Engineered and technical controls pertain to Supply Chain Security aspects of Industrial Control System

Supply chain security in the context of Industrial Control System (ICS) security covers a wide range of aspects that aim to protect the ICS from vulnerabilities introduced through the supply chain. The IEC 62443 series of standards provides comprehensive guidelines and requirements for securing ICS, including aspects related to supply chain security.

When formulating an ICS security framework or a scope of work for technical bid evaluation, whether for hardening an existing brownfield ICS infrastructure, for upgrades and migrations, or for a new greenfield System under Consideration (SuC) in upcoming critical infrastructure projects, the following are the key aspects to consider for compliance with the IEC 62443 series:

Aspects of Supply Chain Security

1. Supplier Evaluation and Risk Management

  • Assessing the security practices of suppliers and vendors.
  • Evaluating the potential risks introduced by third-party components or services.
  • Ensuring suppliers adhere to security standards and best practices.

2. Secure Procurement Practices

  • Implementing policies for the secure procurement of hardware, software, and services.
  • Verifying that products are free from known vulnerabilities and have not been tampered with.

3. Component Integrity and Authenticity

  • Ensuring the integrity and authenticity of components through the use of cryptographic techniques such as digital signatures.
  • Protecting against counterfeit components.
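The following is an added example, not code from the article or from any IEC 62443 document, of the integrity-and-authenticity check described above, as an asset owner would apply it to a supplier's firmware release. A signed release manifest (its field names and JSON layout are assumptions for this example) carries the SHA-256 digest of the firmware image; the asset owner verifies the manifest's Ed25519 signature against the supplier public key pinned at qualification time, then verifies the image digest. A modified image or a manifest signed by an unpinned key is rejected before the image reaches the System under Consideration. The sample firmware bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the release record a supplier ships next to a firmware image.
// The field names and JSON layout are assumptions for this example, not a
// standardised IEC 62443 artefact.
type Manifest struct {
	Component string `json:"component"`
	Version   string `json:"version"`
	SHA256    string `json:"sha256"` // hex SHA-256 of the firmware image
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned supplier key")
	ErrDigestMismatch = errors.New("firmware digest does not match the signed manifest")
)

// GenerateSupplierKey creates the supplier's Ed25519 signing key pair. In practice
// the public half is pinned by the asset owner at supplier qualification time.
func GenerateSupplierKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestHex returns the hex SHA-256 digest of an image.
func DigestHex(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the supplier-side step: serialise the manifest and sign the
// exact bytes that will be shipped. The signed bytes are returned so the
// verifier checks the same payload, avoiding any re-serialisation mismatch.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte, err error) {
	payload, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyFirmware is the asset-owner acceptance check. Authenticity is checked
// first (signature over the manifest), then integrity (digest of the image).
// Both must pass before the image is allowed anywhere near the SuC.
func VerifyFirmware(pinnedPub ed25519.PublicKey, payload, sig, image []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, payload, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return Manifest{}, err
	}
	if DigestHex(image) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}

func main() {
	pub, priv, err := GenerateSupplierKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real one would be the supplier's firmware file.
	image := []byte("constructed PLC CPU firmware image v2.1.0")
	m := Manifest{Component: "PLC-CPU-firmware", Version: "2.1.0", SHA256: DigestHex(image)}
	payload, sig, err := SignManifest(priv, m)
	if err != nil {
		panic(err)
	}

	if got, err := VerifyFirmware(pub, payload, sig, image); err == nil {
		fmt.Printf("accepted %s %s\n", got.Component, got.Version)
	}
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // flip one byte: integrity check must fail
	_, err = VerifyFirmware(pub, payload, sig, tampered)
	fmt.Println("tampered image:", err)
	otherPub, _, _ := GenerateSupplierKey()
	_, err = VerifyFirmware(otherPub, payload, sig, image)
	fmt.Println("unpinned key:", err)
}
```

The order of the two checks matters: the digest in the manifest is only trustworthy once the signature over the manifest has verified, so a manifest altered in transit fails the signature check before its digest is ever compared. Pinning the supplier key out of band, rather than accepting a key shipped with the package, is what makes the authenticity check meaningful.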

4. Secure Development Lifecycle (SDL)

  • Requiring suppliers to follow secure development practices.
  • Incorporating security considerations throughout the product lifecycle, from design and development to deployment and maintenance.

5. Transparency and Traceability

  • Maintaining transparency in the supply chain.
  • Keeping detailed records of the supply chain to trace the origin and handling of components.

6. Security Testing and Validation

  • Conducting security testing on products received from suppliers to identify and mitigate vulnerabilities.
  • Regularly updating and patching components to address new security threats.

7. Incident Response and Management

  • Establishing processes for incident response and management in collaboration with suppliers.
  • Ensuring timely communication and coordination during security incidents.

8. Regulatory Compliance

  • Ensuring that all supply chain activities comply with relevant regulations and standards.
  • Staying up to date with changes in regulatory requirements.

How ICS Supply Chain security can be driven systematically in line with IEC 62443 series

The IEC 62443 series of standards is specifically designed to address the cybersecurity of industrial automation and control systems (IACS). It provides a framework that includes requirements and guidelines for securing the supply chain. The parts of the IEC 62443 series that cover supply chain security are:

i) IEC 62443-2-4: Security Program Requirements for IACS Service Providers

  • Specifies requirements for IACS service providers, including those related to secure supply chain practices.

ii) IEC 62443-3-3: System Security Requirements and Security Levels

  • Defines system security requirements, including those that pertain to the supply chain, such as ensuring the integrity of components.

iii) IEC 62443-4-1: Secure Product Development Lifecycle Requirements

  • Outlines requirements for the secure development of products used in IACS, emphasizing secure development practices and supply chain considerations.

iv) IEC 62443-4-2: Technical Security Requirements for IACS Components

  • Specifies technical security requirements for IACS components, including those related to maintaining the integrity and authenticity of components throughout the supply chain.

Likewise, as with any other lifecycle management program that is audited, benchmarked and held to defined performance standards, such as PSM, Functional Safety management (IEC 61508/61511) or a Quality Management System (ISO 9001), internal and external stakeholders are involved with defined roles and responsibilities. This is part of the lifecycle and is driven systematically through all phases: concept, design engineering, deployment, testing and implementation, and maintenance up to decommissioning or end of life.

As part of an Industrial Control System security program, maintaining the integrity of the system requirements as a whole is paramount if the System under Consideration and its ICS infrastructure are to be effective at each and every phase.

Consider, as an example, that the ICS infrastructure of a particular industrial complex or plant has gone through the risk assessment process and the outcome is to maintain Security Level 2 (SL2) or Security Level 3 (SL3) for the respective zones and conduits. What does this mean exactly, in the broader perspective of engineering, design, testing and deployment?

  1. It helps to define a robust industrial control system architecture for the System under Consideration.
  2. A clear picture for defining zones and conduits, taking into account logical and physical grouping for safety, operability/availability, and the information needed for asset management, production management and effective enterprise management. It also covers diverse network formation and segregation criteria such as the control system network (further split into process control and safety system networks), the business enterprise network, the telecommunication system network, the wireless communication network that is part of smart manufacturing facilities, RPA, the Manufacturing Execution System, or any other monitoring-only control system network across the plant.
  3. Further clarity and understanding at the network and component deployment level, based on the risk assessment outcomes, for switches, routers, firewalls and embedded devices that form part of the process control and safety systems (BPCS/SIS), including control processors, I/O cards, communication modules, I/O interface/fieldbus modules, safety network interface components, and likewise CPUs, I/O cards, power supplies and other active and passive components.

Based on this understanding, we need to be clear that for most threat actors, whether intentional or unintentional, internal or external, the impact originates from a hardware component, is triggered by software, or is due to configuration gaps that are sometimes overlooked and surface sooner or later as "vulnerabilities". I am highlighting these points for the following reasons:

  • Industrial Control Systems, being COTS items, have historically been proposed to end-users and asset owners as packaged items with the ultimate aim of achieving the functionality of the process automation and safety system.
  • In the legacy way of working, all technical evaluations focused mainly on achieving high-end functionality for the purpose the system is designed for, be it monitoring, controlling or preventive fail-safe safety aspects, BUT the focus has rarely been on raising questions and clarifications such as how the respective product (embedded devices, network devices, host devices or associated applications) has been designed or where it has been sourced from.

NOTE: Sometimes sub-vendor/supplier information is requested from System Integrators, but not with the core purpose of understanding this aspect; rather, it is to maintain long-term spares and services.

  • Is the particular product and component supplier qualified to produce a product that follows secure base requirements and secure design criteria? How robust and independent is their product verification and validation process? Similar to FMEDA in Functional Safety Lifecycle management, what process is in place for the identification and mitigation of product security defects, and what about other items such as a product security manual or lifecycle security maintenance guidelines?

Being an end-user or asset owner, one should clearly keep in mind that Industrial Control System security management is not just creating engineered defense-in-depth barriers, patch management, upgrades etc.; it is a holistic approach, which will not be effective without involving each stakeholder responsible for the integrity of the involved pieces, components and system requirements.

Product and component suppliers of the Industrial Control System are among the key stakeholders in the design, development and implementation phases, where tight liaison with the System Integrator / Main Automation Vendor is essential for success; however, accountabilities and responsibilities shall be well defined as part of the Industrial Control System security framework so that the aspects raised above are answered.

During one of the technical clarification sessions, I remember raising the question to a System Integrator of why the "Common Vulnerabilities and Exposures (CVEs)", updates and end-of-life notices for these particular pieces and components were not communicated well in advance rather than being learned from open sources, along with a similar question regarding obsolescence and upgrades of the OS, network switches, firewalls etc. The answer was quite simple: "these are not directly driven by the respective system integrator company but driven by xyz vendors, which is beyond their control", which is something any asset owner/end-user would like to hear, especially in the context of supply chain security. This is why a well-framed strategy shall be formulated, also considering the fact that nowadays many independent agencies, such as TUV, ISCI, UL etc., have competency for such compliance criteria, to make sure that the respective phases of product development security assessment are in a mature enough state, including the development lifecycle, system security requirements, and device/component security from a hardware, software and configuration point of view, followed by an independent verification and validation process in place within the organization or by third parties.
