The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components

Target Audience: Asset owners, system integrators, product suppliers, security architects, and cybersecurity professionals in industrial automation and control systems (IACS).

In today's interconnected industrial landscape, the security of Commercial Off-The-Shelf (COTS) components is crucial. This analysis demonstrates why Security Level 2 (SL2) should be the minimum standard, based on ISA/IEC 62443-4-2 requirements.

The Evolving Threat Landscape and Business Context:

Industrial systems face increasingly sophisticated cyber threats. Several factors contribute to this growing risk:

Expanding Attack Surface: The convergence of Operational Technology (OT) and Information Technology (IT) systems creates more entry points for attackers.

Supply Chain Vulnerabilities: Compromised components can introduce significant risks, impacting the integrity and availability of industrial processes.

Demand for Interoperability: The need for seamless communication between systems necessitates robust security measures that don't hinder functionality.

Regulatory Pressures: Growing awareness of industrial cybersecurity risks is driving increased regulatory scrutiny and compliance requirements.

Security Framework Analysis:

  1. Security Level Structure

SL1 (Current Baseline): 50 Requirements

  • Limited to casual/coincidental protection
  • Insufficient for modern threat landscape

Understanding the ISA/IEC 62443 Security Levels:

The ISA/IEC 62443 standard defines four Security Levels (SLs), each building upon the previous one:

  • SL1 (Current Baseline): Provides limited protection against casual or accidental threats. With only 50 requirements, it is insufficient for the current threat landscape.
  • SL2 (Recommended Minimum): Adds 43 requirements to SL1, including 22 new base requirements and 21 enhancements. This level protects against intentional attacks.
  • SL3: Builds upon SL2 with further enhancements to address more complex threat scenarios.
  • SL4: Represents the highest level of security, designed for critical systems requiring maximum protection.

Why SL2 is the Essential Foundation:

SL2 offers a balanced approach, providing significant protection without excessive complexity. It addresses key security areas crucial for modern industrial environments:

  • A. Critical Infrastructure Protection (FR 1 & FR 2 - Access Control): Focuses on robust access control mechanisms, including user/device authentication, role-based authorization, and session management. This minimizes unauthorized access and ensures accountability. Business Impact: Reduced unauthorized access risks, improved accountability.
  • B. Supply Chain Security (FR 3 - System Integrity): Emphasizes system integrity through boot process verification, update authentication, and tamper resistance. This protects against counterfeit components and ensures the authenticity of software updates. Business Impact: Protection against counterfeit components, assurance of authentic updates.
  • C. Operational Resilience (FR 6 & FR 7 - System Monitoring): Prioritizes continuous security monitoring, resource availability, and backup verification. This enables rapid incident response and helps maintain operational continuity. Business Impact: Sustained operational continuity, effective incident response.
  • D. Network Security (FR 4 & FR 5 - Data Protection): Addresses data protection through information confidentiality measures and controlled data flow. This is essential for securing critical data and enabling secure IT/OT integration. Business Impact: Secure critical data, facilitated IT/OT integration.


For SL2 (Recommended Minimum): +43 Requirements

  • 22 new base requirements
  • 21 requirement enhancements
  • Protection against intentional attacks

Key Implementation Areas:

A. Critical Infrastructure Protection (FR 1 & FR 2: Access Control Foundation)

  • User/device authentication
  • Role-based authorization
  • Session management

Business Impact: Reduces unauthorized access risks, enables accountability

B. Supply Chain Security (FR 3: System Integrity)

  • Boot process verification
  • Update authentication
  • Tamper resistance

Business Impact: Protects against counterfeit components, ensures authentic updates

C. Operational Resilience (FR 6 & FR 7: System Monitoring)

  • Continuous security monitoring
  • Resource availability
  • Backup verification

Business Impact: Maintains operational continuity, enables incident response

D. Network Security (FR 4 & FR 5: Data Protection)

  • Information confidentiality
  • Controlled data flow

Business Impact: Secures critical data, enables IT/OT integration


Implementation Strategy:

For Asset Owners: Specify SL2 in procurement requirements, prioritize certified components, and plan for system-wide security integration.

  • Specify SL2 in procurement requirements
  • Choose certified components
  • Plan for system-wide security integration

For System Integrators: Design systems incorporating SL2 components, implement defense-in-depth strategies, and ensure security interoperability.

  • Design with SL2 components
  • Implement defense-in-depth
  • Enable security interoperability

For Product Suppliers: Design new products to meet SL2 requirements, implement robust cryptographic capabilities, and pursue third-party certification.

  • Design new products to SL2
  • Implement cryptographic capabilities
  • Obtain third-party certification

Return on Investment (ROI) Considerations:

Investing in SL2 compliant components and systems offers several key benefits:

  • Reduced Security Incident Risk: Proactive security measures minimize the likelihood and impact of cyberattacks.
  • Lower Integration Costs: Standardized security requirements simplify integration and reduce associated costs.
  • Enhanced Product Authenticity: Strong supply chain security measures ensure the authenticity and integrity of components.
  • Improved Regulatory Compliance: Meeting SL2 requirements helps organizations comply with relevant industry regulations.
  • Future-Proofed Security Architecture: SL2 provides a solid foundation for future security enhancements and adaptations.

Verification Options: Organizations can verify SL2 compliance through various methods:

  1. Supplier Declaration (Low Assurance)
  2. Internal Assessment (Medium Assurance)
  3. Third-Party Certification (High Assurance)


Supplier Declaration (Low Assurance): Relies on self-attestation from the supplier.

Internal Assessment (Medium Assurance): Involves internal evaluation of the product or system.

Third-Party Certification (High Assurance): Provides independent verification by a qualified third-party organization.

Conclusion: SL2 represents the minimum viable security level for modern industrial components. It balances comprehensive security controls with practical implementability, making it the logical choice for protecting today's industrial systems.

This structured approach helps organizations understand, implement, and verify SL2 requirements while maintaining operational efficiency and security effectiveness.
