Gabriel Faifman TC 65 WG10 Convenor

Gabriel Faifman TC 65 WG10 Convenor Event: IEC 62443 Series Date: 2021-06-30 Location: IEC Academy

Transcript of Gabriel Faifman TC 65 WG10 Convenor

Page 1: Gabriel Faifman TC 65 WG10 Convenor

Gabriel Faifman

TC 65 WG10

Convenor

Event: IEC 62443 Series

Date: 2021-06-30

Location: IEC Academy

Page 2: Gabriel Faifman TC 65 WG10 Convenor

Gabriel Faifman – TC 65 WG 10

- Product and System Security Office (PSSO) member, in charge of the Cybersecurity Strategic Domain at Schneider Electric.

- Formerly Director of Strategic Programs and Principal Technical Product Manager with Wurldtech (acquired by GE Digital) for over 7 years.

- 30+ years of diverse experience as Director, Manager and Senior Consultant in operational and information systems and network security at multiple organizations, such as Coca Cola, Deloitte, Stet-France Telecom and Accenture.

- Electronic Engineer (UBA), specialized in Industrial Automation; CSS1 Infosec professional; advanced training at INL.

- IEC 62443-2-4 certifier for: Schneider Electric’s substation automation solution; Siemens Substation Automation; Siemens PCS7; Emerson DeltaV & SIS; Yokogawa Centum VP, among others.

Objective:

✓ To build bridges between ISA, IEC and their certification programs (ISASecure & IECEE) and regional regulation bodies.

✓ To implement and enhance the applicability of the IEC 62443 series across Critical Infrastructure stakeholders, for their entire lifecycle.

Work in progress:

- Serving as an SME for the TC 65 working group on the IEC 62443 international standards project since 2011, representing Canada (Canadian Delegate).

- Created and executed the original conformance criteria adopted by IECEE for the current IEC 62443-2-4 certification program.

- ISASecure – Steering committee member, representing Schneider Electric.

- Voting member on ISA99 (Industrial Automation & Control Systems Security), with weekly active contribution to many Workgroups.

Page 3: Gabriel Faifman TC 65 WG10 Convenor

Agenda: IEC 62443 Series

• Current state

• Risks & opportunities: our challenge

• Series Overview

• The ‘who’ and the ‘what’

• This is just the beginning

Page 4: Gabriel Faifman TC 65 WG10 Convenor

OT security: A very Real Cyber Threat


Page 5: Gabriel Faifman TC 65 WG10 Convenor

Cybersecurity by numbers: The cost of non-compliance

• Connected IoT devices will reach 75 billion by 2025.

• Every 11 sec a ransomware attack occurs by 2021 (*3)

• IoT devices are under attack within 5 min of being powered up.

• 68% of business leaders feel their cybersecurity risks are increasing.

• 95% of cybersecurity breaches are due to human error (almost never in the IT area)

• Most companies take nearly 6 months to detect a data breach, even major ones.

• U$S3.86 million: Average total cost of a data breach during 2020.

• Share prices fall 7.27% on average after a breach

*1- IBM – Cost of a Data Breach

*2- Ponemon.org

*3- & *4- Cybersecurity Ventures

*5- Cybersecurity Ventures

*6- Cybint

*7- Equifax, Capital One, Facebook

*8- Netscout

Page 6: Gabriel Faifman TC 65 WG10 Convenor

Digital Transformation: Accelerate Digital

Copyright IEC CO 2021 – reuse of material for commercial use prohibited

Page 7: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443 Series

TC 65 WG 10

Co-convenors:

Mr Gabriel Faifman

Mr Lee A. Neitzel

137 Experts from 22 National Committees: AT AU CA CH CN DE DK ES FI FR GB IE IL IT JP KR NL NO PT RO RU US

22 TC level Liaisons with TCs/SCs of IEC ISO ITU

11 WG Liaisons …

Page 8: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443 Series

Partnering with Liaisons


Page 9: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443 – Overview: Industrial automation and control system (IACS)

[Diagram: IACS roles, products and the IEC 62443 parts. Recoverable labels:]

- Roles: Product Supplier (develops and supports); Integration Service Provider (designs and deploys); Asset Owner (commissions and validates); Maintenance Service Provider (maintains)

- Other relationship labels: operates; accountable for

- Products: Components (supporting software applications, embedded devices, network devices, host devices); Control system (as a combination of components)

- Automation Solution: includes configured products (Security Guidelines); essential functions, control functions, safety functions, complementary functions

- Operational capabilities (policies and procedures); Maintenance capabilities (policies and procedures)

- Parts shown: IEC 62443-2-1; IEC 62443-2-4; IEC 62443-3-2; IEC 62443-3-3; IEC 62443-4-1; IEC 62443-4-2

Page 10: Gabriel Faifman TC 65 WG10 Convenor

Managerial & Operational Procedures

Dependencies between processes

[Diagram. Recoverable labels:]

- Measures: Managerial Measures (by Asset Owner); Operational Routine Maintenance Measures; Security Technical Features; Operational Measures (by Product Supplier – component & systems); Managerial Measures (by Product Supplier – component & systems); Service Provider Managerial ICM; Service Provider Operational ICM

- Capabilities: Organizational capabilities; Procedural capabilities; Technical capabilities

- Defence in depth

- Parts shown: IEC 62443-2-1; IEC 62443-3-2; IEC 62443-2-4; IEC 62443-3-3; IEC 62443-4-2; IEC 62443-4-1

Page 11: Gabriel Faifman TC 65 WG10 Convenor

Managerial & Operational Procedures

Dependencies between processes

[Diagram. Recoverable labels:]

- Capabilities: Organizational capabilities; Procedural capabilities; Technical capabilities

