Post on 07-Aug-2020


Page 1: IN CONTROL WITH SECURA

MINIMIZE RISKS FOR ICS BY USING STATE-OF-THE-ART SECURITY STANDARDS AND FRAMEWORKS

Industrial Control Systems (ICS) can be found in many of a nation's critical infrastructures. These include nuclear plants, the oil & gas industry, transportation, chemicals processing, and other process industries. ICS are also significant elements within the general manufacturing process, as they can monitor, take decisions and automate parts of a company's processes.

Due to their wide spread, as well as the criticality of the domains in which they are used, the security of Industrial Control Systems and components should be taken into account equally with other aspects such as performance or safety.

There are many vectors through which cybersecurity attacks can be devised targeting ICS, each of them resulting in possible critical threats and impacts. A successful way to significantly reduce and control these risks is by aligning the whole life cycle of a system to state-of-the-art standards and frameworks.


Secura has worked in information security and privacy for nearly two decades. This is why we uniquely understand the challenges that you face like no one else and would be delighted to help you address your information security matters efficiently and thoroughly. We work in the areas of people, processes and technology. For our customers we offer a range of security testing services varying in depth and scope.

SECURITY TESTING & COMPLIANCE FOR ICS/SCADA

IN CONTROL WITH SECURA

Page 2

Secura understands that the security of ICS is a shared process; therefore, we designed our assessment and certification services to cover all involved parties, from manufacturers to end users.

ICS/SCADA LANDSCAPE

The ICS industry landscape can be structured as manufacturers, integrators and end users. Manufacturers design and produce various ICS components and systems, such as Distributed Control Systems (DCS), Programmable Logic Controllers (PLC) or Supervisory Control and Data Acquisition systems (SCADA).

Integrators and end users make use of the products and systems developed by the manufacturers. Integrators are companies which acquire ICS systems from manufacturers and install them into various environments for a customer (end user). Note that the integration step can be performed by the manufacturers as well.

End users make use of the systems within their organization. They are in charge of supervising and maintaining the systems, unless other entities (e.g. the integrators) take this responsibility.

As can be seen, there is a strong relation between the involved parties, which is why security responsibility needs to be shared among each of them.

SECURITY STANDARDS FOR ICS/SCADA

The diagram on the next page provides an overview of the different actors and phases relevant to the ICS life cycle. Secura selected relevant standards to perform testing and compliance assessments for the ICS/SCADA industry.

IN CONTROL WITH SECURA

Secura has worked in information security and privacy for over 18 years. By leveraging our experience and expertise, we are a strong partner to address your information security matters efficiently and thoroughly. Secura performs testing and compliance assessments in the areas of people, processes and technology.

Page 3

For ICS/SCADA we offer the following services, in line with international standards and frameworks:

• For ICS components/systems manufacturers:
  • Security Assessment on the development process
  • Security Assessment on product security
• For ICS users and integrators:
  • Security Assessment of ICS systems integration procedures
  • Security Gap Analysis for existing ICS systems and components
  • Security Assessment of organization-level cybersecurity practices

SECURITY ASSESSMENTS FOR ICS/SCADA MANUFACTURERS

The security of an off-the-shelf ICS component or system relies heavily on the design and development process. Secura supports manufacturers with aligning the individual development stages to internationally recognized standards and frameworks, providing assurance on the security level of their products.

We base our assessment on the internationally well-known IEC 62443 family of standards, which sets out the state-of-the-art security requirements in the domain of ICS. For manufacturers, the specifically relevant standards from this family are:

• IEC 62443-4-2, addressing component security requirements
• IEC 62443-4-1, addressing product development requirements

In addition, the assessment based on IEC 62443 can be supplemented with the requirements highlighted in UL 2900 and the ENISA baseline requirements. These state-of-the-art standards provide added value by addressing specific development process stages, such as risk analysis, required product documentation, supply chain security or quality management requirements.

