
About

Certification: Certified OT Cyber Security Specialist - Professional

CERTIFICATION DESCRIPTION:

The COSS (Certified OT Security Specialist) knowledge-based certificate recognition program is founded on cyber security principles and on internationally recognized security standards such as ISA/IEC 62443, NIST (National Institute of Standards and Technology, USA) publications, and the CCOP (Cybersecurity Code of Practice for Critical Information Infrastructure, Singapore). ISA/IEC 62443 is the world's only consensus-based series of automation cybersecurity standards and forms part of several government cybersecurity strategies. The program covers all stages of the industrial automation and control system (IACS) lifecycle: assessment, design, implementation, operations, and maintenance.

COSS PROFESSIONAL LEVEL EXPECTATION:

To pass the examination, participants are expected to understand the three main areas required for COSS Professional:

Security Standards and Framework

 

The ISA/IEC 62443 series, of which the 62443-3-x parts cover system-level requirements, establishes cybersecurity principles for Industrial Automation and Control Systems (IACS). The series comprises 14 parts, listed below, grouped into four categories: general, policies and procedures (guidelines and processes), system, and component. Understanding the framework allows professionals to specify precise technical security requirements, define clear Security Levels, and address different levels of risk and consequence.

 

Understand the requirements of the ISA/IEC 62443 standards, which include the following parts (part number / title):

General and Concepts

  • 1-1 / Concepts and Models

  • 1-2 / Master Glossary of Terms and Abbreviations

  • 1-3 / System Security Conformance Metrics

  • 1-4 / IACS Security Lifecycle and Use Cases

Guidelines and Processes

  • 2-1 / Security Program requirements for IACS asset owners 

  • 2-2 / IACS Security Protection Ratings

  • 2-3 / Patch management in the IACS environment

  • 2-4 / Security Program requirements for IACS service providers

  • 2-5 / Implementation guidance for IACS asset owners

System Criteria

  • 3-1 / Security Technologies for IACS

  • 3-2 / Security Risk Assessment for System Design

  • 3-3 / System Security Requirements and Security Levels

Component Criteria

  • 4-1 / Product security development life cycle requirements 

  • 4-2 / Technical security requirements for IACS components

 

Understand the frameworks used in other regions, which include:

 

NIST SP 800-82 (Guide to Operational Technology (OT) Security, National Institute of Standards and Technology), which applies the SP 800-53 control catalog to critical infrastructure and covers:

  • OT Cybersecurity Program Development

  • Risk Management for OT Systems

  • OT Cybersecurity Architecture

    • Defense-in-Depth Strategy

    • Layer - Security Management

    • Layer - Physical Security

    • Layer - Network Security

    • Layer - Hardware Security

    • Layer - Software Security

  • Applying the Cybersecurity Framework to OT (NIST CSF 1.1 functions and categories)

    • Identify (ID)

      • Asset Management (ID.AM)

      • Governance (ID.GV)

      • Risk Assessment (ID.RA)

      • Risk Management Strategy (ID.RM)

      • Supply Chain Risk Management (ID.SC)

    • Protect (PR)

      • Identity Management and Access Control (PR.AC)

      • Awareness and Training (PR.AT)

      • Data Security (PR.DS)

      • Information Protection Processes and Procedures (PR.IP)

      • Maintenance (PR.MA)

      • Protective Technology (PR.PT)

      • Media Protection (a PR.PT subcategory)

 

Security Governance Framework, including:

 

GOVERNANCE REQUIREMENTS

  • (Leadership and Oversight, Risk Management, Policies, Standards, Guidelines and Procedures, Security-by-Design, Cybersecurity Design Principles, Change Management, Use of Cloud Computing Systems and Services, Outsourcing and Vendor Management)

 

IDENTIFICATION REQUIREMENTS 

  • (Asset Management)

 

PROTECTION REQUIREMENTS

  • (Access Control, Account Management, Privileged Access Management, Domain Controller, Network Segmentation, Network Security, Remote Connection, Wireless Communication, System Hardening, Patch Management, Portable Computing Devices and Removable Storage Media, Application Security, Database Security, Vulnerability Assessment, Penetration Testing, Adversarial Attack Simulation, Cryptographic Key Management) 

 

DETECTION REQUIREMENTS 

  • (Logging, Monitoring and Detection, Threat Hunting, Cyber Threat Intelligence and Information Sharing)

 

RESPONSE AND RECOVERY REQUIREMENTS 

  • (Incident Management, Crisis Communication Plan, Cybersecurity Exercise) 

 

CYBER RESILIENCY REQUIREMENTS 

  • (Backup and Restoration Plan, Business Continuity Plan and Disaster Recovery Plan)

 

CYBERSECURITY TRAINING & AWARENESS 

  • (Cybersecurity Awareness Programme, Cybersecurity Training and Skills)

 

OTHER OPERATIONAL TECHNOLOGY (OT) SECURITY REQUIREMENTS

  • (Application of this Section, OT Architecture and Security, Secure Coding, Field Controllers)

*Extracted from the Cybersecurity Code of Practice (CCOP) published in July 2022, sections applicable to the OT environment.

 

Security Strategy and Design

Strategic concepts such as:

  • Design and architecture of the OT environment

  • Capability to perform and review risk assessments in the environment

  • The systems' security lifecycle

  • Conducting tabletop exercises

 

Technical Security Capability in OT

Technical concepts such as:

  • Architecture and setup of an OT environment

  • Analysis of industrial protocols such as Modbus and EtherNet/IP (ENIP)

  • Incident response and handling methodologies for OT Environment

  • Techniques for securely collecting information about an ICS (Industrial Control System) environment using both active and passive methods.

  • Identifying weaknesses and susceptibilities in ICS environments.

  • Understanding the methods used by attackers to maliciously disrupt and manipulate processes within ICS systems, and strategies for implementing effective defenses.

  • Handling intricate ICS setups and acquiring the skills to detect and respond to security incidents within these environments.

  • Simple Network Forensic Concepts in OT

  • MITRE ATT&CK for Industrial Control Systems (the ATT&CK for ICS Matrix™)
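To make the protocol-analysis, passive-collection and network-forensics items above concrete, here is an added example (written for this page; it is not COSS course material or any vendor's code): a minimal Modbus/TCP request parser that checks the MBAP header, decodes the function code, and flags write operations coming from hosts that are not on a writer allow-list. The IP addresses, the captured frames and the allow-list are constructed for illustration; a real monitor would feed the same functions from a SPAN port or pcap.

```python
"""Passive Modbus/TCP inspection: parse the MBAP header and PDU of captured
client-to-server requests and flag writes from hosts that should not write.

Added example for this page, not part of the COSS material or any product.
The frames, IP addresses and the writer allow-list below are constructed.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # registered TCP port for Modbus/TCP

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # codes that change process state on the device


@dataclass(frozen=True)
class ModbusADU:
    transaction_id: int
    unit_id: int
    function_code: int  # with the 0x80 exception bit cleared
    address: int        # start address (0 for exception responses / unknown codes)
    value: int          # quantity for reads and multi-writes, output value for
                        # single writes, exception code for exception responses
    is_exception: bool

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"Function 0x{self.function_code:02X}")


def parse_modbus_tcp(payload: bytes) -> ModbusADU:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2, number of
    bytes following the length field) | unit id (1). PDU = function code (1)
    followed by function-specific data. All fields are big-endian.
    """
    if len(payload) < 8:
        raise ValueError("truncated ADU: need MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with payload ({len(payload) - 6})")
    fc = payload[7]
    data = payload[8:]
    if fc & 0x80:  # exception response: original code | 0x80, then one exception byte
        if not data:
            raise ValueError("exception response without exception code")
        return ModbusADU(transaction_id, unit_id, fc & 0x7F, 0, data[0], True)
    if fc in FUNCTION_NAMES:
        if len(data) < 4:
            raise ValueError(f"truncated PDU data for function {fc}")
        address, value = struct.unpack(">HH", data[:4])
        return ModbusADU(transaction_id, unit_id, fc, address, value, False)
    return ModbusADU(transaction_id, unit_id, fc, 0, 0, False)


def inspect_request(src_ip: str, dst_ip: str, dst_port: int, payload: bytes,
                    allowed_writers: set) -> list:
    """Return alert strings for one client-to-server Modbus/TCP request."""
    if dst_port != MODBUS_TCP_PORT:
        return []  # not Modbus/TCP on the standard port; out of scope here
    try:
        adu = parse_modbus_tcp(payload)
    except ValueError as err:
        return [f"MALFORMED {src_ip}->{dst_ip}: {err}"]
    alerts = []
    if adu.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        alerts.append(f"UNAUTHORIZED WRITE {src_ip}->{dst_ip} unit {adu.unit_id}: "
                      f"{adu.name} at address {adu.address} (value 0x{adu.value:04X})")
    if adu.function_code not in FUNCTION_NAMES:
        alerts.append(f"UNEXPECTED FUNCTION {src_ip}->{dst_ip}: {adu.name}")
    return alerts


# Constructed sample of client->server flows: (src, dst, dst_port, TCP payload).
SAMPLE_FLOWS = [
    # HMI polls 10 holding registers from address 0 on unit 1 (benign).
    ("10.0.1.10", "10.0.2.5", 502, bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation writes register 0x0010 := 0x1234 (on the allow-list).
    ("10.0.1.20", "10.0.2.5", 502, bytes.fromhex("0002 0000 0006 01 06 0010 1234")),
    # Unknown host forces coil 1 ON (0xFF00): the alert case.
    ("10.0.3.99", "10.0.2.5", 502, bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),
    # Same host, frame whose MBAP length field is wrong: flagged as malformed.
    ("10.0.3.99", "10.0.2.5", 502, bytes.fromhex("0004 0000 0009 01 03 0000 0001")),
]
ALLOWED_WRITERS = {"10.0.1.20"}  # assumption: only the engineering workstation may write


def analyze(flows=SAMPLE_FLOWS, allowed_writers=ALLOWED_WRITERS) -> list:
    """Run inspect_request over a list of flows and collect all alerts."""
    alerts = []
    for src, dst, port, payload in flows:
        alerts.extend(inspect_request(src, dst, port, payload, allowed_writers))
    return alerts


if __name__ == "__main__":
    for line in analyze():
        print(line)
```

Running the sample produces two alerts: the coil write from 10.0.3.99 and the malformed frame from the same host. The parser only decodes the request direction (address and quantity/value); responses carry a byte count and data instead, so a full forensic tool would pair each response with its request by transaction id.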

 

REQUIREMENTS:

To be eligible for the COSS Professional certification, candidates must meet the following requirements:

  • Have a minimum of three (3) years of direct (or related, such as service-provider) full-time Operational Technology work experience, for example in an OT plant, and at least three (3) years of cyber security experience related to the OT environment. For example, a CISO of an OT plant for 3 years would meet both requirements.

  • If a candidate lacks the required work experience, they are allowed a maximum of five (5) years to acquire it. During this five-year period, the candidate must obtain the necessary experience and submit the required endorsement form for certification. Once the professional experience requirements are fulfilled, the certification will be upgraded to full COSS Associate certification status.

  • Understanding of the ISA/IEC 62443 standards is required.

  • Completing all the basic (1-x) courses and the advanced (2-x) course is recommended but not mandatory.

  • Note that the Associate certificate is required before proceeding to the Professional level.

  • Affirm the accuracy of their claims regarding professional experience and agree to abide by the COSS Code of Ethics.

  • Provide information about their criminal history and related background.

 

Successfully pass the multiple-choice COSS exam, which is a four-hour adaptive exam with up to 100 questions. A scaled score of 400 points or higher out of 500 possible points is required to pass the exam.

GET CERTIFIED

Individuals who successfully finish a specified training program and achieve a passing score on a multiple-choice exam containing 100-125 questions are granted the Certified OT Security Specialist credentials.

WHO SHOULD GET CERTIFIED:

The certification is specifically tailored for various cyber security roles within the ICS environment, including:

  • Cyber Security Specialist working in Plant

  • Cyber Security Compliance Officer

  • CISO managing OT Cyber Security

  • Service Providers for OT Cyber Security Services such as IR (Incident Response), SOC (Security Operations), Security Auditors or Implementing Security Solutions or Practices
