exida ISA/IEC 62443 Cybersecurity Services
 

IACS Cybersecurity.

exida helps mitigate security risks and assists in delivering intrinsically secure products.

  1. exida
  2. Services
  3. IACS Cybersecurity

ISA/IEC-62443/ISA-99 Based Industrial Automated Control System (IACS) Cybersecurity

Industrial Automated Control System (IACS) Cybersecurity has quickly become a serious issue for professionals in the process and critical infrastructure industries.

An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Very few industries are actually regulated, and of those that are, the regulating agencies are demanding compliance to complex and confusing regulations. Those that are not regulated are dealing with a wide variety of vague and sometimes conflicting standards from multiple sources. 

There are well established strategies and techniques that automation professionals can employ to discover and mitigate security vulnerabilities and improve the inherent security of their products and systems. Learning and adopting these strategies will help companies stay ahead of potential vulnerabilities. 

exida is an ISA/IEC-62443/ISA-99 based industrial automated control system (IACS) and SCADA system security consulting and certification firm that focuses on the unique requirements of industrial automation and process control systems.

Speaking from Experience

exida staff has over 30 years of experience in industrial automation and control system safety and/or cybersecurity design, implementation and assessment.  exida has experience in assessing and developing cybersecurity solutions in the Transportation, Oil & Gas, Electric Utility, Chemical, Water & Waste Water and other industries that rely heavily on the use of industrial automation and control systems.

At exida, we are familiar with the Department of Homeland Security (DHS), Transportation Security Administration (TSA), National Institute of Standards and Technology (NIST), and the American Public Transportation Association’s (APTA) guidelines, recommended practices, and standards.

exida has also led and participated in the definition of cybersecurity standards via: ISA 99 committee work – ANSI / ISA / IEC 62443 (formerly ISA 99), APTA recommended practices for passenger rail (Securing Control and Communications Systems in Transit Environments), and ICSJWG sub-group work.

Request a Proposal     7 Steps to ICS Security   

exida is an industrial automation control system (AICS) and SCADA system security consulting and certification firm that focuses on the unique requirements of industrial automation and process control systems.

Services

exida is involved in each step of the cybersecurity lifecycle from Assessment to Design to Operate & Maintain.  We provide a range of ISA/IEC-62443/ISA-99 based services that is customized to your site’s requirements while following the latest cybersecurity standards and guidelines.  Here is a synopsis of what we offer.

1.  Assess

You wouldn’t begin a journey until you know where you are starting from, where you want to go and how you are going to get there.

Planning the journey to secure your control systems is no different. It starts with understanding the risks that control system security (or insecurity) can have on your business. This is known as a risk assessment and it is used to quantify the threats that pose a danger to your business. exida ranks these risks so you know how to prioritize your security dollars and efforts.

exida can assist you with the following critical steps during the assessment phase:

  1. Assess and evaluate (cybersecurity training and awareness) - see course list below
  2. NIST Cybersecurity Framework gap assessment - NIST Interview, Current vs. Target Tier/Profile Analysis, NIST Framework gap report, Recommended future steps
  3. Cybersecurity Project Scope Definition and Setup - Analyze current profile and recommend steps forward, Analyze and/or create architecture drawing(s), Policy/Procedure  development and/or review
  4. Cybersecurity Vulnerability Assessment (CVA) -  Perform Cybersecurity Vulnerability Assessment, Review and evaluate Architecture Drawing(s), Evaluation of existing countermeasures, Network architecture and traffic assessment, Policy/Procedure Review
  5. High Level Cybersecurity Risk Assessment (HLCRA) - Development of High Level cybersecurity risk assessment procedure, Assist with inventory requirements, Criticality Assignments, Assist with Zone & conduit and Dataflow Information, Train staff on risk assessment procedure, Facilitate and Document Risk Assessment, Initial Security Level (SL) assignments, Threat Modeling
  6. Detailed Level Cybersecurity Risk Assessment (DLCRA) -  Development of Detailed Level cybersecurity risk assessment procedure, Assist with inventory requirements, Train staff on risk assessment procedure, Facilitate and Document Risk Assessment, Documentation of assessment results, Security Level-Target (SL-T) assignment confirmation, Threat Modeling
  7. Process Control Network Defense-in-Depth Review - Zone and Conduit Modeling, Zone and Conduit – Review of corporate reference models, Zone and Conduit - High-level diagrams, Zone and Conduit - Detailed design, Zone and Conduit - design reviews, Barrier device training and commissioning

