
Security series of standards IEC 62443

The international series of standards IEC 62443 “Industrial communication networks - Network and system security” deals with IT security in automation. The topics range from risk analysis and requirements for safe operation through to the secure development of products (security by design). As a result, IEC 62443 currently offers plant operators and device manufacturers the best guidance for implementing security effectively.
It considers five areas: the basic requirements for security, the principle of zones and conduits, the security levels, the security lifecycle and the risk analysis.

An overview of the key parts of the standard:

For component manufacturers:

  • 62443-4-1 development process
  • 62443-4-2 Security functions for the component

For system integrators:

  • 62443-2-4 guidelines and procedures
  • 62443-3-2 Security functions for automation and control systems

For operators:

  • 62443-2-4 guidelines and procedures
  • 62443-2-1 operation and service

62443-3-3 Security functions for the complete automation and control system

 

 

Basic security requirements


The basic security requirements (Foundational requirements) include:

  • Identification and authentication
  • Usage tracking
  • System integrity
  • Confidentiality of data
  • Restricted data flow
  • Timely reaction to events
  • Availability of resources

For each of these basic requirements further system requirements are defined which can be used as a basis for the implementation of security measures.

Security level


Security levels define the level of protection that plant operators or manufacturers want to achieve with their security measures. The basis is a prior risk assessment, which defines what is to be protected and determines the probability of this asset being attacked. The security level (SL) is selected accordingly. SL-2, that is, protection from “intentional violation using simple means with low resources, generic skills and low motivation”, should be seen as a minimum standard today. To maintain this minimum standard, the company needs a specific security maturity level. The best firewall is useless if a company’s employees continue to write their passwords on post-it notes and stick them on their PC screens, or if they do not run updates. The more the company engages with security as a topic, the higher the overall protection will be. An overall security concept is therefore important. The application firewall SecurityBridge can contribute to a high security level as part of an overall concept.

The security levels at a glance:

  • Security Level 1: Protection against casual or coincidental violation
  • Security Level 2: Protection against intentional violation using simple means
  • Security Level 3: Protection against intentional violation using sophisticated means
  • Security Level 4: Protection against intentional violation using sophisticated means with extended resources

Security risk assessment

The security development process is an expansion of the general product development process. One basic aspect of a standard-compliant development process (in accordance with IEC 62443-4-1 – Secure product development lifecycle requirements) is to perform a risk assessment. It reveals the dangers and risks that a product is subjected to from “cyber space” and the measures to take to minimise them.

The security risk assessment should always be performed in the following 6 steps:

  1. Identify assets: What do I want to protect?
  2. Analyse threats: What are the risks to the asset I want to protect?
  3. Determine relevant protection objectives: What objectives do I want to achieve?
  4. Analyse and assess risks: How likely is it that a risk will occur?
  5. Select and implement protective measures: How can I protect against possible risks?
  6. Resilience management: What to do after an attack? How can I anchor security more firmly in the company?

Security lifecycle


Security is a “moving target”: it changes during the lifecycle of a project. Attackers keep developing better methods to overcome defence measures, so defence measures against cyber threats have to be improved continuously. The responsibility for this lies primarily with plant operators. An effective security strategy can increase the service life of a plant. Machine builders and component manufacturers should immediately inform operators about new security problems, and they must provide updates for their devices’ software so that customers can remedy any weaknesses. If system integrators are involved in the process, they act as an intermediary between manufacturer and operator. It is important that everyone involved works in close collaboration throughout the entire product lifecycle. Only then will a high degree of protection be achieved.
