Challenges Of Using IEC 62443 To Secure IIoT

00:00

foreign

00:08

just making sure that you're all in the

00:10

right room this is the session on 62443

00:13

and iiot

00:16

okay

00:21

so welcome to this session uh I'm Ryan

00:24

de Souza and I'm a principal Solutions

00:27

architect at AWS it's a real pleasure to

00:29

be with you all here today and the topic

00:32

I'm going to discuss is 62443 and how to

00:35

apply it to iiot or the industrial

00:37

Internet of Things uh in this session

00:40

we'll be going over some of the changes

00:43

in the standards as well as the

00:45

certifications we've got really a lot of

00:47

content to cover uh so let's get started

00:51

so as most of you know or most of you

00:53

are aware industrial iot is used across

00:56

Industries

00:57

and uh

00:59

these are some of the industries that

01:01

it's it's used in it gets introduced

01:05

into the OT environment so industrial

01:06

iot or iiot devices integrate into the

01:11

OT environment and you do that when you

01:13

implement industrial iot use cases

01:17

throughout the stock today I will be

01:20

discussing and talking about

01:21

OT devices as well as I iot devices and

01:25

just to level set when I mention OT

01:27

devices I mean traditional OT devices

01:30

like plcs hmis scada systems when I

01:35

mentioned I iot devices I mean modern

01:38

iiot devices like IP based cameras

01:40

secondary sensors as well as Edge

01:43

gateways these iiot devices get

01:47

introduced into the OT environment when

01:49

you implement industrial iot use cases

01:54

so what are these industrial iot use

01:57

cases here are some of them it's

01:59

improving operational efficiencies in

02:01

the factory okay reducing unplanned

02:03

downtime with predictive maintenance

02:05

improving product quality

02:08

supply chain improvements in Supply

02:10

Chain management as well as creating new

02:13

Revenue opportunities for manufacturers

02:15

with smart products and services

02:19

let's go ahead and take the take a look

02:21

at the evolving manufacturing data

02:23

landscape and I've tried to lay this out

02:25

based on Isa 95 and based on three

02:29

different time zones okay so the first

02:32

time zone we'll take a look at is

02:34

yesterday

02:35

in yesterday's world you had asset

02:37

owners that implemented the traditional

02:40

para model or Isa 95 model OKAY in this

02:43

model you had Standalone applications

02:45

you had data silos very little

02:47

connectivity between the different

02:49

layers and few connections to external

02:52

networks right so that's the yesterday

02:54

scenario let's go ahead and take a look

02:57

at what's happening today and tomorrow

02:59

in the today tomorrow time frame

03:02

what we have over here is the

03:04

introduction of iiot so the ongoing

03:07

convergence of OT and it and the

03:09

introduction of industrial iot into the

03:12

OT landscape what is also happening is

03:14

that in the same way that the cloud

03:16

transformed the I.T landscape the cloud

03:19

is transforming and revolutionizing OT

03:22

in new ways in what is called industrial

03:25

digital transformation or industry 4.0

03:30

what's going to happen in the future is

03:33

even more convergence continued

03:35

convergence of 40 and it okay I would

03:38

say full convergence of otnit with any

03:40

to any Communications in this scenario

03:42

you have digital factories and smart

03:45

factories this trend is going to

03:47

continue this trend is going to

03:49

accelerate there's nothing stopping this

03:52

from happening uh what is slowing this

03:55

down is security right so security is

03:59

one of the factors that is slowing down

04:01

this transition towards a full

04:02

convergence and uh understandably so

04:05

because asset owners need to secure

04:08

OT when doing iiot and Cloud projects so

04:12

this convergence of otnit introduces new

04:15

opportunities

04:16

for manufacturers for industrial digital

04:20

transformation for industry for a door

04:22

but it also introduces new risk which

04:25

needs to be properly managed okay if you

04:28

look at this this architecture over here

04:30

it is drawn out to the ISA 95 model what

04:34

iiot introduces is new connections so

04:37

you can have iiot devices at different

04:39

layers of the stack establishing

04:42

connections to external networks or

04:44

untrusted networks and when this happens

04:46

you increase the attack surface okay so

04:49

this introduces new risk into the

04:51

environment which asset owners need to

04:53

be aware of and need to be able to

04:55

protect the full attack surface

04:58

so let's go ahead and look at the iiot

05:01

threat vectors these threat vectors are

05:04

not unique to iiot but they do exist

05:07

with the industrial internet of things

05:09

okay and essentially an iiot device can

05:13

get compromised or may be compromised

05:15

and may be then used for a denial of

05:17

service attack

05:19

an iiot device can lead to lateral

05:21

threat escalation on the network

05:23

it can lead to surveillance of the

05:26

network

05:27

an iiot device can lead to sabotage

05:29

attacks on operational technology

05:32

some of these devices are pretty

05:33

powerful right some of these Edge

05:35

Computers are powerful devices and if

05:38

compromised they can be used for

05:39

cryptocurrency mining activities

05:42

lastly the data on the device or the

05:45

date on the edge Gateway can get

05:46

encrypted leading to a ransomware attack

05:48

okay or you could have data that is

05:51

being exfiltrated from the factory once

05:54

again these threat vectors are not

05:57

unique to iiot what is different is that

05:59

these devices when introduced into the

06:01

OT environment significantly increase

06:03

the attack surface which needs to be

06:06

protected the consequences of a

06:08

compromise is also what is different

06:09

because if there is a compromise it can

06:12

have environment health and safety

06:15

implications as you're well aware

06:18

so I'll give you a second to read uh

06:20

this view of little Bob that or what

06:23

little Bobby has on the six two four

06:25

four three standards

06:27

[Music]