2.  Design

The design phase starts with a structural assessment of your  security system's architecture and configuration. A detailed study together with full, up-to-date documentation will be reviewed to discover potential cybersecurity vulnerabilities.  Together with exida, the target design is compared in detail with your current network architecture. A road map with technical details and execution time schedule are then finalized.

exida conducts the following during the design phase:

  1. Cybersecurity Requirements Specification (CSRS) - Technical writing - Templates, Development of Requirements, Review of Cybersecurity Requirements Specification
  2. Cybersecurity Design Specification (CSDS) - Consultation, Review, Technology Investigation & Recommendation
  3. Defense-in-Depth Analysis -  Analysis of effectiveness of defense layers, Detection-in-Depth Analysis (analysis of effectiveness of monitoring layers)
  4. User account Administration, Access, and Authorization Philosophy  - Policy/Procedure Review, Policies/Procedures Development, ACL Review, Design Reviews
  5. Cybersecurity Factory Acceptance Test (CFAT) - Cybersecurity Factory Acceptance Test plan development, CFAT execution and reporting
  6. Cybersecurity Site Acceptance Test (CSAT) -  Cybersecurity Site Acceptance Test plan development, CSAT Execution and reporting

3.  Operate & Maintain

Even after your solution is put into place, exida assists you with the processes required to keep your process safe, secure, and reliable.

exida can assist you with the following during the operate & maintain phase:

  1. Cybersecurity Monitoring & Maintenance - Develop logging requirements, Assess monitoring methods, Assess Countermeasures, Assess Security Levels (SL) to requirements
  2. Modifications or Decommissioning of ICS - Impact Analysis Review
  3. Cybersecurity Vulnerability Assessment (CVA)  -  Perform Cybersecurity Vulnerability Assessment, Review and evaluate Architecture Drawing(s), Evaluation of existing countermeasures, Network architecture and traffic assessment, Policy/Procedure Review

Request a Proposal     7 Steps to ICS and SCADA System Security   

Case Study

Regional Wastewater Treatment Facility Secures Network PLCs with Belden-exida Solution and Hands-on Training.

Learn More   

exSILentia Cyber - Industrial Control System Cybersecurity Risk Assessment Tool

exSILentia Cyber helps to streamline communication across an organization and between different departments when performing cyber risk assessments. It provides a standardize approach across all disciplines while aligning cyber security activities with overall corporate risk criteria.

Learn More    

"We’re proud to be at the forefront of industrial control system cyber security for our industry and region, and with the training we received, we’re confident in our ability to maintain, troubleshoot and expand our Tofino system in the future,”

plant electronics technician - the city’s Department of Water Resources.

IACS Cybersecurity Courses

We offer a range of IACS Cybersecurity training courses for today's industry professional, from basic to advanced concepts. We also offer customized training options available upon request.

Students benefit from exida's in-depth knowledge and expertise , enabling them to fully understand cybersecurity and implement procedures in their organizations to ensure that they are not vulnerable to cyberattacks.

CS 001 - IEC 62443 for Product Marketing, Sales and Senior Leadership Training

This short course provides an overview of the IEC 62443 series of standards including the information that product marketing, sales, and senior leadership needs to know about these standards. In addition, the course talks about marketing strategies for getting out the word to your customers that your products or processes have been certified to this standard.

More Info    

CS 002 - Introduction to Automation Cybersecurity for Asset Owners

This short course (2 hours) provides an overview of industrial control system (ICS) cybersecurity for asset owners/operators and system integrators including an overview of the current cybersecurity environment, cybersecurity hygiene, and the ISA/IEC 62443 series of standards including the cybersecurity lifecycle.

