Zones and Conduits: Essential Building Blocks of Industrial Network Security

03 Oct 2024
By Thomas Vasen
Anybus
In our ongoing exploration of cybersecurity, Thomas Vasen, Business Development Manager for Network Security at HMS Networks, highlights how adopting ISA/IEC 62443-3-3 standards and implementing zones and conduits can fortify critical industrial operations against evolving cyber threats.


The Growing Need for Robust Cybersecurity

Industrial sectors, encompassing everything from manufacturing plants to energy grids, are increasingly vulnerable to cyber-attacks due to the critical nature of their operations. As cyber threats continue to evolve, safeguarding Industrial Control Systems (ICS) and Operational Technology (OT) environments has become imperative. Implementing rigorous cybersecurity standards, such as ISA/IEC 62443-3-3, and deploying industrial firewalls are crucial steps in mitigating these risks.


Understanding ISA/IEC 62443-3-3

ISA/IEC 62443-3-3 is part of the ISA/IEC 62443 series, a comprehensive framework designed to secure industrial automation and control systems (IACS). This specific standard focuses on system security requirements and levels, detailing the security capabilities that industrial systems must have to defend against diverse cyber threats.



 


Key aspects of ISA/IEC 62443-3-3 include:

  • Access Control: Restricting access to critical components to authorized personnel and systems only.

  • Use Control: Regulating control system usage to prevent unauthorized actions.

  • System Integrity: Ensuring data and system reliability.

  • Data Confidentiality: Protecting sensitive information from unauthorized access.

  • Restricted Data Flow: Controlling communication paths to prevent unauthorized data exchange.

 

This standard is not only increasingly mandated by regulatory bodies but is also recommended by asset owners, regulators, and insurance companies as a framework for designing and operating secure industrial systems.

 


The Importance of Adopting ISA/IEC 62443-3-3

Adopting ISA/IEC 62443-3-3 is essential for several reasons:

  1. Enhanced Security Posture: Following a globally recognized standard strengthens the security framework, making it more challenging for cyber attackers to breach.

  2. Regulatory Compliance: Compliance with evolving cybersecurity regulations is ensured by adopting this standard.

  3. Operational Continuity: Protecting systems from cyber threats helps avoid downtime and operational disruptions, which can be costly.

  4. Reputation Management: A strong cybersecurity posture prevents breaches and maintains the organization’s public image.

 

Asset owners are encouraged to use a risk-based approach to assess cybersecurity needs, understanding how various scenarios impact operations and business. Asset owners are encouraged to use a risk-based approach to assess cybersecurity needs, understanding how various scenarios impact operations and business. To do this, asset owners can use the guidelines in the ISA/IEC 62443 framework, which provide the following four security levels:


Different systems within the same operational environment may require varying levels of security depending on their potential impact if compromised.


Network Segmentation in ISA/IEC 62443-3-3

Network segmentation is a pivotal aspect of cybersecurity, highlighted in foundational requirement FR5, "restrict data flow," within the ISA/IEC 62443-3-3 standard. Proper segmentation isolates and protects distinct network areas, mitigating the potential impact of security breaches.

A common approach to segmentation is through Virtual Local Area Networks (VLANs). VLANs create virtual boundaries within a single physical network, enhancing security by separating traffic. While VLANs are suitable for achieving System Security Level (SSL) 1, physical network segmentation is recommended for more stringent security needs, aligning with System Security Level (SSL) 2.

For example, segmentation between a Safety Instrumented System (SIS) and a Distributed Control System (DCS) can be achieved with layer 3 switches and VLANs for SSL 1. However, to meet SSL 2 standards, physical segmentation is necessary, in line with SR 5.1—Network Segmentation: Physical Segmentation.

Higher security levels come with increased costs, so a thorough risk assessment is vital to determine the most cost-effective security measures based on the specific risk profile of the system.


 


The Role of Industrial Firewalls

Industrial firewalls play a crucial role in implementing the security measures outlined in ISA/IEC 62443-3-3. Rather than relying solely on a layered defense approach, which can often result in vulnerable architectures, the ISA/IEC 62443-3-3 framework advocates for isolating systems within zones and controlling inter-zone communication strictly.

Industrial firewalls, functioning as conduits, contribute significantly to security by:

  1. Segmentation and Isolation: Firewalls divide networks into manageable zones, preventing threats from spreading and preserving overall system integrity.

  2. Access Control: They enforce access control policies, ensuring only authorized entities interact with critical assets.

  3. Traffic Monitoring and Filtering: Continuous monitoring and filtering of network traffic help detect and block malicious activities in real-time.

  4. Incident Detection and Response: Advanced threat detection capabilities allow for rapid responses to potential threats.

  5. Securing Remote Access: Firewalls enable secure remote access, balancing operational efficiency with security best practices.

Implementing industrial firewalls according to ISA/IEC 62443-3-3 involves conducting regular risk assessments, defining and enforcing security policies, updating and patching security devices, and continuous monitoring and improvement. North/South traffic is controlled by firewalls, while East/West traffic is managed by Coupler Gateways, which only permit industrial protocol content and block unauthorized IP communication between zones.



Conclusion

Adopting ISA/IEC 62443-3-3 and implementing industrial firewalls are not merely best practices but essential measures in today’s cyber threat landscape. By strengthening industrial systems' security through these measures, organizations can protect their operations, ensure regulatory compliance, and maintain their reputation. Embracing these strategies helps create a resilient industrial environment capable of minimizing impact and withstanding sophisticated cyber threats. 

About the Author 

Thomas Vasen is Business Development Manager Network Security at Anybus, a division of HMS Networks. With over 25 years of experience in operations and security within telecom, military and critical infrastructures, Thomas now focuses specifically on helping companies managing risks and securing the uptime in their operational technology (OT) environments.   

 

Products used for industrial network security 

Network security products - Discover the variety of industrial network security appliances that will elevate network protection. 

 

View Products