IEC 62443 is the standard for protecting Industrial Automation and Control Systems and the most effective Cybersecurity solution for Industry 4.0.
With increased connectivity of production assets (IIoT), new hazards emerge that must be included in traditional risk management processes.
An industrial automation control system component manufacturer (supplier) shall include the consideration of security requirements under IEC 62443 4-1 in its product development processes.
The IEC 62443 standard Part 4-1 defines a secure development lifecycle to create and maintain secure products used in industrial automation and control systems (IACS). The IEC 62443-4-1 certificate confirms that the developer has implemented a secure-by-design methodology from the first day of product development processes, which includes a complete security lifecycle and patch management.
To make sure that the security requirements relevant to customers are met, these industrial components shall be certified under IEC 62443-4-2. If component suppliers follow the set of guidelines that are defined in the IEC 62443-4-2 subsection, they will equip their customers with the best chance of protecting their networks against cyberattacks.
Although the component suppliers must add certain features and capabilities to their devices for the devices to be suitable for deployment on Industrial IoT networks, conforming to the requirements outlined within IEC 62443-4-2 guarantees secure and resilient components, which are to be procured by 62443 certified and secured IACS organizations.
Accidental
-
-
-
-
Intentional
Simple
Few
General
Low
Intentional
Sophisticated
Moderate
IACS-specific
Moderate
Intentional
Sophisticated
Extensive
IACS-specific
High
IEC 62443-4-1 utilizes four maturity levels, whereas IEC 62443-4-2 is structured around four security levels.
Attaining IEC 62443-4-1 certification is a prerequisite for obtaining certification in IEC 62443-4-2.
IEC 62443-4-1 concentrates on secure product development and the product lifecycle, while IEC 62443-4-2 emphasizes technical security requirements for IACS components, specifically embedded devices, network components, host components, and software applications.
IEC 62443-4-1 encompasses 47 requirements distributed across 8 practices, whereas IEC 62443-4-2 addresses 140 requirements outlined in the standard.
Protection against causal or coincidental violation
Protection against intentional violation using simple means with low resources, generic skills and low motivation
Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
At the commencement of the process, the client needs to specify the desired level of maturity (4-1) or security level (4-2) for the product evaluation. Various documents are also necessary, with some to be provided by the client, others by the laboratory, and only one by the Certification Body (CB). Following this, the client is required to draft a Conformity Statement, detailing how the requirements are met.
After the evaluation, the lab completes theTest Report Form (TRF) using information from the customer. The TRF serves as the outcome of the evaluation and is submitted to the CB. The CB assumes responsibility for issuing the certificate.
CCLab is ready to provide the following services to in order to conform and comply with the desired standards and security levels.
Gap analysis
Consultation and support the preparations for certification
Online and on-site workshops
Documentation review
Secure product development lifecycle requirements audit & certification (62443-4-1)
Technical security requirements for IACS component evaluation & certification (62443-4-2)
Together with other members of QTICS Group, we provide a wider range of compliance services within the Energy & Industry sector.