IEC 62443 Cybersecurity - Maximizing Industrial Network Security

Protecting critical infrastructures from cyber-attacks and threats has become an important objective for government and enterprise organizations, especially as infrastructures are increasingly connected to networks.

Previously, security was a concern only for the IT (Information Technology) industry: protecting PCs from viruses, keeping personal passwords and information from being stolen, preventing the company's network from being hacked, and so on. It was hard to imagine that automated factory manufacturing systems could one day be hacked, paralyzing the factory's manufacturing. One of the most famous cases occurred in December 2015, when a hacker attack on the Ukrainian power network caused a large-scale power outage. This incident showed that it is possible to paralyze national-level infrastructure operations.

On December 23, 2015, the hacker attack on the Ukrainian power network caused a blackout affecting hundreds of thousands of households in Ivano-Frankivsk Oblast. One month later, security experts confirmed that the blackout was a hack. It was caused by a customer attacking the power grid with malicious software. This attack marks a milestone in the history of worldwide power grid security.

To effectively protect critical infrastructures and IACS (Industrial Automation and Control Systems) from intrusion and attack by cyber hackers, and from the resulting harm and loss, safety and security considerations and solutions must be approached not only from the perspective of IT, but also from the perspective of OT (Operational Technology). The differences between IT and OT are summarized below:

| Security Policies | IT Network | Security |
|---|---|---|
| Focus | Protect company's business related documents, financial data, IP (Intellectual Property) | Protect human and physical assets for continuous operations with high efficiency and safety |
| Priorities | 1. Confidentiality, 2. Integrity, 3. Availability | 1. Availability, 2. Integrity, 3. Confidentiality |
| Type of Data Traffic | Data, voice and video | Data, control information, real time status, safety information |
| Implications of Cyber-attacks | Economic losses, loss of confidential data | Stop processes or services, physical or environmental damage, endanger the safety or health of personnel |
| Upgrades and Patch Management | During uptime, ASAP | Scheduled during downtime (months, years), ASAP if urgent |
| Infrastructure Life Cycle | Refresh < 5 years | Lifespan 15+ years |
| Deployment Conditions | Controlled and stable environments | Harsh environments |

Reference Source: Page 12, Cybersecurity for Industry 4.0 by Garrick Ng, Cisco, Nov. 2017, modified by EtherWAN Systems, Inc.


| Part | Document | Title |
|---|---|---|
| General | IEC-62443-1-1 | Concepts and models |
| General | IEC-TR62443-1-2 | Master glossary of terms and abbreviations |
| General | IEC-62443-1-3 | System security compliance metrics |
| General | IEC-TR62443-1-4 | IACS security lifecycle and use-cases |
| Policies & Procedures | IEC-62443-2-1 | Security program requirements for IACS asset owners |
| Policies & Procedures | IEC-62443-2-2 | IACS protection levels |
| Policies & Procedures | IEC-TR62443-2-3 | Patch Management in the IACS environment |
| Policies & Procedures | IEC-62443-2-4 | Requirements for IACS service providers |
| Policies & Procedures | IEC/TR62443-2-5 | Implementation guidance for IACS asset owners |
| System | IEC/TR62443-3-1 | Security technologies for IACS |
| System | IEC/62443-3-2 | Security risk assessment and system design |
| System | IEC 62443-3-3 | System security requirements and security levels |
| Component | IEC 62443-4-1 | Secure product development lifecycle requirements |
| Component | IEC 62443-4-2 | Technical security requirements for IACS components |

IEC 62443 is organized into four parts: General, Policies and Procedures, System, and Component.

  • The "General documents" provide the overall concepts, terminologies, and overview of industrial security.
  • The "Policies and Procedures" part outlines the requirements and guidelines for establishing a Cyber Security Management System for IACS. Patch management for IACS is also included in this part.
  • The "System documents" provide the technologies, policy, and risk assessment for designing and implementing security systems.
  • The "Component" section addresses the requirements of product suppliers and the devices integrated in an IACS solution.

As one of the major industrial network equipment providers, in addition to continuing to provide customers with the best and most complete networking solutions, EtherWAN is investing resources and actively working to obtain IEC 62443 certification today. With an in-depth understanding of, and compliance with, the IEC 62443 standard in designing secure products, EtherWAN will soon provide customers with products and solutions that meet the world's security standards!