How to implement zone as per IEC 62443 ?

If you worked or discussed about IEC 62443, you must have also discussed about zoning and conduiting as one of the core requirement to secure an IACS.

IEC 62443 revolves around zoning and it acts as a fundamental activity to set security levels, security policy and compliances. One cannot have effective implementation of IEC 62443 without having optimum zoning.

Although zoning is basically described as "A security zone is a physical/ logical grouping of physical, informational, and application assets sharing common security requirements", it is important to understand What, Why and How of this concept.

What is zone ?

Let's dive deep into IEC 62443 for more understanding of zones.

Following points depict the concept of zones.

• Primary concept of zones is to provide defence-in-depth capability by design - application of administrative, physical and technical controls based on risk.
• Zones can have child zones and have the property of inheritance.
• Zones have boundaries, which separates them from other trusted/ untrusted zones. Typically firewall or router can be considered as boundary of the zone.
• Not all zones have the same requirement and hence SLs may vary from zone to zone.
• Zone have assets grouped based on the commonality in security requirements. It is possible to group physically or logically but grouping on the physical premise has its own advantages. E.g.- Security zone of control centre or safety equipment (SIS).
• Conduit is also a zone meant to secure communication channels. They cannot have have sub-conduit. All the components like switches, routers, security appliances which make the communication channel possible make up the conduit.

Few implementation of zones

1. Zone with sub-zones (child zones)

2. Separate zones, each with security levels and security policy defined.

Why zone ?

Zone is the basic requirement for implementing IEC 62443. It is basis for the following

1. Segregation of networks for Defence-in-Depth.
2. Assigning SL(T) and assessing SL(A) after control implementation.
3. Formulating security scope and policies for zones and enterprise.
4. Granular control of asset inventory management.
5. Change management and authorization.
6. Formulation of security strategy and distribution of controls, thus helping in finetuning cybersecurity budget.
7. Enforcement of security measures with context.
8. Bedrock for other programs in CSMS such as patch management, IDAM, PAM, access control, risk management, update management, BCP, incident management, mobile device management, etc.

If the zoning is not optimum, it will perpetuate the error across CSMS, thus demanding rework, patch, budget, time and resources.

How to implement a zone ?

As per IEC 62443 few of the models can be used to define zones and conduits (communication zones). Below picture depicts a simplified form of it. It can be more related to greenfield and can be adopted for brownfield along with strategically planned change management.

Here,

1. Reference Model can be Purdue Enterprise Reference Architecture (PERA).
2. Asset Model can be referred in IEC 62443 and is high level and generic depiction on how the control systems in an IACS is deployed.
3. Reference architecture is very specific to organisation and architected as per the context. It is high level but enough detailed that all concerned personnel in an organization can refer.
4. Network architecture is detailed view of communication networks as it influences conduits and zones.
5. Zone and conduit model depicts concluded zone and conduits after risk assessment. IEC 62443-3-2 may be used to conduct risk assessment.
6. Security Level (Target) [SL(T)] can be assigned once zones and conduits are defined. By this time, we know the criticality and required degree of countermeasures.
7. These activities will influence and helps in formulating policies for zones and in turn can be adopted at enterprise level.

Security levels are functions of time, which means, countermeasures will deteriorate over time due to dynamic nature of cybersecurity. Hence, it should be repeated at a predefined trigger points.

Conclusion

Recently we have seen many of the compromises on state owned critical infrastructure. RCAs mention one of the core reason as no defence-in-depth or no segregated networks. This is nothing but the above mentioned activities regarding zoning. If this is done with due diligence, we can make activities of adversaries, uneconomic or unsustainable, and prevent major incidents.