MACHINE SAFETY
REASONS FOR SYSTEM INTEGRATORS TO COMPLY WITH IEC 62443

Massimiliano Latini explains why system integrators need to ensure that their automation systems are IEC 62443-compliant to adhere to international cybersecurity requirements.

With the evolution of automation and industrial control systems in terms of digital connectivity, including the use of cloud systems, industrial cyber security has become crucial. While digital connectivity allows for the implementation of increasingly cutting-edge systems, as well as more advanced services, it also opens the door to operational technology (OT) cyberattacks.

In terms of liability for system integrators, their customers – end users who succumb to a cyber-attack on a system with no minimum security capabilities, or on a system not implementing the protection measures expected by the state of the art – could claim damages. This is especially true in the event of a lack of security implementation, incorrect configuration or inadequate documentation while equipping the plant with prevention measures.

The IEC 62443 standard represents the state of the art in terms of industrial cyber security. It provides a guideline for the protection of industrial control systems, following the life cycle presented by the standard. The system integrator must also comply with IEC 62443 requirements to release an adequately secured automation system to the end user, who will then manage the system according to specific security rules. So, IEC 62443 relies on the work jointly carried out by the three actors – manufacturer, system integrator and end user.

There are several valid reasons why a manufacturer should comply with IEC 62443:

• To include in an offer clear performance in terms of cyber security, where security represents a priority.
• To expand the whole offer, compared to competitors.
• Cyber security can also be seen as an opportunity, as end users may need to adapt their old systems to the new standards; so, effective solutions can be proposed to better upgrade existing systems.
• Lastly, to meet insurance companies halfway in order to contain the expected malus.

The implementation of a cyber security program in compliance with the IEC 62443 requirements for manufacturers must cover both the organisational assets related to cyber security and business processes; this shall consider any technical aspects related to the automation systems, according to the IEC guideline.

Because a cyber security implementation usually takes longer to develop than the final market is able to wait to implement effective cyber security solutions, it is recommended to work in stages. The selection of the system integrator is therefore crucial because:

• System integrators allow greater flexibility and less rigid processes, since they are assigned to specific projects and contracts.
• The system integrator, as the last actor across the supply chain, would be the first to be called into question, while integrating systems and components which are already in compliance with the IEC standard.

It is recommended that a first basic security goal is established without necessarily applying all of the requirements and solutions required by the standard, but by selecting only those minimum requirements applicable to security requests with medium complexity. Then it is possible to use minimal solutions that comply with basic technical standards, to protect the system integrator, while delivering a robust and well-configured solution for the end user, accompanied by the necessary technical documentation that demonstrates compliance with IEC 62443.

Subsequently, it will be possible to integrate the requirements and business processes aimed at increasing the security level and offering IEC 62443-compliant solutions. At this stage, solutions will be more complete and will include the basic automation support systems, which, in turn, allow for better and safer integration with the customer’s OT and security systems.

Massimiliano Latini is ICS Cyber Security & Special Projects Director at H-ON Consulting.

Control Engineering Europe, September 2020, www.controlengeurope.com