– Originally written by Paul Taylor, Business Development Director, Industrial Services at TÜV SÜD –
The increasing prevalence of cyber-physical systems has a significant impact on industries worldwide. For manufacturers deploying such machines this new connectivity also translates into a shift in the risk landscape, as cyberattacks become more prevalent.
A security breach involving a connected industrial application can put an entire facility at risk and the consequences for operations, people and equipment can be devastating. Against this backdrop, suppliers and system integrators must optimise the cyber resilience of their components and systems by improving their development, integration and support processes.
As cyber security vulnerabilities can appear throughout the component or system lifecycle, it is necessary to plan ahead and implement security from the onset. From specification, to design, production and support, component suppliers must therefore consider how the cyber resilience of a connected device can be optimised for its entire lifespan.
Further down the line, the system integrator must take the possible threats of the automated solution into account. Suppliers and integrators are also required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown.
Furthermore, full transparency from them is necessary for machinery end-users to place trust in the security capabilities of the products and solutions that they offer.
The international standard IEC-62443 ‘Security for Industrial Automation and Control Systems (IACS)’ holds the answer here, as it aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity.
Originally developed for the IACS supply chain, it is a collection of multi-industry standards focused on cybersecurity protection methods and techniques. Consequently, the standard has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across industries. The standard applies to component suppliers, system integrators and asset owners.
Through a set of defined process requirements, IEC-62443 ensures that all applicable industrial security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance and decommissioning.
Also, the standard foresees that processes are established to facilitate all necessary technical security functions. When adapted to the relevant project scope, IEC-62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.
The IEC-62443 standard addresses security processes along the complete supply chain. For example, product suppliers’ certification should be based on IEC-62443-4-1 “Product security development life-cycle requirements”.
This part of the standard applies to the supplier’s overall security programmes, and to the security processes connected to the development of the relevant component and control system.
Corresponding certifications are available to system integrators based on IEC-62443-2-4 “Security program requirements for IACS service providers”. In this case, the compliance of generic processes, as well as the compliance of security processes for a reference architecture or blueprint, can be verified.
During the certification process, the auditor executes a conformity assessment based on document reviews, interviews and on-site audits. When compliance with standard requirements has been confirmed, the certification concludes with the issuance of a report and a certification mark. An annual surveillance audit is required to maintain the validity of this certification.
Beside the generic process aspects during product development and system integration, the IEC-62443 standard also specifies technical security requirements for components and systems. These technical requirements are described in IEC-62443-4-2 and IEC-62443-3-3.
The assessment of both process and technical requirements are the basis for the certification of both components and systems.
By combining the strengths of the physical and virtual worlds, cyber-physical systems offer significant potential. While smart factories will see reduced risk in several areas, such as fewer worker injuries as machines take over hazardous tasks, the increasing number of physical and digital interfaces also introduces new vulnerabilities.
IEC-62443 provides a holistic approach to help mitigate these risks and provides increased assurance to the entire machinery supply chain.