More Info    

CS 100 - IEC 62443: Automation Cybersecurity Analysis, Design, and Operation

This course provides an overview of the automation cybersecurity lifecycle. The course reviews cybersecurity risk assessment, developing zones and conduits, cybersecurity requirement specification (CSRS), designing secure systems, Security Level Determination and Verification, detailed design considerations, and operations requirements. Detailed workshop problems are used to provide students with practical cybersecurity experience.

More Info    

CS 104 Cybersecurity Fundamentals for Integrators and Solution Providers

This course introduces fundamental cybersecurity concepts that are important for system integrators and maintenance providers. This course is targeted for those who have little or no cybersecurity experience.

More Info    

CS 121 - Introduction to Industrial Networking

Ethernet has become the predominant technology as the fieldbus for modern process and control networks. While this technology brings many advantages, it also brings with it many disadvantages. Among them is that Ethernet is mostly a unfamiliar technology for many Process and Control technicians and engineers. This 1-day course covers the basics of Ethernet Industrial Control Networks found in most process and control environments. We will cover foundation knowledge of Ethernet networks, communications, discuss different network devices and their functions and use, discuss and review a sampling of Industrial protocols. Labs are included to reinforce the knowledge.

More Info    

CS 201 - IEC 62443 Security Software Development

The IEC 62443 Security Software Development training course and workshop was created specifically for developers of industrial control system products with a particular focus on network-enabled embedded control system products such as PLCs, DCSs, SISs, RTUs, VFDs, etc. The objective of this course is to train R&D teams, through a combination of lecture and workshop, on how to properly and effectively integrate software security assurance practices and techniques into their existing software development lifecycle. The training covers all phases of IEC 62443-4-1 (Product Development Lifecycle Requirements) as well as IEC 62443-4-2 (Technical Security Requirements for IACS components.)

More Info    

CS 202:  IIoT Device Certification

CS 202 was created specifically for developers of Industrial Internet of Things (IIoT) products with a particular focus on IIoT Gateways and general IIoT devices. The objective of this course is to train R&D teams through a combination of lecture and workshop, on how to properly and effectively integrate software security assurance practices ,and techniques into their existing software development lifecycle. The training covers all phases of IEC 62443-4-1 (Product Development Lifecycle Requirements) as well as IEC 62443-4-2 (Technical Security Requirements for IACS components.) It Includes additional requirements for IIoT components from the ISA Security Institute’s ICSA (IIoT Component Security Assurance Certification) and discussions on how NISTIR 8259A and 8259B relate to the ICSA certification.

More Info    

CS 203 - Cybersecurity for Industrial Automation Control Systems (IACS) for Employees & Contractors

This course addresses the quality and understanding employees and contractors need to have on the topic of cybersecurity for the IEC 62443 IACS space. The access granted to IACS networks is often the same for employees and contractors. The seriousness of access must be established with a joint work process similar to a Job Safety Assessment. The Job Cyber Assessment is a work process to protect both client and contractor from inadvertent impact on the given IACS cyber protective system The ability to access the client’s network without an impact on the IACS cyber protective systems whilst leveraging the tools on site requires a clear understanding of the following.

More Info    

CS 204 - IEC62443 Cybersecurity for Integrators and Solution Providers

This course addresses solution providers acting in roles of integrators and on-going support of industrial automated control systems, and how they interact with owner / operators as part of the overall supply chain throughout the owner / operator's lifecycle. The maturity model is introduced as a means of measuring the quality of an integrators cybersecurity management system versus the requirements of IEC 62443-2-4, which is largely the basis for this course. Some coverage of IEC 62443-2-1 is also provided as a means to show the interface between owner / operators and the integrator.

More Info    

CS 241 - Cybersecurity Risk Assessment using exSILentia Cyber

This course provides the methodology to systematically review zones of to the degree required by their associated cybersecurity risk. This course also covers the review of key parameters for determining cybersecurity risk and evaluating the effectiveness of countermeasures and other means of improving security. It will show the impact of these parameters on the overall likelihood of a successful attack for a zone under review.

More Info