Mapping between NIST FW and IEC 62443 2-1

There are currently many standards and regulations in the industrial sector. A wide variety of them allow industrial organizations to check their level of maturity, such as IEC 62443, or to improve the security level of the organization through the application of a series of guidelines, good practices or guides, as in the case of the NIST Framework.

The application and implementation of the IEC 62443 family, in combination with the NIST Framework, will enable organizations to reduce, mitigate and control the possibility of suffering a cyber-attack by implementing the controls and best practices defined in both standards. 

In the following, both the NIST Framework and IEC 62443, specifically IEC 62443-2-1, are presented, where the requirements for a Safety Management System (SMS) in Industrial Control Systems (ICS) are indicated.

NIST FRAMEWORK

The NIST Framework is a guide developed by the National Institute of Standards and Technology (NIST). This guide is designed to help organizations improve the management of various cybersecurity risks by providing standards, guidelines, and best practices.

This guide has the flexibility to be integrated into any organization and has been adapted to apply to any industry sector. Its main focus is to provide the organization with the ability to identify risks that may affect the business, protect assets, detect and respond to threats and recover from them.

This guide is based primarily on five key functions:

• Identify: seeks an organizational understanding of the management of cybersecurity risks we may encounter in systems, assets, data and capabilities.
• Protect: secures the different services offered.
• Detect: identifies that a cybersecurity event is occurring.
• Respond: react to cybersecurity events that are occurring.
• Recover: maintain resiliency plans and restore any capabilities or services that have been affected by a cybersecurity event.

- NIST Framework. Source -

IEC 62443 2-1

This standard is part of the IEC 62443 family of standards. This standard uses the broad definition and scope of what constitutes an IACS (Industrial Automation and Control Systems) described in IEC 62443-1-1 (document in which the models and concepts are collected base for the understanding of the rest of the documents of the family).

The elements of an ICMS (Industrial Cybersecurity Management System) described in the standard relate primarily to policies, procedures, practices and personnel, and describe what must or should be included in the final ICMS.

This regulation is mainly based on eight key points:

• Organizational security measures.
  • Organization and policies related to security.
  • Safety assessments and reviews.
  • Physical access security.
• Configuration management.
  • Inventory management of IACS hardware and software components and network communications.
• Network and communications security.
  • System segmentation.
  • Secure wireless access.
  • Secure remote access.
• Component safety.
  • Devices and supports.
  • Antimalware protection.
  • Patch management.
• Data protection.
  • Data protection.
• User access control.
  • Identification and authentication.
  • Authorization and access control.
• Event and incident management.
  • Event and incident management.
• System integrity and availability.
  • System availability and expected functionality.
  • Backup/Restore/Archives.

In turn, within each of these points, there are the main control objectives, a description, a justification, and the necessary requirements for its fulfillment.

Points in common between the two regulations

Both standards present a similar scheme, being IEC 62443 2-1 the one that goes deeper into the assets within the analyzed industrial system and offers a definition of levels within it, as well as requirements and different maturity levels according to the level of control compliance.

The common points, at a high level, that can be observed between the two regulations are the following:

• Identification and evaluation of the assets that can be found in our system.
• The search for protection of previously identified assets.
• Detection of potential cybersecurity incidents within the industrial system.
• The response and recovery from incidents encountered and possible incidents that may occur within the system.
• Continuous improvement of the solutions provided to protect the system.

On the other hand, the following table shows a list of the controls between both standards. It should be noted that only the references of the controls have been included and, in some cases, there is no match between the two standards.

- Mapping between NIST FW and IEC 62443 2-1. -

Advantajes of applying both regulations simultaneously

The advantages that can be obtained by unifying both regulations are as follows:

• Highly accurate asset management, both in asset identification and in asset protection and recovery.
• In-depth assessment, thanks to the maturity levels offered by IEC and supported by the assessment offered by NIST.
• Well-defined differentiation between the different parts that make up the industrial system and between the IT and OT world.
• Reinforcement of the safety awareness of the company's employees, from a technical and organizational perspective.
• Reduced applicability times, as well as a broader scope of cybersecurity concepts and terms.

Conclusions

To conclude, this article shows that the union of both standards may be the most correct option, although they can also be applied individually without having a great loss in the scope of both standards, the most important thing for this decision should be the idea of whether or not you want to be certified, since in that case the complete standard should be applied.

In short, depending on the reason for applying both IEC 62443-2-1 and the NIST Framework, mapping can be used between the two standards or each one independently, these being two of the most widely used standards or best practice guides.