IEC 62443 is the international reference standard for industrial cybersecurity of components and systems developed in conformity with ISA/IEC requirements.
IEC 62443 family of standards
The most relevant parts of IEC 62443, for the development of secure products throughout the entire lifecycle, and in order to obtain the ISASecure Certification as well, are:
- Part 1-1: introduces the concepts and models used throughout the series. The intended audience includes anyone wishing to become familiar with the fundamental concepts that form the basis for the series.
- Part 2-1: Describes what is required to define and implement an effective industrial automation and control system (IACS) cybersecurity management system. The intended audience includes asset owners who have responsibility for the design and implementation of such a program.
- Part 3-2: Describes the security risk assessment for system design addresses cybersecurity risk assessment and system design for IACS. The outputs of this process is a risk assessment and target security levels. These are documented in the cybersecurity requirements specification. This standard is primarily directed at asset owners and system integrators.
- Part 3-3: Describes the requirements for an IACS based on security level. The principal audience includes product suppliers of IACS products, integration service providers and asset owners.
- Part 4-1: Describes the requirements for a product supplier’s security development lifecycle. It is addressed to product suppliers of IACS systems and IACS components.
- Part 4-2: Describes the requirements for IACS components based on security level. IACS Components include embedded devices, host devices, network devices and software applications. The principal audience includes product suppliers of IACS component products.
IEC 62443 principal roles
As mentioned above, the IEC 62443 standard identifies 3 different stakeholders involved in product security:
- The asset owner is the organization that is accountable and responsible for the IACS. The asset owner is also the operator of the IACS and the equipment under control (EUC).
- Integration service provider is the organization that provides integration activities for an automation solution including design, installation, configuration, testing, commissioning and handover to the asset owner. The integration service provider may also facilitate the risk assessment.
- Product supplier is the organization that manufactures and supports a hardware and/or software product. Products may include IACS systems and IACS components such as embedded devices, host devices, network devices and/or software applications.
There is a fourth remaining role, the maintenance service provider, who provides support activities for an automation solution, even though they don’t actively participate in the ISASecure Certification process.
Edited by BYHON, division of H-ON Consulting, a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.