- Defence in depth

- Measures: Operational Routine Maintenance Measures; Service Provider Managerial ICM; Service Provider Operational ICM

- Parts shown: IEC 62443-2-1; IEC 62443-3-2; IEC 62443-2-4; IEC 62443-3-3; IEC 62443-4-2; IEC 62443-4-1

- Process labels: Financial; Training; Legal; Threat Model; Sec. Context; Update/Patch Qualif Management; Risk ID & Mitigation; Security Process; Implementation Process; DiD - Design Process; Defence in Depth; Sec. Guidelines; Vulnerability Management; Verify Test Process

- Process labels (continued): HR; Training; Legal; Threat Model Check; Risk Target Review (Vulnerability check); Risk ID & Mitigation; Physical; MoC; Event & Incident Mgmt; UAC; Remote Access; Configuration Management; Segmentation; Availability

- Process labels (continued): Availability; Data Security; Integrity; UAC; Segmentation & Comm Sec; Event & Incident Mgmt; Config Mgmt

Page 12: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-4-1: Security Development Lifecycle

• ISA/IEC 62443-4-1 has 47 Product Development Lifecycle security requirements organized into 8 Practices.

• These security practices are intended for development organizations on any automation and control products.

Value | Req ID | # of Reqs
SM – Security Management | SM-xx | 13
SR – Specification of security reqs | SR-xx | 5
SD – Secure by design | SD-xx | 4
SI – Secure Implementation | SI-xx | 2
SVV – Security Verification & Validation | SVV-xx | 5
DM – Mgmt of security related issues | DM-xx | 6
SUM – Security update management | SUM-xx | 5
SG – Security Guidelines | SG | 7

Page 13: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-4-2: Component Security Reqs

• ISA/IEC 62443-4-2 has 88 System Requirements organized into 7 Foundational Requirements.

• The intent of this document is to specify security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.

Value | Req ID | # of Reqs
FR 1 – Identification and authentication control | CR.01.XX | 14
FR 2 – Use control | CR.02.XX | 13
FR 3 – System integrity | CR.03.XX | 14
FR 4 – Data confidentiality | SR.04.XX | 3
FR 5 – Restricted data flow | SR.05.XX | 4
FR 6 – Timely response to events | SR.06.XX | 2
FR 7 – Resource availability | SR.07.XX | 8
SAR – Software application | SAR.X.X | 2
EDR – Embedded device | EDR.XX.XX | 8
HDR – Host device | HDR.XX.XX | 8
NDR – Network device | NDR.XX.XX | 12

Page 14: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-3-3: System Security Requirements

• ISA/IEC 62443-3-3 has 51 System Requirements organized into 7 Foundational Requirements.

• Some requirements have requirements enhancements used to increase the security level of the System Requirement.

Value | Req ID | # of Reqs
FR 1 – Identification and authentication control | SR.01.XX | 13
FR 2 – Use control | SR.02.XX | 12
FR 3 – System integrity | SR.03.XX | 9
FR 4 – Data confidentiality | SR.04.XX | 3
FR 5 – Restricted data flow | SR.05.XX | 4
FR 6 – Timely response to events | SR.06.XX | 2
FR 7 – Resource availability | SR.07.XX | 8

Page 15: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-4: Req’s – Security Programs for Service Providers

• ISA/IEC 62443-2-4 has 123 Security Requirements organized into 12 Functional Areas.

• Requirements address integration and maintenance, and include references to security requirements for products.

Value | Req ID | # of Reqs
Solution staffing | SP.01.XX | 11
Assurance | SP.02.XX | 7
Architecture | SP.03.XX | 24
Wireless | SP.04.XX | 6
SIS | SP.05.XX | 12
Configuration management | SP.06.XX | 4
Remote access | SP.07.XX | 5
Event management | SP.08.XX | 8
Account management | SP.09.XX | 17
Malware protection | SP.10.XX | 8
Patch Management | SP.11.XX | 12

Page 16: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-1: Reqs for Asset Owner Security Programs

• ISA/IEC 62443-2-1 has 90 Asset Owner (role) Requirements organized into 9 Security Program Elements.

• Some requirements may have a supply chain program that contains security requirements derived from this document for product suppliers and service providers.

Value | Req ID | # of Reqs
ORG – Organizational Security | ORG x.x | 9
CM – Configuration Management | CM x.x | 4
NET – Network Security | NET x.x | 17
COMP – Component Security | COMP x.x | 10
DATA – Protection of data | DATA x.x | 9
USER – Human User Access Ctrl | USER x.x | 24
EVENT – Event & Incident Mgmt | EVENT x.x | 9
AVAIL – System Availability | AVAIL x.x | 8

Page 17: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-4: helps depict the attack surface

Page 18: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-4: helps depict the attack surface

Page 19: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-4: helps depict the attack surface

Page 20: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443-2-4: Maturity Level

Used to gauge maturity of individual security capabilities

• Ad-hoc (no formal process), e.g. Contract SOW

• Defined (formal, repeatable process), e.g. Written procedures, training materials

• Practiced (performed on customer solution), e.g. Completed checklists

• Continuous improvement (evolving process based on experience), e.g. Revised procedures

Page 21: Gabriel Faifman TC 65 WG10 Convenor

IEC 62443 Projects in progress

• Protection Levels

• Rules for IEC 62443 Profiles

• Security evaluation methodology for IEC 62443 – Part 2-4

• Security evaluation methodology for IEC 62443 – Part 4-2

• TC 65 WG 10 – Roadmap

• IIoT and Security

• Edition updates


Page 22: Gabriel Faifman TC 65 WG10 Convenor


Gabriel Faifman

TC 65 WG10

Convenor

Find more IEC Academy webinars at https://www.iec.ch/academy/webinars