06:34

uh so what I am going to add is that uh

06:36

62443 is comprehensive

06:39

it's a comprehensive set of Standards it

06:42

also uh is consensus based and it can

06:46

actually run into thousands of pages

06:48

right thousands of pages of guidance

06:50

which makes reading all of this a

06:52

challenge

06:55

in order to level set on 62443 and the

06:59

standards uh so that we are all on the

07:01

same page it is a series of security

07:04

standards for Industrial Automation and

07:06

control systems it was jointly developed

07:09

and supported and managed by Isa and IEC

07:12

and therefore it's called Isa

07:15

iec62443 standards

07:18

it is structured into different groups

07:20

and you can see the groups of years you

07:22

have a general category you've got uh

07:24

policies and procedures components as

07:27

well as system

07:29

uh it is important to note that these

07:32

standards predate iiot right so they

07:35

were written before iiot uh you know

07:38

came into existence and therefore iiot

07:42

is not already represented in 62443 that

07:45

needs to change and that's one of the

07:47

challenges

07:48

so let's go ahead and take a look at the

07:50

the challenges uh with using 62443 for

07:53

the industrial Internet of Things the

07:56

first is that it predates iiot so it

07:58

came basically before iiot and therefore

08:01

you know the standards need to be

08:02

updated

08:04

um iiot introduces new communication

08:07

channels into the OT environment but

08:09

also brings in lots of new functionality

08:12

which asset owners can take advantage of

08:15

uh there are different roles in 62443 so

08:19

there is the asset owner role uh there

08:21

is the product supplier role there's

08:23

also a service provider role there is no

08:25

formal role for the cloud provider okay

08:28

so that needs to change a recognition

08:30

that a cloud provider can play a role in

08:33

62443 in the iiot environment uh and and

08:36

that's one of the changes that needs to

08:37

happen many of the requirements that

08:40

62443 has or does actually apply to

08:43

Cloud providers okay so it's not that so

08:46

there are some changes that need to be

08:48

made but many of the requirements

08:49

already apply to a cloud provider

08:53

uh six two four four three considers a

08:56

segmented environment so it considers

08:58

the segmentation it considers this

09:00

parameter-based security guess what when

09:02

you have iiot and you have these

09:04

connections coming in

09:06

um from that iiot introduces into the OT

09:09

environment and if you look at the

09:10

Purdue model you've got these

09:12

connections to external networks and

09:14

untrusted networks okay uh so Network

09:17

segmentation

09:18

is important but parameter-based

09:20

security alone is not sufficient you

09:23

really need to get into a zero trust

09:24

security model because now you have

09:26

these incremental connections uh that

09:29

are different layers of the OT stack

09:32

that have connections to external

09:33

untrusted Networks uh iiot upsets the

09:37

traditional para model and we took a

09:39

look at that in one of my earlier slides

09:40

where I showed you a different layers of

09:42

the Purdue model you can have iot

09:44

devices making connections to external

09:46

untrusted Networks

09:48

so what's actually changing in the

09:50

standards uh this is one of the

09:52

important changes that you will see to

09:55

the standard it is uh the TR or

09:58

technical report six to four four three

10:00

four dash three this was jointly created

10:03

and published by Isa 99 working group

10:06

nine I'm part of that committee and they

10:09

published this technical report it's

10:10

called 62443 4-3 it's also available as

10:14

an iecpas 62443 4-3 it is yet in draft

10:19

so it is not yet part of the standards

10:22

but it will be

10:23

uh it discusses the application of 62443

10:27

to iiot and in my view it's a great

10:30

document for asset owners because it

