IEC62443 In A Nutshell - CertX


IEC62443 in a nutshell
By CertX, spin-off of HEIA-FR

Content
- CertX – Who we are
- Definitions, examples and trends
- What about Cybersecurity reference documents?
- IEC 62443 principles
- Perspectives of a larger landscape
- Q&A

CertX AG – K. Marty – SCSD 2019 – IEC62443 in a nutshell – www.certx.com

Who we are: CertX / ROSAS / HEIA-FR

CertX – Cybersecurity Certification Body
- Accreditation Forum: IAF (Certification) and ILAC (Inspection) are the world organisations of Conformity Assessment Accreditation Bodies and other bodies interested in conformity assessment in the fields of management systems, products, services, personnel and other similar programs of conformity assessment.
- In Switzerland: the Swiss Accreditation Service (SAS), as part of the Swiss State Secretariat for Economic Affairs (SECO), is responsible for accreditation of conformity assessment bodies by the recognition of the IAF.
- From Support to Certification: ROSAS creates CertX as the first Swiss Certification Body for Cybersecurity and Functional Safety.
(Diagram: IAF / EA recognition → Swiss Accreditation Services (SAS) accreditation → creation of a spin-off)

CertX – Certification Services
CertX offers certification services in the following areas:
- CERTIFICATION of PRODUCTS in compliance with Functional Safety and Cyber Security Standards and Regulations
- CERTIFICATION of ENGINEERS and MANAGERS to ensure that relevant Standards, Processes and Regulations are being applied in their daily work.
- CERTIFY CORPORATE PROCESSES and ORGANIZATIONS to ensure that applicable Safety and Cyber Security Standards and Regulations are being incorporated into the Quality Management systems of the company and applied corporate wide.
Standards covered (diagram axis: increasing degree of organisational focus):
- IEC 61508: Key Functional Safety Standard
- ISO 26262: Automotive
- ISO 13849: Industrial machinery and Robotics
- IEC 62061: Industrial machinery and Robotics
- EN 5012X: Railways
- IEC 60601: Medical Devices
- IEC 61511: Process industry
- IEC 62443: Industrial Cyber Security

CertX – Assessment & Training Services
Preliminary Assessment Services: Technology Benchmarking, Threat Identification / Modelling, Gap Analysis
Certification Services: Secure Process for Development, Secure Process for Integration Service, Certification for System, Certification for Component
Training Services:
- ISA/IEC62443 Cybersecurity Red/Black/Master Belt Certification (… days courses, 1/2-day exam)
- Cybersecurity Principle (1/2-day course)
- IT Security Awareness (1/2-day course)
- OT Security Awareness (1/2-day course)
- Introduction to GDPR (1/2-day course)
The CertX Cybersecurity team will be happy to have an informal discussion with you to develop courses tailored to your current needs.

Definitions, examples and trends

What is ICS / IACS?
An Industrial Control System (ICS) comprises «systems that are used to monitor and control industrial processes.» [def. Wikipedia]
An Industrial Automation and Control System (IACS) is a «collection of processes, personnel, hardware, and software that can affect or influence the safe, secure and reliable operation of an industrial process» [def. IEC 62443-1-1]

OT/IT – Different paths for same goals
OT properties:
- Deterministic
- Processes are the assets
- Patch decade?
IT properties:
- Dynamic
- Data are the assets
- Patch Tuesday
Src: nvergence

OT/IT – Different paths with similar traps
Human error is a major common source of failure.

Example of cyber incident: CrashOverride
History:
- Linked to the Sandworm APT and BlackEnergy
- Responsible for multiple blackouts in/near Kiev (Ukraine) in 2015, 2016 and 2017
- Target: Electric Grid Operations
Pragmatic approach:
1. Initiated by phishing campaign
2. Pivoting from corporate network to ICS
3. Deployment in ICS

What are the critical trends?
- Control systems use more commercial off-the-shelf (COTS) software and hardware
- Implementing Internet Protocols (IP) exposes control systems to the same vulnerabilities as business systems
- Increased use of remote monitoring and access
- Tools & services to automate attacks are commonly available (Shodan, Autosploit, Triton framework)
A standardized approach therefore seems essential when setting up secure systems.

What about Cybersecurity reference documents?

A huge world of reference documents
- Multiple document types: regulations, norms, standards, best practices
- What is a standard?
  - Voluntary documents
  - Collaborative approach
  - Contains both normative and informative elements
  - There is no requirement on anyone to use them unless a regulation mentions them (or in the absence of regulation)

… with the same single goal, but few of these cover the human, technological and organizational aspects of the development, integration and operation of Industrial Automation and Control Systems (IACS).

Standardized Approach – IEC62443
Designed to cover Control System Cybersecurity, which is defined as the hardware and software components of an Industrial Automation and Control System (IACS). Manufacturing and control systems include, but are not limited to:
- hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems
- associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.
Source: isa.org/isa99

IEC 62443 principles

IEC62443 – Security mindsets
- See Cybersecurity as an ongoing process and not a goal that can be reached (cycle: Evaluate / Assess → Implement → Maintain)
- Security by Design – Defense-in-depth: Policy Compliance, User & Access Management, Secure Communication, Secure Architecture, Secure Device
- Zones & Conduits Diagram
- Security Levels
- Requirements
- Maturity Level: ML1 – Initial, ML2 – Managed, ML3 – Defined, ML4 – Improving
- Roadmap for both Asset owner, service provider and product manufacturer
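The zones & conduits, security level and defense-in-depth items above, as an added worked example that is not part of the CertX presentation nor of any IEC 62443 text: a small Python model in which assets are grouped into zones, each zone carries a target security level (SL-T), communication between zones is allowed only through declared conduits, and a constructed list of observed flows is checked against the model. The zone names, SL-T values, conduits, flows and the rule that a conduit between zones of different SL-T must name a protecting control are assumptions made for this example; the SL 0..4 range is the one IEC 62443-3-3 uses.

```python
from dataclasses import dataclass

# IEC 62443-3-3 defines security levels SL 0 (no special requirement) to SL 4.
SL_MIN, SL_MAX = 0, 4


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int  # SL-T: target security level assigned to the zone


@dataclass(frozen=True)
class Conduit:
    src: str                 # zone name on one side
    dst: str                 # zone name on the other side (direction of the flow)
    protocols: frozenset     # protocols the conduit is declared to carry
    controls: tuple = ()     # controls protecting the conduit, e.g. ("firewall",)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def validate_model(zones, conduits):
    """Return findings about the model itself (empty list means no finding)."""
    findings = []
    by_name = {z.name: z for z in zones}
    for z in zones:
        if not SL_MIN <= z.sl_target <= SL_MAX:
            findings.append(f"zone {z.name}: SL-T {z.sl_target} outside {SL_MIN}..{SL_MAX}")
    for c in conduits:
        missing = [end for end in (c.src, c.dst) if end not in by_name]
        for end in missing:
            findings.append(f"conduit {c.src}->{c.dst}: unknown zone {end}")
        if missing:
            continue
        # Assumed policy for this example (not wording from the standard): a
        # conduit joining zones with different SL-T is a trust boundary and must
        # name at least one protecting control.
        if by_name[c.src].sl_target != by_name[c.dst].sl_target and not c.controls:
            findings.append(f"conduit {c.src}->{c.dst}: crosses an SL-T boundary without a control")
    return findings


def check_flows(conduits, flows):
    """Return observed flows that no declared conduit covers.

    Traffic inside a single zone is always accepted; anything crossing zones
    must match a conduit with that direction and protocol.
    """
    allowed = {}
    for c in conduits:
        allowed.setdefault((c.src, c.dst), set()).update(c.protocols)
    return [f for f in flows
            if f.src != f.dst and f.protocol not in allowed.get((f.src, f.dst), set())]


# Constructed sample model: a plant with four zones of increasing SL-T.
ZONES = [Zone("enterprise", 1), Zone("dmz", 2), Zone("control", 3), Zone("safety", 4)]
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"}), ("firewall",)),
    Conduit("dmz", "control", frozenset({"opc-ua"}), ("firewall",)),
    Conduit("control", "safety", frozenset({"safety-bus"})),   # no control declared
]
# Constructed flows, as they might be summarised from firewall or NetFlow logs.
FLOWS = [
    Flow("enterprise", "dmz", "https"),     # matches declared conduit
    Flow("dmz", "control", "opc-ua"),       # matches declared conduit
    Flow("enterprise", "control", "rdp"),   # corporate network straight into ICS
    Flow("control", "control", "modbus"),   # intra-zone, accepted
    Flow("dmz", "control", "ssh"),          # conduit exists but not for this protocol
]

if __name__ == "__main__":
    for line in validate_model(ZONES, CONDUITS):
        print("model:", line)
    for f in check_flows(CONDUITS, FLOWS):
        print(f"undeclared flow: {f.src} -> {f.dst} ({f.protocol})")
```

Running the script lists one model finding (the control-to-safety conduit crosses an SL-T boundary without a named control) and two undeclared flows. The enterprise-to-control RDP flow is the corporate-to-ICS pivot the CrashOverride slide describes; a zone model with no such conduit surfaces it as a segmentation gap to investigate rather than as background traffic.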

Perspectives of a larger landscape

IEC62443 as cybersecurity framework
Currently, IEC62443 covers aspects related to IACS for domains such as the following:
- Chemicals Processing
- Petroleum Refining
- Food and Beverage
- Energy
- Pharmaceuticals
- Water
- Manufacturing
But some other domains see IEC62443 as a potential alternative to follow:
- Automotive / Smart mobility
- Medical devices

Cybersecurity in the Automotive world
Includes vehicles, other traffic participants, infrastructures, customers and authorities. ISO 21434 (partly based on IEC62443) is under development and followed/supported by CertX.

Cybersecurity in the Medical world
(Diagram) Potential attack vectors: Social Engineering, Vulnerable Third-Parties
IEC-62443 tailored to the medical environment: Medical Devices, Secure Infrastructures, Secure Services

Questions?
Thank you for your attention
You can contact me at kilian.marty@certx.com

Your Contact for Cybersecurity at CertX
- M.Sc. in Telecommunication networks and IT Security
- ISA/IEC 62443 Certified
- IEC 61508 Certified
- Member of IEC technical committee TC65 covering IEC-62443 standards
CertX supports customers with qualified assessors.

IEC-62443 tailored to the medical environment (diagram): Medical environment – Secure Devices, Secure Infrastructures, Secure Processes, Secure Services. Threats: Social Engineering, Denial-of-Service, Ransomware, Spoofing, Physic
