Industrial control systems (ICS) and their facilities are becoming prime targets for cyberattacks. Just look at what happened at Norwegian aluminum manufacturer Norsk Hydro in 2019, or even more ominous — at the Sellafield nuclear plant in 2023.
That's why cyber resilience must be baked into automation from the very start — these systems are integral to a functioning society. We can't just tack on security as an afterthought. It has to be fundamental to how these systems are designed and built.
This article explores the basic concepts behind building cyber-resilient operational technology (OT) while highlighting a few ways the ISA/IEC 62443 series of standards offer guidance.
Automated systems, particularly those in critical infrastructure, face increasing cyber threats as IT and OT converge. These threats are growing more sophisticated every day. A whopping 85% of cybersecurity professionals believe that generative AI makes social engineering much easier to execute in a cyberattack — and subsequently replicate.
Let's take a look at some of the most common types of cyberattacks. For the most part, the main cybersecurity risks threatening automated systems include:
We’re also seeing attacks on other links in the supply chain beyond industrial automation and control systems, including third-party IT vendors.
That’s why attacking an insurance company that uses AI through a vulnerable API, for example, might tell hackers more about an industrial facility that’s insured by the company. Albeit slower, this method may be more effective for the hackers compared to a brute force attempt.
With threats not only plentiful but also multi-faceted, the key lies in being proactive and making sure OT can contain attacks if they occur and continue functioning uninterrupted. To achieve that, an organization needs to base their approach on the following four principles:
Even during the conceptual phase, modern OT must abide by security-by-design principles, introducing built-in security protocols to the fold. A variety of stakeholders and industries can consult ISA/IEC 62443-4-1, which outlines the secure product development lifecycle.
Any systems connected to ICS must also be strictly vetted, including software, communication platforms and simple access clearances.
Implementing a multi-layered defense strategy is crucial for protecting automation systems. This involves taking a proactive approach toward network segmentation, access controls and intrusion detection systems.
In terms of standards, ISA/IEC 62443-3-3 establishes the concepts of zones and conduits. The goal is to ensure that an attack on one industrial network zone does not compromise the entire network. It assumes that robust access controls have also been implemented to prevent unauthorized access.
Continuous monitoring and real-time detection of anomalies are vital for identifying potential threats early. This approach might seem cost-intensive, but it’s the most effective way of preventing large expenditures after the incident occurs. Tools with enhanced threat detection capabilities that incorporate big data analytics can increase the likelihood of identifying sophisticated threats early.
To help with this, ISA/IEC 62443-2-4 provides guidelines for security program requirements for IACS service providers to offer to asset owners during integration and maintenance.
Even if an organization swears by security-by-design, has a complex defensive strategy and monitors everything in real time, that doesn’t mean they’re completely immune to cyberattacks.
Hence, a comprehensive incident response plan is essential for minimizing impact and ensuring rapid recovery, and should include:
Despite the buzz around generative AI-fueled cyberattacks and other looming risks, it’s crucial to remain proactive and committed to making cyber resilience integral to organization-wide culture and not just an afterthought.
And with guidance in the form of ISA/IEC 62443, automation professionals have a global consensus-based series of standards they can rely on to protect their systems and mitigate cyber threats.