IEC 62443: The New Gold Standard for Network Segmentation in ICS and SCADA networks

In the past two months, I’ve attended various conferences, including the Smart Grid and SCADA Cybersecurity event in London, where experts discussed the protection of critical infrastructure, more specifically, the electricity, gas and water distribution systems, as well as transportation and emerging smart city grids. Protecting these is paramount to avoid the socio-economical impact of a cyber attack on those grids.

What are some of the fundamental challenges?

1. Commonly used industrial protocols (Modbus, IEC 61850,...) were not designed with security in mind and lack basic authorization features;
2. Industry networks were never designed to account for potential intrusions;
3. There are numerous unpatched and unpatchable systems;
4. New technologies such as mobile computing, smart metering, and the slow but inevitable evolution towards IP-based access exposes operational networks more and more to cyberattacks.

One standard that emerges across all these discussions as a "must-deploy" best practice is IEC 62443 (formerly known as ISA99). This standard prescribes a clear definition of zones and conduits (what traditional enterprise IT would refer to as "network segmentation") to establish better control over access and security within ICS and SCADA networks.

Our approach to network segmentation and traffic control enables you to rapidly deploy the above standard guidelines without disruption to your day-to-day operations. Here are recommendations on how to apply Palo Alto Networks to further secure your environment:

1. Identify the few applications, protocols and control commands that are legitimate on any zones of your SCADA network or ICS;
2. Block everything but the above legitimate applications and systems. Our App-ID technology enables you to easily implement such tight controls at the application level;
3. Apply similar granular control to your user population using our User-ID technology;
4. Turn on our threat detection capability and block known threats and identify unknown ones.

Nos. 1-3 will drastically reduce the scope of your security challenge while providing you complete visibility into which application, user and content is on your network. No. 4 will ensure that any targeted cyber attack gets detected immediately and that its propagation within your environment is automatically stopped.

At Palo Alto Networks, we often refer to the above model as network segmentation based on a zero-trust approach.

If you’re interested in learning more about our approach to cybersecurity for SCADA systems and ICS, visit our web page dedicated to this topic.