Gabriel Faifman
TC 65 WG10
Convenor
Event: IEC 62443 Series
Date: 2021-06-30
Location: IEC Academy
Gabriel Faifman – TC 65 WG 10
- Product and System Security Office (PSSO) member, in charge of the Cybersecurity Strategic Domain at Schneider Electric;
- Formerly Director of Strategic Programs and Principal Technical Product Manager with Wurldtech (acquired by GE Digital) for over 7 years.
- 30+ years of diverse experience as Director, Manager and Senior Consultant in operational and Information Systems and Network Security at multiple organizations, such as: Coca Cola; Deloitte; Stet-France Telecom; Accenture.
- Electronic Engineer UBA, specialized in Industrial Automation; CSS1 Infosec professional; Advanced trained at INL.
- IEC 62443-2-4 certifier for: Schneider Electric’s substation automation solution; Siemens Substation Automation; Siemens PCS7; Emerson DeltaV & SIS; Yokogawa Centum VP among others.
Objective:
✓ To build bridges between ISA; IEC and its certification programs (ISASecure & IECEE) with regional regulation bodies.
✓ To implement and enhance the applicability of IEC 62443 series across Critical Infrastructure stakeholders, for their entire lifecycle.
Work in progress:
- Serving as an SME for the TC 65 working group on the IEC 62443 international standards project since 2011, representing Canada (Canadian Delegate).
- Created and executed the original conformance criteria adopted by IECEE on the current IEC 62443-2-4 certification program.
- ISASecure – Steering committee member, representing Schneider Electric.
- Voting member on ISA99 (Industrial Automation & Control Systems Security), with weekly active contribution on many Workgroups.
Agenda: IEC 62443 Series
• Current state
• Risks & opportunities: our challenge
• Series Overview
• The ‘who’ and the ‘what’
• This is just the beginning
OT security: A very Real Cyber Threat
Cybersecurity by numbers: The cost of non-compliance
• Connected IoT devices will reach 75 billion by 2025.
• Every 11 sec a ransomware attack occurs by 2021 (*3)
• IoT devices are under attack within 5 min of being powered up.
• 68% of business leaders feel their cybersecurity risks are increasing.
• 95% of cybersecurity breaches are due to human error (almost never in the IT area)
• Most companies take nearly 6 months to detect a data breach, even major ones.
• US$3.86 million: Average total cost of a data breach during 2020.
• Share prices fall 7.27% on average after a breach
Sources:
*1 - IBM – Cost of a Data Breach
*2 - Ponemon.org
*3 & *4 - Cybersecurity Ventures
*5 - Cybersecurity Ventures
*6 - Cybint
*7 - Equifax, Capital One, Facebook
*8 - Netscout
Digital Transformation: Accelerate Digital
Copyright IEC CO 2021 – reuse of material for commercial use prohibited
IEC 62443 Series
TC 65 WG 10
Co-convenors:
Mr Gabriel Faifman
Mr Lee A. Neitzel
137 Experts from 22 National Committees:
AT AU CA CH CN DE DK ES FI FR GB IE IL IT JP KR NL NO PT RO RU US
22 TC level Liaisons with TCs/SCs of IEC ISO ITU
11 WG Liaisons …
IEC 62443 Series
Partnering with Liaisons
IEC 62443 – Overview
[Figure: Industrial automation and control system (IACS), showing roles, what each role is responsible for, and the parts of the series involved.]
Roles:
• Product Supplier: develops and supports Products
• Integration Service Provider: designs and deploys the Automation Solution
• Asset Owner
• Maintenance Service Provider
Other relationship labels in the figure: commissions and validates; maintains; operates; accountable for
Products:
• Components: supporting software applications; embedded devices; network devices; host devices
• Control system (as a combination of components): supporting software applications; embedded devices; network devices; host devices
Automation Solution:
• Includes configured products (Security Guidelines)
• Essential functions; control functions; safety functions; complementary functions
Capabilities:
• Operational capabilities (policies and procedures)
• Maintenance capabilities (policies and procedures)
Parts shown: IEC 62443-2-1; IEC 62443-2-4; IEC 62443-3-2; IEC 62443-3-3; IEC 62443-4-1; IEC 62443-4-2
Managerial & Operational Procedures
Dependencies between processes
[Figure: defence in depth built from organizational, procedural and technical capabilities, mapped to parts of the series.]
Measures shown:
• Managerial Measures (by Asset Owner)
• Operational Routine Maintenance Measures
• Security Technical Features
• Operational Measures (by Product Supplier – component & systems)
• Managerial Measures (by Product Supplier – component & systems)
• Service Provider Managerial ICM
• Service Provider Operational ICM
Capability layers: Organizational capabilities; Procedural capabilities; Technical capabilities
Parts shown: IEC 62443-2-1; IEC 62443-3-2; IEC 62443-2-4; IEC 62443-3-3; IEC 62443-4-2; IEC 62443-4-1
Managerial & Operational Procedures
Dependencies between processes
[Figure: the same defence-in-depth diagram, with the individual processes filled in.]
Measures shown:
• Operational Routine Maintenance Measures
• Service Provider Managerial ICM
• Service Provider Operational ICM
Capability layers: Organizational capabilities; Procedural capabilities; Technical capabilities
Parts shown: IEC 62443-2-1; IEC 62443-3-2; IEC 62443-2-4; IEC 62443-3-3; IEC 62443-4-2; IEC 62443-4-1
Process labels in the figure:
• Financial; Training; Legal; Threat Model; Sec. Context
• Update/ Patch Qualif; Management
• Risk ID & Mitigation
• Security Process; Implementation Process; DiD - Design Process
• Defence in Depth; Sec. Guidelines; Vulnerability Management
• Verify Test Process
• HR; Training; Legal; Threat Model Check
• Risk Target Review (Vulnerability check)
• Risk ID & Mitigation
• Physical; MoC; Event & Incident Mgmt; UAC
• Remote Access; Configuration Management
• Segmentation; Availability
• Availability; Data Security; Integrity; UAC
• Segmentation & Comm Sec
• Event & Incident Mgmt; Config Mgmt
IEC 62443-4-1: Security Development Lifecycle
• ISA/IEC 62443-4-1 has 47 Product Development Lifecycle security requirements organized into 8 Practices.
• These security practices are intended for development organizations on any automation and control products.

