i4Q Cybersecurity Guidelines (i4QSG)

General Description

This solution is a guide to achieve data reliability and quality in a manufacturing line by enough cybersecurity mechanisms to ensure some level of security in industrial environments. For security researchers, the increased attacks on key infrastructure served as a wake-up call. External entities such as third-party companies, security experts, and academia, among others, disclose vulnerabilities. Security researchers have been focusing on Industrial Control System (ICS) vulnerabilities as a result of high-profile hacks against vital infrastructure. As a result, additional research into ICS vulnerabilities may be able to help enterprises better identify and handle the cyber risks that critical infrastructure faces.

Relevant ISO 27001 and IEC 62443 standards are introduced and there had been concluded that it is crucial to conduit a four-phase cyclical process that includes (1) Risk Analysis, (2) Comprehensive security management and policy setting, (3) Technical Measures, and (4) Validation and Improvement.

Special relevance has been given to the update, upgrade and patches strategy with a specific section, as well as to the defense-in-deep approach as strategy to protect cyber-related threats.

The usage of a public key infrastructure is proposed in order to guarantee trust between the elements in the ICS ecosystem providing confidentiality, integrity and authenticity among them by means of X509 certificates.

Features

The main aspects considered in i4QSG are as follows:

  1. Secure by Design: is a design approach that requires security measures to be introduced early in the IACS’ lifespan. The goal is to establish strong security policies, security architectures, and secure practices early in the development process and implement them throughout the lifespan.

  2. Reduce Attack Surface: is a design method that lowers the amount of physical and functional interfaces that can be accessed and exploited, making an assault more difficult to succeed.

  3. Defense in Depth: The deployment of various security measures, especially in layers, with the purpose to delay or prevent an attack is known as Defense-in-Depth (DiD). Even on single systems, defense in depth implies numerous layers of protection and detection, and requires attackers to break through or bypass multiple layers without being detected.

  4. Essential Functions: are defined as functions or capabilities that are essential to sustain the Equipment Under Control’s health, safety, the environment, and availability of the Equipment Under Control that include Safety Instrumented Function, the control function, and the ability of the operator to view and manipulate the Equipment Under Control

  5. Public Key Infrastructure: a digital certificate is a digital document that confirms that the public key contained inside it belongs to the identifying entity (person, device, or computer). This is issued by a Certification Authority (CA) and ensures that the identification of the entity to which the certificate belongs has been validated and trusted by the CA. A Public Key Infrastructure (PKI) allows a company to have electronic authentication systems with confidentiality, data integrity and non-repudiation for their network applications.

  6. Updates/Patches in ICS: The ICS system should be separated from other networks such as IT ones maintaining separation and providing isolation between both networks. This makes more complicated to keep software up to date requiring other strategies to updating it. Running firmware and/or application software patches or upgrades under ICS, with antivirus as a separate program, may necessitate extra care to avoid security risks.

Comercial Information

Authors

Company

Website

Logo

IKERLAN

www.ikerlan.es/en/

logo IKER

License

There is no licensing involved for using this solution.

Pricing

The guideline is free to use.

Associated i4Q Solutions

Required

None. Due to the nature of the document, it is expected that it will be serve as reference in the implementation of security mechanisms by the rest of the i4Q solutions.

Optional

None.