APPLICABILITY SELECTION

During the assessment, we select the relevant requirements from these standards that are applicable to your product, based on its use case and associated risk level.

SECURITY VALIDATION

After this tailored selection step, the product's security functions, as well as the processes related to its development, are validated through testing, document review or audit activities. As an example, IEC 62443-4-2 tests the security controls of the device, such as secure authentication, role separation, PKI implementation, event logging, secure port access or data encryption.

REPORTING

The final deliverable is an Assurance Report, devised according to international assurance standards such as ISAE 3000 and signed off by a certified auditor.

[Diagram: ICS/SCADA actors, life cycle phases (Development & Deployment) and the standards applied to each]

Actor               Phase                          Standards
Manufacturers       Development                    IEC 62443, UL 2900, ENISA requirements
Users/integrators   Integration                    IEC 62443
Users/integrators   System security gap analysis   IEC 62443, UL 2900, ENISA requirements
Users/integrators   Organization cybersecurity     NIST CSF, NIST 800-53, NCSA, DHS catalog

Page 4

INTERESTED?

Would you like to learn more about our services? Please do not hesitate to contact us.

Vestdijk 59, 5611 CA Eindhoven, Netherlands
Karspeldreef 8, 1101 CJ Amsterdam, Netherlands
T +31 (0)40 23 77 990
E [email protected]
www.secura.com

OUR VALUE TO YOU

The assessment will demonstrate compliance with state-of-the-art security requirements, in the form of an internationally recognized report. This will enable you to showcase the security of your product, which could lead to a significant market advantage. Moreover, implementing and following the standards applicable to your business helps you structurally increase security and show this to the markets you are active in.

SECURITY ASSESSMENTS FOR ICS/SCADA USERS/INTEGRATORS

The world of ICS users is at least as dynamic as that of the manufacturers. While an ICS component or system can be secure in its off-the-shelf state, its integration and further usage are vital for the security of the organization as a whole. Secura can support you in aligning and certifying the secure deployment of ICS products against state-of-the-art standards.

The base of our assessment for ICS integrators and end users is the IEC 62443 family.

ICS systems integrators can get assurance on their procedures based on the IEC 62443-2-4 standard.

Once the system is integrated, most of the secure usage responsibility falls on the end user organization. Implementation of a correct ICS cybersecurity program following IEC 62443-2-1 is vital from an organization's perspective. Moreover, IEC 62443-3-3 can be used to assess the security capabilities of the deployed systems, also creating a gap analysis for achieving the desired level of security.

As an added service, besides compliance in line with IEC 62443, the assessment for end users can be extended to include other state-of-the-art standards such as UL 2900 or the ENISA baseline requirements. These standards can be used to verify additional requirements in terms of system security functionalities, complementing the set of requirements in IEC 62443-3-3.

Finally, end user organizations can align their procedures, policies and implemented security controls to well-known security frameworks, such as the international NIST CSF, NIST 800-53, the Department of Homeland Security Catalog or the Dutch-specific NCSC ICS security checklist.

APPLICABILITY SELECTION

For both integrators and end users, we select the relevant requirements from the above-mentioned standards based on your particular activity domain. Thus, our approach provides a tailored, risk-based way of assessing security.

SECURITY VALIDATION

The assessment is carried out by validating the policies, processes and security functionalities of the systems. As examples, IEC 62443-3-3 tests the security controls of the deployed system, such as secure authentication, role separation, PKI implementation, event logging, secure port access or data encryption. On the process side, IEC 62443-2-1 addresses the implementation of a cybersecurity management system, including risk analysis, personnel awareness, security countermeasures and system monitoring.

REPORTING

The final deliverable is a compliance report providing the conclusions of the assessment. This report can also be made in the form of an Assurance Report, devised according to international assurance standards such as ISAE 3000 and signed off by a certified auditor.

OUR VALUE TO YOU

Through this report, you obtain a powerful tool for internationally demonstrating your compliance, thus empowering your brand on the market.