IEC (International Electrotechnical Commission) publishes IEC 62443-2-1:2024, setting security standards for industrial automation and control systems
IEC 62443-2-1:2024 | Security for industrial automation and control systems - Part 2-1: Security program requirements
This document uses the broad definition and scope of what constitutes an IACS as described in IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS. This document recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware
This document does not specify that an IACS has these technical requirements. This document states that the asset owner needs to have policies and procedures around these types of requirements. In the case where an asset owner has legacy systems that do not have the native technical capabilities, compensating security measures
This edition includes the following significant technical changes with respect to the previous edition:
a) revised requirement structure into SP elements (SPEs),
b) revised requirements to eliminate duplication of an information security management system
c) defined a maturity model for evaluating requirements
Check the sample document here. Source: https://lnkd.in/erU2BP29
Follow John Kingsley and press 🔔 to get instant notifications for such insightful information.
OT SECURITY PROFESSIONALS #IEC62443 #otcybersecurity #cybersecurity #infosec #IACS #stride #securityprofessionals #threatmodeling #API #informationsecurity #itsecurity #networksecurity #productsecurity #hardwaresecurity #embeddedsecurity #securitybydesign #APIsecurity #securitylevel #generativeAI #chatgpt #threatmodel #IOT #InsiderAttack #dataprivacy #DataProtection #DataSecurity #PersonalDataProtection ISA Bangalore ISA SAFETY AND SECURITY DIVISION Industrial Cybersecurity Hub #AI #secureAI #SmartGrid #assetowners
Product manager and portfolio owner system cyber
5mo
It is good that the IEC 62443 is aligned with the real world. Legacy systems for security functions are a fact of life. Expecting that assets always meet the security lifecycle is not how it works in reality. Especially not at the automation layer of an IACS. Any major change might lead to new commissioning, extended engineering, and outages due to the implementation time and functional tests. It will be way more complicated when we have expensive devices at those layers and also require TLS encryption and key management. The lifecycle of TLS is much shorter than the function of the device itself. Who is willing to replace those devices when the latest TLS protocol is not supported anymore and is considered "insecure"? Risk management should play a bigger role for IACS instead of the latest security technology.
Connector of ideas, people and "dots" | Catalyst for innovative solution creation & delivery | Referral partner business developer with focus on critical function cybersecurity and asset monitoring
5mo
And to me, this is a key aspect to this segment of IEC 62443-2-1 that owner/operators may have been working under or have used it as a crutch to not define and implement compensating measures: "In the case where an asset owner has legacy systems that do not have the native technical capabilities, compensating security measures can be part of the policies and procedures specified in this document." Creating Zones and Conduits to create segmentation and isolation would be a good 1st step in architectural improvement, along with more stringent MFA authentication for improved access management to limit unauthorized access, and implementing encryption where it doesn't impact operational bandwidth or latency parameters.
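The zones-and-conduits compensating measure mentioned in the comment above can be made checkable rather than just documented. The block below is an added example (not from the post, the commenters, or the IEC 62443 text): it models a small IACS network as zones (IP ranges) and a deny-by-default set of conduits (permitted zone-to-zone flows by protocol and port), then runs constructed flow records through that model and flags any cross-zone traffic that bypasses a declared conduit. The zone names, address ranges, conduits and log lines are all assumptions made up for the illustration; the legacy PLC zone stands in for devices that cannot do TLS or MFA natively and so rely on the conduit restriction instead.

```python
"""Deny-by-default zone/conduit check over constructed flow records.

Added illustration only. ZONES, CONDUITS and SAMPLE_FLOWS are invented for
this example and do not come from the post or from IEC 62443-2-1.
Flows are taken as initiator -> responder (as a stateful firewall or a
NetFlow/Zeek-style exporter would log them), so a conduit is one-directional.
"""
import ipaddress
from dataclasses import dataclass

# Zones: named groups of address ranges (hypothetical layout).
ZONES = {
    "enterprise":  [ipaddress.ip_network("10.0.0.0/16")],
    "dmz":         [ipaddress.ip_network("10.1.0.0/24")],
    "engineering": [ipaddress.ip_network("192.168.10.0/24")],
    "legacy_plc":  [ipaddress.ip_network("192.168.20.0/24")],   # devices with no native auth/crypto
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Declared conduits; anything cross-zone that is not listed here is a violation.
CONDUITS = {
    Conduit("engineering", "legacy_plc", "tcp", 502),   # Modbus/TCP from engineering only
    Conduit("enterprise", "dmz", "tcp", 443),           # enterprise users reach the DMZ historian
    Conduit("dmz", "engineering", "tcp", 443),          # DMZ relay pulls from engineering
}


def zone_of(ip: str):
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def parse_flows(text: str):
    """Parse constructed 'timestamp src dst proto dport' lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def evaluate(flow: dict):
    """Return ('allow' | 'deny', reason) for one flow under the conduit model."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone ({src_zone})"
    candidate = Conduit(src_zone, dst_zone, flow["proto"], flow["dport"])
    if candidate in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"


def find_violations(flows):
    """Flows that cross a zone boundary without a matching conduit."""
    out = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            out.append((flow, reason))
    return out


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """
2024-05-01T10:00:01Z 192.168.10.5 192.168.20.7 tcp 502
2024-05-01T10:00:02Z 10.0.4.21    192.168.20.7 tcp 502
2024-05-01T10:00:03Z 10.0.4.21    10.1.0.10    tcp 443
2024-05-01T10:00:04Z 192.168.20.7 192.168.20.9 tcp 502
2024-05-01T10:00:05Z 192.168.10.5 192.168.20.7 tcp 22
"""

if __name__ == "__main__":
    for flow, reason in find_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']} "
              f"{flow['proto']}/{flow['dport']}: {reason}")
```

Two of the five constructed flows are flagged: Modbus/TCP into the legacy PLC zone from an enterprise host (the conduit only admits the engineering zone), and SSH from engineering to the PLC zone (a permitted zone pair but an undeclared port). The same allow-list can be turned into the actual firewall policy between the zones; running it over exported flow logs as above is the check that the compensating measure is still holding, which is the evidence an asset owner's security program needs for a device that cannot be hardened natively.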