IEC62443

The aim of the standard is to ensure that a product supplier, integrator or asset owner follows an efficient method for a secure process, with a key focus on the safety of personnel and production, the availability, efficiency and quality of production of the IACS, and the safety of the environment.

IACS: Industrial automation and control system

Certification example: The company has successfully demonstrated during an audit process that a Security Development Lifecycle Management System has been implemented and fulfils the applicable requirements of the standard, according to Maturity Level 3: Defined - Practiced.

Products (devices sold and used by themselves) such as switches, firewalls, dedicated controllers, etc. are covered in the “-4” series.

What products are certifiable?

62443-4-1: Secure product development lifecycle requirements

Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.

Certification scenario: Product supplier (manufacturer) has a development process for securely developing and supporting one or more products as required by IEC 62443-4-1:

Foundation in Microsoft Security Development Lifecycle.

ISA Certified organizations

62443-4-2: Technical security requirements for IACS components

Provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA).

Certification scenario: Product supplier (manufacturer) has developed a product and supporting services (e.g. patching) using processes that were performed in accordance with requirements of IEC 62443-4-1. Following is the example:

IEC 62443 requires hardware security for Security Levels 3 and 4.

Certification schemes

The certification scheme is the set of regulations on the basis of which the certificate of conformity with the referred Standards is issued, maintained, suspended or withdrawn.

ISA: International Society of Automation

IECEE: International Electrotechnical Commission

ISASecure scheme

CB Scheme

Programs

| Based On | Classification | Program Name | Applicable to |
| --- | --- | --- | --- |
| IEC 62443-4-1 | Device Process Certification | Security Development Process | OEM New Product Development |
| IEC 62443-4-1, IEC 62443-4-2 | Device and Application Certification | Security Device Certification | OEM Product |
| IEC 62443-4-1 | ISCI SDLA | Security Development Process | OEM New Product Development |
| IEC 62443-4-1, IEC 62443-4-2 | ISCI EDSA | Security Device Certification | OEM Product |

Note: With regard to the IEC 62443 certification scheme (described in Section 4.2), an IEC 62443 certificate issued under the Industrial Cyber Security Program under the IECEE system does not have an expiration date.

Personnel certification

https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-certificate-program-requirements/

https://www.shopexida.com/products/self-paced-cs-201-iec-62443-cybersecurity-software-development

1600 EUR

Certx: a Swiss certification body

Exida: Certification assessment

Infineon: Discrete hardware security chips

Schneider: Certified organisation

Horizon 2020 certMils project: Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats

Papers

CERT-MILS

Designing and Integrating IEC 62443 Compliant Threat Analysis

Chip security:

NIST 800-193

Automotive cybersecurity:

#embedded #cybersec