Thanks to the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC), there is a set of standards that helps organizations identify and understand the security of their control systems. The ISA/IEC 62443 series, and in particular its concept of target security levels, can be used to guide small or large security concerns. The consequences of a cybersecurity incident targeting a control system can be as small as material spilling on the floor or as large as a multi-site outage that takes weeks to recover from.
You may wonder why organizations shouldn’t just classify all their control systems at the same target security level. After all, it may seem easier and better to do so. But there are many practical reasons why this is not the best approach for organizations or for the control systems they seek to protect.
ISA/IEC 62443 applies target security levels to what it calls a ‘zone.’ A zone is a grouping of assets based on criteria such as physical location, criticality or operational function. The system under consideration will most likely be partitioned into multiple zones with conduits connecting them. Conduits are the communication channels that let the components in one zone transfer the data or information they need to exchange with components in another zone.
As an example, think about a facility that makes cake. There may be one or more raw material receiving zones, an ingredient mixing zone, a baking zone, a packaging zone, etc. Conduits may connect the raw materials and mixing zones, or the mixing and baking zones, but most likely not the mixing and packaging zones. The consequences of a successful attack on each zone must be evaluated.
To start this evaluation, ask: what are the operational, financial and health, safety and environment (HSE) impacts? Categorizing the consequences in each of these impact areas as high, medium or low is the key input for determining the target security level. ISA/IEC 62443-3-2 provides example tables to help with the categorization.
Next, complete the mapping exercise that aligns the high, medium and low consequence ratings with the 62443 security levels. That mapping is not universal: risk tolerance, industry vertical and physical location will lead different organizations to different determinations. At the end of the process, each zone should have a target security level designation of SL-1, SL-2, SL-3 or SL-4.
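The zone-and-conduit assessment described above, carried through in code as an added example (this is not from the article or from ISA/IEC 62443 itself). The cake facility zones, their consequence ratings and the rating-to-SL mapping are all constructed for illustration; the standard leaves that mapping to the asset owner, and the rule that a conduit takes the higher of its two zones' levels is a simplifying assumption of this example, not something 62443-3-2 prescribes.

```python
"""Assign target security levels (SL-T) to zones and conduits from consequence ratings.

Everything below is constructed for illustration: the rating-to-SL table is a
hypothetical stand-in for the organisation-specific mapping that ISA/IEC 62443-3-2
expects each asset owner to define, and the cake facility data is made up.
"""
from dataclasses import dataclass

IMPACT_AREAS = ("operational", "financial", "hse")
RATINGS = ("low", "medium", "high")

# Hypothetical mapping from the consequence rating in each impact area to a target
# security level. HSE is given a lower tolerance than the other two areas, which is
# one way a site's risk tolerance shows up in the mapping. Not the standard's values.
RATING_TO_SL = {
    "operational": {"low": 1, "medium": 2, "high": 3},
    "financial": {"low": 1, "medium": 2, "high": 3},
    "hse": {"low": 1, "medium": 3, "high": 4},
}


@dataclass(frozen=True)
class Zone:
    name: str
    consequences: dict  # impact area -> "low" | "medium" | "high"


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str


def zone_sl_target(zone: Zone) -> int:
    """The worst-case consequence across all impact areas decides the zone's SL-T.

    Raises ValueError if an impact area is unrated or a rating is not recognised,
    so an incomplete assessment cannot silently produce a low level.
    """
    missing = [a for a in IMPACT_AREAS if a not in zone.consequences]
    if missing:
        raise ValueError(f"zone {zone.name!r} lacks a rating for {missing}")
    levels = []
    for area in IMPACT_AREAS:
        rating = zone.consequences[area]
        if rating not in RATINGS:
            raise ValueError(f"zone {zone.name!r}: invalid rating {rating!r} for {area}")
        levels.append(RATING_TO_SL[area][rating])
    return max(levels)


def conduit_sl_target(conduit: Conduit, zone_levels: dict) -> int:
    """Assumption for this example: a conduit inherits the higher SL-T of the two
    zones it joins, so the weaker zone does not become the path into the stronger
    one. 62443-3-2 lets the owner assess each conduit in its own right."""
    for end in (conduit.src, conduit.dst):
        if end not in zone_levels:
            raise ValueError(f"conduit references unknown zone {end!r}")
    return max(zone_levels[conduit.src], zone_levels[conduit.dst])


def assess(zones, conduits):
    """Return (zone name -> SL-T, (src, dst) -> SL-T) for a whole system under consideration."""
    zone_levels = {z.name: zone_sl_target(z) for z in zones}
    conduit_levels = {(c.src, c.dst): conduit_sl_target(c, zone_levels) for c in conduits}
    return zone_levels, conduit_levels


def over_provisioned_if_uniform(zone_levels: dict) -> list:
    """Zones that would be pushed above their risk-based SL-T if the whole site
    were standardised on the single highest level found in the assessment."""
    top = max(zone_levels.values())
    return sorted(name for name, sl in zone_levels.items() if sl < top)


# Constructed sample: the cake facility from the text, with made-up ratings.
CAKE_ZONES = [
    Zone("receiving", {"operational": "low", "financial": "low", "hse": "low"}),
    Zone("mixing", {"operational": "medium", "financial": "medium", "hse": "low"}),
    Zone("baking", {"operational": "medium", "financial": "medium", "hse": "medium"}),
    Zone("packaging", {"operational": "low", "financial": "medium", "hse": "low"}),
]
CAKE_CONDUITS = [
    Conduit("receiving", "mixing"),
    Conduit("mixing", "baking"),
    Conduit("baking", "packaging"),
]

if __name__ == "__main__":
    zone_levels, conduit_levels = assess(CAKE_ZONES, CAKE_CONDUITS)
    for name, sl in zone_levels.items():
        print(f"zone {name:<10} SL-T {sl}")
    for (a, b), sl in conduit_levels.items():
        print(f"conduit {a} -> {b}: SL-T {sl}")
    top = max(zone_levels.values())
    print(f"zones over-provisioned if the site standardised on SL-{top}:",
          over_provisioned_if_uniform(zone_levels))
```

With these made-up ratings the baking zone lands at SL-3 on HSE grounds while receiving stays at SL-1, and the last function lists the three zones that would carry SL-3 requirements they do not need if the site simply adopted its highest level everywhere.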
Sticking with the right security level
After you’ve designated each zone with the proper target security level, picking one level and standardizing on it across the plant may be tempting, but it’s not advised.
For example, if the organization has a zone that controls a dangerous process or handles hazardous materials and is designated SL-3, why not make the entire site conform to SL-3? Because the technical and security requirements increase with each step up in security level. ISA/IEC 62443-3-3 lists the system requirements under seven foundational requirements, together with the requirement enhancements expected at the higher security levels. One example of such an enhancement is moving from a single operator account that all shift personnel share to individual named accounts with strict role-based access control for every function within an HMI. Another is implementing mechanisms that prevent malware from executing on an HMI server, and applying operating system and application hardening practices to protect that same server from advanced attack techniques.
In both examples, the effort and resources needed to meet the more stringent requirement are much higher than for the baseline. When a zone of existing equipment is assigned a higher security level, are the devices and software even capable of meeting the requirements? Does the organization have the staff and time to implement them? Do the vendors, integrators and other third parties the organization works with have the technologies and capabilities to deliver this functionality within their projects? Meeting these higher standards probably isn’t necessary across the entire facility. On the other hand, meeting only the SL-1 requirements may not be enough for specific zones.
What to expect
As many have experienced with the IT groups in their organizations, onerous security requirements and measures often lead personnel to ignore or work around them, rendering them ineffective. Taking on too many security controls at once tends to produce poor implementation, so a smaller subset of sensible requirements is likely to see more success and less resistance.
Troubleshooting and change management may also take longer because of the additional checks, approvals and access controls that restrict who can work with specific devices or systems. During a platform upgrade or expansion, a higher security level may mean increased project cost and implementation time and a narrower choice of vendors or equipment able to meet the listed security requirements.
Organizations certainly need to improve the security posture of their control systems, and the ISA/IEC 62443 target security levels provide a methodology for doing so that right-sizes the security measures to the risks and consequences present in a facility. For organizations just starting their cybersecurity journey in the controls environment, simply getting all zones to SL-1 may be a monumental undertaking.
Identifying the proper security levels early for new and planned projects helps avoid the cost of retrofitting measures after implementation. Budgets and resources are limited, so it makes sense to get the best return on investment by applying the right level of security to each zone.
Alan Raveling is an OT Architect at Interstates, a certified member of the Control System Integrators Association (CSIA). For more information about Interstates, visit its profile on the Industrial Automation Exchange.