Did you know that in the first half of 2021, 33.8% of Industrial Control Systems’ (ICS) computers were attacked, which is 0.4 percentage points (p.p.) higher than in H2 2020? This means that in the first 6 months of last year alone, over one-third of ICSs worldwide suffered some kind of cyber attack. If cybercrime were a country, it would be the world's third-largest economy after the United States and China, inflicting $6 trillion USD in worldwide damages in 2021.
This is shocking data, especially considering that Industrial Control Systems handle many types of processes, including critical infrastructures such as water treatment, energy, and air traffic control.
In our newest article below we will discuss:
You can also learn how we at CCLab can help you achieve better security for your business's ICS.
Industrial Control System (ICS) is a collective term for different types of control systems and their associated instrumentation. These can be systems, networks, devices, and controls used to automate and operate industrial processes. Almost all critical infrastructure and sectors of industrial production, power management, water treatment, and transportation require some kind of ICS, together with the devices and procedures that go with it.
Industrial Control Systems are divided into groups based on the complexity of their control actions in regard to the comprehensive functions of the ICS. The following are examples of common types of control systems:
Today's automated and digitized ICSs have the following main components:
You may assume that cyberattacks are becoming less of a concern, but this is not the case. According to global research, security incidents are increasing at a compound annual growth rate of 66 percent. This means that as the number of Industrial Control System devices and elements increases, so does the likelihood of cyber-threats and attacks.
The average cost of a cyber-attack in 2019 ranged from $108,000 to $1.4 billion, depending on the firm's size. According to Cybersecurity Ventures, overall damage might exceed $6 trillion. Based on a recent global risk assessment, over half of Industrial Control Systems showed evidence of attempted hostile break-ins in the second half of 2018.
According to the research, the most frequent type of attack was Trojan malware, which was found on 27 percent of ICS systems.
Phishing emails are the other common type of attack against ICSs. Threats can be diverse and wide-ranging, with far-reaching human repercussions that extend beyond employees.
Malware threats are also more common than many of us would think. Personnel in the industrial control system environment often use portable media, and malware can easily be carried in on removable media and infect the ICS.
While smart devices and the Internet of Things (IoT) are revolutionizing Industrial Control System networks and enhancing usability, efficiency, and productivity in ICS environments, they are also having a substantial influence on ICS security.
The number of devices and components connected to the Internet and to other networks is increasing, and their exposure to cybercrime grows in direct proportion. As a result, the entire system is only as secure as its weakest component.
As ICS components become smarter, they increasingly become targets for cybercriminals, so special attention should be paid to their protection too. This is where the often-mentioned Defense in Depth (DiD) comes into play. DiD is a cybersecurity method that layers a succession of defensive measures to protect critical data and information. If one layer fails, another immediately steps in to prevent an attack. This multi-layered strategy, with intentional redundancy, improves overall system security and addresses a wide range of attack vectors.
A security assessment can help industrial businesses determine their cybersecurity maturity and understand the risk of a cyber intrusion. It will also assist them in planning the next steps to develop their cybersecurity strategy, implement security controls, assess cyber-resilience, establish a vulnerability management program, and design their defense-in-depth architecture.
The International Electrotechnical Commission (IEC) is a global standardization organization comprising all national electrotechnical committees (IEC National Committees). IEC 62443 is a global standard for the security of ICS networks that was created to protect ICSs and to help facilities lower the risk of failure and of exposing ICS networks to cyber threats. Currently, compliance with ISO/IEC 62443 is the most effective cybersecurity solution for Industry 4.0.
IEC 62443 has four parts:
IEC 62443 part 4-1 specifies the process requirements for the secure development life cycle used to develop and maintain secure products for Industrial Automation and Control Systems (IACS). The life cycle includes security requirements definition, secure design, secure implementation including coding guidelines, verification and validation, defect and patch management, and product end-of-life.
The IEC 62443-4-1 certificate confirms that the developer has applied a security-by-design approach from day one of the product development process. It is therefore highly recommended that an Industrial Automation and Control Systems component manufacturer include the security requirements of IEC 62443-4-1 in its product development operations.
IEC 62443 part 4-2 describes the technical requirements for products and their components. If suppliers adhere to the set of rules stated in this part, they can give their customers the best possible basis for securing their networks against cyberattacks. Industrial Control System suppliers shall certify their components and products in accordance with IEC 62443-4-2 to ensure that the security requirements applicable to customers are met.
The IEC 62443 standard defines 4 security levels for component security in 62443-4-2:
As an accredited test laboratory, together with other members of QTICS Group, we provide versatile compliance services within the Energy and Industry sector for both manufacturers and suppliers of Industrial Control System components. We can support you from preparation through certification for 62443-4-1 Product development requirements and for 62443-4-2 Technical security requirements.
We provide preparation consultation services that help you create the evidence needed for a certification process. We designed our service portfolio around the device manufacturers' certification journey to help you reach 62443-4 compliance wherever your product is in its development life cycle.
We suggest starting with an analysis of your current documentation to decide whether it can be used in its present form as evidence for certification. We help you identify key areas where additional documentation or tasks are needed to produce the evidence required by 62443-4. This is covered by our gap analysis service, which results in a report that serves as a roadmap for the effort and resources you need to get your product 62443-4 certified.
Technical advances, globalization, and digitization are constantly changing and improving industries, connecting networks and automating processes to make them smoother and faster. On the other hand, it is this digitalization that makes these systems more vulnerable to cybercriminals. The IEC 62443 international standard was developed to address these vulnerabilities in Industrial Control System (ICS) networks.
If you are a product manufacturer or supplier that designs and builds the components a System Integrator uses to assemble an ICS, then you are also responsible for meeting IEC 62443 requirements. Get in touch with us if you are looking for comprehensive support in getting certified for 62443-4-1 and 62443-4-2.
Our professionals at CCLab are dedicated to contributing to the cybersecurity industry. Our aim is to help the profession through active participation in many professional forums where our knowledge and experience can add value.