IEC 62443 is the standard series that applies to all stakeholders involved in protecting Industrial Automation and Control Systems (IACS), offering the most effective cybersecurity solution for Industry 4.0 worldwide. The various parts of IEC 62443 are relevant to asset owners, operators, maintenance service providers, integrators, and product suppliers (developers of control systems and their components).
With increased connectivity of production assets (Industrial IoT devices - IIoT), new hazards emerge that must be treated in traditional risk management processes. An industrial automation control system and component manufacturer shall apply the security requirements under IEC 62443-4-1 and IEC 62443-4-2 from the very first stage of product development.
The IEC 62443-4-1 standard outlines requirements for a secure product development lifecycle, embedding security from the design phase onward. It ensures security is integrated throughout the entire process, from conceptualization and design to implementation, testing, deployment, maintenance, and decommissioning of industrial automation systems.
An IEC 62443-4-1 certificate confirms that a developer has followed a secure-by-design approach and defense-in-depth strategy, covering the full security lifecycle, including patch management.
In industrial control systems, unlike traditional IT's focus on the CIA principles (Confidentiality, Integrity, Availability), the priority is Availability to safeguard Operational Technology (OT). As a result, the protection goals center on physical assets, plant safety, operational continuity, and ensuring time-critical system responses.
Embedded devices: hardware devices that have a specific function within the larger system. In an Industrial Control System (ICS), this category would typically include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Safety Instrumented Systems (SIS), Intelligent Electronic Devices (IEDs), and Distributed Control Systems (DCS).
Network devices: components that deal with data transmission and network communication. They include switches, routers, firewalls, and wireless access points.
Host devices: these are the computers or servers where the industrial software applications run. They serve as the user-facing interface of the systems, and in ICS this may include the Human-Machine Interface (HMI) devices and industrial PCs, operator workstations and Data Historian.
Software applications: this refers to software programs installed on the host devices to exercise control over the processes and manage the system. This can include control software running on the PLCs, SCADA system software, and other specific software applications required for processes within the ICS system.
The purpose of this standard is to define security capabilities that allow a component to address threats at a specified security level (SL) independently, without relying on additional countermeasures.
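| Violation | Means | Resources | Skills | Motivation |
| --- | --- | --- | --- | --- |
| Accidental | - | - | - | - |
| Intentional | Simple | Few | General | Low |
| Intentional | Sophisticated | Moderate | IACS-specific | Moderate |
| Intentional | Sophisticated | Extensive | IACS-specific | High |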
IEC 62443-4-1 concentrates on secure product development and the product lifecycle, while IEC 62443-4-2 emphasizes technical security requirements for IACS components, specifically embedded devices, network devices, host devices, and software applications.
IEC 62443-4-1 utilizes four maturity levels of development processes, whereas IEC 62443-4-2 is structured around four security levels for components.
IEC 62443-4-1 encompasses 47 development process-related requirements distributed across 8 practices, whereas IEC 62443-4-2 addresses 141 foundational requirements depending on the applied security level.
To verify compliance with IEC 62443-4-1, in addition to reviewing documentation, the development processes and associated artifacts must be audited at the manufacturer's site.
Protection against casual or coincidental violation
Protection against intentional violation using simple means with low resources, generic skills and low motivation
Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
When considering the entire concept of IACS, the asset owner's automation demands and the outcomes of the related risk assessment drive the system integrator to specify the appropriate security capability levels for individual components within the automation solution. The integrator defines security zones to effectively segment the system components, allowing for the implementation of targeted security levels within each zone. This ensures that critical processes are adequately protected against specific threats.
QIMA and CCLab are recognized in the IECEE CB Scheme, the world’s largest certification scheme for electrical and electronic products and components. Based on our evaluation results, we can issue CB certificates that are internationally accepted in several countries. Read more about CB Certification here: https://www.cclab.com/service/cybersecurity-certification
CCLab is ready to provide the following services to conform and comply with the desired standards and security levels.
Gap analysis
Consultation and support in preparing for certification
Online and on-site workshops
Documentation review
Secure product development lifecycle requirements audit & certification (62443-4-1)
Technical security requirements for IACS component evaluation & certification (62443-4-2)
Together with other members of QTICS Group, we provide a wider range of compliance services within the Energy & Industry sector.