How to implement Cyber Security acc. to IEC 62443 – Ep.3 – Code Analysis

NOTE: This article is not only for organizations that have already been hacked… The IEC 62443 is a generic standard recognized as applicable across critical sectors such as manufacturing, energy, transportation, healthcare, and many others.

This article is the third episode of a series of 8, covering the main practices to be implemented by any organization aiming to meet the State-of-the-Art in Cyber Security for industrial and automation control systems. Based on a pragmatic approach, this article guides you on how to handle the definition of requirements related to a secure development lifecycle (IEC 62443-4-1) within your current organization processes.

In order to systematically develop secure products, security must be emphasized throughout the whole software lifecycle, so that the result is secure by design. Thus, every phase of a common software lifecycle has to be enhanced with security practices. This leads to a secure development lifecycle as illustrated below (in a simplified overview). In this third episode, we focus on the good practices required to validate software components at an early stage: code analysis and security reviews.

This process is required to ensure that the implementation properly covers the secure design (see Episode 2 of this series for more info about secure design) and its associated security requirements and follows implementation best practices.

The IEC 62443-4-1 describes such practices as follows:

  • “Having this process means that the product supplier conducts a comprehensive set of security reviews of the implementation and its design. Different types of reviews will typically be used to address different objectives. For example, manual reviews are typically conducted against the implementation design to verify that requirements are being met and that the implementation will adequately protect against threats expected to be present. In addition, manual source code reviews may be used to examine source code for adherence to best practices (see 8.4), and automated static source code analysis may be used to identify anomalies, including security vulnerabilities in the code as well as non-conformities with given programming rules.”

As described above, static analysis tools provide critical support in the coding and integration phases of software development. The figure below shows how static and dynamic analysis tools overlay a software development lifecycle. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and reliability issues in software.

As a reminder, the ISA/IEC 62443 standard emphasizes a philosophy of defense in depth (protection via multiple layers of defense leveraging multiple facets of security practice) with a secure-by-design approach. In that context, development tools, automation, and static and dynamic analysis tools play a key part in “security guidelines” and “secure implementation.”


Security Expertise

The standard defines the need for security expertise not only in design and implementation but also in modern tools and techniques, which include static analysis tools. In terms of secure implementation, the standard is very clear on the role static code analysis (SCA) tools play. Section 5.5 (Security expertise) says:

  • “Having this process means that personnel assigned to security-related processes have evidence that shows their relevant qualifications. This includes knowledge not only of security, but also for the use of any security-related standards (for example, coding standards), techniques (for example, best practices), and tools (for example, static analysis tools).”


Third Party Software

Third party software shall also be addressed by similar standards, techniques and tools to ensure that the entire supply chain has the same security concerns. Regarding this topic, the standard states:

  • “This process is required to ensure that supply chain security is addressed for equivalent security practices, latest security updates, security deployment guides and the supplier’s ability to respond if a vulnerability is discovered. […] c) employing compensating mechanisms for known vulnerabilities on COTS or open source components (such as static code analysis).”

In the scope of secure implementation, reviews and inspections are considered critical for reducing bugs and vulnerabilities. For this purpose, the use of static code analysis is promoted for identifying, characterizing and tracking to closure the security-related issues associated with the implementation of the secure design.


Static Code Analysis

Static code analysis (SCA) of source code is used to identify security coding errors such as buffer overflows, null pointer dereferences, and any other violations of the defined coding rules for the supported platform. If available, SCA shall be done using a tool for the language used. In addition, static code analysis shall be done any time the software is changed. The use of such an automated tool is considered a good practice by the IEC 62443-4-1, as are manual reviews examining source code for adherence to best practices.
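As an added illustration (not code from the article or from the standard), the two defect classes named above, a buffer overflow and a null pointer dereference, are shown in the form a static analyser flags them and in the hardened form that passes the check. The tag buffer, the `device` structure and the function names are constructed for this example.

```c
/* Added example: unsafe vs. hardened versions of two typical SCA findings. */
#include <stddef.h>
#include <string.h>

#define TAG_LEN 8   /* constructed fixed-size buffer, e.g. an asset tag */

/* Finding 1, buffer overflow: unbounded copy into a fixed-size buffer.
 * An SCA tool reports strcpy() here because the length of `tag` is unknown. */
int store_tag_unsafe(const char *tag, char out[TAG_LEN]) {
    strcpy(out, tag);            /* flagged: may write past out[TAG_LEN-1] */
    return 0;
}

/* Hardened: validate the input and copy with an explicit bound.
 * Returns 0 on success, -1 if the tag is missing or does not fit. */
int store_tag_checked(const char *tag, char out[TAG_LEN]) {
    if (tag == NULL) return -1;
    /* Look for the terminator within the buffer size only; memchr never
     * reads beyond TAG_LEN bytes, so an unterminated input cannot overrun. */
    const char *end = memchr(tag, '\0', TAG_LEN);
    if (end == NULL) return -1;  /* TAG_LEN or more characters: no room for NUL */
    size_t n = (size_t)(end - tag);
    memcpy(out, tag, n + 1);     /* bounded copy including the terminator */
    return 0;
}

struct device {                  /* constructed record, e.g. one PLC entry */
    const char *name;
    int enabled;
};

/* Finding 2, null pointer dereference: `d` may come from a failed lookup. */
int is_enabled_unsafe(const struct device *d) {
    return d->enabled;           /* flagged: d dereferenced without a NULL check */
}

/* Hardened: a missing device is treated as disabled instead of crashing. */
int is_enabled_checked(const struct device *d) {
    return d != NULL && d->enabled;
}
```

Running the analyser on every change, as the paragraph requires, means the unsafe variants are reported the moment they are introduced rather than found during later testing.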


Conclusion

Without excluding manual methods and reviews, automation plays a key role in successfully following the IEC 62443-4-1 best practices. Test automation that includes static and dynamic analysis increases the scope of error and vulnerability detection while decreasing the overall workload.


Even if 62443 compliance is not an ultimate target, code analysis and general security reviews should be considered among the main activities to be implemented and handled by any organization in order to establish a level of trust in a given development lifecycle.

If you have any questions about code analysis, general security reviews and/or certification criteria, please do not hesitate to contact our cyber security specialist: Kilian Marty