Cyber Security Assessment for ICS Components
New industrial control assessment coming in 2021
FM Approvals is currently working to extend its certification services to include a new cyber security assessment program for industrial control system (ICS) components. The new effort will build on FM Approvals’ globally recognized certification program for electrical equipment used in hazardous locations. New and existing customers will be able to save time and costs by combining multiple certification services for global markets.
The new cyber security program—expected to be available in 2021—will certify qualified ICS products as FM Approved based on the ISA/IEC 62443 series of standards developed by the ISA99 committee as American National Standards and adopted globally by the International Electrotechnical Commission (IEC).
The ISA/IEC 62443-4-2 standard, Technical Security Requirements for IACS Components, for instance, provides technical requirements for IACS (Industrial Automation and Control System) components, such as embedded devices, network components, host components, and software applications. The ISA/IEC 62443 standards series defines seven foundational requirements (FRs), including:
- Identification and authentication control (IAC)
- Use control (UC)
- System integrity (SI)
- Data confidentiality (DC)
- Restricted data flow (RDF)
- Timely response to events (TRE), and
- Resource availability (RA)
The new ICS certification program will be based at a new laboratory at FM Approvals’ Norwood, Massachusetts, USA, headquarters. “We have hired a cyber security expert to develop and run our new laboratory,” notes Jim Marquedant, vice president and manager of FM Approval’s electrical group. “Our program will require a significant level of organizational maturity on the part of ICS component manufacturers. We’ll be evaluating the development lifecycle and ability to maintain that system in the field through required software patches, updates, and support.”
Leading the development of the new ICS certification program for FM Approvals is industry veteran and senior engineer Khalid Ansari (Fig. 1). He joined FM Approvals in August from his post as an Automation and MES (manufacturing execution system) engineer for Qatalum at its headquarters in Doha, Qatar.
[pg:ICS-Certification-1]
Qatalum, a joint venture between Norsk Hydro and Qatar Petroleum, is an aluminum smelter that produces more than 600,000 tons of aluminum products annually. There, Ansari implemented and supported plant production systems and ICS with a focus on ICS and Operational Technology security. His responsibilities included ICS security, best practices, compliance with national and international standards, and support of various industrial control protocols and systems, including MES, IIoT, LIMS and interfaces with ERP.
Ansari, who grew up in India, but has lived and worked around the world, holds a master’s degree in instrumentation and control systems and a master’s in business administration. He has two decades of experience in ICS spanning the entire spectrum from software development to integration to owner operations. His previous experience includes work with ICS product manufacturers like National Instruments and Yokogawa.
“This was a unique opportunity—the challenge of building a new program for a renowned certification organization,” Ansari says. He points out that the new FM Approvals’ ICS certification program will also include the standards encompassed by ISA/IEC 62443-4-1, Product Security Development Lifecycle Requirements. This standard defines security requirements definition, secure design, secure implementation, coding guidelines, verification and validation, defect management, patch management and product end-of-life.
According to Ansari, “like other FM Approved products and systems, the certification of ICS products and systems provides manufacturers with a way to distinguish their products in a crowded marketplace and demonstrate their commitment to security for critical operational technology (Fig. 2). The availability of FM Approved ICS components signals to end users that the component meets certain standards with respect to known vulnerabilities and weaknesses, provides an easy way of specifying security needs by including certified products in RFPs, and reduces time spent on testing security during factory or site acceptance testing (FAT/SAT).”
| Security Level |
Definition | Means | Resources | Skills | Motivation |
|---|---|---|---|---|---|
| 1 | Protection against casual or coincidental violation | ||||
| 2 | Protection against intentional violation using simple means with low resources, generic skills and low motivation | simple | low | generic | low |
| 3 | Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation | sophisticated | moderate | IACS Specific | moderate |
| 4 | Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation | sophisticated | extended | IACS specific | high |
Fig. 2 — “The goal is to verify security capabilities that enable a component to mitigate threats for a given security level (SL) without the assistance of compensating countermeasures,” explains FM Approvals cybersecurity expert Khalid Ansari.
The growing importance of ICS
Industrial control systems are embedded cyber-devices that operate critical infrastructures in almost every industry and business. From building automation systems that control HVAC and building security to energy, transportation, wastewater, pharmaceuticals, pulp and paper, discrete manufacturing, and many more. ICS devices are often part of a wider supervisory control and data acquisition (SCADA) system that may oversee industrial processes at one or more sites.
Initially, ICS devices such as PLCs were isolated from corporate networks and ran their own proprietary software in relative isolation. However, over time, operational technology (OT) networks have increasingly converged with corporate IT networks, resulting in greater risk of cyber attacks.
According to a recent global survey by OT experts Claroty, since the outbreak of the COVID-19 pandemic, digital transformation has accelerated dramatically, leading to the rapid convergence of OT and IT networks. As many employees began working remotely, companies have been forced to rapidly adopt online collaboration tools and remote access. OT systems and devices that were never meant to be Internet connected are now accessible.
The Claroty survey of global IT and OT security professionals found that 67 percent of global respondents and 65 percent of those in the U.S. say their IT and OT networks are more connected now than before the pandemic. When asked to what degree these networks are connected, 97 percent of all respondents said their networks were completely or partially connected. More than half of all respondents believed their organizations are more of a target for cybercriminals since the pandemic outbreak.
In addition, the Claroty ICS Risk and Vulnerability report for the first half of 2020 notes that the National Vulnerability Database (NVD) identifies 365 vulnerabilities that impact ICS products from 53 vendors. More than 75 percent of these vulnerabilities were assigned a high or critical score on the Common Vulnerability Scoring System (CVSS), an open industry standard.
FM Approvals’ certification program would verify these published vulnerabilities have been addressed or mitigated by the manufacturer.
A final thought
According to FM Approvals’ Ansari, “While mainstream industrial controllers, such as programmable logic controllers, would be a key category for us, we will not limit ourselves to that. We will also be evaluating human machine interfaces (HMIs), remote terminal units (RTUs), SCADA, DCS, historian systems, smart sensors and actuators, I/O modules and much more. We will work closely with clients to make sure we are evaluating these systems as they would be used in industry.”