10:32

provides asset owners with prescriptive

10:34

guidance on introducing iiot into OT

10:38

environments and yet following the 62443

10:41

security standards

10:45

security Concepts like zones and

10:47

conduits have a new meaning for iiot and

10:49

we'll take a look at that momentarily

10:51

there is a section in the document that

10:53

has that talks about the special

10:55

considerations of using iiot with

10:58

cloud-based services

11:01

the document has no normative content so

11:03

there are no obligations and also this

11:06

document has got guidance but no

11:08

technical requirements the technical

11:10

requirements have not yet been written

11:12

and and that's one of the ongoing works

11:14

for the standards

11:17

so we'll now transition and take a look

11:19

at using Zone and conduit models uh

11:22

those of you in the room that have used

11:23

62443 this should not be a surprise

11:26

these are Zone and conduit diagrams they

11:29

follow six to four four three three-2

11:31

for risk assessments this is a really

11:34

simple example where I have a secondary

11:35

sensor connected to in the OT

11:38

environment connected to an asset so it

11:40

could be a temperature sensor or a

11:41

vibration sensor it is connected to an

11:43

industrial iot Gateway this gateway then

11:47

establishes a connection to an external

11:48

network or an untrusted Network like the

11:50

internet in order to get out get

11:53

connected to cloud services running

11:55

remotely okay so this is really a simple

11:58

use case in this use case we're using

12:01

the zone and conduit model so you've got

12:03

different zones you've got the local

12:04

Zone you've got an edge Zone and you can

12:07

have multiple trust zones in the cloud

12:09

as you can see right over here

12:12

uh this Zone and conduit model diagrams

12:14

are very useful even for industrial iot

12:18

use cases in order to understand threats

12:21

and vulnerabilities right in order to in

12:24

order to then inform your risk as well

12:26

as understanding consequences

12:29

so we briefly spoke about this earlier

12:31

that 62443 has got standards uh has got

12:35

sorry roles these roles are the acetona

12:38

role the product supplier role the

12:40

service provider role there is no role

12:42

for cloud provider okay and the cloud

12:45

provider can actually play multiple

12:47

roles multiple of the multiple existing

12:49

roles that 62443 has so for example uh

12:53

the cloud provider can be a product

12:54

supplier why is that because cloud

12:56

services is the product

12:58

uh the cloud provider can also be a

13:00

maintenance service provider and why is

13:02

that because the cloud provider

13:04

maintains cloud services and in some

13:06

cases the cloud provider can even be a

13:08

system integrator if the cloud provider

13:10

is playing the role of a system

13:11

integrator on an iiot project

13:14

so these are the changes that need to

13:16

happen in the standards in order to

13:18

recognize that there is a cloud provider

13:20

and the cloud provider does play a role

13:22

on iiot projects and related with 62443

13:27

so when asset owners do use iiot and

13:31

introduce iiot into their OT

13:33

environments uh there's always going to

13:36

be cloud services

13:38

so it's important for the asset owner to

13:40

understand what is called the shared

13:42

responsibility model for the cloud so

13:45

what is the shared responsibility model

13:46

essentially it is defined as security of

13:49

the cloud versus Security in the cloud

13:52

okay so the cloud provider is

13:54

responsible for security off the cloud

13:56

and the asset owner is responsible for

13:59

security in the cloud what does that

14:01

mean exactly

14:04

so this is another view of what I just

14:08

mentioned where the cloud provider is

14:10

responsible for the cloud infrastructure

14:12

right the data centers the services the

14:15

cloud infrastructure that's the cloud

14:17