Value | Req ID | # of Reqs
SM – Security Management | SM-xx | 13
SR – Specification of security reqs | SR-xx | 5
SD – Secure by design | SD-xx | 4
SI – Secure Implementation | SI-xx | 2
SVV – Security Verification & Validation | SVV-xx | 5
DM – Mgmt of security related issues | DM-xx | 6
SUM – Security update management | SUM-xx | 5
SG – Security Guidelines | SG | 7
IEC 62443-4-2: Component Security Reqs
• ISA/IEC 62443-4-2 has 88 System Requirements organized into 7 Foundational Requirements.
• The intent of this document is to specify security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.

Value | Req ID | # of Reqs
FR 1 – Identification and authentication control | CR.01.XX | 14
FR 2 – Use control | CR.02.XX | 13
FR 3 – System integrity | CR.03.XX | 14
FR 4 – Data confidentiality | SR.04.XX | 3
FR 5 – Restricted data flow | SR.05.XX | 4
FR 6 – Timely response to events | SR.06.XX | 2
FR 7 – Resource availability | SR.07.XX | 8
SAR – Software application | SAR.X.X | 2
EDR – Embedded device | EDR.XX.XX | 8
HDR – Host device | HDR.XX.XX | 8
NDR – Network device | NDR.XX.XX | 12
IEC 62443-3-3: System Security Requirements
• ISA/IEC 62443-3-3 has 51 System Requirements organized into 7 Foundational Requirements.
• Some requirements have requirements enhancements used to increase the security level of the System Requirement.

Value | Req ID | # of Reqs
FR 1 – Identification and authentication control | SR.01.XX | 13
FR 2 – Use control | SR.02.XX | 12
FR 3 – System integrity | SR.03.XX | 9
FR 4 – Data confidentiality | SR.04.XX | 3
FR 5 – Restricted data flow | SR.05.XX | 4
FR 6 – Timely response to events | SR.06.XX | 2
FR 7 – Resource availability | SR.07.XX | 8
IEC 62443-2-4: Req’s – Security Programs for Service Providers
• ISA/IEC 62443-2-4 has 123 Security Requirements organized into 12 Functional Areas.
• Requirements address integration and maintenance, and include references to security requirements for products.

Value | Req ID | # of Reqs
Solution staffing | SP.01.XX | 11
Assurance | SP.02.XX | 7
Architecture | SP.03.XX | 24
Wireless | SP.04.XX | 6
SIS | SP.05.XX | 12
Configuration management | SP.06.XX | 4
Remote access | SP.07.XX | 5
Event management | SP.08.XX | 8
Account management | SP.09.XX | 17
Malware protection | SP.10.XX | 8
Patch Management | SP.11.XX | 12
IEC 62443-2-1: Reqs for Asset Owner Security Programs
• ISA/IEC 62443-2-1 has 90 Asset Owner (role) Requirements organized into 9 Security Program Elements.
• Some requirements may have a supply chain program that contains security requirements derived from this document for product suppliers and service providers.

Value | Req ID | # of Reqs
ORG – Organizational Security | ORG x.x | 9
CM – Configuration Management | CM x.x | 4
NET – Network Security | NET x.x | 17
COMP – Component Security | COMP x.x | 10
DATA – Protection of data | DATA x.x | 9
USER – Human User Access Ctrl | USER x.x | 24
EVENT – Event & Incident Mgmt | EVENT x.x | 9
AVAIL – System Availability | AVAIL x.x | 8
IEC 62443-2-4: helps depict the attack surface
IEC 62443-2-4: Maturity Level
Used to gauge maturity of individual security capabilities
• Ad-hoc (no formal process), e.g. Contract SOW
• Defined (formal, repeatable process), e.g. Written procedures, training materials
• Practiced (performed on customer solution), e.g. Completed checklists
• Continuous improvement (evolving process based on experience), e.g. Revised procedures
IEC 62443 Projects in progress
• Protection Levels
• Rules for IEC 62443 Profiles
• Security evaluation methodology for IEC 62443 – Part 2-4
• Security evaluation methodology for IEC 62443 – Part 4-2
• TC 65 WG 10 – Roadmap
• IIoT and Security
• Edition updates
Find more IEC Academy webinars at
https://www.iec.ch/academy/webinars