Issue link: https://resources.mouser.com/i/1512203
Engineering a More Sustainable Future | ADI

Introduction

Despite the potential for increasingly sophisticated cyberattacks, industrial automation and control systems (IACS) have previously been slow to adopt security measures. This has been partly due to the lack of common references for designers and operators of such systems. The IEC 62443 series of standards offers a way forward towards more secure industrial infrastructures, but firms must learn how to navigate its complexities and understand these new challenges in order to make use of it successfully.

Industrial Systems Are at Risk

The digitalization of critical infrastructures such as water distribution, sewage, and power grids has made uninterrupted access essential for everyday life. However, cyberattacks remain one of the causes of disruption to these systems, and they are expected to grow. [1]

Industry 4.0 calls for highly connected sensors, actuators, gateways, and aggregators. This greater connectivity increases the risk of cyberattacks, making security measures more critical than ever. The creation of organizations such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) illustrates the importance of, and a commitment to, safeguarding critical infrastructures and ensuring their resilience against cyberattacks. [2]

Why IEC 62443?

In 2010, the emergence of Stuxnet thrust industrial infrastructures into a state of vulnerability. [3] Stuxnet was the world's first publicized cyberattack indicating that attacks could successfully target IACS from afar. Subsequent attacks have solidified the realization that industrial infrastructures can be harmed through remote attacks that can target a specific type of equipment.

Government agencies, utilities, IACS users, and equipment makers quickly understood that IACS needed to be protected. While governments and users naturally leaned towards organizational measures and security policies, equipment makers investigated possible hardware and software countermeasures.
However, adoption of security measures was slow due to:

- the complexity of the infrastructures
- the different interests and concerns of stakeholders
- the variety of implementations and available options
- the lack of measurable objectives

Overall, stakeholders faced uncertainty about the right level of security to target, one that carefully balances protection against cost.

The International Society for Automation (ISA) launched working groups to establish common references under the ISA99 initiative, which finally led to the release of the IEC 62443 series of standards. This set of standards is currently organized into four levels and categories, shown in Figure 1. Thanks to its comprehensive scope, the IEC 62443 standard encompasses organizational policies, procedures, risk assessment, and security of hardware and software components. The complete scope of this standard makes it uniquely adaptable and reflective of current realities.

Additionally, the ISA has taken a comprehensive approach when addressing the various interests of all stakeholders involved in an IACS. In general, security concerns differ from one stakeholder to another. For example, in the case of IP theft, the IACS operator will be interested in protecting manufacturing processes, while an equipment maker may be concerned with protecting an artificial intelligence (AI) algorithm from being reverse engineered.

Also, because IACS are complex by nature, it's essential to consider the entire security spectrum. Procedures and policies alone are insufficient if not supported by secure equipment, while robust components are useless if their secure usage is not properly defined by procedures.

The chart in Figure 2 shows the adoption rate of the IEC 62443 standards through ISA certifications. As expected, a standard defined by industry key stakeholders has accelerated the implementation of security measures.
Getting IEC 62443 Compliance: A Complex Challenge

The IEC 62443 is an incredibly comprehensive and effective standard for cybersecurity, yet its complexity can be overwhelming. The document itself is nearly 1000 pages in length. Acquiring a clear understanding of cybersecurity protocols

Figure 1: The IEC 62443 is a comprehensive security standard.

Adobe Stock / WilliamJu – stock.adobe.com

