Cyber attacks targeting industrial networks increased by 2000% from 2018 to 2019. Attacks on operational technology (OT) can interrupt production and revenue, expose proprietary information, or taint product quality. They can even put employees in harm’s way or damage the environment. Attacks on critical infrastructure—water, power, and transportation—can inflict devastating effects on the economy and public health.
Securing industrial operations is now top of mind. But converting good intentions to action can be challenging, for two main reasons. First, industrial networks are often managed by OT teams that don’t have advanced cybersecurity skills. They might also be concerned that the IT team will take actions that reduce operational uptime. Unlike a 2-hour outage to an email server, whose costs are measured in lost productivity and annoyance, a 2-hour unplanned outage to an assembly line can bring output and revenue to a halt.
The other barrier is not knowing where to start. Industrial networks are very complex. Should you start by adding cybersecurity controls to the easiest systems to protect, for a quick win, or to the most critical systems? Does the bigger payoff come from segmenting the network? Detecting anomalous activity? Authorizing users? Something else?
Fortunately, the International Society of Automation (ISA) put together the ISA99 set of standards for building secure industrial automation and control systems (IACS). The International Electrotechnical Commission (IEC) built on that work to introduce IEC 62443.
Some think the ISA/IEC 62443 set of standards is too detailed and complex. We at Cisco like it because it gives IT and OT common ground to work together. It’s a framework to implement industrial cybersecurity best practices step by step, for continuous improvement. The standard defines a secure network architecture, functional requirements, and guidelines to measure your maturity level for each requirement. OT contributes its knowledge about which assets need to communicate and how critical they are, and IT contributes its cybersecurity expertise and technology.
The standards lay out a four-step framework:
Significantly, the IEC 62443 doesn’t call the highest maturity level “mature” or “advanced.” Instead, the highest maturity level is “improving,” highlighting the fact that cybersecurity is never done. To stay ahead of ever-more-sophisticated attacks, OT and IT teams should plan to continually strengthen protection.
Implementing ISA/IEC 62443 requires asset visibility, defining zones and conduits, and assigning controls to zones. IT and OT can do this collaboratively using Cisco Cyber Vision, as described in this blog.
For more technical reports on IoT/OT Security
Subscribe to the Cisco IoT Security Newsletter