cybersecurity. Both are based on the same foundational security functions, but IEC 62443 drills deeper into the application of those functions to ICS. The IEC 62443 standards that relate to an organization’s risk practice are built upon the NIST CSF controls and their foundation.

How are suppliers using IEC 62443?

Today, asset owners of plants or critical infrastructure are demanding that suppliers of industrial automation systems provide evidence of security diligence in their practices and supply chain management. The IEC 62443 family of standards provides guidance for manufacturers and system integrators to build strong security measures into their processes to help mitigate these security risks for asset owners.

System integrators can align their organizational security practices with IEC 62443-2-4, or the security functions relevant to their services with IEC 62443-3-3. Manufacturers can give customers security assurance for their secure software development lifecycle process using IEC 62443-4-1, and for security functions using IEC 62443-3-3. UL is with you every step of the way to guide you through the process, from defining the scope of security requirements to testing and certification.

The UL portfolio of cybersecurity services for IEC 62443 incorporates cybersecurity testing, including relevant tests required for a strong Secure Development Lifecycle (SDLC) process, certification to the published requirements of IEC 62443, and training.

How do you secure legacy equipment that can’t be patched?

Legacy equipment that cannot be patched and equipment that cannot be patched immediately present a similar problem with different timelines. Securing equipment that has publicly known vulnerabilities involves many different techniques. First and foremost is understanding the risks associated with vulnerabilities as they are disclosed. You therefore have to follow disclosures as they are published and develop plans to address them as part of your risk management process. The only difference is that the risk is addressed not by applying the patch but by applying mitigation techniques that:

  • surround and encapsulate the vulnerability, reducing its exposure
  • use tools, software and devices to monitor for the vulnerability being utilized, allowing for detection and response
  • limit the impact of the vulnerability on the legacy equipment by modifying the supportability of the vulnerability in the equipment

Can ISO 27000 help with building a risk assessment framework?

ISO 27000 is one of the standards that can support building a risk management framework for an organization, but it needs to be mapped to the needs of an OT network.

How often should a risk assessment be performed?

Risk assessment is an ongoing exercise that is part of the OT process. The risk assessment process is used whenever new information, equipment, vulnerabilities, etc. have changed, so that those changes are run through the risk assessment framework in use. For example, a newly disclosed vulnerability should be run through the risk process for impact and decisioning. Public discussion of potential attack patterns should be run through the risk process to determine whether the process covers the newly discovered information. An annual review of the risk process is needed to ensure everyone is aware of the process and that it is controlled based on any impact that may become relevant.

Learn how UL can help you mitigate cyber risks with gap assessments, training, testing and certification to IEC 62443.