provider's responsibility to secure that

14:19

part of the solution the asset owner on

14:22

the other hand is responsible for

14:24

security in the cloud which means that

14:26

they are applications okay they are OT

14:29

and iot applications that they place in

14:31

the cloud security for those

14:33

applications and security of that data

14:35

is the responsibility of the asset owner

14:37

the cloud provider does provide a lot of

14:39

Security Services as well as

14:41

prescriptive guidance in order to help

14:44

the asset owner with their part of the

14:46

responsibility

14:48

in addition to that the cloud provider

14:50

is continuously monitoring and achieving

14:52

third-party validation for literally

14:55

thousands of different

14:57

compliance requirements security

14:58

compliance requirements and the asset

15:01

owner can take advantage of all of that

15:02

okay because the asset owner inherits

15:04

those security controls that are

15:06

operated by the cloud provider

15:13

so we talked about the Purdue model and

15:16

how the Purdue model gets upset I do

15:18

want to mention that the Purdue model is

15:20

yet very useful okay and this is an

15:23

example of using the Purdue model with

15:26

industrial internet of things with

15:28

Industrial Automation and control

15:30

systems and uh this is the iiot security

15:33

architecture it is aligned and it is

15:36

based on the Purdue model you can see

15:39

the different layers or levels of the

15:40

model at the bottom so you've got level

15:42

zero one two and three zero one two and

15:46

three that's part of the OT Network or

15:48

the operational technology network if we

15:50

take a look at that I actually have some

15:53

details in this architecture which is

15:56

shown in in different cells so in the

15:59

top cell you've got plcs or industrial

16:01

automation systems that support insecure

16:04

protocols and in this security

16:06

architecture we're converting the

16:07

insecure protocol to a secure protocol

16:10

right so taking like modbus or ethernet

16:12

IP and converting it to a secure

16:14

protocol like OPC UA or mqtt and doing

16:18

that as close to the source as possible

16:21

I have a second cell there and in that

16:23

second cell if you notice I have a data

16:25

diode or a unidirectional Gateway in

16:28

order to Able so that you can get data

16:30

out of that cell without allowing

16:32

anything to go into that cell

16:34

in my third cell I've got modern PLC so

16:38

modern Industrial Automation and control

16:40

systems that support secure protocols

16:42

out of the box

16:44

under the last cell at the bottom is an

16:46

iiot device in the OT Network that

16:49

supports secure protocols like mqtt

16:52

between layer 3 and layer 4 I I'm

16:56

crossing the otit network boundary so

16:59

level four and level five is ITN cloud

17:01

between level three and four I cross the

17:03

otit network boundary and I've

17:05

introduced an idmz or an industrial

17:08

demilitarized zone which can inspect all

17:11

the traffic going northbound as well as

17:13

southbound you can establish there are

17:16

different ways to establish secure

17:17

connectivity to cloud services you can

17:20

see on the top you can go over a VPN

17:23

connection so you can have side to side

17:25

VPN you can have a private connection or

17:27

Direct Connect

17:29

in addition in the center uh you can

17:32

have uh you can go over the public

17:34

internet in order to connect to cloud

17:36

services on the cloud side you've got

17:38

different services that can ingest data

17:40

manage devices store data and build

17:43

industrial iot applications in addition

17:46

to that the cloud provider provides

17:47

Security Services in order to secure the

17:50

edge the industrial Edge and the cloud

17:52

so in the technical report 62443 4-3

17:56

there is a section in that report which

17:59

talks about

18:01

the security capability is that cloud

18:03

providers can provide okay so when

