Due to the evolution of automation and industrial control systems, in terms of digital connectivity, including the use of cloud systems, industrial cybersecurity has become crucial. While digital connectivity allows for the implementation of increasingly cutting-edge systems, as well as the implementation of more advanced services, it also opens the door to operational technology (OT) cyber attacks.
In terms of liability for system integrators, their customers – end users who succumb to a cyber attack on a system with no minimum security capabilities, or on a system not implementing the protection measures expected by the state of the art – could claim damages. This is especially true in the event of a lack of security implementation, incorrect configuration or inadequate documentation while equipping the plant with prevention measures.
The IEC 62443 standard represents the state of the art in industrial cybersecurity. It provides a guideline for the protection of industrial control systems that a manufacturer shall implement, following the life cycle presented by the standard. The system integrator must also comply with IEC 62443 requirements to release an adequately secured automation system to the end user, who will then manage the system according to specific security rules. So, IEC 62443 relies on the work jointly carried out by the three actors – manufacturer, system integrator and end user.
There are several valid reasons why a manufacturer should comply with IEC 62443:
- To include clear cybersecurity performance claims in an offer, where security is a priority.
- To broaden the overall offer relative to competitors.
- Cybersecurity can also be seen as an opportunity, as end users may need to adapt their old systems to the new standards; effective solutions can therefore be proposed to upgrade existing systems.
- Lastly, to meet insurance companies halfway and contain the expected malus (premium surcharge).
The implementation of a cybersecurity program in compliance with the IEC 62443 requirements for manufacturers must cover both the organizational assets related to cybersecurity and business processes; further, this shall consider any technical aspects related to the automation systems, according to the guideline given by the IEC international standard.
Because a cybersecurity implementation usually takes longer to develop than the market is willing to wait for effective cybersecurity solutions, it is recommended to work in stages. The selection of the system integrator is therefore crucial because:
- System integrators allow greater flexibility and less rigid processes, since they are assigned to specific projects and contracts.
- The system integrator, as the last actor in the supply chain, would be the first to be called into question, even while integrating systems and components that are already in compliance with the IEC standard.
It is recommended that a first, basic security goal be established without necessarily applying all of the requirements and solutions demanded by the standard, but by selecting only those minimum requirements applicable to security requests of medium complexity. It is then possible to use minimal solutions that comply with basic technical standards, in order to protect the business of the system integrator while delivering a robust and well-configured solution to the end user, accompanied by the technical documentation needed to demonstrate compliance with IEC 62443.
It will also be possible to integrate the requirements and business processes aimed at raising the general security level and offering solutions compliant with the IEC 62443 standard for a given security level. At this stage, solutions will be more complete and will include the basic automation support systems, which, in turn, allow for better and safer integration with the customer’s OT and security systems.
This article originally appeared on Control Engineering Europe’s website.