Securing your PlantPAx system in The Connected Enterprise

Integrating industrial automation and control systems (IACS) with enterprise-level systems enables better visibility and collaboration, which helps improve efficiency, production and profitability. But greater connectivity also exposes control systems to additional cybersecurity risks.

No doubt, cybersecurity is critical for every industrial operation. However, there is a marked difference in priorities between a standard IT system and an IACS. Availability is the most crucial aspect of a secure IACS. Conversely, data confidentiality and integrity take precedence in a standard IT environment. Therefore, using security standards from IT will not fully suit most plants’ requirements.

To meet the needs of industrial environments, Rockwell Automation aligns systems developed on our technology with international standard ISA-99/IEC 62443-3-3. This standard is designed specifically for industrial automation and control systems and defines procedures to implement an electronically secure system.

Why IEC 62443-3-3?

By aligning PlantPAx with IEC 62443-3-3, Rockwell Automation has committed to following global cybersecurity best practices based on defence-in-depth. The National Institute of Standards and Technology (NIST) and the US Department of Homeland Security also recommend a defence-in-depth approach.

As the term implies, a defence-in-depth strategy is based on the notion that any one point of protection will likely be defeated. Cybersecurity systems based on this strategy establish multiple layers of protection through a combination of physical, electronic and procedural safeguards.

The IEC standard directly supports the defence-in-depth approach through its seven foundational requirements (FR) for securing an IACS:

• FR1: Identification and authentication control (IAC)
• FR2: Use control (UC)
• FR3: System integrity (SI)
• FR4: Data confidentiality (DC)
• FR5: Restricted data flow (RDF)
• FR6: Timely response to events (TRE)
• FR7: Resource availability (RA)
   

These foundational requirements are the cornerstone for the IEC standard.

The first step to securing your system

Cybersecurity is an ongoing process, not a product or policy. The first step in that process is evaluating the specific security risks at each site within your organisation. IEC 62433-3-2 provides guidance on how to identify your risk tolerances and vulnerabilities.

Keep in mind, you may find that different areas in your system have different security needs. For instance, a computer in a demilitarised zone getting patch updates may have less security risk than the primary processor running a turbine program.

To meet diverse requirements, IEC 62443 has established security levels SL0 to SL4. The security levels are suited to scenarios ranging from systems that do not require specific security measures to those that require protection against intentional, sophisticated threats. The IEC 62443-3-3 standard outlines cyber features that must be included to meet each system security level.

Following the foundational requirements

To establish a secure PlantPAx system, Rockwell Automation uses IEC 62443-3-3 foundational requirements as a reference. Rockwell Automation also adheres to industrial cybersecurity best practices, and follows additional standards to address specific application requirements.

Where to begin? Although system availability is critical to any IACS, a secure system must first limit access to intended and qualified users. In line with defence-in-depth, access is controlled through both physical and operational layers of security.

A word about physical security

In any system, the first layer of protection is achieved through multiple physical means.

Passive physical security devices

Passive physical security devices include fences, walls, concertina wire (barbed wire, razor wire, and so on), anti-vehicle ditches, concrete barriers, earthen walls or mounds, and other access-limiting devices. They are used to either help protect physical entities or help prevent access to specific locations. Passive security devices are active at all times. These devices require no manual intervention to either engage or disengage.

Active physical security devices

Active physical security devices engage or disengage based on time intervals, autonomous control or specific interventions from outside sources. These devices include doors, locks of various types, gates and retractable road obstructions.

Identification and monitoring devices

This category includes still and video cameras, motion sensors, vibration sensors, heat sensors, biometric authentication or recording devices and a variety of other devices. These devices do not specifically control or limit access to a physical location or system by themselves. Their design and intended use is to detect, identify or record physical entities.

For more detailed information on the PlantPAx 5.0 IEC 62443-3-3 certification and Rockwell Automation cybersecurity solutions click here.