18:05

implementing industrial iot use cases

18:07

the asset owner can take advantage of

18:10

different security capabilities provided

18:12

by the cloud provider what are some of

18:14

these capabilities so you have connected

18:17

asset inventory to manage your assets

18:19

your connected assets and iiot devices

18:21

you have identity and access control so

18:25

the cloud provider provides mechanisms

18:27

that every device every iot device is

18:29

given a unique identity with an x.509

18:32

certificate and you can manage

18:34

fine-grained policies using iot policies

18:36

in addition to that the cloud provider

18:39

provides mechanisms in order to generate

18:41

rotate and revocate credentials for your

18:45

iiot devices

18:47

patching and software updates is super

18:49

important and critical for iiot devices

18:51

and these are capabilities and services

18:53

for over-the-air updates

18:55

securing The Edge Gateway so in iiot

18:58

you'll always have an industrial Edge

19:00

that consolidates the data pre-processes

19:03

the data and then sends it off to the

19:04

cloud so you've got to secure the

19:06

industrial Edge you've got to secure the

19:09

edge Gateway and you've got to secure

19:10

the credentials on the edge Gateway

19:13

uh there are different ways as I

19:15

mentioned to establish secure

19:16

connections to cloud services as well as

19:19

secure remote access to on-prem

19:21

resources you go to encrypt data both at

19:24

rest as well as in transit and the cloud

19:26

provider provides services to encrypt

19:27

your data at the edge in transit in the

19:30

cloud

19:32

alerting and monitoring across the full

19:34

attack surface

19:35

as well as alerting and mitigation the

19:39

ability to create a security data Lake

19:41

in the cloud and security analytics in

19:44

the cloud can be provided by the cloud

19:45

provider and last but not the least is

19:48

backup and recovery of OT data and iiot

19:51

data in the cloud so the cloud provider

19:54

provides lots of different Services very

19:57

useful for asset owners to take

19:59

advantage of when building and securing

20:01

industrial iot applications at scale

20:05

foreign

20:07

so let's transition to Let's transition

20:10

to certifications so Isa secure is the

20:13

certification Institute for 62443 uh and

20:17

with that we've got the first iiot

20:20

certification that is available today it

20:23

is the icsa certification or the iiot

20:26

component security Assurance

20:28

certification

20:30

it is for iiot devices so these include

20:33

iiot sensors they could be temperature

20:35

sensors vibration sensor any iot device

20:38

that establishes a direct connectivity

20:40

to cloud services or it could be an edge

20:43

Gateway that consolidates data from

20:45

multiple devices processes the data at

20:47

the edge and then sends it to the cloud

20:49

so if you have any of these devices an

20:52

iiot sensor or an iot device or an iiot

20:56

Gateway you can take advantage of this

20:58

certification that's available today

21:00

okay by Isa secure

21:04

getting into some details on the

21:06

certification it is for devices and

21:08

gateways there are two certification

21:10

tiers you have the code here as well as

21:12

the advanced tier it is based on 4-1 and

21:15

4-2 which is the component grouping of

21:18

standards

21:20

um it does have extensions as well as

21:22

exceptions in terms of extensions it

21:25

provides the ability for

21:28

compartmentalization on the device

21:31

um

21:32

controlling software updates so these

21:34

devices need to have the ability to

21:35

control and manage software updates

21:38

secure remote access to the device

21:41

uh strong methods of authentication

21:43

using pki and we talked about x.509

21:45

certificates earlier as well as

21:47

component resilience of to DDOS attacks

21:51

there is also a requirement for security

21:53

maintenance audit in order to maintain

21:56

