REGULATIONS


MACHINERY UPDATE, Regulations, SEPTEMBER/OCTOBER 2022, www.machineryupdate.co.uk

Industrial security is becoming standard…

Paul Laidler, Business Director for Machinery Safety at TÜV SÜD Product Service

Joe Lomako, IoT Business Development Manager

The implementation of internal procedures to address the security of systems used in industrial operations often lags behind other cybersecurity efforts, so a different approach is required

Today’s smart factories are actively leveraging the potential of interconnected systems to streamline production, increase output and reduce waste, while also increasing production flexibility.

However, the growing dependence on interconnected technologies in the industrial environment increases our vulnerability to cyber threats. From the theft of proprietary technical knowledge to threats of plant shutdowns and even damage and destruction of critical industrial assets, the risk of cyberattacks on industrial operations represents a genuine concern that can impose significant financial costs and even put lives in danger. Therefore, taking action to strengthen industrial cybersecurity is more important than ever.

While efforts to address cyber threats targeting ICT systems are generally well-established in many organisations, the issue of managing threats targeting operational technology has only recently become a priority. As a result, the implementation of internal policies and procedures for addressing the security of technologies and systems used in industrial operations often lags behind an organisation’s other cybersecurity efforts.

A different approach is required to address cybersecurity requirements specific to an industrial automation and control system (IACS). IEC 62443 – ‘Industrial Communication Networks – Network and System Security’ is a series of internationally accepted standards, technical reports and technical specifications that provides a systematic approach for assessing and mitigating current and future cybersecurity risks for an IACS.

Based in part on the principles found in a number of different national cybersecurity standards, the IEC 62443 series provides a clear yet flexible framework that is equally applicable in discrete and process-oriented manufacturing environments in a diverse range of industries.

14 SEPARATE PARTS

Including 14 separate parts, the IEC 62443 series details the specific cybersecurity responsibilities of individual participants (‘roles’) that are involved in the development, deployment, use or maintenance of industrial control systems and components. These roles include:

• Asset owner – individual or organisation responsible for one or more IACS
• Product supplier – manufacturer or developer of hardware or software components integrated into an IACS
• Service provider – individual or organisation that provides support services or supplies to the asset owner for an industrial control system or component. This includes integration and maintenance services.

The specific requirements presented in the IEC 62443 series also give equal weight to the contributions of people, processes and technology in ensuring cybersecurity in an industrial environment.

Six out of the 14 separate documents in the IEC 62443 series represent a good starting point for industrial organisations seeking to secure their IACS from cyber threats:

1. IEC 62443-2-1 – specifies requirements for asset owners of IACS. The security program must define security capabilities that apply to the secure operation of an IACS.

2. IEC 62443-2-4 – details a comprehensive set of security capability requirements for service providers of all types involved in the integration or maintenance of an IACS. The standard provides for the development of ‘profiles’, which can be used to address the unique characteristics of specific environments.

3. IEC 62443-3-2 – establishes requirements for defining an IACS system, partitioning a system under consideration into zones and conduits, assessing the risk for each zone and conduit and establishing their respective target security levels.

4. IEC 62443-3-3 – defines system security requirements applicable to automation systems and networks.

5. IEC 62443-4-1 – describes the product development life-cycle requirements related to the cybersecurity of products intended for use in the IACS environment. Specific aspects of the product life-cycle addressed in the standard include security requirements definition, secure design, secure implementation, verification and validation, defect management, patch management and product end-of-life considerations.

6. IEC 62443-4-2 – applies the security requirements and security levels presented in IEC 62443-3-3 to the components that constitute an IACS, such as embedded devices, network components, host components and software applications. The intent of the standard is to specify the component security capabilities required to mitigate threats for a given security level without compensating countermeasures.

For asset owners, these six standards provide the foundation for an effective IACS cybersecurity management system, as well as a path for identifying future vulnerabilities and implementing security improvements as required.

For more information contact www.tuv-sud.co.uk. TÜV SÜD Product Service is the PPMA’s technical and legislative partner.
