Implementing ISA/IEC 62443: Practical Peripheral and Removable Media Protection for OT Systems

The first part includes a general overview and introduces the foundational concepts, requirements, terminology, and guidelines for designing and implementing cybersecurity in IACS. 

It begins with section 62443-1-1, defining the foundational terminology, concepts, and reference models used throughout the standard series. Then, 62443-1-2 with a glossary of terms and abbreviations used across the series, and 62443-1-3 to discuss security metrics for evaluating and measuring the security of systems. Lastly, 62443-1-4 provides guidelines to be followed for addressing cybersecurity throughout entire systems. 

Focusing on governance and risk management, the second part provides guidance on creating, maintaining, and managing cybersecurity programs. 

Section 62443-2-1 describes the process of creating, implementing, and maintaining a cybersecurity management system for IACS, while 62443-2-2 offers detailed implementation guidelines for organizations to follow when setting up IACS security programs. Then, 62443-2-3 provides best practices for managing software and firmware patches to maintain system security, and finally, 62443-2-4 lists cybersecurity requirements and best practices for service providers working in industrial environments.

This part provides guidance on designing and implementing secure systems and addresses the cybersecurity requirements for IACS. It covers risk assessment, system security requirements and strategies, and system security levels.  

Section 62443-3-1 reviews existing and emerging security technologies relevant to IACS. Next, 62443-3-2 introduces a methodology for assessing and managing cybersecurity risks during system design. Finally, 62443-3-3 establishes detailed system security requirements and categorizes them into four Security Levels (SL1-SL4).

The fourth and last part of the series describes the Product Development Lifecycle. It focuses on the security of individual components of IACS, such as SCADA (supervisory control and data acquisition), PLCs (programmable logic controllers), and sensors. 

It includes two sections. 62443-4-1 outlines the processes of a Product Development Lifecycle, including the design, development, and maintenance of IACS components, and section 62443-4-2 specifies the technical security requirements and capabilities required for individual IACS components within the system. 

These standards have been adopted in various industries, including manufacturing, critical infrastructure, oil and gas, healthcare, and wastewater treatment. The way an organization can utilize the ISA/IEC 62443 series depends on the role of the organization within a specific industry, whether operating, maintaining, integrating, or manufacturing components for IACS.

Asset Owners establishing security protocols and operating IACS can refer to section 2 of ISA/IEC 62443 to develop requirements for system integrators. These guidelines can help them determine what security features they specifically need in a product.

Due to performing integration, maintenance, and similar ICS-related services, system Integrators mainly use 62443-3 standards to assess the security level of the asset owners and process their requirements. Also, the 62443-3-3 standards are used to assess the security of the components produced by Product Manufacturers and to determine if they include the features required by Asset Owners.

The 62443-3-3 standards provide critical technical security requirements and security levels to be used as a reference for the security level to be achieved. This section is used by system integrators to meet the standards of the systems they develop.

The defined security levels are intended to measure the strength and highlight any risk factors in OT and IACS systems. Four Security Levels are defined in 62443-3-3, starting from 1 as the minimum level and up to 4 as the maximum level.

Removable media, such as USB and external hard drives are often used as conduits to transfer data in IACS and OT networks, despite the significant security risks they pose. There have been prominent cyberattacks caused by removable media, such as Stuxnet that targeted Iran’s Natanz nuclear facility (2010), India’s Kudankulam Nuclear Power Plant attack (2019), and the Agent.BTZ attack that spread through the U.S. Department of Defense networks (2008). 

Including peripheral and removable media protection as a part of the defense-in-depth strategy can play an essential role in mitigating such attacks, and to achieving compliance with the ISA/IEC 62443 standards, reducing the risk of data breaches and system disruptions. For instance, a physical solution, like MetaDefender Kiosk™, can scan removable media using multiple anti-malware engines to ensure its safety. Other solutions like MetaDefender Drive™, MetaDefender Media Firewall™, MetaDefender Endpoint™, and MetaDefender Managed File Transfer™ can play a pivotal role in enhancing your security level and defense-in-depth strategy.