your certifications it's important to

21:59

note that this certification the

22:01

component certification does not include

22:03

does not incorporate and does not have

22:05

in it cloud services okay so for cloud

22:08

services we've got the system

22:10

certification the system certification

22:12

is yet work in progress it is again

22:15

going to be based on

22:18

um 4-1 3-3 as well as 2-4 it's going to

22:22

consider iiot use cases so one type of I

22:26

iot use case is data being sent to the

22:29

cloud for visualization and analytics a

22:32

second type of use case could be a

22:33

closed loop use case where you have

22:35

command and control from the cloud down

22:37

to on-prem resources yeah so this

22:39

certification the system certification

22:41

is going to consider industrial iot use

22:43

cases most of the requirements that

22:46

62443 has does apply to Cloud providers

22:49

as I mentioned earlier and risk

22:51

assessment and Zone and conduit models

22:52

can be used we took a look at that

22:54

earlier when I showed you a simple iiot

22:57

use case which used the zone and conduit

22:59

model

23:02

so these are the two certifications the

23:04

the component certification and the

23:06

system certification which is yet a work

23:08

in progress

23:10

so finally and I'm almost out of time

23:13

I'd like to end by saying that

23:17

uh 62443 right in terms of

23:22

uh in terms of the standards

23:24

there's a lot in there that can support

23:26

industrial iot use cases okay uh it

23:30

really provides a strong Foundation

23:31

there's no need to start over 62443 can

23:35

be reused and built upon right and and

23:38

the required iot requirements can be

23:40

added four six two four four three to

23:42

support industrial iot use cases a new

23:46

interpretation of six to four for three

23:47

concepts is needed uh the new

23:49

requirements that need to be added to

23:51

the 62443 standards and specifically the

23:54

sections 4-1 4-2 3-3 and 2-4

24:00

it's important to note that the

24:02

technical report that is published and

24:03

the feedback that is received that's

24:05

going to provide valuable inputs to the

24:07

different committees and the different

24:09

working groups in order to go and create

24:11

the technical requirements okay that

24:13

then finally get added and incorporated

24:15

into the standards uh these

24:17

certifications Isa secure certification

24:20

and Ice certifications need to be

24:23

updated new training materials will need

24:25

to be added uh related to iiot and 62443

24:29

and last but not the least uh my view is

24:32

that these standards and certification

24:34

bodies need to move faster because this

24:36

is happening industrial iot is already

24:39

used and will continue to be used in OT

24:42

environments because asset owners need

24:44

to improve and and want to improve

24:46

operational efficiencies as well as you

24:49

know ensure that these continue to stay

24:51

competitive

24:53

a couple of wrap-up slides in terms of

24:55

IC secure supporters you have all the

24:58

traditional Industrial Automation and

24:59

control companies but you can also see

25:01

you've got Cloud providers uh supporting

25:03

the ISA secure standards as you can see

25:05

on the top right hand side

25:08

foreign

25:09

and then finally there's lots of good

25:12

content and material both in terms of

25:14

the study reports as well as the iiot

25:17

component certification and these

25:19

materials are available you know on on

25:21

on these links and the presentation of

25:23

course is is available to to all of you

25:27

uh so with that I want to wrap it up I

25:29

really uh it was a pleasure to give this

25:32

presentation today thank you for taking

25:34

the time uh to attend this uh to attend

25:36

this this presentation I'm happy to take

25:39

questions now I'm going to be around for

25:41

the rest of the week so please find me

25:42

and would love to chat thank you

25:45

thank you

25:48

[Applause]