Designing and Integrating IEC 62443 Compliant Threat Analysis

Fockel, Markus; Merschjohann, Sven; Fazal-Baqaie, Masud; Förder, Torsten; Hausmann, Stefan; Waldeck, Boris

doi:10.1007/978-3-030-28005-5_5

Cited by 5 publications

(3 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A couple of publications focus on the methodology to integrate the security testing and compliance process into the development lifecycle, either at the product development level [10] or at the system integration level [11]. However, our work examines specifically tools that can help this integration of the security testing into the CI/CD pipeline.…”

Section: Related Workmentioning

confidence: 99%

Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

Göttel,

Kabir-Querrec,

Kozhaya

et al. 2023

2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA)

View full text Add to dashboard Cite

Validation of conformance to cybersecurity standards for industrial automation and control systems is an expensive and time consuming process which can delay the time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery pipeline of products. However, designing such conformance validation in an automated fashion is a highly non-trivial task that requires expert knowledge and depends upon available security tools, ease of integration into the DevOps pipeline, as well as support for IT and OT interfaces and protocols.This paper addresses the aforementioned problem focusing on the automated validation of ISA/IEC 62443-4-2 standard component requirements. We present an extensive qualitative analysis of the standard requirements and the current tooling landscape to perform validation. Our analysis demonstrates the coverage established by the currently available tools and sheds light on current gaps to achieve full automation and coverage. Furthermore, we showcase for every component requirement where in the CI/CD pipeline stage it is recommended to test it and the tools to do so.

show abstract

Section: Related Workmentioning

confidence: 99%

Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

Göttel,

Kabir-Querrec,

Kozhaya

et al. 2023

2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA)

View full text Add to dashboard Cite

show abstract

“…While some general recommendations may overlap with the suggestions given during the course of this paper, their focus is solely on post-quantum attacks that PKI systems might face and which cryptographic algorithms are needed to correspondingly protect IACS environments. Apart from these publications, other relevant papers focus on ISA/IEC 62443 threat analysis [9] and its application in engineering projects [22,21] without specifically addressing PKIs.…”

Section: Related Workmentioning

confidence: 99%

From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures

Heinl,

Pursche,

Puch

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Public key infrastructures (PKIs) are a cornerstone for the security of modern information systems. They also offer a wide range of security mechanisms to industrial automation and control systems (IACS) and can represent an important building block for concepts like zero trust architectures and defense in depth. Hence, the ISA/IEC 62443 series of standards addresses the PKI paradigm, but there is little practical guidance on how to actually apply it to an IACS. This paper analyzes ISA/IEC 62443 for explicit and implicit requirements regarding PKI deployment to provide a guideline for developing and operating a standard-conform PKI. For this purpose, the analyzed requirements and IACS-specific constraints are combined with current research and best practices. To assess its viability, a tangible PKI use case is implemented in a test environment. The evaluation of this use case shows that common IACS components are capable of supporting PKI, but that important features are missing. For instance, the handling of PKI turns out to be time-consuming and involves many manual operations, a potential factor to render large-scale operations impractical at this point in time.

show abstract

“…The STRIDE methodology is widely used for the assets and threats identification. An IEC 62443 compliant risk analysis was presented by M.Fockel et al [24] for the development of industrial control systems. This methodology was also used by Zhendong Ma and Christoph Schmittner for the threat modelling of connected and intelligent vehicles [25] and by A. Vasenev et al [3] for a automotive case considering specific OTA threats.…”

Section: Related Workmentioning

confidence: 99%

Safety and Security Concept for Software Updates on Mixed-criticality Systems

Mugarza

Yarza

Agirre

et al. 2021

2021 5th International Conference on System Reliability and Safety (ICSRS)

View full text Add to dashboard Cite

The raising connectivity of critical embedded systems makes them vulnerable to cyber-security attacks that compromise not only privacy but also safety. This results in intricate dependencies between functional safety and security, and higher demands to address both disciplines simultaneously. However, there are still many gaps on the common application of functional safety and cyber-security standards. Over-The-Air (OTA) software updates are a clear example of this challenge. While the installation of regular software upgrades is a crucial cyber-security practice to keep the system up-to-date with the latest security patches, they might involve high re-certification efforts and costs from a safety standpoint. In this paper, a safety and security concept for software updates on mixed-criticality systems is presented. Particularly, a combined safety and security risk assessment on an automotive use case is performed and risk mitigation measures proposed.

show abstract

Designing and Integrating IEC 62443 Compliant Threat Analysis

Cited by 5 publications

References 5 publications

Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures

Safety and Security Concept for Software Updates on Mixed-criticality Systems

Contact Info

Product

Resources

About