Cyberium ISA 62443 3 3 Standard Lessons Learn From The Plant Floor

Uploaded by

mahsa mohseni
ISA-62443-3-3 Standard, lessons learn from the plant floor

Presenter: Gilles Loridon, Cyberium CEO

• 29 years of experience working in IT/OT systems development and OT Cyber Security.
• IEC/ISA 62443 certified.
• Pioneered implementation of IEC/ISA 62443 CSMS in the Middle East.
• SME in Nuclear Safety relative to AIA & LOLA, NRC 5.71.
• Regular speaker at ISA & Nuclear Security conferences.

Part I – Refresher on ISA-62443-3-3

Asset Owners, Service Suppliers, Product Vendors, Systems

ISA-62443-3-3
• TR62443-3-1 is a Technical Report describing security technologies for ICS (under revision).
• 62443-3-2 provides specific guidance on methodology to perform Cyber Security Risk Assessment for ICS (brand new).
• 62443-3-3 provides the list of controls for each of the 7 Foundational Requirements (FR) according to Security Level, SL (published in 2013, under revision).

Impact Factor
• Confidentiality: impact of disclosure of confidential information
• Integrity: impact of unauthorized modification/destruction of information
• Availability: impact of system’s availability
• Identification and Authentication (IAC): the Business Consequences of failure to authenticate users (humans, processes or devices)
• Use Control (UC): the Business Consequences of failure to enforce policies which restrict use to those authenticated users with sufficient privileges
• Timely Response to Event (TRE): the Business Consequences of failure to respond promptly to Information Security violations
• Restricted Data Flow (RDF): the Business Consequences of unnecessary data causing restrictions to necessary data flow

31 January 2023

Foundational Requirements & Security Vector

7 Foundational Requirements
Example Security Vector: SL-x = (3,3,3,1,2,1,3)

FR 1 – Identification and authentication control: 3
FR 2 – Use control: 3
FR 3 – System integrity: 3
FR 4 – Data confidentiality: 1
FR 5 – Restricted data flow: 2
FR 6 – Timely response to events: 1
FR 7 – Resource availability: 3

Security Level
The zone or conduit defines the target security level (SL-T); controls can achieve a certain capability level (SL-C); and after the controls are implemented, the achieved level (SL-A) can be the same or lower.

The targeted security level is determined by a threat and impact analysis.

SL1: Protection against casual or coincidental violation
SL2: Protection against intentional violation using simple means, low resources, generic skills, low motivation
SL3: Protection against intentional violation using sophisticated means, moderate resources, IACS specific skills, moderate motivation
SL4: Protection against intentional violation using sophisticated means, extended resources, IACS specific skills, high motivation
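
The security vector and the SL-T / SL-C / SL-A relationship above, as an added example that is not from the original slides: it parses vectors in the slide's notation and classifies each FR of one zone or conduit. The function names, the status labels and the SL-C and SL-A sample values are assumptions made for the illustration; only the SL-T vector is the slide's example.

```python
import re

# Foundational Requirements in vector order, as listed on the slide.
FR_NAMES = ["Identification and authentication control", "Use control",
            "System integrity", "Data confidentiality", "Restricted data flow",
            "Timely response to events", "Resource availability"]

def parse_vector(text):
    """Parse 'SL-T=(3,3,3,1,2,1,3)' into ('T', [3, 3, 3, 1, 2, 1, 3])."""
    m = re.fullmatch(r"\s*SL-([A-Za-z])\s*=\s*\(([^()]*)\)\s*", text)
    if not m:
        raise ValueError(f"not a security vector: {text!r}")
    levels = [int(v) for v in m.group(2).split(",")]  # int() rejects empty fields
    if len(levels) != len(FR_NAMES):
        raise ValueError(f"expected 7 levels, got {len(levels)}")
    if any(not 0 <= lv <= 4 for lv in levels):  # assumption: 0 = no requirement
        raise ValueError(f"levels must be 0..4: {levels}")
    return m.group(1).upper(), levels

def assess(target, capability, achieved):
    """Classify each FR of one zone or conduit against its SL-T."""
    vectors = {}
    for text in (target, capability, achieved):
        kind, levels = parse_vector(text)
        vectors[kind] = levels
    if set(vectors) != {"T", "C", "A"}:
        raise ValueError("need exactly one SL-T, one SL-C and one SL-A vector")
    result = {}
    for i in range(len(FR_NAMES)):
        t, c, a = vectors["T"][i], vectors["C"][i], vectors["A"][i]
        if a >= t:
            result[i + 1] = "met"
        elif c < t:
            result[i + 1] = "capability shortfall"   # controls cannot reach SL-T
        else:
            result[i + 1] = "implementation gap"     # controls can, deployment does not
    return result

# Constructed sample: SL-T is the slide's example vector; SL-C and SL-A are made up.
SAMPLE = ("SL-T=(3,3,3,1,2,1,3)", "SL-C=(3,3,2,1,3,1,3)", "SL-A=(2,3,2,1,2,1,3)")

if __name__ == "__main__":
    for fr, status in assess(*SAMPLE).items():
        print(f"FR {fr} - {FR_NAMES[fr - 1]}: {status}")
```

A capability shortfall means the selected controls cannot reach the target on their own, while an implementation gap points at how capable controls were deployed.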

ISF IRAM 2 Threat Landscape

| Threat | Threat Group | Origin | LoI | TS |
|---|---|---|---|---|
| Nation-state | Adversarial | External | High | Very High |
| Organised criminal group | Adversarial | External | High | High |
| Power failure or fluctuation | Environmental | External | High | High |
| Employee (privileged) | Adversarial | Internal | Low | High |
| Fire (structural) | Environmental | Internal/External | Low | High |
| Supplier/vendor/partner | Adversarial | Internal | Low | High |
| Employee (privileged) | Accidental | Internal | Low | High |
| Pathogen | Environmental | Internal/External | High | Low |
| Hacking group | Adversarial | External | Moderate | Moderate |
| Flooding | Environmental | Internal/External | Low | Moderate |
| Individual hacker | Adversarial | External | Low | Moderate |
| Failure of environmental control systems | Environmental | Internal/External | Low | Moderate |
| Supplier/vendor/partner | Adversarial | External | Low | Moderate |
| Hardware malfunction or failure | Environmental | Internal/External | Low | Moderate |
| Employee (general) | Adversarial | Internal | Low | Low |
| Customer | Adversarial | External | Low | Low |
| Employee (general) | Accidental | Internal | Low | Low |
| Supplier/vendor/partner | Accidental | Internal | Low | Low |
| Damage to or loss of external communications | Environmental | External | Low | Low |
| Customer | Accidental | External | Low | Negligible |

Zones & conduits

IEC62443 FR 5 – Restricted data flow
Technology Comparison

Some industrial protocols are extremely difficult to secure with a firewall, e.g. OPC DA.

Firewall & protection
• A National Oil Company: USD 313 million profit in 2019
• 26/12/19, after a merry Christmas, employees (expats) discover that all PCs have been hacked by ransomware
• The hackers penetrated the network through the vulnerabilities of the firewall VPN (no kidding...)
• During Christmas they cracked admin passwords and encrypted all PCs.

Not only did the firewalls not protect the network, but they facilitated the attack!!!!!

Part II – Case studies

Case Study 1: Honeywell PHD Historian replication

PHD Historian replication setup
• Existing Honeywell PHD server with millions of data points in backlog.
• Master PHD server connected to Slave PHD server with a 1 Gbps network connection.
• OT Engineers familiar with the historian protocols.
• Factory Acceptance Test: a few thousand data points replicated from OT to IT through FTP file transfer. FAT passed with flying colours.

Blame the Donkey
• To process the backlog, the OT Engineers sent 400k files through the Data Diode to one single network share folder.
• Surprise, surprise: the file sharing server crashed, I/O kernel panic.
• The OT Engineers blamed the donkey (= Data Diode).

Case Study 2: OSIsoft PI to PI replication

Real-time HA metadata and data replication with auto backfill and auto recovery

BEFORE: complex architecture, maintenance heavy, licences cost
AFTER: fewer PI servers in IT, major reduction of cost and 100% protection against outsiders

[Diagram: Site A and Site B, UTM Firewall, OSIsoft PI, OT Network, IT Network]

Thank you

The End. Merci
