As security threats evolve and adapt, so too must organizations’ responses to them. The development and application of cybersecurity standards in support of current and next-generation industrial automation and control systems (IACS) are of fundamental importance. This presentation will provide practical and useful information on how cybersecurity standards are progressing and how they are applied. The initial focus will be on current activities in the development of the IEC 62443 IACS cybersecurity standards and their implications for the various stakeholders. An illustration will describe how to use the standards to frame the development of secure-by-design products and services, both current and future. Thereafter, the focus will shift to how the IEC 62443 standards are used by other industry standards and in securing IIoT and associated cloud systems. This is of particular importance in the context of the Open Process Automation Standard (O-PAS).
Contributing to the Development and Application of Cybersecurity Standards
1. Camilo Gomez
Global Cybersecurity Strategist
Yokogawa USTC
November 10, 2020
2. Agenda
1. Overview of ICS Cybersecurity Standards Development Activities
2. Using the Standards
3. Applying and Adopting the Standards to the New and Emerging
8. WG12: 62443-1-3 Performance Metrics
How to measure performance and effectiveness of security controls in operation?
■ Methodology for developing quantitative metrics and KPIs from requirements in the standards
■ Understanding the objective and context of requirements
■ Deriving performance metrics from process and technical requirements
■ Differentiating performance metrics from conformance metrics
■ Building Key Performance Indicators
9. WG3TG3: 62443-2-2 Security Program Ratings
Evaluating the actual level of protection of an IACS cybersecurity program in operation
■ Methodology for combining the evaluation of organizational and technical security measures
■ Results expressed in numerical values (SPRs)
■ SPR values are derived from rating the security level provided by the capabilities of the security measures used and the maturity levels of the organization operating the IACS
■ Based on maturity levels defined in 62443-2-1, 62443-2-4 and 62443-4-1 and security levels defined in 62443-3-3
11. Applying ISA/IEC 62443 to Industrial IoT
ISA99 WG9-TR
■ Examine whether the standards are appropriate and sufficient for IIoT in the context of “secure-by-design” objects, as a prelude to possible certification
■ Focus on data classification, edge data collection and processing, and data transmission to the cloud via gateways
■ Relevance of the zones and conduits concept
ISASecure roadmap
■ Project towards an IIoT certification in progress
■ Applicability of CSA Certification
■ Differentiating IIoT device vs. IIoT solution
■ Study of potential gaps between certification requirements and 62443
12. Adopting ISA/IEC 62443—OPAF Example
O-PAS™: a standards-based, open, secure, and interoperable process control architecture
■ Responding to market need for intrinsically secure automation components and systems
■ Adopted 62443 as the guiding standard for secure-by-design of O-PAS™ products
■ Both software applications and physical platform
■ Mapped, for the first time, other OT and IT functional standards such as OPC UA and Redfish to 62443
■ Established a collaborative agreement with ISASecure for security testing of O-PAS™ products based on ISA/IEC 62443 and relevant O-PAS™ specifications
O-PAS™ Standard is a registered trademark of The Open Group.
14. Yokogawa’s case: Adopting Standards, Servicing our Customers
Standards-based secure development lifecycle and support of products and services – secure by design
■ Policy
◆ Group Quality Management Policy
■ Knowhow
◆ Engineering standards
◆ Guidelines & tools
■ Assurance Framework
■ Training
■ Product Certification
Standards-based lifecycle management services for plant cybersecurity
15. Thank You!
There is more than just having standards when they are set to work.
The names of corporations, organizations, products and logos herein are either registered trademarks or trademarks of Yokogawa Electric Corporation and their respective holders.