Breaking Down Industrial Cybersecurity Standards

ISA99 / ISA/IEC 62443 and NERC-CIP

By Dan French

Control systems have been around for a long time. Since the Industrial Revolution, control systems have grown to be the invisible backbone on which society depends. In recent decades, industrial control systems (ICS) have undergone another revolution of sorts, growing into agile behemoths that churn out things we rely on every day: from smartphones and cars, to drinking water and electricity.  

ICS have become more networked than ever before, giving operators far better visibility into and control over their operations. The downside is that these systems are now far more exposed to network-borne threats, whether from malicious attackers, unwitting employees or well-meaning but misguided contractors. This exposure has produced incidents ranging from minor headaches to major downtime. An up-to-date list of reported incidents is maintained on the ICS-CERT website.

These incidents have exposed vulnerabilities in some of the most important control systems in existence, and eventually led to the development of ICS security standards. This document gives a brief overview of what is covered by two of them: ISA99 / ISA/IEC 62443 and NERC-CIP.

Defense In Depth: ISA99 / ISA/IEC 62443

The ISA99 committee of the International Society of Automation developed the ISA/IEC 62443 series of standards, which applies to any industrial automation and control system. For brevity, this document refers to the series as ISA99. Its two central concepts are defense in depth, and zones and conduits.

Defense in depth is easiest to implement incrementally: each hardening step is small on its own, but together they add up to a robust system. Steps an ICS network administrator can take include:

  • Changing the default and remote-access passwords on everything on the system (network switches, PLCs, PCs, etc.)
  • Following standard layer 2 security best practices
    • Shutting down unused switch ports, segmenting the network with VLANs (and keeping VLAN 1 out of service), and binding access ports to the MAC addresses of the end devices connected to them (port security)
  • Physically locking the ICS hardware away
  • Restricting routed traffic with a firewall between the control network and any other network
  • Implementing port-based network access control at access ports (IEEE 802.1X, with MAC-based authentication for devices that cannot run a supplicant)
  • Changing SNMP community strings from the vendor defaults
  • Implementing access control lists
  • Changing the passwords on device configuration and console ports (serial console, Telnet) and preferring SSH over Telnet where the device supports it
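Most of the items in that list can be checked mechanically against a switch's running configuration. The script below is an added example written for this article, not a tool from the ISA99 standards: it parses an IOS-style configuration (the sample config, hostnames and addresses are constructed) and reports default SNMP community strings, use of VLAN 1, enabled ports that look unused, active access ports without port security or 802.1X, Telnet on the management lines, and a well-known line password. The "unused port" rule and the weak-password list are heuristics, and are labelled as such in the code.

```python
"""Audit an IOS-style switch configuration against the defense-in-depth checklist above.

Added example for this article, not a tool from the ISA/IEC 62443 standards.
The sample configuration below is constructed and describes a hypothetical access switch.
"""
import re
from typing import Dict, List

# Constructed sample running-config (hypothetical switch with several weaknesses).
SAMPLE_CONFIG = """\
hostname plc-access-sw1
snmp-server community public RO
snmp-server community private RW
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description PLC-01
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 description HMI-01
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
line vty 0 4
 password cisco
 transport input telnet ssh
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_LINE_PASSWORDS = {"cisco", "admin", "password"}  # assumed vendor/common defaults


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split the config into a 'global' section plus one block per interface/line stanza."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = "global"                      # '!' terminates a stanza
            continue
        if line.startswith(" "):
            blocks[current].append(line.strip())    # indented: belongs to the current stanza
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            blocks[current] = []
        else:
            current = "global"
            blocks["global"].append(line.strip())
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one human-readable finding per checklist violation found in the config."""
    findings: List[str] = []
    blocks = parse_blocks(config)

    # SNMP community strings left at vendor defaults
    for line in blocks["global"]:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}' in use")

    for header, body in blocks.items():
        if header == "interface Vlan1" and any(l.startswith("ip address") for l in body):
            findings.append("VLAN 1 is in use (management address configured on it)")
        elif header.startswith("interface ") and not header.startswith("interface Vlan"):
            name = header.split(" ", 1)[1]
            if "shutdown" in body:
                continue                            # unused port correctly disabled
            configured = any(l.startswith(("description", "switchport access vlan")) for l in body)
            if not configured:
                # Heuristic: an enabled port with no description and no VLAN is assumed unused.
                findings.append(f"{name}: unused port is not shut down")
                continue
            if not any(l.startswith("switchport access vlan") for l in body):
                findings.append(f"{name}: left on default VLAN 1")
            if "switchport port-security" not in body:
                findings.append(f"{name}: no port-security (MAC binding) on active access port")
            if "dot1x pae authenticator" not in body:
                findings.append(f"{name}: no 802.1X authentication on active access port")
        elif header.startswith("line vty"):
            for l in body:
                if l.startswith("transport input") and "telnet" in l.split():
                    findings.append(f"{header}: Telnet enabled; restrict to 'transport input ssh'")
                if l.startswith("password ") and l.split()[-1].lower() in WEAK_LINE_PASSWORDS:
                    findings.append(f"{header}: weak/default line password")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed config, the script flags both SNMP strings, the management address on VLAN 1, the HMI port that has neither port security nor 802.1X, the open-but-unconfigured port 1/0/3, and both problems on the VTY lines, while the correctly configured PLC port and the shut-down port 1/0/4 produce no findings. The same parse-then-check structure extends naturally to other vendors' configuration grammars.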

Zones and conduits are easy to conceptualize but harder to implement in practice. The physical assets in an ICS are grouped into zones according to their function and security requirements, so that every asset within a zone shares the same level of protection.

Network communication between zones must pass through a "conduit." By controlling the traffic that crosses each conduit, you protect the assets in every zone and contain problems to the zone where they start. Conduits are enforced with firewalls, traffic filtering and network separation/routing. The most critical assets warrant additional protection in the form of dedicated security appliances or firewalls on their conduits, including transparent layer 2 "bump-in-the-wire" devices that perform deep packet inspection on the most critical conduits.
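A zone-and-conduit model is ultimately an allowlist: which zones may talk, and with which protocols. The following added example (written for this article; not from the ISA/IEC 62443 documents) encodes a small hypothetical plant as an asset-to-zone inventory and a list of directional conduits, renders that model as an ordered firewall allowlist with a default deny, and then classifies observed flows. The zone names, addresses, protocol allowlists and sample flows are all constructed.

```python
"""Model ISA99 zones and conduits and check observed traffic flows against them.

Added example for this article, not from the ISA/IEC 62443 documents. The plant
layout, addresses, zone names and protocol allowlists below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed asset inventory: IP address -> zone (hypothetical plant).
ASSET_ZONES: Dict[str, str] = {
    "10.10.1.11": "cell-A",        # PLC
    "10.10.1.12": "cell-A",        # local HMI panel
    "10.20.1.20": "supervisory",   # SCADA server
    "10.20.1.21": "supervisory",   # historian
    "172.16.5.30": "enterprise",   # corporate workstation
}


@dataclass(frozen=True)
class Conduit:
    """A permitted communication path between two zones and the traffic it may carry."""
    src_zone: str
    dst_zone: str
    allowed: FrozenSet[Tuple[str, int]]   # (protocol, destination port) pairs


# Conduits are directional: only the listed protocols may cross; everything else is dropped.
CONDUITS: List[Conduit] = [
    Conduit("supervisory", "cell-A", frozenset({("tcp", 502)})),       # Modbus/TCP polling only
    Conduit("enterprise", "supervisory", frozenset({("tcp", 443)})),   # HTTPS to the historian
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def find_conduit(src_zone: str, dst_zone: str) -> Optional[Conduit]:
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone) == (src_zone, dst_zone):
            return c
    return None


def evaluate_flow(flow: Flow) -> str:
    """Classify a flow as intra-zone, allowed, blocked-protocol, no-conduit or unknown-asset."""
    src_zone = ASSET_ZONES.get(flow.src)
    dst_zone = ASSET_ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"           # not in the inventory: something is on the network that should not be
    if src_zone == dst_zone:
        return "intra-zone"              # zone-internal traffic does not cross a conduit
    conduit = find_conduit(src_zone, dst_zone)
    if conduit is None:
        return "no-conduit"              # these zones are not meant to talk at all
    if (flow.proto, flow.dport) in conduit.allowed:
        return "allowed"
    return "blocked-protocol"            # crosses a real conduit, but with a protocol it does not permit


def firewall_rules() -> List[str]:
    """Render the conduit model as an ordered allowlist with a final default deny."""
    rules = [
        f"permit {proto} from zone {c.src_zone} to zone {c.dst_zone} dport {port}"
        for c in CONDUITS
        for proto, port in sorted(c.allowed)
    ]
    rules.append("deny any from any zone to any zone")
    return rules


# Constructed sample flows, as they might come from a flow export or firewall log.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.1.20", "10.10.1.11", "tcp", 502),    # SCADA polling the PLC
    Flow("10.10.1.12", "10.10.1.11", "tcp", 502),    # local HMI to PLC inside the cell
    Flow("172.16.5.30", "10.20.1.21", "tcp", 443),   # corporate user reading the historian
    Flow("10.20.1.20", "10.10.1.11", "tcp", 3389),   # RDP into the cell: not an allowed protocol
    Flow("172.16.5.30", "10.10.1.11", "tcp", 502),   # enterprise straight to the PLC: bypasses supervisory
    Flow("192.168.99.9", "10.10.1.11", "tcp", 502),  # unknown source talking Modbus to the PLC
]


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts over a batch of flows."""
    counts: Dict[str, int] = {}
    for f in flows:
        verdict = evaluate_flow(f)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for rule in firewall_rules():
        print(rule)
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate_flow(f)}")
```

The three non-allowed verdicts map to three different operational responses: a blocked-protocol flow means someone is using a real conduit for something it was not designed to carry (here RDP over the Modbus conduit), a no-conduit flow means a path exists between zones that the design says should not be connected at all (the enterprise workstation reaching the PLC directly), and an unknown-asset flow means the inventory is incomplete or a rogue device is present.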

More information on ISA99 (ISA/IEC 62443) can be found in the reference links at the end of this document.

Critical Infrastructure Protection: NERC-CIP

The North American Electric Reliability Corporation (NERC) has developed a set of Critical Infrastructure Protection standards, known as NERC-CIP. These standards target the bulk electric power system specifically. At the time of writing, NERC had released over 80 reliability standards, of which the 11 CIP standards listed below are subject to enforcement. Whether a given system falls under NERC-CIP enforcement depends on NERC's registration criteria, which are published on the NERC website.

The currently enforced standards form a framework whose parts work together to create a strong cyber security program. NERC-CIP shares many concepts with ISA99, but also covers requirements such as recovery plans, personnel training and visitor management. Each standard is briefly described in the table below; the full list of NERC-CIP standards is available on the NERC website.

Enforced CIP standards (number, title and summary):

CIP-002-5.1a: Cyber Security - BES Cyber System Categorization

Identify and categorize the BES Cyber Assets and BES Cyber Systems whose compromise could affect the reliable operation of the Bulk Electric System.

Group BES Cyber Assets into BES Cyber Systems; the responsible entity chooses how large the groupings are and how systems are divided.

Categorize each BES Cyber System as High, Medium or Low impact using the criteria in Attachment 1 of the standard.

Definitions (NERC Glossary of Terms, as used by CIP-002-5.1a):

BES: Bulk Electric System.

BES Cyber Asset: "A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System."

Redundancy does not take an asset outside this definition: the standard states that redundancy of affected Facilities, systems and equipment shall not be considered when determining adverse impact, because a redundant pair typically shares the same cyber vulnerabilities.

CIP-003-6: Cyber Security - Security Management Controls

Requires documented cyber security policies covering the topics of the other CIP standards, reviewed and approved by a designated CIP Senior Manager, with any delegations of authority documented. Also specifies the baseline controls for low impact BES Cyber Systems (security awareness, physical security, electronic access controls and incident response).

CIP-004-6: Cyber Security - Personnel & Training

Requires security awareness and role-based training for personnel with access to BES Cyber Systems, covering topics such as:

  • Cyber security policies
  • Physical access controls
  • Electronic access controls
  • Handling of visitors
  • Handling and storage of BES Cyber System Information
  • Incident identification and recovery plans

Also covers personnel risk assessment (identity verification and criminal history checks) before access is granted, and the authorization, periodic review and timely revocation of physical and electronic access.

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)

Requires an Electronic Security Perimeter (ESP) around BES Cyber Systems that communicate over routable protocols, with all inbound and outbound traffic passing through identified Electronic Access Points that permit only required communications. Interactive Remote Access must go through an Intermediate System, be encrypted, and use multi-factor authentication.

CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems

Defines requirements to physically restrict access to the premises and to the critical assets within a Physical Security Perimeter. In addition, it covers items such as:

  • Visitor logs
  • Surveillance and alarming systems
  • Visitor escorts
  • Restricting access to locations from which network access or data could be obtained, including cabling and network equipment

CIP-007-6: Cyber Security - System Security Management

System-level security measures: ports and services (disabling unused logical ports and physical ports, limiting removable media), security patch management, malicious code prevention, security event monitoring and logging, and system access control (changing default passwords, password complexity and change intervals, account lockout). Also covers detecting security breaches and malware on the system and responding to them.

CIP-008-5: Cyber Security - Incident Reporting and Response Planning

Maintain a Cyber Security Incident response plan, exercise it at least every 15 calendar months, record incidents, and report Reportable Cyber Security Incidents to the ES-ISAC (now the E-ISAC) within one hour of determination.

CIP-009-6: Cyber Security - Recovery Plans for BES Cyber Systems

Recovery plans that define when they are activated, the roles and responsibilities of responders, and the backup and storage of the information needed to restore BES Cyber System functionality. Plans must be tested periodically and updated after tests or actual recoveries.

CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments

Change management: develop and document a "baseline configuration" for each system, including

  • Operating system or firmware (including version)
  • Any commercially available, open-source or custom software intentionally installed (including version)
  • Any logical network accessible ports
  • Any security patches applied

Authorize and document every change from the baseline, assess its security impact before it is made, and verify the baseline afterwards. The standard also requires periodic vulnerability assessments and, new in CIP-010-2, controls for Transient Cyber Assets and Removable Media.

There are software suites available to make this baseline management simpler, more robust and more secure.
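The core of CIP-010 change management is mechanical: record the four baseline categories, take a fresh snapshot, diff the two, and treat every difference without an approved change record as a deviation to investigate. The following added example (written for this article, not a NERC tool or any vendor's product) does exactly that for an imaginary HMI server; the baseline, the later snapshot, the software names and the patch identifiers are constructed.

```python
"""Detect deviations from a CIP-010 style baseline configuration.

Added example for this article, not a NERC tool. The baseline, the later snapshot
and the approved-change list below are constructed for an imaginary HMI server.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Baseline:
    """The four inventory categories CIP-010 R1 requires in a baseline configuration."""
    os_firmware: str
    software: Dict[str, str]          # intentionally installed software -> version
    open_ports: Set[Tuple[str, int]]  # logical network accessible ports as (protocol, port)
    patches: Set[str]                 # security patches applied


@dataclass(frozen=True)
class Deviation:
    item: str     # stable key, e.g. "software:SCADA-HMI" or "port:tcp/5900"
    kind: str     # "added", "removed" or "changed"
    detail: str


def compare(baseline: Baseline, snapshot: Baseline) -> List[Deviation]:
    """Return every difference between the documented baseline and the current state."""
    devs: List[Deviation] = []
    if baseline.os_firmware != snapshot.os_firmware:
        devs.append(Deviation("os", "changed", f"{baseline.os_firmware} -> {snapshot.os_firmware}"))
    for name in sorted(set(baseline.software) | set(snapshot.software)):
        old, new = baseline.software.get(name), snapshot.software.get(name)
        if old is None:
            devs.append(Deviation(f"software:{name}", "added", f"{name} {new}"))
        elif new is None:
            devs.append(Deviation(f"software:{name}", "removed", f"{name} {old}"))
        elif old != new:
            devs.append(Deviation(f"software:{name}", "changed", f"{name} {old} -> {new}"))
    for proto, port in sorted(snapshot.open_ports - baseline.open_ports):
        devs.append(Deviation(f"port:{proto}/{port}", "added", f"{proto}/{port} now listening"))
    for proto, port in sorted(baseline.open_ports - snapshot.open_ports):
        devs.append(Deviation(f"port:{proto}/{port}", "removed", f"{proto}/{port} no longer listening"))
    for kb in sorted(snapshot.patches - baseline.patches):
        devs.append(Deviation(f"patch:{kb}", "added", f"{kb} applied"))
    for kb in sorted(baseline.patches - snapshot.patches):
        devs.append(Deviation(f"patch:{kb}", "removed", f"{kb} missing"))
    return devs


def unauthorized(devs: List[Deviation], approved: Set[str]) -> List[Deviation]:
    """Deviations with no matching approved change record: the cases CIP-010 R2 exists to catch."""
    return [d for d in devs if d.item not in approved]


# Constructed baseline for an HMI server, documented when it was commissioned.
BASELINE = Baseline(
    os_firmware="Windows Server 2012 R2 (6.3.9600)",
    software={"SCADA-HMI": "8.1.2", "EndpointAV": "12.0"},
    open_ports={("tcp", 443), ("tcp", 3389)},
    patches={"KB0001", "KB0002"},
)

# Constructed snapshot of the same server taken a month later.
SNAPSHOT = Baseline(
    os_firmware="Windows Server 2012 R2 (6.3.9600)",
    software={"SCADA-HMI": "8.1.3", "EndpointAV": "12.0", "RemoteDesktopTool": "1.0"},
    open_ports={("tcp", 443), ("tcp", 3389), ("tcp", 5900)},
    patches={"KB0001", "KB0002", "KB0003"},
)

# Constructed change records: what the change-management process actually authorized.
APPROVED_CHANGES = {"software:SCADA-HMI", "patch:KB0003"}


if __name__ == "__main__":
    for d in unauthorized(compare(BASELINE, SNAPSHOT), APPROVED_CHANGES):
        print(f"UNAUTHORIZED {d.kind}: {d.detail}")
```

For the constructed data the diff finds four changes: the HMI software upgrade and the new patch are covered by change records, but the remote desktop tool that appeared and the new listener on tcp/5900 are not, and those two are what the 35-day monitoring requirement is meant to surface. Keying deviations by a stable item name (rather than by free text) is what lets them be matched against change tickets.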

CIP-011-2: Cyber Security - Information Protection

Identify BES Cyber System Information (network diagrams, configurations, security procedures and the like) and protect it during storage, transit and use; sanitize or destroy the storage media of BES Cyber Assets before reuse or disposal.

CIP-014-2: Physical Security

Requires risk assessments of Transmission stations, substations and primary control centers whose loss or damage could cause instability or cascading outages, independent third-party verification of those assessments, and a physical security plan for the identified sites (physical barriers, monitoring, coordination with law enforcement, etc.).