IEC 62443 Standards Series: Airgaps in your OT Network
Introduction
As a manufacturer, moving through the levels of IEC 62443 can be a challenging process, and sooner or later comes the question of airgaps.
Traditionally, OT networks have been isolated from Information Technology (IT) networks and the internet through airgaps, physical separations intended to keep cyber threats out. However, as connectivity increases and the Industrial Internet of Things (IIoT) becomes more prevalent, the practicality and effectiveness of airgaps are being re-evaluated. Here we explore the significance of airgaps in the context of IEC 62443 compliance and the evolving cybersecurity landscape for manufacturers.
Understanding Airgaps
An airgap is a network security measure in which a literal, physical gap ensures that no direct or indirect connection exists between the secured network and any other network, particularly the public internet. This method has been seen as a gold standard for securing OT networks, which are inherently sensitive because they directly control physical processes and systems, and because they rely on older technologies, such as operating systems, with far longer lifecycles than traditional IT infrastructure.
Challenges Posed by Airgaps
While effective in theory, air-gapping has practical limitations and challenges, particularly as manufacturers increasingly integrate OT and IT systems to gain operational efficiencies and data insights:
Maintenance and Updates: Air-gapped systems can be challenging to update and maintain. Patching software requires physical media and manual intervention, increasing the time and resources needed and potentially exposing the system to risk during the update process. A sheep-dip station (a dedicated host that scans removable media before it enters the OT network) can be used, but it is a laborious, time-consuming and expensive approach to updating, and it does not remove the inherent risk of uncontrolled physical media falling into the wrong hands.
Operational Inefficiency: Complete isolation can hinder the ability of manufacturers to monitor and optimize operations remotely or utilize cloud-based analytics, features that are becoming essential in modern industrial environments. Maintaining airgaps can have a real impact on operational efficiencies and financial competitiveness.
Insider Threats: Airgaps do not protect against threats from insiders who have physical access to the networked environments, which can be a significant vulnerability.
Supplier Access: Increasingly, suppliers request or even demand remote access so that they can monitor equipment and perform routine maintenance and repairs remotely; the alternative is on-site support agreements with higher costs and SLAs.
IEC 62443 and Air-Gapping
IEC 62443 recognizes the limitations of air-gapping and advocates a more nuanced approach to network security. The standard emphasizes a multi-layered security strategy known as "defence-in-depth", which involves implementing multiple layers of security controls and procedures. Here's how it impacts manufacturers:
Security Levels: IEC 62443 categorizes security into four levels, from SL 1 (protecting against accidental breaches) to SL 4 (protecting against sophisticated attacks). While airgaps might provide effective security up to a certain level, they are not always sufficient for higher security levels without additional measures.
Zoning and Conduits: The standard encourages the division of network resources into zones with security requirements based on their risk assessment. Conduits control the interactions between these zones. This structured approach helps in managing security in a detailed and organized manner, allowing for some connectivity while still protecting critical systems.
Strategies for Manufacturers
Manufacturers aiming to balance connectivity with security while adhering to IEC 62443 standards might consider the following strategies:
Layered Security: Instead of relying solely on airgaps, implement additional cybersecurity measures such as data diodes, firewalls, intrusion detection systems and strict access controls. Solutions such as TrustedFilter add semantic and syntactic control over all data moving across the network boundary, providing a more robust security posture.
Regular Assessments and Updates: Conducting regular security assessments and ensuring that systems are updated in a controlled manner can mitigate some of the challenges associated with maintaining air-gapped systems.
Segmentation and Monitoring: Network segmentation can serve as a middle ground, allowing some degree of connectivity while isolating the most critical systems. Coupled with continuous monitoring, this can enhance security without fully compromising operational efficiency.
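As an added example (not code from the original article or from TrustedFilter), the zone-and-conduit model from the IEC 62443 section and the segmentation-and-monitoring strategy above can be expressed as a small policy checker: each zone carries a target security level (SL-T), each conduit declares which zone may initiate traffic and with which protocols, a data diode is a conduit with no return path, and observed flows are audited against the design so that anything the design does not explain is surfaced for review. Zone names, SL-T values, protocols and flow records are constructed for illustration, and the "enters a higher SL-T zone" flag is an added heuristic rather than a requirement quoted from the standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int            # IEC 62443 target security level (SL-T), 1..4

@dataclass(frozen=True)
class Conduit:
    src: str                  # zone that initiates traffic over this conduit
    dst: str
    protocols: frozenset      # application protocols the conduit permits
    data_diode: bool = False  # hardware one-way path: no return traffic at all

class ZoneModel:
    """Checks observed flows against the declared zone-and-conduit design."""
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = list(conduits)

    def evaluate(self, src, dst, proto):
        """Return (verdict, reason) for one flow initiated by src towards dst."""
        if src not in self.zones or dst not in self.zones:
            return "deny", "flow touches a zone that is not in the design"
        if src == dst:
            return "allow", "intra-zone traffic"
        forward = [c for c in self.conduits if c.src == src and c.dst == dst]
        if any(proto in c.protocols for c in forward):
            if self.zones[dst].target_sl > self.zones[src].target_sl:
                return "allow", (f"permitted, but enters a higher SL-T zone: "
                                 f"verify conduit meets SL-T {self.zones[dst].target_sl}")
            return "allow", f"conduit {src}->{dst} permits {proto}"
        if forward:
            return "deny", f"conduit {src}->{dst} does not permit {proto}"
        if any(c.data_diode and (c.src, c.dst) == (dst, src) for c in self.conduits):
            return "deny", f"data diode {dst}->{src} has no return path"
        return "deny", f"no conduit declared from {src} to {dst}"

    def audit(self, flows):
        """Return each flow with its verdict; denied rows are what monitoring alerts on."""
        return [(s, d, p) + self.evaluate(s, d, p) for s, d, p in flows]

def example_audit():
    # Constructed design: a diode out of the control zone, a firewall conduit
    # between the DMZ and the enterprise network, nothing else.
    model = ZoneModel(
        [Zone("enterprise", 1), Zone("dmz", 2), Zone("control", 3)],
        [Conduit("control", "dmz", frozenset({"historian-replication"}), data_diode=True),
         Conduit("enterprise", "dmz", frozenset({"https"})),
         Conduit("dmz", "enterprise", frozenset({"https"}))])
    observed = [("control", "dmz", "historian-replication"), ("dmz", "control", "ssh"),
                ("enterprise", "control", "modbus"), ("enterprise", "dmz", "https"),
                ("dmz", "enterprise", "smb")]  # constructed flow records
    return model.audit(observed)
```

Feeding real flow summaries (for example from a segmentation firewall's logs) through `audit` gives a running list of traffic the zone design does not account for.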
While airgaps in OT networks have traditionally been a cornerstone of network security for manufacturers, the evolving digital landscape and the convergence of OT with IT systems demand a more flexible and comprehensive approach to cybersecurity. Compliance with IEC 62443 standards requires manufacturers to adopt a strategic view of their network security, utilising airgaps where appropriate but also integrating additional security measures such as TrustedFilter® to protect against a broader range of cyber threats. In this way, manufacturers can ensure the integrity and resilience of their critical operational systems while positioning themselves for future technological advancements.