Monitoring data center and distributed IT physical infrastructure systems with management software (e.g., DCIM, BMS, EPMS) means connecting power, cooling, environmental and security monitoring devices to IP networks. These connections provide you with remote visibility and device control. Connecting to and using management software will improve the availability, resiliency, and the efficient use of your physical infrastructure systems and the IT workloads they support.
However, these management networks often extend to remote servers, corporate IT systems, mobile devices, and third-party cloud services. These connections offer potential avenues of attack for hackers. Mitigating these cybersecurity risks requires continuous action from both vendors and those involved in the design, installation, operation, and maintenance of the data center.
Recently, I co-authored a white paper with Schneider Electric Cybersecurity Advisor, Katie Hargraves, titled, “Cybersecurity Guidance for Data Center Power and Cooling Infrastructure Systems”. In the paper, we lay out a comprehensive framework detailing user best practices for each phase of the lifecycle of the site. We identified the crucial first step: evaluate the vendor and their products.
Device manufacturers play a critical role in your cybersecurity strategy
The degree to which a vendor prioritizes security in the design, development, and support of their network connected IoT products should be a key decision factor in which solutions you choose. Always choose to work with security-conscious vendors who are proactive, open, and transparent.
But short of directly interviewing vendors with your “hype detector” set at max power and doing the testing yourself, how do you really know how security conscious your vendors are and whether their products are well designed from a security perspective? The easiest way to validate is to confirm their products are IEC 62443 certified for the parts of the standard relevant to vendors/suppliers. Without this certification, data center and distributed IT operators are forced to spend a lot of time and effort trying to determine and validate conformance to whatever requirements exist. With the certification in hand, operators can avoid all this extra work. Note that Schneider Electric recently announced that its Network Management Card 3 platform, used to connect UPSs, cooling units, rack PDUs, and other infrastructure devices to management networks, has received IEC 62443-4-2 certification from TÜV Rheinland, one of the world’s largest and leading testing service providers.
The International Electrotechnical Commission (IEC) 62443 series of standards addresses the cybersecurity of “industrial automation and control systems (IACS)”. Although initially developed for IACS, it’s being applied to other types of systems including network-connected power, cooling, and their monitoring systems for IT equipment. Sometimes you will see this listed as “ISA/IEC 62443” or “ISA 62443”. ISA refers to the International Society of Automation. ISA developed the standard within its ISA99 committee, then the IEC adopted it to make it an official IEC standard.
Verifying vendor use of and compliance with the framework
IEC 62443 certification is important in ensuring cybersecurity by providing a structured framework for assessing and enhancing the security of these infrastructure systems. Certification verifies that the vendor uses and complies with the framework and all its defined requirements.
Although this comprehensive series of standards has been around for several years, adoption through certification has been rare for manufacturers of UPSs, data center cooling units, power distribution units, etc., and their software management systems. This is likely because it takes a lot of time and effort to obtain the certification and vendors aren’t yet required to do so by governments. As a result, some vendors have tried to cut corners and use vague language, such as “our products meet requirements” or “are designed to the IEC standard”, perhaps to fool buyers into thinking they are fully compliant and certified. This, of course, is not the same as being officially certified by a third-party independent lab. So, buyer beware.
Overview of the IEC 62443 series of standards
This IEC blog post does a nice job of providing an overview of the IEC 62443 series of standards, so I will summarize the relevant points here: IEC 62443 addresses not only the technology that comprises a physical infrastructure device or system, but also the work processes, countermeasures, and even the employees themselves who are involved in the development. The series takes a comprehensive approach because not all risks are technology-based: e.g., the staff responsible for developing or operating infrastructure devices like a UPS or cooling unit must have the required training, knowledge, and skills to ensure security.
The series is made up of four parts:
- IEC 62443-1: Covers terminology, concepts, models, policies, and procedures that apply to the entire series of standards.
- IEC 62443-2: Covers the methods and processes associated with IACS security, including patch management and security program requirements for service providers/vendors who are developing and supporting the network-connected devices.
- IEC 62443-3: Covers all the requirements at the system level, including the technologies used by the network, risk assessment for the design of the system, as well as security requirements and levels for the system.
- IEC 62443-4: Covers security requirements at the product level including the product development cycle (i.e., secure development lifecycle), requirements for components used in the products, and a security conformity assessment. This assessment verifies that standards are properly applied in real-world technical systems.
How certification helps ensure vendor products are secure
IEC 62443 certification ensures that vendor products meet specific security requirements. As said above, independent, third-party verification of compliance means the vendor actually uses and complies with the framework and all its defined requirements. The following items describe what the certification covers:
Standardized Security Requirements
IEC 62443 defines a set of standardized security requirements and guidelines tailored for industrial control systems. These requirements cover various aspects of cybersecurity, including access control, network security, incident response, and more. Vendors seeking certification must demonstrate compliance with these requirements.
The IEC 62443 certification process involves a thorough risk assessment of the vendor’s product. This assessment helps identify potential vulnerabilities and threats that could impact the security of the product when deployed in an industrial setting.
Vendor products undergo rigorous security testing to evaluate their resistance to common cyberattacks and vulnerabilities. This may include penetration testing, vulnerability scanning, and other security assessments to ensure that the product can withstand various attack scenarios.
Secure Development Practices
The certification process evaluates whether the vendor follows secure development practices during the product’s design and development phases. This includes aspects like secure coding, security design reviews, and vulnerability management.
Secure Deployment and Configuration
IEC 62443 certification also looks at how the vendor’s product can be securely deployed and configured within an industrial environment. This ensures that end-users can implement the product in a way that minimizes security risks.
Documentation and Compliance
Vendors are required to provide comprehensive documentation outlining the security features and capabilities of their products. This documentation helps end-users understand how to use the product securely and comply with IEC 62443 standards.
IEC 62443 certification is not a one-time process. Vendors are typically required to demonstrate an ongoing commitment to security by continuously monitoring and improving their products’ security post-certification. And the vendor must continue to go through a re-certification process as new products emerge, which requires a significant investment by the vendor in terms of time, effort, and actual R&D spend.
Certification is often performed by independent third-party organizations or laboratories, which adds credibility to the security claims made by vendors. These independent assessments help ensure the security measures implemented are objective and effective.
Compliance with Industry Best Practices
IEC 62443 aligns with international best practices for industrial control system security, making it a recognized and respected framework in the industrial, IoT, and IT physical infrastructure cybersecurity community.
Certification provides cybersecurity peace of mind
In summary, IEC 62443 certification ensures that vendor products designed for data center and distributed IT environments meet a set of well-defined security requirements and undergo thorough testing and assessment. This helps reduce cybersecurity risks in critical infrastructure and industrial systems, providing confidence to end-users that the products they use are secure and reliable. Choosing products with the certification should dramatically reduce your security validation and compliance efforts while giving you peace of mind.