January 23, 2023 | Feature Article

Cybersecurity Certification Trends

What asset owners and vendors need to know right now


With industrial control systems (ICS) at the center of virtually everything we do today, new regulations are on the way to help protect these systems against cyber threats. However, meaningful improvements cannot simply be bolted onto deployed ICS, but instead must be implemented in the design phase of systems and components. This shift requires a collective, industry-wide push toward reliable cybersecurity testing and certification of ICS products.

Certification won’t necessarily make a system ‘unhackable,’ but it will deliver many tangible benefits, as presented by Khalid Ansari, Senior Engineer for Industrial Control Cybersecurity at FM Approvals, at the S4x22 ICS Security Event in Miami Beach. These benefits include:

Mitigating risk

In 2021, FM Approvals introduced its cybersecurity assessment program to certify ICS products as FM Approved based on the ISA/IEC 62443 series of standards originally developed by the ISA99 committee as American National Standards and adopted globally by the International Electrotechnical Commission (IEC). Many professionals in the ICS security community still do not realize that cyber-certified products even exist. At S4x22, Ansari explained to asset owners that using certified products based on three key ISA/IEC 62443 standards—Part 3-3, 4-2, and 4-1—can contribute to risk reduction in facilities based on adherence to different security levels.

A risk assessment helps determine the Target Security Level (SL-T), the desired level of security for a zone or conduit, chosen from the four 62443-defined security levels, which are graded by the resources, skills, and motivation of the threat actor they are meant to withstand. An asset owner then works to raise its current level of security, the Achieved Security Level, to the SL-T or higher, relying on the Capability Security Level that properly configured components and systems can provide. Recognizing that the 62443 standards can be confusing, FM Approvals developed a simplified tool for selecting an SL-T, which Ansari demonstrated in his talk.

Raising the bar

Asset owners that adopt cybersecurity certification make an impact beyond their own organizations by holding vendors to higher standards.

Ir. Michael Ng Chien Han, Principal Engineer (I&C) at the Malaysian oil and gas company Petronas, articulates his organization’s view of cybersecurity certification. “Given the criticality of our assets and the fast-changing cyber threat landscape, at Petronas we have aligned our OT Cybersecurity requirements to the ISA/IEC 62443 Standards,” he says. “This helps ensure the design of our OT systems’ cybersecurity is commensurate with the amount of cyber risk we are willing to tolerate. We highly encourage our technology partners to certify their products, as this eases the validation process for us as the end user, allowing us to speak a common language and share a standardized approach.”

Getting ahead

Cybersecurity is poised to become a focal point in the regulatory landscape. For example, the NFPA 72, National Fire Alarm and Signaling Code, for 2022 lists cybersecurity in an annex as a recommendation. The recommendation says systems should be designed, installed, and maintained in accordance with standards including ISA/IEC 62443. It goes on to say that certification of compliance by a nationally recognized laboratory would be one of the acceptable types of evidence of compliance.

There are currently four proposals to make this a requirement by 2025, most of which propose that third-party certification become mandatory. Other certification requirements are likely in the U.S. and Europe over the next several years, moving the needle from “nice-to-have” to “need-to-have.” Given the many threats to ICS and their importance to critical infrastructure, the latter is certainly the more accurate description.

Unlike traditional certifications, cybersecurity certification is ingrained in product development and maintenance, bringing new considerations to the front of manufacturers’ minds. Asset owners and vendors can help each other now by anticipating, and through early adoption driving, the cybersecurity requirements of the future. It is not about achieving the impossible ‘unhackable’ status but about facilitating secure-by-design products for different threat levels.

Product manufacturers who see the adoption of secure-by-design as a challenging task can work with FM Approvals to receive guidance and gain an understanding of the first steps needed to prepare for Secure Development Lifecycle Assurance (SDLA) certification obligations and requirements.  

Ansari’s S4x22 presentation on effectively using IEC 62443 product certifications is available to watch online. FM Approvals will be organizing webinars to help spread awareness of cybersecurity certification. Details will be made available on fmapprovals.com and featured in future communications.