Using standards to guarantee cyber security in industrial IoT products
Standards are a powerful tool for ensuring reliability in electronic products. But when it comes to cyber security, what standards are there and how can we use them?
There's no doubt about it: developing electronics is an exercise in mastering many disparate disciplines. Producing a saleable product requires a solid grasp of such topics as circuit design, testing, approval, manufacturing, and logistics. For many, cyber security is yet another topic that must be considered, whether as a manufacturer or a user of these devices.
As the need to remotely control products and build control systems with components from a variety of manufacturers increases, keeping track of security considerations for individual devices and determining requirements for entire systems can be a major challenge.
Similarly, designing security solutions can be extremely challenging for manufacturers. If users' needs aren't clear, developing specific security requirements for a product can be difficult.
Security is particularly important in the field of industrial IoT (IIoT), since the consequences of a device being misused may ultimately be catastrophic for both the equipment and the employees that rely on the application.
Manufacturers must implement processes that account for cyber security in the development phase. Products must be designed with security in mind from the very beginning; attempting to add it on top of an otherwise finished product only makes development more complicated and expensive. In that regard, it is important to clearly define the requirements that identify what must be protected.
Managing cyber security
Particularly for smaller businesses, getting started with a product protection strategy can be a challenge when none of the business's existing employees have the relevant skills. It can be a good idea to review some of the standards and guidelines on basic product cyber security, such as ETSI EN 303 645. This standard can serve as the foundation of a cyber security strategy, and it can help manufacturers to implement tools that make it easier to maintain product security.
ETSI EN 303 645 lists a number of basic requirements that a product must fulfil. For example, it requires that devices have either unique default passwords or user-set passwords, that software must be updatable, and that sensitive data must be stored securely.
One interesting requirement is that manufacturers must have publicly available policies on how to report vulnerabilities discovered in their products. Thus, the standard imposes not only technical requirements on products, but also requirements on managing products' security over their lifetimes.
What should you use?
The approach taken to security in ETSI EN 303 645 could be described as ‘one size fits most’. In other words, the standard is not based on any specific kind of product; instead, its requirements are remedies to the most commonly observed security issues in products on the market.
If you would prefer an approach based on a specific product, standards like UL2900-1 and IEC 62443 may be of use. These standards take a risk-based approach to security. They require the development and implementation of a risk analysis process for products that wish to adhere to these standards. The advantage of doing so is that the result is a tailor-made security strategy for an individual product. However, the success of this approach is highly dependant on how well the risk analysis process is performed and maintained.
Standards for industrial automation systems
The IEC 62443 series is the ideal reference for industrial systems. This standard is written with industrial automation systems in mind, from elements as small as PLCs up to entire factories — including processes. This series of standards covers three main areas:
- vendors, who produce hardware and software;
- integrators, who assemble elements to form whole systems;
- an owner, who uses the systems.
For vendors, there are standards describing how products that will form part of an industrial system should be developed. It includes specific technical requirements, like "No unique default passwords", as well as development process requirements to address who is responsible for which security functions, what tests should be performed, who should perform them, and so on.
For integrators, much as for vendors, there are standards regarding how systems should be designed and what requirements they need to meet in order to achieve a given level of security. The task here is to apply requirements to specific installations, such as sub-component requirements, security zone divisions, and requirements for transitions between zones. It is important to be able to easily communicate which requirements any given component fulfils. One way of managing this is using a Security Level Vector. This describes the levels of security a component can achieve when configured accordingly. This vector makes it easier for an integrator to determine whether a particular component is suited for use in a particular application. This eliminates the need to thoroughly review the documentation for many devices in order to find components suited for a task.
For owners, there are standards that address topics like managing the operation of a system. These standards take into account software updates, users, risk analyses, and so on.
A number of approval programmes for IEC 62443 also exist. These allow vendors and integrators to have a third party review their systems and components, just as is done for ‘normal’ product approvals. This can promote trust in a product's security and minimise the risk of accidentally releasing a defective product.
What about approvals?
From an approval perspective, it can make sense to consider cyber security alongside environmental requirements, EMC requirements, and other kinds of requirements that a product must fulfil. Security, then, can be handled in the same way as compliance in other areas. Ultimately, this is about ensuring the robustness of a product relative to the environment in which it will be used. In a world where cyber security is becoming ever more important, this is a challenge that should be taken seriously, even before regulatory requirements appear to control which products have access to the market.
Standards are something we use to help us with many aspects of product design. They help us maintain uniformity, so we can ensure that products are reasonably reliable when they make it out into the world.
There are good reasons to take the same approach to cyber security. Especially, when we consider the waves of IoT products constantly being launched, and the rising number of devices connected to the internet, it is in everyone's best interests that we make a serious effort to ensure that these products are secure. Not only so that they continue to function, but also so that they do not become vehicles for attacks on other systems.
Standards are a powerful tool here, both for those building security strategies and for businesses that need to deliver uniform solutions across product series. Standards help us ensure that we take a consistent approach to product development and maintain a certain level of security that lives up to the expectations people have for electronic devices.
This article was published in Aktuel Elektronik in 2020.