Author: Ainara García, Project Manager PMO at Barbara IoT

 

Using IEC-62443 to Secure Industrial Devices

In the era of Industry 4.0, the convergence of Information Technology (IT) and Operational Technology (OT) has revolutionized industrial processes. This convergence, however, has also introduced significant cybersecurity challenges. 

At Barbara, we focus on offering industrial companies a way to digitize their operations, using connected devices to capture data and enable AI-driven automations in a cyber-secure way. We are therefore interested in providing the highest levels of cybersecurity in the interconnection of the IT and OT domains, and IEC-62443 is an important standard for us.

The IEC-62443 standards have emerged as a de-facto solution to address interconnected IT/OT security challenges, providing comprehensive guidelines to secure industrial automation and control systems (IACS). Among these standards, the IEC 62443-4-2 specification specifically focuses on security requirements for components, including embedded devices, network components, and software applications. Leveraging the CROSSCON Secure IoT stack, which is being developed to employ advanced techniques such as Hypervisors, Trusted Execution Environment (TEE) abstractor, and TEE isolation, can enhance compliance with these standards and fortify industrial devices against cyber threats.
 

Understanding IEC-62443 Standards

IEC-62443 is a series of standards developed by the International Electrotechnical Commission (IEC) to provide a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems. The standards cover various aspects of cybersecurity, including general concepts, policies, and procedures, as well as technical requirements for different components of the IACS.

The key components of IEC-62443 are the following: 

  1. IEC 62443-1-1 to 1-4: General principles, including concepts, models, and terminology.
  2. IEC 62443-2-1 to 2-4: Policies and procedures, including security program requirements for IACS.
  3. IEC 62443-3-1 to 3-3: System-level security requirements and security levels. 
  4. IEC 62443-4-1 to 4-2: Component-level security requirements, with 4-1 focusing on the secure development lifecycle and 4-2 detailing technical security requirements for IACS components.

     

IEC 62443-4-2: Security for Industrial Devices

IEC 62443-4-2 specifies the technical security requirements for individual components within an IACS. These components include embedded devices, network components, host devices, and software applications. The standard outlines several key areas:

  1. Identification and Authentication Control: ensures that only authorized entities can access the device.
  2. Use Control: limits the actions that authorized entities can perform.
  3. System Integrity: protects the device from unauthorized changes.
  4. Data Confidentiality: ensures that data is only accessible to authorized entities.
  5. Restricted Data Flows: controls the exchange of information between devices.
  6. Timely Response to Events: ensures that security-related events are promptly addressed.
  7. Resource Availability: guarantees that devices are available and can perform their intended functions even under adverse conditions.

Enhancing Compliance with CROSSCON Secure IoT Stack

The CROSSCON Secure IoT stack is being designed in a way that helps device manufacturers and owners to meet some of the most complex requirements set forth by IEC 62443-4-2, providing a robust solution for securing industrial devices. Here’s how these innovative techniques contribute to achieving higher levels of compliance:

CROSSCON hypervisors play a crucial role in isolating different operational environments on the same physical hardware. By creating multiple virtual machines (VMs) on a single device, hypervisors can segregate critical control functions from less secure processes. This isolation minimizes the risk of a security breach affecting the entire system, thereby helping to achieve the System Integrity and Resource Availability requirements of IEC 62443-4-2.

The Trusted Execution Environment (TEE) abstractor that CROSSCON is working on facilitates the management of secure areas within the main processor. These secure areas ensure that sensitive data and processes are protected from unauthorized access and tampering, contributing significantly to the Data Confidentiality requirements.

Finally, with CROSSCON TEE isolation techniques, each TEE operates independently, preventing any compromise in one TEE from affecting others. This isolation is critical for maintaining Restricted Data Flows.

 

Conclusion

Securing industrial devices in the context of IT/OT convergence requires adherence to stringent cybersecurity standards. The IEC-62443 standards, particularly the IEC 62443-4-2 specification, provide a robust framework for addressing these challenges when it comes to connected devices. 

By leveraging the CROSSCON Secure IoT stack, which incorporates advanced techniques such as Hypervisors, TEE abstractor, and TEE isolation, organizations of any type can achieve a higher level of compliance with IEC-62443 and ensure the security and reliability of their industrial devices.

As we at Barbara continue to innovate and enhance our security solutions with the results of this project, we are committed to helping industries navigate the complexities of cybersecurity and protect their critical infrastructure.