What standard applies to industrial control system security?
IEC 62443 is the standard series that applies to all stakeholders involved in protecting Industrial Automation and Control Systems (IACS), offering the most effective cybersecurity solution for Industry 4.0 worldwide.
It addresses technical and process-related aspects of cybersecurity for all stakeholders involved in industrial automation, including asset owners, operators, maintenance service providers, integrators, and product suppliers (developers of control systems and their components).
The standard is designated as “horizontal” by IEC. It provides an achievable model for creating security-focused processes, handling risks and mitigating cybersecurity threats. With the increased connectivity of production assets (Industrial IoT devices, IIoT), new hazards emerge that must be treated in traditional risk management processes. An industrial automation control system and component manufacturer shall apply the security requirements of IEC 62443-4-1 and IEC 62443-4-2 from the very first stage of product development.
What does the ISA/IEC 62443 series of standards include?
The standards are divided into four parts:
GENERAL (62443-1) - Overview of the IEC 62443 security process.
POLICIES AND PROCEDURES (62443-2) - Guidance for creating and maintaining a secure system.
SYSTEM (62443-3) - Includes cybersecurity technologies, risk assessment methods for system design along with the description of system security requirements and security levels.
COMPONENT (62443-4) - Describes the technical functionality levels and development life cycle requirements for IACS components.
IEC 62443 describes 4 levels of security functionality:
SL 1 - Protection against casual or coincidental violation
SL 2 - Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL 3 - Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL 4 - Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
What services does QIMA provide in the field of Industrial Control System Security?
Gap analysis
Consultation and support in preparing for certification
Online and on-site workshops
Documentation review
Secure product development lifecycle requirements audit & certification (62443-4-1)
Technical security requirements for IACS component evaluation & certification (62443-4-2)
Certification services under the CB Scheme
How many levels of security functionality are described in ISA/IEC 62443?
SL 1 - Protection against casual or coincidental violation
SL 2 - Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL 3 - Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL 4 - Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
What organizational roles are responsible for responding to ISA/IEC 62443 requirements?
There are three organizational roles that carry responsibility:
Asset Owner / End-user
- Owns and operates one or more IACS
- Easy to define a target security level
- Offers a frame of reference to evaluate existing security
System Integrator / Implementer
- Builds IACS for the Asset owner
- Clear understanding of security requirements
- Simple to define a system security capability
Product Manufacturer / Supplier
- Designs and creates the components for the System Integrator to build IACS
- Simple to define a product security capability
- Easy to differentiate from competitors
How many chapters does ISA/IEC 62443 have and what are these?
The standard is divided into 4 parts: General, Policies and Procedures, System, and Component, which are denoted by the suffixes 1 to 4.
General (62443-1) - Overview of the ISA/IEC 62443 security process.
Policies and Procedures (62443-2) - Guidance for creating and maintaining a secure system.
System (62443-3) - Includes cybersecurity technologies, risk assessment methods for system design along with the description of system security requirements and security levels.
Component (62443-4) - Describes the technical functionality levels and development life cycle requirements for IACS components.
Which chapters of ISA/IEC 62443 does QIMA have the competence for?
QIMA has expertise primarily in the following parts of the IEC 62443 series:
IEC 62443-4-1: Secure product development lifecycle requirements
IEC 62443-4-2: Technical security requirements for Industrial Automation and Control System (IACS) components
QIMA and CCLab are recognized in the IECEE CB Scheme, the world’s largest certification scheme for electrical and electronic products and components. Based on our evaluation results, we can issue CB certificates that are internationally accepted in several countries.
We are ready to provide the following services to conform and comply with the desired standards and security levels:
Gap analysis
Consultation and support in preparing for certification
Online and on-site workshops
Documentation review
Secure product development lifecycle requirements audit & certification (62443-4-1)
Technical security requirements for IACS component evaluation & certification (62443-4-2)
Certification services under the CB Scheme
For more information visit our cybersecurity certification page.
