Commercial Off-the-Shelf Components Need Elevated Cybersecurity Protection: ISA’s New Report
Durham, NC, 23 July 2024 — The International Society of Automation (ISA) — the leading professional society for automation — has announced the release of a white paper describing recommendations for raising the safety and security bar for automation and control systems. ISA published the paper in tandem with its ISASecure® cybersecurity certification program and the ISA Global Cybersecurity Alliance (ISAGCA).
This paper advocates designing and certifying commercial off-the-shelf (COTS) products to a minimum of security level 2 (SL2) as defined in the ISA/IEC 62443 series of standards, the world’s leading consensus-based standards for control systems cybersecurity. Titled “The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components,” the 23-page report outlines how the SL2 criteria increase product security capabilities over the less stringent requirements of security level 1 (SL1). SL1 capabilities are intended to protect only against casual or coincidental security violations, not against malicious or deliberate ones. ISA’s report describes how SL2 adds stronger measures against the intentional attack vectors that are more prevalent today.
“We are seeing an increasing number of intentional cyberattacks against industrial automation and control systems,” said Andre Ristaino, managing director, ISA conformity assessment programs. “Commercial off-the-shelf products are being subjected to these targeted attacks. The ISA/IEC 62443 series is the leading set of international cybersecurity standards for the operational technology (OT) landscape, and security level 2 capabilities present the ideal minimum guidelines for protecting COTS products. This new paper provides a great briefing on the security capabilities necessary to meet ISA/IEC 62443 SL2.”
The report includes a review of how SL2 criteria can increase the resiliency of COTS components in a cybersecurity incident, as well as that of any system into which the components are integrated. SL2 criteria require that a component:
- Uniquely distinguish between individual human or non-human users interacting with the component, increasing the ability to trace the source for user activity that may constitute an attack.
- Authenticate itself to an overall system into which it has been integrated, raising the level of trust between the system and component.
- Provide the ability to tailor human role definitions to reflect site operations, limiting unnecessary insider access.
- Close communication sessions that have become inactive, rather than leaving them open as potential attack vectors.
- Verify the source of communications to the component, limiting sources for network attacks.
- Protect test interfaces from use as potential attack vectors.
- Increase assurance that code in execution — including mobile code, updates and upgrades — came from a trusted source and has not been subject to tampering.
“The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components” is available for download on the ISASecure and ISAGCA websites.
About ISASecure
Founded in 2007 by the International Society of Automation (ISA), the ISASecure program’s mission is to provide the highest level of assurance possible for the cybersecurity of automation and control systems.
Founders and key supporters of ISASecure® include: BP, Chevron, ExxonMobil, Saudi Aramco, Shell, YPF, GSK, Honeywell, Johnson Controls, Schneider Electric, Trane, Yokogawa, Carrier, Siemens, Amazon Web Services, exida, TUV Rheinland, CSSC, FM Approvals, Synopsys, Trust CB, UL Solutions, SecurityGate, Interstates, BYHON, TUV SUD, ITRI and Bureau Veritas.
The Program’s ISASecure™ designation signifies to the marketplace that automation and control system products conform to industry-consensus cybersecurity standards. The ISASecure trademark provides confidence to users of ISASecure-certified products and systems and creates product differentiation for suppliers who conform to the ISASecure specifications. Learn more at www.isasecure.org.
About ISAGCA
The ISA Global Cybersecurity Alliance (ISAGCA) is a collaborative forum to advance OT cybersecurity awareness, education, readiness, standardization, and knowledge sharing. ISAGCA is made up of 50+ member companies and industry groups, representing more than $1.5 trillion in aggregate revenue across more than 2,400 combined worldwide locations. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards. Learn more at www.isagca.org.
About ISA
The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA’s mission is to empower the global automation community through standards and knowledge sharing. ISA develops widely used global standards and conformity assessment programs; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world. Learn more at www.isa.org.
###