How IEC 62443 standard makes IoT-based electrical systems cyber-secure
Source: Prasanth Aby Thomas, Consultant Editor
A key element of smart building management and smart cities is ensuring efficient operation of electrical power distribution systems. As infrastructure management systems continue to become more and more digitized integrating several different disparate solutions using the Internet of Things (IoT) technology, leveraging the power of intelligent devices in electrical systems is seen as an effective option. Circuit breakers and meters are no longer the simple devices sitting on the wall, but smart machines connected to take advantage of analytic data.
“Whether hosted in the cloud or onsite at the ‘edge’ of a power distribution system, IoT-enabled applications are helping facility and finance teams reach deeper into their electrical systems to gain the insights needed to achieve a new range of operational benefits,” says Adam Gauci, who handles product management for cyber security for critical infrastructure solutions at Schneider Electric, in a blog post.
These benefits include better safety, better performance, better asset performance, and a simpler path to meeting emission mandates. In short, digitization is a crucial step in improving electrical systems. The downside is that organizations then have to deal with the continuous threat of cyberattacks.
How to handle cybersecurity in power systems
Gauci points out that protecting an electric power distribution system from hackers might sound like a herculean task, especially when facility teams are not as knowledgeable about cybersecurity as IT teams are. The good news is that IEC 62443 makes this a whole lot easier.
IT and OT should work together
Tackling cybersecurity concerns requires the combined efforts of IT and OT divisions, but this does not mean their priorities are the same. IT teams prioritize the security of the data, while OT teams focus on the reliability, efficiency, and safety of operations.
“The IEC 62443 standard offers IT and OT teams a bridge for cooperation, helping both teams understand the cybersecurity requirements for the electrical system,” Gauci notes. “It also provides a framework that makes it simpler to ensure the appropriate level of security while providing consistency of specification.”
One of the primary objectives of IEC 62443 is to help organizations with risk assessment by identifying potential vulnerabilities. This process assigns values to the vulnerabilities, the threats, their likelihood, the assets affected, and the consequences.
“The next step is determining risk tolerance,” Gauci says. “This will depend on how risk-averse an organization is and will help in analyzing its level of response to risks.”
Prioritizing the “seven pillars”
The IEC 62443 standard gives teams seven factors, known as pillars (the foundational requirements), and for each of them a security level has to be chosen. These pillars are access control, use control, data integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. There are four levels to choose from, with the highest offering the strongest protection.
“For example, if the organization is only concerned with protecting against casual violations made by a careless employee or contractor, level SL1 [security level] should be adequate,” Gauci writes. “But to protect against hackers, terrorists, or competitors, a minimum of level SL3 is required. Security levels define extensive cybersecurity functions needed from the device level to throughout the entire electrical system level. Typically, a single security level will be applied consistently across all seven of the foundational requirements.”
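To make the per-pillar security levels concrete, here is a small added illustration (not code from the article, from Schneider Electric, or from the standard). It models a security level chosen for each of the seven foundational requirements as a vector, builds the uniform case the quote describes (one level applied to all seven), and checks a zone's target vector against what its devices can deliver, pillar by pillar, on a weakest-link basis. The zone, device names and capability values are constructed for the example.

```python
"""IEC 62443 security-level gap check (added example, not the article's code).

Two ideas from the text are modelled: a security level (SL 1..4, with 0 for
"no specific requirement") is chosen for each of the seven foundational
requirements, and the level a zone needs (its target vector) is compared
with the level its installed devices can provide. All zone, device and level
values below are constructed for illustration.
"""
from __future__ import annotations

# The seven foundational requirements named in the article, keyed by the
# abbreviations IEC 62443-3-3 uses for them.
FOUNDATIONAL_REQUIREMENTS: dict[str, str] = {
    "IAC": "identification and authentication (access) control",
    "UC": "use control",
    "SI": "system (data) integrity",
    "DC": "data confidentiality",
    "RDF": "restricted data flow",
    "TRE": "timely response to events",
    "RA": "resource availability",
}

SL_MIN, SL_MAX = 0, 4  # SL 0 = no specific requirement, SL 4 = strongest

SLVector = dict[str, int]


def validate_vector(vec: SLVector) -> None:
    """Reject vectors that miss a foundational requirement or use a level outside 0..4."""
    missing = set(FOUNDATIONAL_REQUIREMENTS) - set(vec)
    if missing:
        raise ValueError(f"missing foundational requirements: {sorted(missing)}")
    bad = {fr: lvl for fr, lvl in vec.items() if not SL_MIN <= lvl <= SL_MAX}
    if bad:
        raise ValueError(f"security level out of range: {bad}")


def uniform_target(level: int) -> SLVector:
    """The common case the article describes: one SL applied to all seven pillars."""
    vec = {fr: level for fr in FOUNDATIONAL_REQUIREMENTS}
    validate_vector(vec)
    return vec


def gap_analysis(target: SLVector, capability: SLVector) -> dict[str, int]:
    """Return each pillar where capability falls below target, with the shortfall.

    The comparison is pillar by pillar: being strong on confidentiality does
    not compensate for being weak on resource availability.
    """
    validate_vector(target)
    validate_vector(capability)
    return {
        fr: target[fr] - capability[fr]
        for fr in FOUNDATIONAL_REQUIREMENTS
        if capability[fr] < target[fr]
    }


def zone_capability(devices: dict[str, SLVector]) -> SLVector:
    """Weakest-link view of a zone: per pillar, the lowest level among its devices."""
    if not devices:
        raise ValueError("a zone needs at least one device to assess")
    for vec in devices.values():
        validate_vector(vec)
    return {
        fr: min(vec[fr] for vec in devices.values())
        for fr in FOUNDATIONAL_REQUIREMENTS
    }


def assess_zone(target: SLVector, devices: dict[str, SLVector]) -> dict[str, int]:
    """Gap between a zone's target vector and its weakest-link capability."""
    return gap_analysis(target, zone_capability(devices))


# Constructed sample: a distribution zone that must resist deliberate
# attackers, so (per the article) the target is at least SL 3 throughout.
TARGET_SL3 = uniform_target(3)

SAMPLE_DEVICES: dict[str, SLVector] = {
    # constructed capability claims, not any vendor's real figures
    "smart_breaker": {"IAC": 3, "UC": 3, "SI": 3, "DC": 3, "RDF": 3, "TRE": 3, "RA": 3},
    "legacy_meter":  {"IAC": 3, "UC": 3, "SI": 3, "DC": 2, "RDF": 3, "TRE": 2, "RA": 3},
}

if __name__ == "__main__":
    gaps = assess_zone(TARGET_SL3, SAMPLE_DEVICES)
    if not gaps:
        print("zone meets its target on every foundational requirement")
    for fr, shortfall in gaps.items():
        print(f"{fr} ({FOUNDATIONAL_REQUIREMENTS[fr]}): short by {shortfall} level(s)")
```

Run as a script, the sample reports that the legacy meter drags the zone below its SL 3 target on data confidentiality and timely response to events, which is exactly the kind of finding the risk assessment and risk-tolerance steps above are meant to surface before a device is accepted into a zone.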