NetFoundry Supports IEC 62443


Strengthening OT Security with IEC 62443 Compliance

Industrial environments face evolving cybersecurity threats, especially with the growing convergence of IT and OT systems. As legacy OT devices connect to the internet, they become increasingly vulnerable to modern attacks. Recognizing this risk, international standards like IEC 62443 have emerged to guide industrial security practices. In this article, we explore how NetFoundry’s Ziti technology aligns with the foundational requirements of IEC 62443, offering a robust solution to secure industrial control systems.

The Threat Landscape

Industrial control systems face a myriad of threats. Because of long equipment life cycles, they often run older technology that cannot react to new and novel threats as quickly as IT assets, and they are targeted by highly skilled, highly funded, and protected nation-state and nation-state-sponsored attackers, particularly in the critical infrastructure space, such as power generation and transmission, water systems, oil and gas production, and others. Even the more common problems that IT deals with on a regular basis can find very fertile ground in the OT space, if they are allowed to reach it, because of the nature of OT computing and information assets.

NetFoundry’s Ziti architecture and technology has an important advantage over the most common Zero Trust networking solutions: the ability to offer multiple solutions across both user-to-service and machine-to-service access.

Note: NetFoundry’s secure networking and connectivity platform is based on NetFoundry’s zero trust architecture called Ziti. The open source version of the platform is part of the OpenZiti project. 

Most Zero Trust offerings come from the IT space, and they are focused on the user to application interface. Ziti operates at the network level, and provides ZTNA for workloads as easily as for users. Providing machine to machine (M2M) security is critical in the ICS/IIoT spaces, as this is the majority of the traffic in automation and control systems. Using strong identity and fine grained access policy allows even highly dynamic systems to communicate securely while preventing unauthorized access by malicious actors whether they are human or software agents.

Governments are Mandating Change

While we have seen big headlines in the last several years, the attack on a water system in Florida, the Colonial Pipeline breach and others, this has been noted for over a decade by the US Government and others. February 12, 2013, an Executive Order was released, along with a Presidential Policy Directive spelling out the policy and direction of the US government for the protection of critical infrastructure. In April 2024, the US National Security Council published the National Security Memorandum on Critical Infrastructure and Resilience; the problems have certainly not gone away.

International organizations outside of governments have been working on these issues for many years as well, seeing the problems in terms of business and safety risks. The most widely adopted standard for ICS cybersecurity and risk management is IEC 62443. The standard covers multiple roles (vendors, integrators, and users) and a wide range of principles, laying the foundation on which to build an ICS cybersecurity program. NetFoundry believes that the Ziti technology we sponsor and use for our business is particularly well suited to the ICS space, offering very advanced processes while operating at the network level, capable of delivering Zero Trust connectivity even to devices that have very limited capabilities to protect themselves.

IEC 62443 Basic Requirements

There are 7 Foundational Requirements in IEC 62443, giving the high level goals of the standard and programs built on it. 

● FR1 – Identification, Authentication Control and Access Control (AC): Identifies and authenticates all users (human, process, and equipment) before allowing access to the IACS.

● FR2 – User Control (UC): Ensures that all identified users (human, process, and device) have privileges to perform the required actions on the system and monitors the use of those privileges.

● FR3 – Data Integrity (DI): Ensures the integrity of equipment and information (protection against unauthorized changes) in communication channels and storage directories.

● FR4 – Data Confidentiality (DC): Ensures that information flowing through communication channels and storage directories is not distributed.

● FR5 – Restrict Data Flow (RDF): Segments the system into zones and conduits to avoid unnecessary data propagation.

● FR6 – Timely Response to Events (TRE): Responds to security breaches with timely reporting and timely decision making.

● FR7 – Resource Availability (RA): Ensures system and asset availability during denial of service attacks.

How Ziti Addresses the Foundational Requirements of IEC 62443

Identity

Ziti has strong identity at its heart, using cryptographically secured X.509 certificates to validate that a system is what it says it is, whether that system is hosting a service or connecting to one. Identity is the first foundational requirement of IEC 62443, and it is also the first requirement of Ziti networks: every node and every link in the Ziti software is positively identified 100% of the time. There are many options to further harden these certificates and their storage, as well as to add verification of the device’s security posture, independent of its identity, before allowing access to information services. As with most things in Ziti, various deployment options can coexist in the same system, so that the default security posture may be used for some assets, while higher-security assets can leverage trusted processing modules, removable hardware keys, and other processes to prevent even compromised devices from being allowed to connect to the network. All of this is done by policy configuration, from a single point of administration.

User Control

Control is managed on a per-identity, per-service basis in Ziti networks. A service can be a subnet, an IP or FQDN, a single port, or even a single process when the software is embedded into your own application via the available SDKs. This allows the network owner to separate roles using common attributes, or individual users or workloads, only allowing those that need to connect to services to do so. By controlling the basic connectivity, Ziti enhances the security of any system. Regardless of the attack surface of an organization or solution, if attackers can’t reach it, they can’t attack it. ICS systems are hardly going to be open to the internet at large, but as we have seen multiple times, breached remote access systems, internal malicious actors, and even attacks into otherwise closed systems delivered via USB or other media often penetrate these networks and may wreak havoc. By controlling access via policy, using APIs to do so programmatically in many cases, even highly dynamic systems can be secured at this very fundamental level, slowing or stopping an infection from spreading.

Data Integrity

Data Integrity is critical to all information systems. It is one side of the cybersecurity CIA triad. Ziti systems start with the strong identity and controls above. These systems protect data from manipulation in transit and positively identify the source, protecting the integrity of the system as a whole. The encryption protocols used at each level, and often layered, provide protection of the actual data in motion as well, protecting from any injection or changes even by extremely sophisticated attackers.

Data Confidentiality

Another side of the CIA triad, Data Confidentiality is critical. All the controls that protect integrity protect confidentiality. If every system is guaranteed to be who they claim to be, that is a big step. Once Ziti is providing connectivity for data in motion, simple and common technical controls, like host based firewalls, simple ACLs on network equipment, etc can be used to prevent any communication not via the Ziti network. This allows even an infected system, say from a USB drive, containing valuable information to be blocked from exfiltrating that data over the network. If the only way out of the system is via the Ziti network, and only services configured in policy are allowed to be reached, an intruder has no place to send the information they have gained access to.

Restriction of Data Flow

Policies are configured in Ziti microsegmented networks (AppNets) that allow identities to host or connect to services. These policies can be as granular as a single identity accessing a single service, from anywhere in the world, or as open as an internal web page that is accessible to all human users. These policies exist in the overlay network, are evaluated at each connection, host or access, and can be modified in real time. Five servers sitting on the same VLAN could be unable to connect to each other, and have five different groups that are allowed to access them, or any combination. The policy expressions allow dynamic environments like container systems to be deployed rapidly, with the identities sharing attributes and therefore capabilities, while retaining the ability to individually identify the process across its entire lifecycle.
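To make the per-identity, per-service model of the User Control section and the attribute-based segmentation described in this section concrete, the following is an added example (not code from NetFoundry or the OpenZiti project): a simplified Python model of role-attribute policies. The `#role` / `@name` selector notation and the Dial/Bind/AnyOf/AllOf vocabulary mirror OpenZiti's conventions, but the evaluation logic, the topology (five PLC servers on one VLAN, five operator groups, one intranet page open to all humans) and all names are constructed here for illustration; edge-router policies, which a real deployment also requires, are deliberately left out.

```python
# Added illustration: a simplified model of role-attribute service policies
# (not OpenZiti's own code). Names, attributes and the topology are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """An identity or a service: a unique name plus a set of role attributes."""
    name: str
    attrs: frozenset


@dataclass(frozen=True)
class Policy:
    """Grants Dial (connect) or Bind (host) rights between identity and service selectors."""
    name: str
    kind: str               # "Dial" or "Bind"
    identity_roles: tuple   # selectors such as "#hmi", "@plc-cell1", "#all"
    service_roles: tuple
    semantic: str = "AnyOf" # "AnyOf" or "AllOf", applied to each selector list


def selector_matches(selector, entity):
    """'#all' matches everything, '#role' matches a role attribute, '@name' one entity."""
    if selector == "#all":
        return True
    if selector.startswith("#"):
        return selector[1:] in entity.attrs
    if selector.startswith("@"):
        return selector[1:] == entity.name
    raise ValueError(f"unknown selector syntax: {selector}")


def selectors_match(selectors, entity, semantic):
    if not selectors:
        return False
    hits = [selector_matches(s, entity) for s in selectors]
    return all(hits) if semantic == "AllOf" else any(hits)


def matching_policies(policies, identity, service, kind):
    """Names of policies of the given kind that cover both the identity and the service."""
    return [p.name for p in policies
            if p.kind == kind
            and selectors_match(p.identity_roles, identity, p.semantic)
            and selectors_match(p.service_roles, service, p.semantic)]


def can_reach(policies, client, service, hosts):
    """A client reaches a service only if a Dial policy covers the client AND a Bind
    policy covers at least one identity hosting it (edge-router policies omitted)."""
    if not matching_policies(policies, client, service, "Dial"):
        return False
    return any(matching_policies(policies, h, service, "Bind") for h in hosts)


# --- constructed topology: five PLCs on one VLAN, five operator groups, one intranet page ---
CELLS = ["cell1", "cell2", "cell3", "cell4", "cell5"]
SERVERS = {c: Entity(f"plc-{c}", frozenset({"plc", c})) for c in CELLS}
SERVICES = {c: Entity(f"modbus-{c}", frozenset({"modbus", c})) for c in CELLS}
OPERATORS = {c: Entity(f"hmi-{c}", frozenset({"hmi", "human", c})) for c in CELLS}
INTRANET = Entity("intranet-web", frozenset({"web"}))
WEB_HOST = Entity("web-01", frozenset({"webserver"}))

POLICIES = []
for c in CELLS:
    # each PLC may host (Bind) only its own cell's Modbus service ...
    POLICIES.append(Policy(f"bind-{c}", "Bind", ("#plc", f"#{c}"), ("#modbus", f"#{c}"), "AllOf"))
    # ... and each operator group may connect (Dial) only to its own cell's service
    POLICIES.append(Policy(f"dial-{c}", "Dial", ("#hmi", f"#{c}"), ("#modbus", f"#{c}"), "AllOf"))
# the intranet page is hosted by one named identity and open to every human user
POLICIES.append(Policy("web-bind", "Bind", ("@web-01",), ("#web",)))
POLICIES.append(Policy("web-dial", "Dial", ("#human",), ("#web",)))


def demo_same_vlan_isolation():
    """The servers share a VLAN, but no Dial policy covers them, so none can reach another."""
    return all(not can_reach(POLICIES, SERVERS[a], SERVICES[b], [SERVERS[b]])
               for a in CELLS for b in CELLS)


def demo_group_scoping():
    """Each operator group reaches exactly its own cell's service and nothing else."""
    return {a: [b for b in CELLS if can_reach(POLICIES, OPERATORS[a], SERVICES[b], [SERVERS[b]])]
            for a in CELLS}


def demo_intranet():
    """The '#human' selector opens the intranet page to every operator identity."""
    return all(can_reach(POLICIES, OPERATORS[c], INTRANET, [WEB_HOST]) for c in CELLS)


def demo_revocation():
    """Dropping the 'hmi' attribute (a real-time policy change) cuts Modbus access at the
    next evaluation, while the identity's remaining 'human' attribute keeps the intranet."""
    op = OPERATORS["cell1"]
    before = can_reach(POLICIES, op, SERVICES["cell1"], [SERVERS["cell1"]])
    stripped = Entity(op.name, op.attrs - {"hmi"})
    after = can_reach(POLICIES, stripped, SERVICES["cell1"], [SERVERS["cell1"]])
    still_web = can_reach(POLICIES, stripped, INTRANET, [WEB_HOST])
    return before, after, still_web


if __name__ == "__main__":
    print("servers isolated from each other:", demo_same_vlan_isolation())
    print("per-group reachability:", demo_group_scoping())
    print("intranet open to all humans:", demo_intranet())
    print("revocation (before, after, intranet kept):", demo_revocation())
```

The point the model makes is that reachability is decided purely by attributes and policy, never by network locality: the five PLCs sit on one VLAN yet cannot dial one another, and changing a single attribute on an identity changes what it can reach on the very next evaluation.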

Timely Response

Flexibility and agility are deeply rooted capabilities of Ziti. As noted previously, the policies that control authorization can be modified in real time with immediate effect. Outside of cybersecurity incidents entirely, the mesh of connectivity in a network instance can be modified dynamically as well. New nodes, such as edge routers, can be added to the mesh to increase capacity or to move away from a connectivity problem. These changes can be accomplished to full effect in a few minutes, and could be done automatically, leveraging the available APIs and integrating with other infrastructure orchestration systems. Also available is a stream of highly detailed events and metrics, exposing the operational state of the network and its usage. These streams can be used for both operational and security responses, monitoring the IP locations of all nodes, noting high error rates or latency, or any of dozens of other indicators across the network, regardless of location, network underlay components, or other infrastructure variables. 

Availability 

Lastly, we come to resource availability. Ziti is built to be highly dynamic. Each service access is routed according to the best route available in terms of latency and other cost attributes. Issues in connectivity are addressed immediately in the creation of new circuits, and failures are rerouted by the network whenever possible to maintain connections even in the case of a node loss. Soon, this will also apply to Network Controllers, with a distributed system providing the ability to add, delete, or migrate controllers while maintaining the full system state. Highly available architectures for services are easily deployed, depending on exact needs. NetFoundry has invested in eBPF technology as well, giving us some very advanced capabilities in terms of availability and resistance to DoS attacks.

NetFoundry Zero Trust: Ideal For IEC 62443 Compliance

NetFoundry, the Ziti platform and OpenZiti open source project are extremely well aligned to the needs of ICS cybersecurity. While we have discussed the foundational principles here, we have looked deeply into the standards within our own teams and with customers and partners providing experts in the space. There are very few specific requirements of IEC 62443 that we cannot assist in meeting; anything to do with data at rest, or those requirements specifically calling out application processes (of the control system) are outside the scope of the solution. Ziti, as part of an integrated system, can assist in meeting the compliance requirements of a wide range of industrial systems. Our team can help in determining specific use cases’ needs and putting together designs to meet those needs. Not only can we meet these kinds of needs today, but building a solution or an entire network infrastructure with Ziti means that you have the ability to move quickly to make changes, adopt new strategies, and be ready for the evolution of systems that is sure to come.
