POWER June 2021 - 37

CYBERSECURITY
solely on humans, it does not mean that
humans should be removed from the
process altogether. Instead, the idea is
to find the optimum point of interaction
between technology and humans.
The Referral List
The first section of the standard (IEC
62443-1-1) introduces seven fundamental
requirements for cybersecurity, which
are identification and authentication
control, use control, system integrity,
data confidentiality, restricted data flow,
timely response to events, and resource
availability. In addition, the standard also
sets out some system requirements and
suitability for each security level.
Higher levels of security will require
more features and configurations with
high levels of complexity. Similarly, for
lower levels, fewer features will be required.
Therefore, the security levels
(SLs) established by the standard must
have their requirements implemented
differently to achieve their objectives.
Annex B of IEC 62443-3-3 shows a clear
relationship between requirements and
security levels, allowing the creation of
a fully auditable list for each piece of
equipment for each security level.
The Human Factor
A systematic configuration and verification
system aims to defend automation
systems against the types of threats
defined by the standard, but it has other
advantages as well. As previously mentioned,
an extremely important issue is
how humans can introduce vulnerabilities
to automation systems.
Decisions are necessary when implementing
cybersecurity measures. Decision-making
here means the choices that the
standard leaves to operators.
It often involves complex decisions that
only users are able to determine. In this
sense, the systematic configuration and
verification system should support users,
but should not decide on their behalf.
It should assist users to implement their
decisions easily, without compromising or
influencing their decision-making process.
An important concept introduced in
IEC 62443-1 that requires decision-making
is security zones, where equipment
within the same zone must be protected
by the same "achieved security level"
(SL-A, where "achieved" denotes the
protection of an asset or zone). However,
this does not mean that all zones
must have the same security level. For
this reason, it is necessary to have the
flexibility to allow lower or even customizable
levels of security.
The security level required for an asset
or zone and the decision whether or
not to apply specific security settings to
an existing process are determined by asset
owners. Owners can measure and
understand the applicability and impact
of each configuration to the system.
It is essential to highlight that the implementation
of these functionalities in a production
system, even if recommended by
the standard, must be evaluated through
an appropriate risk assessment, and its
impact on the current system operation
should be evaluated. The result of this is
that no implementation is performed automatically
without users' consent.
Software-Aided Implementation
Compared to the decision-making process,
the configuration process tends
to be simpler, but as mentioned earlier,
this process has other difficulties, such
as the repeatability and complexity of
certain types of configurations that can
lead to human error. The configuration
process mentioned in this article is defined
as the implementation of the technical
policies and does not require any
decision-making processes, only the
execution of tasks.
The list available in Annex B of IEC
62443-3-3 is the basis for the security verification
system. It allows users to compare
without subjectivity whether the audited
equipment is correctly configured or not.
By conducting a network scan and
comparing current settings with desired
ones, deliberate or unintentional acts that
compromise cybersecurity settings are
resolved, ensuring uniform security within
the zone. As zone security is defined
by its weakest link, it is therefore of the
utmost importance that all equipment in
the same zone has the same protections.
Additionally, this feature assists an
automatic system audit, where even if
users have made mistakes, a new audit
can be performed quickly to find vulnerabilities.
It is important to mention that
any verification or changes made to production
systems should be evaluated
and tested prior to implementation.
Using Images Rather Than Lists.
One of the most efficient ways to support
the security checking process without
compromising users' judgment is to
use graphical representations rather than
lists to identify equipment on networks.
It has been acknowledged for a long time
that the human brain processes images
and words differently, and that despite
having many similar cognitive processes,
images and words end up having different
processing times. In short, images are
processed faster and are easier to recognize
by the human brain. Therefore, using
graphical representations helps quicken
the identification of the security settings
of each device, as shown in Figure 1.
Using Colors. The second point to be
considered is color differentiation to highlight
different levels of security. The human
brain can easily recognize different color
tones, which means that different colors
can be used to offer users a quick identification
of the security status of each device
and inform them of possible actions that
have to be taken. Due to the importance
of this, a color palette should be selected
that ensures that color-blind people can differentiate
between the colors.
Configuration Level
When the security verification system
scans and finds a mismatch between the
settings recommended by the standard
and the current ones deployed, users
must decide how to proceed. If a mismatch
is found, it is likely to be due to
one of two reasons.
In the first scenario, users identify which
suggestions can be implemented and
authorize the system to perform the update,
assuming the equipment is capable
of performing the update. In the second
scenario, when a mismatch is noted, the
equipment does not have these features
and capabilities. In this scenario, a risk assessment
should be performed to assess
whether or not the system can remain
with these vulnerabilities or whether there
are measures to counteract them. Regardless
of these scenarios, it is important that
where possible, users implement the required
minimum security functionalities
discussed by the standard so that the zone
to which it belongs is secure.
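The verification loop described under Software-Aided Implementation and Configuration Level, sketched as an added example that is not from the article or from any vendor tool: scanned settings are compared with a per-level baseline, each mismatch is sorted into "needs operator approval" or "needs risk assessment", and the zone is rated by its weakest device. The setting names, their security levels and the device names are constructed placeholders, not the Annex B table of IEC 62443-3-3.

```python
from dataclasses import dataclass

# Constructed placeholder baseline: setting -> lowest SL that requires it.
# These names and levels are NOT the Annex B table of IEC 62443-3-3.
REQUIRED_FROM_SL = {
    "unique_user_accounts": 1,
    "encrypted_management": 2,
    "event_log_forwarding": 2,
    "mfa_for_admins": 3,
}

@dataclass
class Device:
    name: str
    enabled: set    # settings the scan found switched on
    supported: set  # settings the equipment is capable of

def required_for(sl):
    return {s for s, first in REQUIRED_FROM_SL.items() if first <= sl}

def achieved_level(device, target_sl):
    """Highest level up to target_sl whose requirements are all enabled."""
    level = 0
    for sl in range(1, target_sl + 1):
        if not required_for(sl) <= device.enabled:
            break
        level = sl
    return level

def audit_zone(devices, target_sl):
    """Return (zone level, findings); the weakest device sets the zone level."""
    findings = []
    for d in devices:
        for setting in sorted(required_for(target_sl) - d.enabled):
            action = "needs_approval" if setting in d.supported else "risk_assessment"
            findings.append((d.name, setting, action))
    zone_level = min((achieved_level(d, target_sl) for d in devices), default=0)
    return zone_level, findings

def apply_approved(devices, findings, approved):
    """Enable only fixes the operator approved and the device supports."""
    by_name = {d.name: d for d in devices}
    applied = []
    for name, setting, action in findings:
        if action == "needs_approval" and (name, setting) in approved:
            by_name[name].enabled.add(setting)
            applied.append((name, setting))
    return applied

def demo():
    # Constructed scan result for one zone whose target is SL 2.
    zone = [
        Device("switch-a", {"unique_user_accounts", "encrypted_management",
                            "event_log_forwarding"}, set(REQUIRED_FROM_SL)),
        Device("rtu-b", {"unique_user_accounts"},
               {"unique_user_accounts", "encrypted_management"}),
    ]
    before, findings = audit_zone(zone, 2)
    applied = apply_approved(zone, findings, {("rtu-b", "encrypted_management")})
    after, remaining = audit_zone(zone, 2)
    return before, findings, applied, after, remaining
```

In the constructed zone, approving the one supported fix still leaves the zone at level 1, because the second device cannot provide the remaining setting; that finding stays open for a risk assessment.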
Maintaining a Secure System
A security verification system should not
be seen as the sole resource to ensure appropriate
cybersecurity implementation,
as cybersecurity is complex and requires
a multifocal approach. However, a security
verification system can assist those
responsible for implementing cybersecurity
by helping them to objectively implement
the requirements recommended by
the standard. This approach aims to avoid
the problems that occur when there is
too much reliance on humans performing
the security settings. ■
-Felipe Sabino Costa is an industrial
cybersecurity expert for Moxa's
Latin American region.
http://www.powermag.com