
Industrial Security Standard IEC 62443:
Security Functions for Industrial Control Systems
Dr. Rainer Falk

Unrestricted © Siemens AG 2017 siemens.com/innovation


Our industrial society has a growing demand for IT security

IT security trends are determined by drivers such as

• Industry infrastructure changes (digitalization)
• More networked embedded systems
• Increasing device-to-device communication
• Need to manage intellectual property

And
• Increasing international organized crime
• Privacy
• Compliance enforcement
• Cyber warfare
• Cloud/Virtualization
• PDAs, smart mobiles
• Social networks / data mining concepts
• …



Page 2 June 2017 Corporate Technology
The threat level is rising –
Attackers are targeting critical infrastructures

[Figure: Evolution of attacker motives, vulnerabilities and exploits, 2002 to 2015]

Eras shown: The Age of Computerworms; Cybercrime and Financial Interests; Politics and Critical Infrastructure; Hacking against physical assets
Malware and campaigns named: Code Red, Slammer, Blaster, Zeus, SpyEye, Rustock, Aurora, Nitro, Stuxnet
Motives: "Hacking for fun", "Hacking for money", "Hacking for political and economic gains"
Actors: Hobbyists, Organized Criminals, Hacktivists, State sponsored Actors, Terrorists, Activists, States, Criminals
Keywords: Worms, Backdoors, Anti-Virus, Hackers, BlackHat, Viruses, Credit Card Fraud, Botnets, Banker Trojans, Phishing, Adware, SPAM, WebSite Hacking, Anonymous, SCADA, RSA Breach, DigiNotar, APT, Targeted Attacks, Sony Hack, Cyberwar, Hacking against critical infrastructure, Ransomware, Identity theft, Responsible Disclosure, Major loss of privacy, "Gläserner Bürger im Netz" ("transparent citizen on the net")
Curves plotted: # of new malware samples, # of published exploits, # of published vulnerabilities

Data sources: IBM X-Force Trend and Risk Report, Symantec Intelligence Report, HP Cyber Risk Report

Office world versus industrial systems - Protection targets for security

Industrial Systems:
• Protection of production resources
• Lifetime up to 20 years and more

Office IT:
• Protection of IT infrastructure
• Lifetime 3-5 years

The CIA pyramid is turned upside down in
industrial automation and control systems

Priority, in the order shown on the slide:

Industrial Automation and Control Systems | Office IT Systems
Availability | Confidentiality
Integrity | Integrity
Confidentiality | Availability

Industrial systems and office world have
different management & operational characteristics

Characteristic | Industrial Systems | Office IT
Protection target for security | Production resources, incl. logistics | IT infrastructure
Component lifetime | Up to 20 years | 3-5 years
Availability requirement | Very high | Medium, delays accepted
Real time requirement | Can be critical | Delays accepted
Physical security | Very much varying | High (for IT Service Centers)
Application of patches | Slow / restricted by regulation | Regular / scheduled
Anti-virus | Uncommon, hard to deploy, white listing | Common / widely used
Security testing / audit | Increasing | Scheduled and mandated

Security-by-Design is different from Safety-by-Design

IT Security: Prevention of consequences of threats to a system (intentionally) caused by humans and/or environment

Safety: Prevention of threats to humans and environment caused by technical systems

[Diagram: Humans / Environment and Technical System, shown for both IT Security and Safety]

Caught between regulation, requirements, and standards

Solution design and deployment plays an essential role in designing compliant solutions

Asset Owner (operates and maintains): Secure operation, policies, requirements
• ISO 27001/19
• IEC 62443-2-1
• NERC-CIP

System Integrator (designs and deploys): Design + hand over / maintain a secure solution
• IEC 62443-2-4
• DIN VDE V0831-104
• BDEW WP

Product Supplier (develops and supports): Capabilities, documentation, secure development, support
• IEC 62443-3-3
• IEC 62443-4-2
• BDEW WP

IEC 62443 Covers Security Management, System, and
Component Level for Industrial Automation Control Systems (IACS)

IEC 62443 (ISA-99)

General (Definitions, Metrics)
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics

Policies and procedures (Requirements to the security organization and processes of the plant owner and suppliers)
• 2-1 Establishing an IACS security program
• 2-2 Operating an IACS security program
• 2-3 Patch management in the IACS environment
• 2-4 Certification of IACS supplier security policies

System (Requirements to a secure system)
• 3-1 Security technologies for IACS
• 3-2 Security assurance levels for zones and conduits
• 3-3 System security requirements and security assurance levels

Component (Requirements to secure system components)
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS products

IACS, automation solution, control system

Industrial Automation and Control System (IACS)

Operates and maintains (IEC 62443 parts 2-1, 2-3, 2-4):
• Asset Owner: Operational policies and procedures
• Service Provider: Maintenance policies and procedures

+

System Integrator designs and deploys (parts 2-4, 3-2, 3-3):
• Automation solution, consisting of Basic Process Control System (BPCS), Safety Instrumented System (SIS), and Complementary Hardware and Software

(IACS environment / project specific)

Product Supplier develops control systems and develops components (parts 3-3, 4-1, 4-2):
• Control System as a combination of components, which is the base for the automation solution
• Components: Embedded devices, Network components, Host devices, Applications

(Independent of IACS environment)


IEC 62443-3-3 and 3-2 have to be addressed by both the System Integrator
and Product Supplier.

Industrial Automation and Control System (IACS)

Asset Owner / Service Provider, operates and maintains (IEC 62443 parts 2-1, 2-3, 2-4):
• Secure operation, policies, requirements

System Integrator, designs and deploys (parts 2-4, 3-2, 3-3):
• Design + hand over / maintain a secure solution

(IACS environment / project specific)

Product Supplier, develops control systems and develops components (parts 3-3, 4-1, 4-2):
• Control System
• Capabilities, documentation, secure development, support

(Independent of IACS environment)


Security levels provide for protection against different attack levels

Zones and Conduits
[Diagram labels: Zone Plant, Conduit, Zone Enterprise, Zone Network, Zone Control, Diagnosis]

The targeted security level is determined by a threat and risk analysis

SL1: Protection against casual or coincidental violation
SL2: Protection against intentional violation using simple means, low resources, generic skills, low motivation
SL3: Protection against intentional violation using sophisticated means, moderate resources, IACS specific skills, moderate motivation
SL4: Protection against intentional violation using sophisticated means, extended resources, IACS specific skills, high motivation

Security Standard IEC 62443-3-3 defines security requirements for industrial
control systems

7 Foundational Requirements

Example Security Vector: SL-x=(3,3,3,1,2,1,3)

FR 1 – Identification and authentication control: 3
FR 2 – Use control: 3
FR 3 – System integrity: 3
FR 4 – Data confidentiality: 1
FR 5 – Restricted data flow: 2
FR 6 – Timely response to events: 1
FR 7 – Resource availability: 3
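
A security vector in this notation can be checked mechanically against a target. The following is an added example, not part of the original slides: it parses the SL-x notation and lists the foundational requirements where an offered vector falls short of a target vector. The SL-T and SL-C labels, the constructed capability vector and the acceptance of level 0 are assumptions of this example.

```python
import re

# The seven foundational requirements (FR) from the slide, in vector order.
FOUNDATIONAL_REQUIREMENTS = (
    "FR 1 Identification and authentication control",
    "FR 2 Use control",
    "FR 3 System integrity",
    "FR 4 Data confidentiality",
    "FR 5 Restricted data flow",
    "FR 6 Timely response to events",
    "FR 7 Resource availability",
)
_VECTOR_RE = re.compile(r"^\s*SL-(\w+)\s*=\s*\(([^()]*)\)\s*$")


def parse_sl_vector(text):
    """Parse 'SL-x=(3,3,3,1,2,1,3)' into (label, tuple of 7 levels)."""
    match = _VECTOR_RE.match(text)
    if not match:
        raise ValueError(f"not a security vector: {text!r}")
    label, body = match.groups()
    parts = [p.strip() for p in body.split(",")]
    if len(parts) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(f"expected 7 levels, got {len(parts)}")
    levels = []
    for fr, part in zip(FOUNDATIONAL_REQUIREMENTS, parts):
        # The slides define SL1..SL4; 0 is accepted here (assumption) as "no requirement".
        if part not in {"0", "1", "2", "3", "4"}:
            raise ValueError(f"{fr}: invalid security level {part!r}")
        levels.append(int(part))
    return label, tuple(levels)


def sl_gaps(target, capability):
    """Return {FR name: (target, capability)} for every FR that falls short."""
    _, wanted = parse_sl_vector(target)
    _, offered = parse_sl_vector(capability)
    return {
        fr: (t, c)
        for fr, t, c in zip(FOUNDATIONAL_REQUIREMENTS, wanted, offered)
        if c < t
    }


if __name__ == "__main__":
    # Target vector from the slide; the capability vector is constructed.
    for fr, (t, c) in sl_gaps("SL-T=(3,3,3,1,2,1,3)", "SL-C=(3,2,3,1,1,2,2)").items():
        print(f"{fr}: target SL{t}, offered SL{c}")
```

The comparison is per foundational requirement: a higher level on one FR (here FR 6) does not offset a shortfall on another.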

Example: System requirements (SR) and requirement extensions (RE) for
foundational requirement FR1 “Identification and authentication control”

Security within Industry 4.0:
Security by design & security by default

More integrated security within applications
• …rather than just within the network (layers)
• Application based end-to-end security must be possible

Adaptive security architectures
• Agile security profiles have to be adaptable in a dynamic way.
• Fast configuration must include security.

Security for the digital model
• Security for the physical instance, its digital twin and their interactions must take place in a concerted way.

Prevention and reaction are still needed
• Security will remain a moving target. There will be no final I4.0 security solution without a need for further measures.

Security has to be suitable for the addressed environment

Awareness and Acceptance

Since security is not just a technical solution that can be incorporated
transparently, we need to consider how humans can get along with this issue.
This requires, especially in automation environments, actions to:
• provide awareness training
• help people understand security measures and processes
• provide user-friendly interfaces and processes

Dr. Rainer Falk
Principal Key Expert
Siemens AG
Corporate Technology
CT RDA ITS
Otto-Hahn-Ring 6
D-81739 Munich
Germany
E-mail: rainer.falk@siemens.com
Internet: siemens.com/corporate-technology
