How PAM Enables IEC 62443 Implementation
The IEC 62443 standard is a sprawling, highly complex collection of cybersecurity standards addressing the unique needs of Industrial Automation and Control Systems (IACSs). It covers the full spectrum of security, from risk analysis through the definition and implementation of security policies for IACSs. As with most security standards, the issues of user access control and identity management are critical to success. In particular, an organization seeking to be certified for complying with the IEC 62443 standard should address the matter of Privileged Access Management (PAM). PAM relates to administrative, or privileged, users who can set up or modify the IACS elements that are being secured through the standard.
What is IEC 62443?
It’s a bit misleading to call IEC 62443 a standard. It’s really a library of rules and connected standards from entities like the American National Standards Institute (ANSI) and the International Standards and Auditing (ISA). IEC 62443 is published by the venerable International Electrotechnical Commission (IEC), which has been promulgating standards for use in electrical and electronics products since 1906. (They literally gave us the Hertz standard!) A number of global Certification Bodies have established IEC 62443 certification programs. Each body defines its own scheme based on referenced standards and procedures.
IEC 62443 us a library of rules and connected standards for security Industrial Automation and Control Systems (IACSs).
The elements of IEC 62443 are intended to be multi-industry in nature, listing cybersecurity protection methods and techniques. There are dozens of sub-rules and components. At a high level, the following are relevant to understanding IEC and access control:
Standards Group | Elements |
Policies and Procedures—associated with IACS security. |
|
System Requirements—addressing requirements at the system level. |
|
Understanding Privileged Access Management (PAM)
One of the best ways to implement IEC standards is to utilize a PAM solution to maintain complete control over access to the most critical data and systems.
Privileged users have the permission (or privilege, you might say) to access the administrative controls of a particular system. They’re also called administrative or “root” users. They may be able to set up, modify, or delete other user accounts. Often, they can access or modify data. In some cases, they can alter system configurations or uninstall the system completely.
Security risks abound with poorly managed privileged users. If a hacker impersonates a privileged user, for example, he or she could wreak havoc on IACSs. To mitigate such risks, PAM solutions establish a secure, streamlined way to authorize and monitor all privileged users.
PAM solutions like WALLIX grant and revoke privileged access right. They can act as an intermediary between privileged users and the systems they manage. This way, the privileged user does not have direct, backend access. With some solutions, like WALLIX, the privileged user does not even know the actual password to the IACS he or she is administering. This reduces the risk of a manual override. In industrial settings, a manual override represents a serious threat.
PAM provides the capabilities organizations need to limit and monitor access to critical systems.
Mapping IEC 62443 to PAM
PAM offers an optimal approach to implementing several elements of IEC 62443. The standards can be a bit overwhelming, so the table lists them and matches them with familiar parts of the NIST Cybersecurity Framework.
PAM’s alignment with IEC 62443 occurs in reference to access controls, which are the subject of NIST PR.AC standards: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Relevant NIST Cybersecurity Framework Part |
Corresponding IEC/ISA 62433 Element | Role of PAM in implementation |
PR.AC-1: Identities and credentials are managed for authorized devices and users | ISA 62443-2-1:2009
4.3.3.5.1 – Access accounts [and] implement authorization policy – “Access privileges implemented for access accounts should be established in accordance with the organization’s authorization security policy (4.3.3.7.1).” |
The PAM solution is able to define and enforce authorization security policy across multiple IACS administrative backends. |
ISA 62443-2-1:2009
4.3.3.7.1 – Define an authorization security policy |
The PAM solution can serve as the repository of authorization security policy as it relates to all IACSs in an industrial facility. | |
ISA 62443-3-3:2013 (Security for industrial automation and control systems Part 3-3: System security requirements and security levels)
SR 1.1 – Human user identification and authentication – “The control system should provide the capability to identify and authenticate all human users. This capability shall enforce such identification and authentication on all interfaces which provide human user access to control system to support segregation of duties and least privilege in accordance with application security policies and procedures.” |
“Least privilege” is a PAM concept. The PAM solution can grant or revoke privileges to specific users, ensuring that each user has “least privilege” according to policy. | |
ISA 62443-3-3:2013
SR 1.3 – Account management – “The control system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts.” |
Under this element, each control system is supposed to support management of all accounts by authorized users and privileged users. This is not practical in an environment with multiple IACSs. PAM can provide a single point of management for all privileged users affecting all IACSs. | |
ISA 62443-3-3:2013
SR 1.4 – Identifier Management – The control system shall provide the capability to support the management of identifiers by user, group, role or control system interface.” |
PAM can manage privileged access according to user, group or role. | |
ISA 62443-3-3:2013
SR 1.5 – Authenticator management – “The control system shall provide the capability to… change/refresh all authenticators; and protect all authenticators from unauthorized disclosure and modification when stored and transmitted.” |
PAM gives IACS admins a single point of control over all authenticators used by privileged users. It can protect authenticators from unauthorized disclosure and modification. | |
ISA 62443-2-1:2009
4.3.3.3.8 – Establish procedures for monitoring and alarming |
Monitoring and alerting are core features of most PAM solutions, allowing admins to be aware of possible violations of privileged account policies. | |
PR.AC-3: Remote access is managed | ISA 62443-2-1:2009
4.3.3.6.6 – Develop a policy for remote login and connections |
Remote access is a risk for privileged accounts. Impersonators of privileged users often try to log in remotely to conduct malicious acts. PAM can mitigate this risk. |
ISA 62443-3-3:2013
SR 1.13 – Access via untrusted networks – “The control system shall provide the capability to monitor and control all methods of access to the control system via untrusted networks.” |
PAM can monitor privileged account sessions, tracking, and recording network access details. | |
ISA 62443-3-3:2013
SR 2.6 – Remote session termination – “The control system shall provide the capability to terminate a remote session either automatically after a configurable time period of inactivity or manually by the user who initiated the session.” |
Many PAM solutions can execute preset workflows based on alerts. For example, if the PAM solution detects unauthorized activity, it can be set to terminate the privileged account session. | |
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties | ISA 62443-2-1:2009
4.3.3.7.3 – Establish appropriate logical and physical permission methods to access IACS devices |
Physical device access is an attack surface for attackers impersonating privileged users. If the attacker can log onto a device locally, he or she can often circumvent privileged account usage policies. PAM reduces this risk by prohibiting the privileged user from knowing the actual physical device password. |
ISA 62443-3-3:2013
SR 2.1 – Authorization enforcement – “On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling the use of the control system to support segregation of duties and least privilege.” |
PAM provides an overall solution for segregation of duties and least privileges, a more efficient and secure approach than trying to make the interface on each IACS perform this task. |
Implement PAM for ICS Security
PAM solutions have the potential to streamline the process of becoming certified on the IEC 62443 standard. This is true in both direct and indirect terms. As the table shows, a number of key IEC 62443 elements relate directly to access control and privileged account protection. Indirectly, a strong PAM solution underscores an organization’s ability to comply with the broader IEC 62443 controls. For instance, with PAM in effect, it becomes easier to keep up with patch management and risk assessment—both areas are dependent on knowing who is doing what. This is what WALLIX is all about.
To learn more about how the WALLIX PAM solution