Don’t overshoot your security target


Security target insights

  • ISA/IEC 62443 standards guide organizations to align security objectives with business risks, specifying four target security levels that are not universally necessary for all systems.
  • Security levels by ISA/IEC, including Capability (SL-C), Target (SL-T) and Achieved (SL-A), help identify system capabilities and gaps, which inform the necessary enhancements to reach desired security states.
  • Establishing security levels involves assessing threats and impacts of cyberattacks on operational, financial and health/safety aspects.
  • Regular reassessment of target security levels is crucial as threats and technology evolve, ensuring that security measures are adequate and integrated into the organizational risk management strategy.

When evaluating your organization’s security objectives, it’s essential to understand how those objectives align with your overall risk strategy and the resources required to implement them through people, processes and technology. While it may seem best to aim for a highly secure and protected environment, the realities of what that would take to implement should prompt conversations about what the business risks actually require. The International Society of Automation (ISA) and The International Electrotechnical Organization (IEC) provide guidance on setting these security standards. While ISA/IEC 62443 offers four different target security levels, that does not mean every organization should aim to reach security level four.

Understanding ISA/IEC security levels

ISA/IEC 62443 is a set of documents that includes terms, concepts and models that stakeholders responsible for control systems’ cybersecurity can utilize. These documents help asset owners determine the security level required for their business needs and risk appetite. 62443 also contains materials for product developers to ensure their software and devices meet specific cybersecurity requirements and undergo a certification process to attest to them. There are three types of security levels used to identify the gaps that organizations should address. Understanding how they differ lays the foundation for your facility’s security.

  • Capability security level (SL-C): The level a system or component is able to achieve.
  • Target security level (SL-T): The level the organization wants to reach.
  • Achieved security level (SL-A): The actual security a system has at the time of evaluation.

The difference between SL-T and SL-A identifies the gaps an organization should address. These gaps can stem from the capabilities of the equipment itself, such as older devices that don’t support encryption or authentication, and must be mitigated to raise the SL-A.

Beginning with a security level assessment

Another critical reason to establish security levels is that a facility can have multiple security levels for different areas or functions. 62443 defines zones, which are logical or physical groupings of assets based on risk or other criteria, such as the criticality of the assets. Facilities may also create zones based on the organization responsible for the assets, or on the personnel and type of access they require. A ‘conduit,’ a grouping of communication channels, carries the communication between zones. Zones and conduits enable an organization to partition the System Under Consideration and apply an appropriate security level to each part based on risk and criticality. Not all zones need, or should, be at the same security level. This partitioning should be an organization’s first step in the security level assignment process. Getting all relevant stakeholders to agree on which devices belong in each zone makes it easier to choose the requirements needed to meet the target security level.

When considering an appropriate security level, evaluate which attack types a system can withstand. Is the system defending against coincidental or intentional violations? Should it withstand simple or sophisticated means of attack? There is a big difference between attackers with extensive resources or high motivation and those with few resources or little motivation. While news headlines report cyberattacks by large hacking organizations, that is most likely not a common threat an organization faces or should plan its defenses around. Organizations should also think through the threats and attacks their industry peers experience, since different industries may have unique factors that make them a target for attackers with more capability, motivation or resources.

Considering the impact of a cyberattack

The next area to assess is the consequences of a cybersecurity incident on your organization. Here are a few areas to reflect on:

Operational: A cybersecurity incident can cause facility outages. Will the operational impact on the business result in an outage at a single site, multiple locations or the entire organization? How long would the outage last?

Financial: Outages can result in lost revenue, but there may also be legal or regulatory consequences that have a financial impact. Would the incident result in a news event that impacts public confidence in the business?

Health, safety and environment (HSE): Injury of personnel, damage to equipment or buildings and impact on the surrounding environment may all be possible outcomes of a successful attack. Does the system control dangerous processes or hazardous materials? Who and what is affected if the system is compromised?

As part of the sequence of steps for identifying the appropriate security level, categorize the operational, financial and HSE consequences as low, medium or high risk. 62443-3-2 contains tables to help an organization make these determinations. Mapping the risk levels to a specific 62443 security level differs slightly for each organization. As a rule of thumb, the lower the risk level, the lower the security level, but a high risk level should not be assigned SL-1 or SL-2. Similarly, a low risk level should not be assigned SL-3 or SL-4. The scale and impact of the consequences should drive the target security level, and a business should assess whether the requirements of a security level would lower the identified risks to a tolerable level.

Putting these security levels in perspective

To make the above concepts practical, consider a facility that creates biodiesel. This facility deals with hazardous processes and chemicals, but many parts of the facility have relatively low-risk activities. The first step in establishing target security levels is partitioning the equipment and devices into zones and conduits. There may be zones for receiving raw materials, a zone for the biodiesel creation process, a zone for the safety systems and other zones for loading the finished goods onto trains or into containers. The risk levels for these zones are not the same, because the severity of an incident’s consequences differs from zone to zone. For example, an incident involving spilled soybeans is far smaller in size and scale than an incident involving the safety systems for the hexane used in the oil extraction process, which may result in fire or explosions. When mapping the risk levels to target security levels in this example, the raw material receiving zone may be assigned SL-1 and the safety system zone may be assigned SL-3 or SL-4.

With the target security levels assigned, the organization must review the requirements that correspond to the specific security level of each zone. The business must assess how the environment is configured for existing systems and determine the SL-A and SL-C of the security functionality in place. From there, work can begin to remediate gaps so that the devices, software and components within each zone meet the target security level requirements. Existing components may lack the functionality needed to meet these requirements, which may drive conversations about replacing the component, implementing compensating measures or re-evaluating the target security level.
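As an added illustration of the risk-to-SL-T mapping and the SL-T versus SL-A/SL-C gap analysis described above (example code written for this page, not part of the original article or of the 62443 standard), the following Python model applies the article's rule of thumb to a few constructed biodiesel-facility zones. The treatment of medium risk as SL-2/SL-3, the choice of the lowest allowed level as the proposed SL-T, and all zone values are assumptions.

```python
from dataclasses import dataclass

# Risk categories the article uses per consequence area, ranked low to high.
RISK_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Zone:
    name: str
    operational: str   # low / medium / high
    financial: str
    hse: str
    sl_c: int          # SL-C: capability of the weakest component in the zone
    sl_a: int          # SL-A: level achieved at the last evaluation

    def overall_risk(self) -> str:
        """Overall zone risk is the worst of the three consequence areas (assumption)."""
        return max(self.operational, self.financial, self.hse, key=RISK_RANK.get)


def allowed_targets(risk: str) -> set[int]:
    """Article's rule of thumb: high risk is never SL-1/SL-2, low risk is never SL-3/SL-4.
    The article does not constrain medium risk; limiting it to SL-2/SL-3 is an assumption."""
    return {"low": {1, 2}, "medium": {2, 3}, "high": {3, 4}}[risk]


def propose_target(zone: Zone) -> int:
    """Propose the lowest SL-T the rule of thumb allows for the zone's overall risk."""
    return min(allowed_targets(zone.overall_risk()))


def gap_analysis(zone: Zone, sl_t: int) -> str:
    """Classify the gap between SL-T and the zone's SL-A / SL-C, as the article describes."""
    if sl_t not in allowed_targets(zone.overall_risk()):
        return "invalid target"          # violates the high/low rule of thumb
    if zone.sl_a >= sl_t:
        return "meets target"
    if zone.sl_c >= sl_t:
        return "configuration gap"       # capability exists; raise SL-A by enabling it
    return "capability gap"              # replace, add compensating measures, or re-evaluate SL-T


# Constructed zones for the biodiesel facility in the article (values are illustrative).
RECEIVING = Zone("raw material receiving", "low", "low", "low", sl_c=2, sl_a=1)
PROCESS = Zone("biodiesel process", "medium", "high", "medium", sl_c=2, sl_a=2)
SAFETY = Zone("hexane safety system", "medium", "high", "high", sl_c=3, sl_a=2)

if __name__ == "__main__":
    for z in (RECEIVING, PROCESS, SAFETY):
        t = propose_target(z)
        print(f"{z.name}: risk={z.overall_risk()} SL-T={t} -> {gap_analysis(z, t)}")
```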

Defining the target security level for zones is not a one-time action, as threats, consequences, or technological changes can impact the designation of the risk level. Evaluating the zones should be conducted periodically or when significant environmental changes occur. During evaluation, working with the asset owners and other stakeholders is essential for obtaining the necessary support and resources to meet and sustain the security requirements. It’s much easier to start a project with security in mind rather than trying to correct gaps after finishing the project. The ISA/IEC 62443 security levels help organizations smartly manage risk by applying appropriate protections to systems instead of a one-size-fits-all solution, which may be a poor fit for many systems within a facility.
