Research Triangle Park, NC (25 September 2018) – The ISA/IEC 62443 series of standards, developed by the ISA99 committee as American National Standards and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS).
A newly published standard in the series, ISA/IEC 62443-4-2-2018, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components and software applications. The standard sets forth security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
“The standard definition of the security capabilities for system components provides a common language for product suppliers and all other control system stakeholders,” emphasizes Kevin Staggs of Honeywell, who led the ISA99 development group for the standard. “This simplifies the procurement and integration processes for the computers, applications, network equipment and control devices that make up a control system.”
The new standard follows the February 2018 publication of ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development life-cycle for developing and maintaining secure products. The life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.
The ISA99 standards committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure. Previous documents in the ISA/IEC 62443 series cover terminology, concepts, and models; establishment of an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards.
Source: ISA
New ISA/IEC Standard Specifies Cybersecurity Capabilities for Control System Components
Research Triangle Park, NC (25 September 2018) – The ISA/IEC 62443 series of standards, developed by the ISA99 committee as American National Standards and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). A newly published standard in the series, ISA/IEC 62443-4-2-2018, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical
Legitimate Remote Admin Tools Pose Serious Risk to Industrial Systems
(SecurityWeek - Eduard Kovacs) - Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns. A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS). The highest percentage of ICS computers with RATs
Serious Vulnerability Found in Honeywell’s Android-based Handhelds
(SecurityWeek - Eduard Kovacs) - Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw. Honeywell’s handheld computers are advertised as devices that combine the advantages provided by consumer PDAs with high-end industrial mobile computers. These rugged devices run Android or Windows operating systems and they provide a wide range of useful functions and connectivity features, including Wi-Fi,
Red Team/Blue Team ICS Cyber Security Training
SecurityWeek is happy to be partnering with LEO Cyber Security to offer a half-day Red Team/Blue Team ICS Cyber Security Training workshop at SecurityWeek’s 2018 ICS Cyber Security Conference. The workshop will take place on Monday, October 22 and is available as an option for conference attendees. (Registration available here) What is Red Team/Blue Team Training? Security aware and knowledgeable users serve as the “front line” of your overall security posture. As such, training is one of the most essential components of your