Aim for Security: Stay on Target


Alan Raveling | April 3, 2024

The ISA/IEC 62443 standards guide organizations to align their security efforts with business risk, defining security levels that need not be the same for every system. Three measures of security level, Capability (SL-C), Target (SL-T), and Achieved (SL-A), help identify what a system can provide, what it should provide, and where the gaps are, highlighting the areas that must be improved to keep pace with an evolving cyber threat landscape.

The key to these standards is the understanding that not all systems require the highest level of security (SL-4); the appropriate level depends on each system's purpose and risk profile. Regular reassessment of target security levels is crucial to adapt to evolving threats and technology. The standards advocate a balanced approach, weighing the necessity of security measures against their practicality and their alignment with the organization's broader risk management strategy.

Understanding Security Levels in ISA/IEC Standards

Using ISA/IEC 62443 as a resource and guideline helps lay a foundation for enhancing the security measures at your facility. It is a tool for understanding your risk and for ensuring that software and devices meet cybersecurity requirements and undergo certification. The three security-level measures are:

  • SL-C represents the security level a system or component is capable of providing when properly configured.
  • SL-T is the security level the organization aims to reach for a given zone or system.
  • SL-A reflects the security level actually attained, as measured during an assessment.

The gap between SL-T and SL-A pinpoints the areas an organization needs to focus on. That gap may stem from outdated technology or insufficient security features in existing equipment, which must be addressed to raise SL-A.

Zoning and Conduits: A Strategic Approach

Establishing varied security levels within an organization is pivotal, as it allows facilities to be segmented into 'zones' as described in the ISA/IEC 62443 standards. These zones can be defined according to risk factors such as asset criticality. Strategic zoning not only enables targeted protection but also controls communication between zones through conduits, ensuring that security measures are tuned to each area's specific needs.

When assessing the appropriate security level, it is essential to consider the kinds of threat the zone faces, such as accidental versus intentional, or sophisticated versus simple. Each type of threat calls for a different defensive approach. While high-profile cyberattacks often make headlines, they may not represent the most common threats organizations encounter or need to prepare for. Instead, organizations should look at the security incidents common within their industry, recognize that attackers vary greatly in their resources and objectives, and tailor their defense strategies accordingly.

Considering the Consequences of a Cyberattack

In the event of a cybersecurity incident, its impact on your organization can appear in several critical areas.

  • Operations: A breach could lead to significant downtime, affecting everything from a single facility to the entire organization's network, with the duration of this downtime varying widely.
  • Financial: The repercussions extend beyond lost revenue to potential legal and regulatory challenges, not to mention the possibility of a public relations crisis that could erode public trust in your brand.
  • Health, safety, and environmental (HSE): The stakes are high, raising concerns about potential injuries to personnel, building or equipment damage, or environmental impacts stemming from a compromised system.

Determining the right security level involves assessing these potential impacts and classifying them as low, medium, or high risk, guided by the tables in the 62443-3-2 standard. A good starting point is to align lower risk with lower security levels and higher risk with higher security levels, taking care that high-risk scenarios are not underestimated by assigning them too low a level, and that low-risk scenarios are not burdened with an unnecessarily high one. The goal is a security posture that reduces these risks to a manageable level in the face of realistic cyber threats.

The Significance of Security Levels: An Example

Let's put these concepts into practical perspective with an example: consider a biodiesel production facility. This facility handles hazardous processes and chemicals, but many of its areas carry relatively low-risk activities. First, divide equipment and devices into zones and conduits. These zones might include areas for receiving raw materials, the biodiesel production process, safety systems, and loading finished goods, with each zone carrying a different level of risk. For instance, a minor spill in the raw material area (assigned SL-1) is considered lower risk than a critical failure of the processing area's safety systems (which might be assigned SL-3 or SL-4) because of the potential for severe consequences such as fires.

To ensure each zone's security measures are up to par, the organization evaluates the current security state (SL-A) against the capability of the installed equipment (SL-C) and works to close any discrepancies. This may involve upgrading components, implementing compensating measures, enhancing safety protocols, or reassessing the target security levels.
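As an added illustration of the risk classification and the zone-by-zone gap analysis described above (this is example code written for this page, not from the article or from the ISA/IEC standard), the block below models each biodiesel zone's SL-T, SL-C and SL-A and reports the size of the gap and whether it calls for an equipment upgrade or only configuration work. The low/medium/high-to-SL-T mapping and the per-zone values are assumptions for illustration; a real assessment takes them from the 62443-3-2 tables.

```python
from dataclasses import dataclass

SL_MIN, SL_MAX = 0, 4  # ISA/IEC 62443 levels run from SL-0 (no requirement) to SL-4
# Assumed, simplified mapping from the article's low/medium/high impact rating to
# a target level; real values come from the tables in 62443-3-2.
RISK_TO_SL_T = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Zone:
    name: str
    risk: str   # low / medium / high, from the consequence assessment
    sl_c: int   # level the installed components are capable of providing
    sl_a: int   # level actually achieved in the assessment

    @property
    def sl_t(self) -> int:  # target level derived from the zone's risk rating
        return RISK_TO_SL_T[self.risk]

def classify_gap(zone: Zone) -> tuple[int, str]:
    """Return (SL-T minus SL-A, action). 'upgrade': SL-C is below SL-T, so the
    equipment cannot reach the target without new components or compensating
    measures; 'configure': the equipment could reach SL-T but does not yet;
    'ok': SL-A meets or exceeds SL-T."""
    for lvl in (zone.sl_c, zone.sl_a):
        if not SL_MIN <= lvl <= SL_MAX:
            raise ValueError(f"{zone.name}: SL {lvl} outside {SL_MIN}..{SL_MAX}")
    gap = zone.sl_t - zone.sl_a
    if gap <= 0:
        return 0, "ok"
    if zone.sl_c < zone.sl_t:
        return gap, "upgrade"
    return gap, "configure"

def gap_report(zones: list[Zone]) -> dict[str, tuple[int, str]]:
    """Gap and action for every zone, keyed by zone name."""
    return {z.name: classify_gap(z) for z in zones}

# Constructed zones for the article's biodiesel facility; the SL-C and SL-A
# values are illustrative assumptions, not assessment data.
BIODIESEL_ZONES = [
    Zone("raw material receiving", "low", sl_c=2, sl_a=1),
    Zone("production process", "medium", sl_c=2, sl_a=1),
    Zone("safety systems", "high", sl_c=2, sl_a=2),
    Zone("finished goods loading", "low", sl_c=1, sl_a=1),
]

if __name__ == "__main__":
    for name, (gap, action) in gap_report(BIODIESEL_ZONES).items():
        print(f"{name}: SL-T is {gap} above SL-A -> {action}")
```

Zones flagged 'upgrade' are the ones where, as the article notes, existing equipment lacks the security features to reach the target, so configuration alone cannot close the gap.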

Defining target security levels for zones isn't a one-time task; it requires periodic reassessment to adapt to evolving threats, consequences, and technological changes. Effective collaboration among stakeholders is essential to align security efforts with the facility's operational needs, making security an integral part of project planning rather than an afterthought. ISA/IEC 62443 security levels enable organizations to adopt a tailored security strategy that addresses the specific risks of each zone, avoiding a blanket approach that may leave some vulnerabilities inadequately covered.


This article was initially published on Industrial Cybersecurity Pulse.