Driven by compelling efficiency and productivity benefits, processes in industrial environments are increasingly automated. The convergence between information technology (IT) and operational technology (OT) networks and systems also introduces a range of new vulnerabilities. Ever more aware of these threats, asset owners require a high levels of assurance regarding the cyber security of their Industrial Automation and Control Systems (IACS).
Asset owners can not just take their suppliers’ word for it when it comes to safety assurance; they need a structured approach to assess the level of cyber security of their IACS. That’s why the International Society for Automation (ISA), a non-profit professional association, launched an initiative in 2005 to design a series of cyber security management standards, involving an international community of experts and end-users.
For this purpose, ISA launched ISASecure as a platform with the aim to reduce the time, cost and risk of developing, acquiring and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers and other stakeholders. This resulted in a series of standards, now known as IEC 62443. These have been widely adopted in the sector and are used for globally-acknowledged certification. The IEC 62443 provides a single, harmonized set of standards to meet global and government security requirements. It simplifies procurement specification processes by establishing corporate standards and definitions that all stakeholders can easily understand.
The IEC 62443 standards provide common terminology and define the process of implementing IACS cyber security. They describe how security practitioners, system integrators and control system manufacturers should interact to ensure security and safety – from the level of components, right up to entire facilities. The standards include guidelines for industrial automation security management systems and for the security architecture of the industrial network. They include definitions for security requirements across the complete system and throughout the entire lifecycle of components. Additional standards are still in the works and some are in the process of being approved.
A simplified breakdown of the IEC 62443 standards
The various IEC 62443 standards are targeted at different audiences, ranging from suppliers and vendors to end-users, in this structure:
IEC 62443 1-X: General
This category contains basic information regarding concepts, models and terminology, forming the foundation for the other categories.
IEC 62443 2-X: Policies & Procedures
Aimed at end-users and solution providers, this category covers the different aspects of creating and maintaining an effective cyber security management system (CSMS)
IEC 62443 3-X: System
This describes the technical requirements for system design and provides guiding principles for the secure development and integration of systems. Focusing on the solution providers, the centre of this category is the zone and conduit model.
IEC 62443 4-X: Components
This last category contains all the technical guidelines for the development of products - by manufacturers, for example – for use in an IACS environment. System integrators and end-users can also use these standards, by taking the requirements as a basis for selecting and purchasing safe components for their systems.
The benefits of IEC 62443 certification
Several global certification bodies have established IEC 62443 certification schemes. Each has defined its own scheme based on the IEC standards and procedures defining its test methods, surveillance audit policies and public documentation policies.
With these certifications, organisations can demonstrate that their systems or products have been independently evaluated to ensure that they are free from known vulnerabilities and have robust protection against network attacks. It also means that the security features of certified systems evolve over time. This provides assurance to end-users and confidence that products comply with the highest standards for employee safety. Nevertheless, deployment efficiency is increased by providing security out of the box and reducing the time consumed during the pre-commissioning stages (design, verification, factory and site acceptance testing).
In terms of what products are certifiable, the following categories are to be mentioned:
- Components: Embedded Devices, Network Devices, Host Devices and Software Applications;
- Systems: An industrial Control System (ICS) or a SCADA system available from a single supplier.
Devices (components) currently holding such a certification are:
- Controllers (incl. PLCs and DCS Controllers);
- Safety Related Programmable Electronic Systems;
- Safety Managers;
- Fieldbus Controllers;
- Remote Terminal Units;
- Unit Operations Controllers;
- Wireless Device Managers;
- Safety Control Systems.
Applied Risk is dedicated to ensuring the highest standard of cyber security robustness for industrial devices. As such, we have recently partnered with the ISA Security Compliance Institute (ISCI) to initiate the process to become an accredited ISASecure certification lab. Once complete, this will enable Applied Risk to certify off-the-shelf industrial automation and control devices for Component Security Assurance, System Security Assurance and Secure Development Lifecycle Assurance.
To learn more about our how we can assist your organisation meet the high levels of security robustness the IEC 62443 standards bring, check out the IEC 62443 Conformance Services page on our website.