IEC 62443: Security for industrial automation and control systems

The Plattform Industrie 4.0 describes Industrie 4.0 as “the intelligent networking of machines and processes for industry with the help of information and communication technology”. It enhances digital capabilities throughout the manufacturing processes in global value chains. The more interconnected value chains, factories and consumers are, the greater are the risks posed by cyber threats. This is especially important when Information Technology (IT) and Operational Technology (OT) are integrated. Within this integration of IT and OT, cybersecurity becomes undeniably necessary.

 

In this framework, it is more and more important for manufacturing value chains to develop a fully integrated strategic approach to cyber risks.  In fact, cybersecurity should be an integral component of any new Industrie 4.0 initiative. Internationally harmonised standards are significant means to achieve security along value chains - specifically IEC 62443: Security for industrial automation and control systems.

 

On 14 October, around 65 people attended a technical workshop on the IEC 62443 standard. It was organised by GPQI. The aim was to increase the understanding of the importance of cybersecurity for the industry and of IEC 62443. Dr Kai Wollenweber, Chief Technology Office of Siemens Digital Industries facilitated the workshop. Matthias Gommel, Regional Manager for Technical Regulations and Standardization (Siemens AG), and Ricardo Ibáñez, Product and Solution Security Officer, Siemens Mexico participated as well.  

 

IEC 62443: Cybersecurity as a shared responsibility

IEC 62443 defines requirements and processes for a cyber-secure implementation and maintenance of industrial automation and control systems (IACS). Overall, these standards establish best practices in cybersecurity and provide means to evaluate the level of security performance.

 

One of the core principles of IEC 62443 is the concept of shared responsibility as a critical element of automation cybersecurity. To maintain sustainable and resilient systems, it is crucial to consider not only the technology and processes, but also people. However, as Dr Wollenweber mentioned, there is always a top-down approach from a cybersecurity perspective. First, it is important to define the sensitive information and processes that need to be protected.

 

Based on this, key stakeholder groups must be aligned to ensure the safety, integrity, reliability, and security of control systems. As a result, the standards outline requirements for key stakeholder groups involved in the cybersecurity of control systems.

 

Important stakeholders in IACS are:

1. The product supplier is independent from the IACS. It develops components and provides generic systems and machines. These generic components are often independent
of the final environment in which they are to be used.

 

2. The integration service provider commissions and validates, designs and deploys the automation solution. This consists of different functions,
components and systems. They are integrated by the needs of a so-called:

 

3. The Asset owner It is responsible for the whole IACS, for the operation and routine maintenance according to security policies and procedures.

 

4. The maintenance service provider is responsible for the maintenance of the systems on behalf of the asset owner.

 

IEC 62443 standard provides guidance on several issues. It helps users by defining common terms and models that can be used by all parties responsible for the cybersecurity of
control systems. The standard also helps asset owners determine the level of security required to meet their specific operational needs and risks (IEC 62443-3-2). In this sense, IEC 62443 introduces maturity levels of processes. It also defines risk assessment processes which are essential to protect control systems.

 

This standard establishes a common set of requirements and a cybersecurity lifecycle methodology for product developers (IEC 62443-4-1). This methodology includes a certification mechanism for products and supplier development processes. It ensures that a product or component has a secure lifecycle throughout all phases.

 

Conformity Assessment demonstration

As with any other standard, it is important to establish how to demonstrate conformity. Therefore, IEC 62443-6-2: Security Evaluation Methodology for IEC 62443-4-2 is currently under development. Components and their security requirements shall be developed and supported according to IEC 62443-4-1. The aim is to verify the correct implementation of the IEC 62443-4-2 requirements. The evaluation process includes:

 

1.      Security Context Evaluation

2.     Security Requirement Selection Evaluation

3.     Design Documentation Evaluation

4.     User Documentation Evaluation

5.     Component Requirement Evaluation

6.     Security Testing Evaluation

 

Cybersecurity and cooperation

Ensuring cybersecurity is an increasing concern for industries, where cyberattacks can target IT and OT systems. Currently, connected technologies already support critical business processes. And these processes are likely to increase in the future. As a result, many industries increasingly rely on the IEC 62443 series for cyber protection, risk mitigation and resilience, as well as other standards. For example, ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection, previously discussed. Cybersecurity is an essential part of the development of digitalisation. The way to achieve this is the implementation of quality infrastructure mechanisms in cooperation with  companies, organisations, and the government.

 

If you would like to engage in the German-Mexican Dialogue on Quality Infrastructure, please contact us.