
IEC 62443 is the gold standard for cybersecuring industrial infrastructure. In addition, a layered approach can be adopted that combines IEC 62443 with the NIST Cybersecurity Framework (CSF) to provide an added layer of protection for critical assets. How can that be done? Let's find out.
Three IEC 62443 standards can be considered for overall infrastructure protection. These are:
- IEC 62443-2-1: outlines the responsibility of ICS asset owners. IEC 62443-2-1:2024 spells out the asset owner security program (SP) policy and procedure requirements for an industrial automation and control system (IACS). An asset owner includes the IACS operator as well.
- IEC 62443-3-3: deals with the technical control system requirements (SRs) associated with the seven foundational requirements (FRs) defined in IEC 62443-1-1. These include the requirements for control system capability security levels, SL-C (control system). Used together with the zones and conduits defined for the system under consideration (SuC), these requirements allow the relevant control system target security level, SL-T (control system), to be derived for any asset.
- IEC 62443-4-2:2019: provides detailed technical control system component requirements (CRs) for the seven foundational requirements (FRs) described in IEC TS 62443-1-1. This includes the requirements for component capability security levels, SL-C (component).
IEC 62443-1-1 defines seven Foundational Requirements (FRs) which include:
- Identification and authentication control (IAC)
- Use control (UC)
- System integrity (SI)
- Data confidentiality (DC)
- Restricted data flow (RDF)
- Timely response to events (TRE)
- Resource availability (RA)
Now let's take a look at the relevant NIST CSF recommendations.
Under NIST CSF, we can look at these aspects that are specific to critical assets:
| NIST CSF core function | Category / action specific to critical assets |
|---|---|
| Identify | Asset management |
| Protect | Access control |
| Detect | Anomalies and events |
| Respond | Respond to events appropriately |
| Recover | Plan recovery to minimize business impact |
When we overlay the applicable IEC 62443 standards on NIST CSF for critical assets, we can derive a more comprehensive approach to securing these assets.
Levels for securing critical OT assets according to IEC 62443 and NIST CSF
| Applicable standard | Derivative for critical asset protection |
|---|---|
| IEC 62443-2-1 and NIST CSF category Identify | 1. Define what critical assets are and the level of security they need. 2. Maintain a current list of critical assets as per this definition. 3. If required, assign a checker (a second pair of eyes) to ensure adherence to the requirements and to enable QA of the security assigned to the assets. 4. Ensure a mechanism for updating the asset inventory. 5. Ensure clear asset ownership for critical assets. |
| IEC 62443-4-2:2019, IEC TS 62443-1-1 and NIST CSF category Protect | 1. FR: Identification and authentication control (IAC). 2. Deploy controls that align with the principle of least privilege. 3. Ensure authenticated use with one credential per user. 4. Ensure logs are maintained for user sessions. 5. Develop and publish an asset fair-use and access control policy. 6. Deploy a more stringent version of all the above controls for critical resources. |
| IEC 62443-3-3 and NIST CSF category Protect and/or Detect | 1. FR: Identification and authentication control (IAC). 2. Deploy controls that align with the principle of least privilege. 3. Ensure authenticated use with one credential per user. 4. Ensure logs are maintained for user sessions. 5. Develop and publish an asset fair-use and access control policy. 6. Deploy a more stringent version of all the above controls for critical resources. |
| IEC 62443-2-1 and NIST CSF category Detect | 1. All critical asset owners must have an unambiguous understanding of anomalous events, within and beyond what is flagged by a monitoring solution. 2. Have playbooks for handling such events, including communication and event categorization. 3. Map events to impact, and define the response mechanisms to be triggered. |
| IEC 62443-2-1, IEC TS 62443-1-1 FR: Timely response to events (TRE), and NIST CSF category Respond | 1. Ensure time-bound response to events as per event priority. 2. Ensure there are means to deal with false positives. 3. Maintain and update a list of key stakeholders to be informed, along with the key actions for each set of stakeholders. 4. Document all responses along with any deviations. 5. Test responses through simulated events, including the potential outcomes and business impacts if responses fail. |
| All the above from IEC 62443 and NIST CSF category Recover | 1. Have all recovery mechanisms in place. 2. Constantly monitor the infrastructure for risks and for the state of the recovery mechanisms. 3. Ensure system integrity levels support the means of recovery. |
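The following script is an added illustration, not code from the original post or from any vendor: it takes the security-level concept from IEC 62443-3-3/4-2 (a target level SL-T per zone and a capability level SL-C per component, expressed as a vector over the seven foundational requirements) and the first table row's inventory hygiene items (critical asset definition, clear ownership, a mechanism for keeping the inventory current), and runs them as a checker over a constructed asset list. The asset records, the zone's SL-T vector, the 90-day review window and the audit date are all assumptions made for the example; a real assessment would take SL-T from the zone/conduit risk assessment and SL-C from the component's certified capabilities.

```python
"""Checker for a critical-asset inventory against IEC 62443 SL-T vs SL-C
per foundational requirement (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The seven foundational requirements of IEC 62443-1-1, in the order used
# for security-level vectors in IEC 62443-3-3 / 4-2.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass
class Asset:
    name: str
    zone: str
    owner: Optional[str]        # None = no accountable owner recorded
    critical: bool
    sl_t: Dict[str, int]        # target SL per FR for the asset's zone (0-4)
    sl_c: Dict[str, int]        # capability SL per FR of the component (0-4)
    last_reviewed: date         # when the inventory record was last confirmed


def sl_gaps(asset: Asset) -> Dict[str, int]:
    """Return {FR: shortfall} for every FR where SL-C is below SL-T.
    An empty dict means the component meets the zone target on all FRs."""
    gaps = {}
    for fr in FRS:
        target = asset.sl_t.get(fr, 0)
        capability = asset.sl_c.get(fr, 0)
        if capability < target:
            gaps[fr] = target - capability
    return gaps


def inventory_findings(assets: List[Asset], today: date,
                       review_window_days: int = 90) -> List[Tuple[str, str]]:
    """Apply the critical-asset checks: owner assigned, SL-T defined for
    every FR, record refreshed within the review window, and no SL-C
    shortfall against SL-T. Non-critical assets are out of scope here."""
    findings = []
    for a in assets:
        if not a.critical:
            continue
        if a.owner is None:
            findings.append((a.name, "no asset owner assigned"))
        missing = [fr for fr in FRS if fr not in a.sl_t]
        if missing:
            findings.append((a.name, "SL-T undefined for " + ",".join(missing)))
        if (today - a.last_reviewed) > timedelta(days=review_window_days):
            findings.append((a.name, "inventory record not reviewed in window"))
        for fr, shortfall in sl_gaps(a).items():
            findings.append((a.name, f"SL-C below SL-T for {fr} by {shortfall}"))
    return findings


# Constructed sample data (assumption): one zone with SL-T 2 on all FRs
# except data confidentiality, and three assets in that zone.
SL_T_ZONE_A = dict(zip(FRS, (2, 2, 2, 1, 2, 2, 2)))
SAMPLE_ASSETS = [
    Asset("PLC-01", "zone-A", "ot-team", True,
          SL_T_ZONE_A, dict(zip(FRS, (2, 2, 2, 1, 2, 2, 2))), date(2024, 5, 1)),
    Asset("HMI-02", "zone-A", None, True,
          SL_T_ZONE_A, dict(zip(FRS, (1, 2, 1, 1, 2, 2, 2))), date(2024, 1, 10)),
    Asset("printer-07", "zone-A", "it-team", False,
          SL_T_ZONE_A, {}, date(2023, 1, 1)),
]
AUDIT_DATE = date(2024, 6, 1)   # assumed audit date for the sample run


def run_sample() -> List[Tuple[str, str]]:
    """Run the checker over the constructed inventory."""
    return inventory_findings(SAMPLE_ASSETS, AUDIT_DATE)


if __name__ == "__main__":
    for name, issue in run_sample():
        print(f"{name}: {issue}")
```

In the sample run the PLC is clean, the printer is skipped because it is not a critical asset, and the HMI is reported four times: no owner, a stale inventory record, and an SL-C shortfall on IAC and SI. Those two shortfalls are exactly the kind of gap the Protect row above is meant to close, either by a compensating control at the zone boundary or by a component with a higher capability level.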