ESTABLISHING ZONES AND CONDUITS
In accordance with the ISA99/IEC 62443 standard
The Industrial Cybersecurity Center (known by its initials in Spanish, CCI) is an independent, non-profit organisation whose mission is to promote and contribute to the improvement of industrial cybersecurity, in a context in which organisations from industrial sectors such as manufacturing and energy play a critical role in society. CCI strives to meet its mission by developing research and analysis activities, generating opinion, publishing studies and tools, and exchanging information and knowledge. CCI's main focus is on the influence of both technology (including its processes and practices) and individuals with regard to the risk derived from the integration of industrial processes and related infrastructure within cyberspace.

Today, CCI is the meeting point for entities, both private and public, and professionals who work in industrial cybersecurity or feel impacted or concerned by it. CCI is the Spanish-speaking world's leader in exchanging experiences and promoting the sectors involved in this field.
Contents
1 FOREWORD 9
2 INTRODUCTION 11
4 SECURITY LEVELS 27
8 BIBLIOGRAPHY 41
Establishing Zones and Conduits in accordance with the IEC 62443 7
Author
Mr. Javier F. Castillo
Computer Engineer, Faculty of Exact Sciences and Technology,
Universidad Nacional de Tucumán, Argentina.
1 FOREWORD
As is the case for technical assessments, capability assessments or incident analysis, the analysis of technological risks is a tool which helps us to establish or update our cybersecurity programmes.

It is important to base such programmes on agile tools that enable better decision-making to protect and respond to incidents in rapidly changing settings such as technological environments, especially in an industrial context where the integration between information technologies (IT) and operational technologies (OT), which is essential for current business needs, generates an increased level of exposure, points of failure and actors in the value chain.

The approach of IEC 62443, based on zones, conduits and security levels, enables a basis for the protection of operating and information systems in an industrial environment to be established in an agile way, but above all, it provides a common language between technology owners, integrators and manufacturers when establishing protection requirements in an industrial automation and control environment.

In this excellent document, written by engineer Javier F. Castillo, you will find orderly, educational and practical information regarding how zones and conduits should be established for a particular scope. The document also explains how to set security levels on the five-point scale established by IEC 62443, as well as the requirements of each security level grouped into the seven fundamental cybersecurity requirements.

This is the first publication of this new CCI working paper series, whose objective is to cover specific aspects of industrial cybersecurity in an educational and practical manner, based on the experience of professionals, such as Javier F. Castillo in this case, who has decided to share this document.

José Valiente
CCI Director
2 INTRODUCTION
Industry in general, and particularly what is commonly referred to as industry 4.0, faces multiple challenges, among which
industrial cybersecurity emerges as a key topic to consider in the technological evolution of industrial processes. Knowing where
and when to make investments in industrial cybersecurity may result in a competitive advantage for those companies that are
aiming to obtain greater availability, quality and performance in order to improve the efficiency of their business processes or
comply with the regulations of the market to which they belong.
What is industry 4.0? Industry 4.0 involves taking advantage of digitalisation in industrial processes through increasingly frequent
use of sensors and actuators that progress in the incorporation of “smart” technologies and complementary information systems
which enable production processes to be transformed and made more efficient.
The figure below clearly shows the evolution of industrial automation from the incorporation of mechanical equipment in industrial
processes to what is known today as the fourth industrial revolution, where cyber-physical systems play a leading and differentiating
role in improving the management and efficiency of industrial processes.
Like any cybersecurity programme, the starting point for managing this issue is to carry out a risk analysis. Once we have set this objective, the next question that arises is: what are we going to analyse? Each industry has its own characteristics, and as such different elements should be assessed depending on the level of detail that we hope to obtain. For example, in the oil & gas industry, a refinery comprises multiple processes (separation, transformation, purification, etc.) through which crude oil is converted into a variety of end products. Within each of these processes, more than one industrial system is involved, and these systems in turn are composed of an extensive variety of components (sensors, actuators, PLCs, RTUs, HMIs, etc.). We can then choose to analyse a process, a sub-process, an industrial system or each of its components. It is quite a challenge.

The ISA99/IEC 62443 standard constitutes the main international reference framework for cybersecurity in industrial systems, where availability and integrity are the most important factors for the adoption of protective measures against cyber threats, but also for reducing unintended technological incidents. The ISA99 committee that initially developed the IEC 62443 series is composed of a range of members, including asset owners, equipment and service providers (manufacturers and integrators), governments, educational institutions and various research groups.
According to this standard, the industrial cybersecurity lifecycle consists of three phases: Assessment, Development & Implementation, and Maintenance.

Each of these phases forms part of the methodology proposed by the standard for the protection of industrial systems against incidents, whether intentional or otherwise. When we refer to a "lifecycle", it is essential to understand that in cybersecurity the state of "guaranteed" security does not exist. Rather, each of these phases must be carried out in an iterative manner, feeding off the previous phase and adding value to the next. In this way, we can improve the countermeasures implemented until a tolerable risk level is achieved.

As a starting point, the standard proposes the clear identification of the "System under Consideration" (SuC), which consists of all infrastructure that will be the subject of the analysis. This can include control networks, tele-supervision, communications and security infrastructure (routers/firewalls), and may even incorporate computer networks, depending on the services that they provide to the industrial process and vice versa. Once the SuC has been identified, the "Assessment" phase is initiated, which includes the "Allocation of assets to zones & conduits" stage (see figure 3). In this document, we will focus on that stage, leaving matters related to risk analysis for subsequent publications.

The importance of this definition lies in the premise that each specific scenario has different security levels associated with the tolerable risk for each organisation. For large-scale or complex industrial systems, it may not be recommendable or necessary to apply the same security level to all of their components. For this reason, the concepts of zone and conduit were created, which should be identified within the SuC.

A zone is defined as the logical or physical grouping of industrial assets (which may be physical assets, applications or information) that share the same security requirements.

A conduit is a specific type of zone that groups the communications which enable information to be transmitted between different zones.

Finally, the concept of channel is incorporated, which is defined as a specific communication link established within a conduit.

The objective of industrial cybersecurity is to provide the SuC with two key properties: robustness and resilience.

Robustness is defined as the capacity to operate in the face of a certain level of disturbance produced by cyber threats, and resilience is defined as the capacity to reset or restore the system after an undesired event occurs with the minimum possible impact, according to the tolerable risks defined by the organisation.
Figure 3: The IEC 62443 industrial cybersecurity lifecycle: Assessment (which includes the allocation of assets to zones & conduits), Development & Implementation, and Maintenance.
3.1. ZONES

During the creation of a cybersecurity programme, the concept of "zones" is one of the most important resources, and its definition constitutes a fundamental aspect for the success of this process.

Zones can be a grouping of independent assets, a group of sub-zones or a combination of both. In turn, zones possess inheritance attributes, which means that the "child" zones (or sub-zones) must comply with all security requirements of the "parent" zone. When we refer to assets, we are referring to "the assets necessary for the industrial process", which we will define as "all elements belonging to an industrial system (PLCs, RTUs, operator and engineering workstations, communications equipment, etc.) that have value or potential value for an organisation". The value threshold above which an element is considered an asset varies depending on the organisation and its size.

Each zone has a set of characteristics and security requirements that constitute its attributes:

› Security policies and security levels
› Asset inventory
› Access requirements and controls
› Threats and vulnerabilities
› Consequences of a security breach
› Authorised technology
› Change management process

Each defined zone must have a document describing its security requirements and how tolerable risk levels are to be achieved. This document should include, among other details, the scope of the zone, its security level, the organisational structure to which it belongs and its responsibilities, the risks associated with the zone, the security strategy adopted, the types of activities that are permitted within it, etc. All this information must be documented for each zone, as it serves as a guide for the construction and maintenance of the assets contained within the zone.

The asset inventory constitutes a decisive factor in achieving the objectives defined in the security policy. A document must be created that specifies all logical and physical assets that form part of the zone. This document includes an example of an asset matrix (for reference purposes) which facilitates the definition of a zone, as well as cataloguing, with some minor changes, the industrial systems associated with an industrial process.

Although obtaining the information detailed in the "reference matrix" usually requires a significant initial effort, this must be carried out in the greatest possible detail, given that, as mentioned previously, it constitutes a fundamental element when creating an industrial cybersecurity programme. In addition, due to the nature of industrial systems, it is well known that their lifecycle is in the range of 15 to 20 years. As such, a significant initial workload is expected, with few modifications for prolonged periods of time. Furthermore, we should mention that there are currently automated tools which, although they were not specifically designed to meet this requirement, significantly speed up its implementation.
Reference asset matrix (column groups):

1. GENERAL
› Unique identifier of the zone
› Geographic location (province, state, region, etc.)
› Industrial sector
› Brief description of the industrial process
› Zone to which it belongs
› Contact (supervisor name)

2. SUPERVISION AND CONTROL SYSTEM
› System type (SCADA, HMI, DCS, data acquirer, other)
› Commercial name
› Name of the device (xxx station, engineering station, server, etc.)
› Operating system and OS version
› Device IP address
› IP address in case the NAT protocol is used
› Anti-virus brand
› Network or control equipment (switch, router, modem, PLC, RTU, etc.)
› Brand and model
› Communication protocol used
› Component IP address
› IP address in case the NAT protocol is used

3. SECURITY LEVELS
› Target security level (SL-T)
› Achieved security level (SL-A)
› Capability security level (SL-C)
3.2. CONDUITS

"Conduits" are particular zones that are applied to specific communication processes, providing security functions that enable two zones to communicate securely. All communication between different zones must be carried out via a conduit.

As with a zone, conduits constitute a logical and/or physical grouping of assets (communication assets in this case). A "security conduit" protects the security of the channels which the conduit contains, in the same way as a physical conduit protects cables from physical damage. Conduits can be thought of as the "tubes" that join different zones, or which are used to bind components within the same zone. Whether they are internal (within a zone) or external (outside of a zone), conduits protect the channels that provide communication links between industrial assets.

In industrial systems, conduits usually consist of the network devices (switches, routers, firewalls, etc.) that form part of their architecture, but in some cases they may also be servers or communications gateways used for the conversion between different protocols.

Conduits are one of the main inputs used to determine the threats to which a zone is exposed. Clearly identifying the conduits enables us to identify the points of access that the zone possesses, and to analyse whether they may become potential attack vectors. A detailed risk analysis must include both the zones and their associated conduits to obtain the best results.

As they are a particular type of zone, each conduit, like a zone, possesses a set of characteristics and security requirements that constitute its attributes:

› Security policies and security levels
› Asset inventory
› Access requirements and controls
› Threats and vulnerabilities
› Consequences of a security breach
› Authorised technology
› Change management process
› Zones that it interconnects
› Communications protocols (highly varied due to the nature of each industry and manufacturer)

Unlike zones, conduits must include details of the different zones that they interconnect, ensuring that the technology used to create the communication channels complies with the fundamental security requirements specified for the associated security level. The definition of the different security levels and their specific requirements is developed in greater depth in "Section 4 – Security Levels".

Upon finalising the technological risk analysis proposed by IEC 62443, the optimal grouping of zones and conduits will have been established in such a way that the system can be secured by design, achieving the target security levels and the tolerable risk for the organisation, without spending too much or investing too little. This approach is valid for existing systems, usually referred to as the "installed base", and for new systems that must pass through their different engineering stages (basic engineering, detailed engineering, design, procurement, construction, testing, launch, operation and maintenance, until retirement or decommissioning).
Figure: Reference model levels (partial): Level 4, enterprise systems (business planning and logistics); Level 3, systems/operations management; supervisory control.
The aforementioned model includes five levels, which are specified below:

› Level 4: Covers functions related to the corporate systems that support the management needs of each organisation.
› Level 3: Covers functions related to the management of workflows required for the manufacture of end products or resulting from the industrial process.
› Level 2: Covers functions related to the supervision and operation of the different production areas involved in an industrial process.
› Level 1: Covers functions related to automation and basic control of the industrial process (e.g. discrete, batch, continuous).
› Level 0: Constitutes the process in question. Includes the sensors and actuators that are directly connected to the process or its associated equipment.

When initiating the task of documenting the zones and conduits, all industrial assets involved must be located within the SuC, as specified in the reference model. This first approximation enables rapid and practical visualisation of the flow of data and information from the lowest levels (sensors and actuators) to the services that the OT environment shares with the IT environment.

Once the SuC has been modelled, the grouping of industrial assets into zones and conduits should be a consequence of the aforementioned criteria (functionality, location, organisation, supervisors, results of the risk analysis, etc.), without losing sight of the fact that the main focus of this process is to contribute to the implementation of a cybersecurity programme. As such, the result of the segmentation into zones and conduits must be primarily based on the identification of those assets that have common cybersecurity requirements.

The following attributes should be documented for each zone and conduit:

1. Name and unique identifier.
2. Logical limits.
3. Physical limits.
4. List of all points of access to the system associated with the limits and devices.
5. List of data flows at the access points.
6. Connected zones and conduits.
7. List of associated assets and consequences (if a prior risk analysis has already been carried out).
8. Target security levels.
9. Applicable security policies.
10. External dependencies hypothesis.

3.3.3. Initial criteria for the separation of zones & conduits

I. The assets of business information systems (IT) and industrial control systems (OT) should be grouped into separate zones.

Under normal conditions, information systems and industrial control systems should be placed in different zones based on their functionality, because different areas of the organisation are responsible for them, as determined by the results of the prior risk analysis, and usually because they are in different locations. It is important to understand that the main difference between these types of systems is that industrial control systems have a direct impact on human health and the environment, in addition to the fact that they may affect production and corporate image in the event of an incident.

II. The assets identified as Safety Instrumented Systems (SIS) must be placed in separate zones.

Safety Instrumented Systems (SIS) by nature have different security requirements to the other components of an industrial control system.

III. The assets or devices that are temporarily connected to the SuC must be placed in separate zones.

Devices that may connect to the SuC, such as maintenance staff laptops, portable cybersecurity analysis devices (performance analysis tools based on network traffic capture) and USB storage devices, among others, are often exposed to a much greater number of threats than those which are permanently located within a zone. For that reason, these devices must be modelled in a separate zone. The main reason for this is that, as they are temporarily connected devices, it is likely that they also connect to other networks outside of the zone whose cybersecurity requirements are less stringent than those established for the zone.

IV. Wireless communications should be located in one or more zones, separate from wired communications.

Wireless communications are not controlled by fences, walls or cabinets, and therefore have a higher level of exposure than wired communications.
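The three rules stated so far, sub-zone inheritance (3.1), "all inter-zone communication passes through a conduit" (3.2) and separation criteria I to IV above, can be checked mechanically over a zone-and-conduit model before the risk analysis starts. The following Python example is added here as an illustration and is not part of the original CCI paper. Its data model, rule identifiers and the sample plant (zone names, assets, conduit and flows) are all constructed; inheritance is checked as "the sub-zone's target security level for each fundamental requirement is not lower than its parent's", which is one concrete reading of the requirement that child zones comply with all parent requirements.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# The seven fundamental requirements, in security level vector order.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: Tuple[int, ...]            # target security level per FR, in FRS order
    parent: Optional[str] = None     # enclosing zone when this is a sub-zone


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                        # PLC, HMI, laptop, ... (free text)
    zone: str
    it: bool = False                 # business information system asset (criterion I)
    sis: bool = False                # safety instrumented system asset (criterion II)
    temporary: bool = False          # temporarily connected device (criterion III)
    wireless: bool = False           # communicates over wireless (criterion IV)


@dataclass(frozen=True)
class Conduit:
    name: str
    zones: Tuple[str, str]           # the two zones it interconnects
    protocols: FrozenSet[str]        # protocols documented for the conduit


@dataclass(frozen=True)
class Flow:
    src: str                         # asset ids
    dst: str
    protocol: str


def check_model(zones: Sequence[Zone], assets: Sequence[Asset],
                conduits: Sequence[Conduit], flows: Sequence[Flow]) -> List[Tuple[str, str]]:
    """Return (rule, message) findings; an empty list means every rule holds."""
    findings: List[Tuple[str, str]] = []
    zone_by_name = {z.name: z for z in zones}
    zone_of = {a.asset_id: a.zone for a in assets}

    # Inheritance (3.1): a sub-zone must meet all requirements of its parent; checked
    # here as "SL-T per fundamental requirement not lower than the parent's".
    for z in zones:
        if z.parent is None:
            continue
        parent = zone_by_name[z.parent]
        for fr, child_sl, parent_sl in zip(FRS, z.sl_t, parent.sl_t):
            if child_sl < parent_sl:
                findings.append(("inheritance",
                                 f"{z.name}: SL-T {fr}={child_sl} is below parent {parent.name} ({parent_sl})"))

    # Conduit rule (3.2): every flow between different zones must pass through a
    # conduit that joins those two zones and is documented for that protocol.
    conduits_between: Dict[FrozenSet[str], List[Conduit]] = {}
    for c in conduits:
        conduits_between.setdefault(frozenset(c.zones), []).append(c)
    for f in flows:
        zs, zd = zone_of[f.src], zone_of[f.dst]
        if zs == zd:
            continue                 # intra-zone traffic is out of scope for this rule
        candidates = conduits_between.get(frozenset((zs, zd)), [])
        if not candidates:
            findings.append(("no-conduit",
                             f"{f.src}->{f.dst} ({f.protocol}): no conduit between {zs} and {zd}"))
        elif not any(f.protocol in c.protocols for c in candidates):
            findings.append(("protocol",
                             f"{f.src}->{f.dst}: {f.protocol} is not documented on the {zs}<->{zd} conduit(s)"))

    # Separation criteria I-IV (3.3.3): none of these asset classes may share a zone
    # with assets outside the class.
    criteria = (("I", "it", "IT and OT"), ("II", "sis", "SIS and non-SIS"),
                ("III", "temporary", "temporarily connected and permanent"),
                ("IV", "wireless", "wireless and wired"))
    for z in zones:
        members = [a for a in assets if a.zone == z.name]
        for rule, attr, label in criteria:
            if {getattr(a, attr) for a in members} == {True, False}:
                findings.append((rule, f"{z.name}: mixes {label} assets"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Constructed plant (not from the paper) that violates three of the rules."""
    zones = [
        Zone("Plant", (2, 2, 1, 1, 2, 1, 2)),
        Zone("BPCS Zone", (2, 2, 0, 1, 3, 1, 3), parent="Plant"),   # SI below parent
        Zone("SIS Zone", (3, 3, 2, 3, 2, 1, 2)),
        Zone("Enterprise", (1, 1, 1, 1, 1, 1, 1)),
    ]
    assets = [
        Asset("HMI-1", "BPCS HMI", "BPCS Zone"),
        Asset("PLC-1", "Control-PLC", "BPCS Zone"),
        Asset("LAPTOP-1", "maintenance laptop", "BPCS Zone", temporary=True),  # criterion III
        Asset("FS-PLC-1", "FS-PLC", "SIS Zone", sis=True),
        Asset("ERP-1", "ERP server", "Enterprise", it=True),
    ]
    conduits = [Conduit("C-ENT-BPCS", ("Enterprise", "BPCS Zone"), frozenset({"OPC UA"}))]
    flows = [
        Flow("HMI-1", "PLC-1", "Modbus/TCP"),        # same zone
        Flow("ERP-1", "HMI-1", "OPC UA"),            # crosses a documented conduit
        Flow("HMI-1", "FS-PLC-1", "Modbus/TCP"),     # BPCS Zone -> SIS Zone with no conduit
    ]
    return check_model(zones, assets, conduits, flows)


if __name__ == "__main__":
    for rule, message in sample_findings():
        print(f"[{rule}] {message}")
```

Run stand-alone, the sample reports one inheritance shortfall (the BPCS sub-zone's SI target is below the plant's), one flow from the BPCS zone to the SIS zone with no conduit, and a maintenance laptop modelled inside a permanent zone (criterion III). The checks are deliberately structural: they say nothing about whether a conduit's firewall actually enforces the documented protocol list, which is what the later risk analysis and SL-A assessment have to establish.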
Figure 6 - High-level model for industrial processes: Enterprise (WLAN, web server, enterprise firewall, Internet); Control center (domain controllers, SIS HMI, SIS engineering workstation, IAMS, handheld programmer); control level (FS-PLC, Control-PLC and BPCS HMI, connected by serial or Ethernet links); field level (discrete block valve, control valve, pump controller, 24 VDC; 4-20 mA transmitters).
4.3. HOW TO USE SECURITY

The following figure outlines this process:

4.4. SECURITY LEVEL VECTOR

4.4.1. Fundamental cybersecurity requirements

Security levels are based on the seven fundamental requirements defined in the ISA-62443-1-1 document. These requirements are:

1. Identification and authentication control (IAC)
2. Use control (UC)
3. System integrity (SI)
4. Data confidentiality (DC)
5. Restricted data flow (RDF)
6. Timely response to events (TRE)
7. Resource availability (RA)

Instead of representing the assigned security level with a single value, it is possible to use a security level vector which represents the security level defined for each of the seven fundamental requirements.

4.4.2. Definition of security levels

The ISA99/IEC 62443 standard defines security levels on a five-point scale (0, 1, 2, 3 and 4), each of which represents an incremental level in terms of cybersecurity measures. The defined security levels are as follows:

› SL 0: Does not set specific requirements or specify cybersecurity protections.
› SL 1: Requires protection against casual violations.
› SL 2: Requires protection against intentional violations with low resources, general knowledge and low motivation.
› SL 3: Requires protection against intentional violations with sophisticated resources, specific knowledge of automation and control systems, and moderate motivation.
› SL 4: Requires protection against intentional violations with sophisticated resources, advanced knowledge of automation and control systems, and high motivation.

4.4.3. Security level vector format

A vector can be used to depict the cybersecurity requirements for a zone, conduit or system in a more representative way than a single value. The vector contains a specific value for the security level defined for each of the fundamental requirements (see 4.4.1).

The format used is as follows:

SL-?([FR,]domain) = { IAC UC SI DC RDF TRE RA }

Where:

SL-? = (Required) Represents the type of SL (see 4.2). The possible values are:

› SL-T = Target security level
› SL-A = Achieved security level
› SL-C = Capability security level

[FR] = (Optional) Field that indicates the fundamental requirement (FR) to which the SL refers. The FRs are represented by the acronyms given in 4.4.1 to facilitate interpretation.

domain = (Required) Represents the domain to which the SLs are applied. A domain can be a particular zone, a conduit, a control system or a specific component. Some examples of different domains in "Figure 6 - High-level model for industrial processes" may include "SIS zone", "BPCS zone", "BPCS HMI", "Plant DMZ", etc.

› Example 1 – SL-T(BPCS Zone) = { 2 2 0 1 3 1 3 }
› Example 2 – SL-C(SIS Zone) = { 3 3 2 3 0 0 1 }
› Example 3 – SL-C(RA, BPCS HMI) = 4

Note: Example 3 only defines security level 4 for the RA (resource availability) fundamental requirement of the BPCS HMI.
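A small parser for the vector notation of 4.4.3, together with the comparison a practitioner actually needs from it (which fundamental requirements of a domain fall short of the target when an SL-A or SL-C is set against the SL-T), is added here as an example; it is not code from the original paper. It accepts both the full seven-value form and the single-FR form, rejects values outside the 0..4 scale, and the SL-C vector for the BPCS zone used in the stand-alone run is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Fundamental requirements in the order they appear in the vector.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Accepts both forms from 4.4.3:
#   SL-T(BPCS Zone) = { 2 2 0 1 3 1 3 }      full seven-value vector
#   SL-C(RA, BPCS HMI) = 4                   single fundamental requirement
_SL_RE = re.compile(
    r"^\s*(SL-[TAC])\(\s*(?:([A-Z]+)\s*,\s*)?([^)]+?)\s*\)\s*=\s*(\{[^}]*\}|[0-9]+)\s*$"
)


@dataclass
class SecurityLevel:
    sl_type: str              # SL-T, SL-A or SL-C
    domain: str               # zone, conduit, control system or component
    levels: Dict[str, int]    # FR acronym -> level on the 0..4 scale


def _level(token: str) -> int:
    value = int(token)
    if not 0 <= value <= 4:
        raise ValueError(f"security level {value} is outside the 0..4 scale")
    return value


def parse_sl(text: str) -> SecurityLevel:
    """Parse one security level expression; raises ValueError on malformed input."""
    m = _SL_RE.match(text)
    if not m:
        raise ValueError(f"not a security level expression: {text!r}")
    sl_type, fr, domain, value = m.groups()
    if fr is not None:                               # single-FR form
        if fr not in FRS:
            raise ValueError(f"unknown fundamental requirement {fr!r}")
        if value.startswith("{"):
            raise ValueError("single-FR form takes one value, not a vector")
        return SecurityLevel(sl_type, domain, {fr: _level(value)})
    if not value.startswith("{"):
        raise ValueError("full form requires a seven-value vector in braces")
    tokens = value.strip("{}").split()
    if len(tokens) != len(FRS):
        raise ValueError(f"expected {len(FRS)} values, got {len(tokens)}")
    return SecurityLevel(sl_type, domain, dict(zip(FRS, map(_level, tokens))))


def format_sl(sl: SecurityLevel) -> str:
    """Inverse of parse_sl, in the notation of 4.4.3."""
    if len(sl.levels) == 1:
        (fr, level), = sl.levels.items()
        return f"{sl.sl_type}({fr}, {sl.domain}) = {level}"
    vector = " ".join(str(sl.levels[fr]) for fr in FRS)
    return f"{sl.sl_type}({sl.domain}) = {{ {vector} }}"


def shortfalls(target: SecurityLevel, actual: SecurityLevel) -> Dict[str, Tuple[int, int]]:
    """FRs where an SL-A or SL-C is below the SL-T of the same domain, as {FR: (target, actual)}.
    Only FRs present in both expressions are compared."""
    if target.sl_type != "SL-T" or actual.sl_type == "SL-T":
        raise ValueError("compare an SL-T against an SL-A or SL-C")
    if target.domain != actual.domain:
        raise ValueError(f"domains differ: {target.domain!r} vs {actual.domain!r}")
    return {fr: (target.levels[fr], actual.levels[fr])
            for fr in FRS
            if fr in target.levels and fr in actual.levels
            and actual.levels[fr] < target.levels[fr]}


if __name__ == "__main__":
    target = parse_sl("SL-T(BPCS Zone) = { 2 2 0 1 3 1 3 }")       # Example 1 from 4.4.3
    capability = parse_sl("SL-C(BPCS Zone) = { 2 1 1 1 2 1 4 }")   # constructed, not from the paper
    for fr, (want, have) in shortfalls(target, capability).items():
        print(f"{fr}: target {want}, capability {have}")
```

Comparing per fundamental requirement rather than on a single collapsed number is the point of the vector: in the stand-alone run the constructed capability vector exceeds the target on SI and RA but still fails the zone on UC and RDF, which a single "SL 2" label would hide.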
5 GUIDE FOR THE DEFINITION OF SECURITY LEVELS
SR 2.11 - Timestamps
SR 2.12 - Non-repudiation
RE (3) Fault-closing