The aim of the standard is to ensure that a product supplier, integrator or asset owner follows an efficient method for a secure process, with a key focus on the safety of personnel and production, the availability, efficiency and quality of production of the IACS, and the safety of the environment.
IACS: Industrial automation and control system
Certification example: The company has successfully demonstrated during an audit process that a Security Development Lifecycle Management System has been implemented and fulfils the applicable requirements of the standard, according to Maturity Level 3: Defined - Practiced.
Products (devices sold and used by themselves) such as switches, firewalls, dedicated controllers, etc. are covered in the “-4” series.
What products are certifiable?
Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.
Certification scenario: Product supplier (manufacturer) has a development process for securely developing and supporting one or more products as required by IEC 62443-4-1:
Foundation in Microsoft Security Development Lifecycle.
ISA Certified organizations
Provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA).
Certification scenario: Product supplier (manufacturer) has developed a product and supporting services (e.g. patching) using processes that were performed in accordance with requirements of IEC 62443-4-1. Following is the example:
IEC 62443 requires hardware security for Security Levels 3 and 4.
The certification scheme is the set of regulations on the basis of which the certificate of conformity with the referred Standards is issued, maintained, suspended or withdrawn.
ISA: International Society of Automation
IECEE: International Electrotechnical Commission
| Based On | Classification | Program Name | Applicable to |
|---|---|---|---|
| IEC 62443-4-1 | Device Process Certification | Security Development Process | OEM New Product Development |
| IEC 62443-4-1, IEC 62443-4-2 | Device and Application Certification | Security Device Certification | OEM Product |
| IEC 62443-4-1 | ISCI SDLA | Security Development Process | OEM New Product Development |
| IEC 62443-4-1, IEC 62443-4-2 | ISCI EDSA | Security Device Certification | OEM Product |
Note: With regard to the IEC 62443 certification scheme (described in Section 4.2), an IEC 62443 certificate issued under the Industrial Cyber Security Program under the IECEE system does not have an expiration date.
Certx: a Swiss certification body
Exida: Certification assessment
Infineon: Discrete hardware security chips
Schneider: Certified organisation
Horizon 2020 certMils project: Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats
Designing and Integrating IEC 62443 Compliant Threat Analysis