Beyond Security Blog
industrial technology ot security isometric concept on purple and pink vector

How to Use SAST and DAST to Meet ISA/IEC 62443 Compliance

What is the ISA/IEC 62443 and what does it mean for industrial cybersecurity? Find out in our quick guide for busy OT security officers.

In a recent cyber-attack, a metallurgy company became infected with ransomware. The firm shut down for a week to deal with the infection; the final costs for the system backup and production downtime came to over 50 million euros ($54 million). 

This follows a Kaspersky report, “The State of Industrial Cybersecurity” that shows 70% of companies expect an attack on their Operational Technology/ Industrial Control Systems (OT/ICS) infrastructure.

The connectivity required for Industry 4.0 has meant that the once tightly controlled, closed perimeter of manufacturing is now hyper-connected. The Industrial IoT (IIoT), the convergence of OT and IT, and connected Industrial Control Systems (ICS), etc., means that the cyber-attack surface has opened up to increasing cyber-threats. 

To reflect increasingly sophisticated cyber-threats in the sector, regulations controlling the manufacturing industry offer a framework for cybersecurity controls and measures. The main regulation covering the sector is ISA/IEC 62443 compliance regulation. This sets out a series of standards that provide advisories and procedures that help manufacturing companies prevent cyber-attacks. 

[ Learn about fuzzing APIs. | Want to see how it works or try 30-day free trial? Request a demo  today. ]

ISA, IEC, and the ISA / IEC 62443 compliance regulation

The International Society of Automation (ISA) 99 Committee, a global team of industrial cybersecurity experts, is behind ISA/IEC 62443. The scope developed for the regulation covers many situations including:

  • hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems
  • associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

The work carried out by the ISA99 Committee on ISA/IEC 62443 compliance regulation has been adopted by the International Electrotechnical Commission (IEC) giving the standard global reach.

ISA/IEC 62443 compliance regulation is a series of standards that focus on security for industrial automation and control systems. The different series the standard is composed of, work together to create a holistic framework used to mitigate security vulnerabilities in Industrial Automation and Control Systems (IACS). 

ISA/IEC 62443 has five security levels (SLs):

  • SL 0 – no security
  • SL 1 – protects against accidental security
  • SL 2 – simple but international attack protection
  • SL 3 – protect against more sophisticated attacks with moderate resources and knowledge
  • SL 4 – protect against highly sophisticated attacks e.g., nation-state attacks 

The levels set out the types of security measures needed to meet those requirements. For example:

  • Levels 3 or 4 require hardware, e.g., certified hardware security chips
  • Security levels 1-4 all require user authentication. 
  • Security levels 2-4 require device authentication (in addition to the hardware requirements at levels 3 and 4)

ISA/IEC 62443 part 4-1

ISA/IEC 62443 Part 4-1 “Product Security Development Life-Cycle Requirements”, was published on March 28, 2018, and is part of the standard series. ISA/IEC 62443 Part 4-1 focuses on requirements for achieving a secure product development lifecycle (SDL). Specifically, it sets out the process requirements for the secure development of products used in industrial automation and control systems. The SDL security requirements, which apply to the developer and maintainer of the product, include details on:

  • definition
  • secure design,
  • secure implementation (including coding guidelines)
  • verification and validation
  • defect management
  • patch management 
  • product end-of-life 

The various requirements apply to both new and existing processes within a given product development lifecycle and apply to software, firmware, and hardware.

Where does security testing fit with ISA / IEC 62443

A Deloitte survey of advanced manufacturing companies found that less than half of manufacturing industry executives felt their facility was protected. One of the top concerns being the increasing sophistication of cyberthreats against connected Industrial Control Systems (ICS). This issue was then exacerbated by only half of those surveyed carrying out regular ICS vulnerability testing.

The publication of ISA/IEC 62443 Part 4-1 covers the development lifecycle of products. By referring to the standard, manufacturing companies can design security into their development processes helping to prevent flaws being populated downstream to systems and processes. 

ISA/IEC 62443 Part 4-1 includes the following in the requirements:

  • Static code analysis (tools to check and debug source code)
  • Software composition analysis (tools that generate an inventory of open source code components) 
  • Malformed input testing (e.g., fuzz testing)

Tools for testing 

Vulnerability testing is included in “Practice 5 – Security verification and validation testing” of the standard.  Vulnerability testing is a process that uses a number of tools and procedures to locate flaws in a system, service, product, component or similar. The process is multi-part and includes the use of automation tools to locate vulnerabilities. 

The types of tools that can be used to perform vulnerability testing include:

Static code analyzers: Source code is run through a code analysis engine to look for weaknesses and vulnerabilities. 

Fuzzing and blackbox fuzzing: These tools will cover the requirement for malformed input testing. Fuzz testing is a type of automated testing that adds ‘fuzz’ i.e., random or invalid data to a given system to generate unusual behavior, systems crashes, etc. Any API-driven system can use multi-protocol fuzz testing as this works systematically across the entire API surface.

Static Application Security Testing (SAST): Used during development and can be part of ongoing code analysis. SAST is part of a developer’s toolkit to spot issues before integration into a wider component ecosystem. 

Dynamic Application Security Testing (DAST): Used to look for vulnerabilities in areas such as exposed APIs or open network services. 

Attack Surface Analysis: Looks at the entire system, including software, physical, and network vulnerabilities. Utilizes multiple tools and processes.

Conclusion

ISA/IEC 62443 has been designed to offer a framework to protect Industrial Control Systems (ICS), Programmable Logic Controllers (PLC), and SCADA, as well as general OT/IT systems from cyber-attacks. The use of appropriate testing tools within the context of the guidance offered by ISA/IEC 62443 Part 4-1 can ensure that during the development of industrial systems, vulnerabilities are spotted early. As manufacturing industries embrace the Industrial IoT (IIoT) they come under increasing pressure from cyber-attacks; applying ISA/IEC 62443 standards, developed by industry experts, is vital in protecting our manufacturing systems and infrastructures.

Need to get ISA/IEC 62443 compliant? Contact us to schedule a free demo of our network and application vulnerability assessment products.

Beyond Security

Beyond Security is a global leader in automated vulnerability assessment and compliance solutions – enabling businesses and governments to accurately assess and manage security weaknesses in their networks, applications, industrial systems and networked software at a fraction of the cost of human-based penetration testing.

Contact Us
Want to learn more? Fill out the form below and we'll be in touch shortly.
By clicking Submit, I agree to the use of my personal data in accordance with the Beyond Security Privacy Policy. Beyond Security will not sell, trade, lease, or rent your personal data to third parties.

Advertisement

Vector image of purple colored handshake icon

Affected by Covid-19? Get free vulnerability scanning.

Before You go

Take a second to book a demo. Learn how to secure your networks & applications.

We'll be in touch!

We now have the ability to scan at any time...like having sonar on our own network. We always know what is going on around us.”

man-img

Mike Gutknecht, Spectrum Brands