It happened again in the comments … IEC 62443 covers this topic. Last week I wrote about vendors providing patch compatibility information as a first step down the SBOM path of automating the providing, importing and use of information. Vendors are testing patch compatibility and providing this information to asset owners who are using it. What is lacking is the automation. I then received a well meaning comment, this time from 62443 guru Khalid Ansari, that 62443 covers this topic.
TR-62443-2-3 Clause 6 says: “IACS product suppliers should: … (b) qualify in terms of applicability and compatibility, all patches, by analyzing and verifying the patches, including patches that are released by the supplier of the OS that is used, and all suppliers of third-party software, that may be used by the IACS products;
(c) provide a list of all patches and their approval status, including the information and data in the format described in clause 7 and Annex A;
(d) inform the asset owners, and update the list of patches… periodically…”
IEC 62443 is best described as an attempt to create a comprehensive compendium of conservative consensus on how to secure ICS (or IACS in 62443 speak). A comprehensive compendium because they are trying to briefly cover all aspects of ICS, and IIoT, cybersecurity in the hundreds, or perhaps now thousands, of pages of guidance. When new areas arise, a new document is started.
The process is explicitly called “consensus-based”. The standards and other documents are voted on by members. If the consensus is the earth is flat, then the standard will say the earth is flat. The consensus-based process leans toward the most conservative guidance on an issue. Even when it is wrong or out of date.
My last swing at participating in 62443 was in 2007. Sitting in a working group and suggesting the standard should require secure by default configuration settings. The solution should ship in a secure configuration, telnet turned off, require passwords, etc. By 2007 Microsoft and others had shifted to secure by default configuration. It was necessary to make a dent in improving security posture. The 62443 draft standard did not require this. It only required secure options be available. Security would only exist if the asset owner chose to read and act on security configuration guidance. Do nothing and it would be insecure.
The working group vote wasn’t close. A couple brave, and I’d say forward looking, souls voted with me, but secure by default configuration got about 10% of the vote. The consensus said secure by default couldn’t be in the standard.
Slow. Very slow. And late. The Technical Report on Patch Management in the IACS Environment that Khalid pointed to was issued in June 2015. This is at least 5 years after the process described was implemented by vendors and asset owners who wrote the technical report, and ten years after the early adopters and influencers were recommending this approach.
If you permit an old man story from my days as a teen in the ’70s … middle school and high school assignments included written reports. Most students began their “research” on the topic by looking up the topic and related entries in the encyclopedia. Britannica was the big name, but most teens preferred the World Book because it was easier to read and had more pictures. A trip to the library was usually required as most families didn’t own an encyclopedia set.
The encyclopedia, like IEC 62443, was an attempt to create a comprehensive compendium of conservative consensus. No entry, Brazil, cotton gin, or zebra, was covered in the detail you would find in a book. And the encyclopedias were slow to generate and change. The same set of conservative consensus would sit in a library for ten years or more.
Encyclopedias were better organized and easier accessed that IEC 62443, but both provide credible, widely held for 5+ years information.
ChatGPT and AI
We all have heard about the amazing and far from perfect ChatGPT. The attraction to the concept is you can ask a question and get an answer without having to go through a large amount of information input.
There are many people who are the equivalent of a slower Chat62443. You can ask them an ICS security question, and within an hour they can come back with the place in the IEC 62443 that covers this information and the applicable text. Unfortunately most of us can’t afford to hire our own Chat62443 employee, but this is where the value of the IEC 62443 documents lies.
It is a slog to read through all these documents once, let alone keep that information and document organization in your head so it is useful. Whenever I have a project that requires 62443 “compliance” (don’t get me started on that), I have to build time into the project to get all those interlocking documents straight in my head again.
What would be very helpful is if AI, perhaps different than what is used in ChatGPT because the input is limited and considered authoritative, could provide a means to ask questions and get answers based on the conservative consensus view that 62443 represents.
IEC 62443’s Future
The business model for the IEC 62443 standards is in many ways similar to the encyclopedia business, with the same level of success. You have to pay hundreds of dollars for access to a document, often without certainty the content will be of use. Often with the need to buy another standard or technical report to get what you need.
The result is most people find ways to avoid buying for use, like the encyclopedia’s in a library. They are borrowed, viewed in late draft form found with some searching, or otherwise accessed. I would love to see the sales numbers, and I’m convinced that the volunteer labor to create the documents are the only way they remain available and growing.
I almost never look to the 62443 documents for guidance. Most early adopters won’t as the information is old and conservative. Not on the leading edge where they want to be. The much larger early majority and late majority could make great use of IEC 62443 content. It is an impressive body of work that is vastly underutilized because it is difficult to access, both the documents and knowledge in the documents.
Access to the 62443 documents should be very low cost to encourage use, and this is what most of the volunteers who wrote the documents want. A subscription fee of $10/month for 62443 access (see update at bottom), or similar would be an easy decision for almost anyone with even a thought it could help and the gumption to dive into that large collection of information.
The value of the 62443 documents, their impact on creating a reliable and secure IACS environment in all sectors, globally, would be greatly improved if a Chat62443 could answer questions based on the 62443 conservative consensus body of knowledge.
Update on 18 Jan: Mosab Elamin pointed out in the comments that an ISA membership provides individual online access to the 62443 standards. So I tried it. Joined ISA for $140. Was able to get access to view the 62443 documents via a web viewer. Clumsy interface, but it does allow you to comment, highlight, save for offline viewing through a web browser.
I tried to copy a paragraph, let’s say I wanted to include it in a report or presentation. Didn’t let me. Also stated for individual use only in the terms. Consistent, but not very friendly for use.
On the positive side, if I wanted to see if the document was worth purchasing, I can do that with an ISA membership. If I had a casual one off question, I could do that. If I wanted to use this for a project that would require repeated access. I would go crazy with the interface and need to buy one or more standards.