The manufacturing industry is growing increasingly vulnerable to cyber attacks, as automation, data-rich production cycles and connected sensor technology move mainstream.
In industrial environments, the growth of connected devices has accelerated the convergence of the once separate domains of Information Technology (IT) and Operational Technology (OT), resulting in the Industrial Internet of Things (IIoT). This has made cyber security intrusions and threats more difficult to detect and prevent, while at the same time attacks have never been easier for hackers to carry out.
Tools like the IoT search engine Shodan have made it relatively straightforward for hackers to pinpoint vulnerable devices on a network, whether refrigerators, heating systems or, in the case of hackers targeting a casino in North America, a fish tank. The only way to safeguard factories now and in the future is by providing uniform protection measures for all participants and stakeholders in the life cycle of industrial automation and control systems (IACS).
Efficient security processes and procedures must cover the whole value chain, from the manufacturers of automation technology to machine and system builders and the final link, the operators themselves. Measures must address and mitigate not only current, but also future security vulnerabilities.
The IEC 62443 series of Standards is well-known to cyber security experts for “defence in depth”: the concept that security requires a set of coordinated, layered measures rather than any single control. The series is tailor-made for industrial automation systems, but can be applied to nearly all electrotechnical products and systems. It provides a robust and flexible framework that takes into account all participants and stakeholders in the life cycle of IACS, including component and system suppliers, system integrators, asset owners and service providers.
The series recommends that security should be an integral part of the development process, with security functions already implemented in the machinery. The most important parts of the series from the perspective of mechanical and plant engineering are:
- IEC 62443-2-1: Establishing an industrial automation and control system security programme
- IEC 62443-2-3: Patch management in the IACS environment
- IEC 62443-2-4: Security programme requirements for IACS service providers
- IEC 62443-3-3: System security requirements and security levels
- IEC 62443-4-1: Secure product development lifecycle requirements
The latest addition to the list is the newly published IEC 62443-4-1:2018, which covers security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. IEC Technical Committee (TC) 65, Industrial-process measurement, control and automation, develops the IEC 62443 series of Standards.
International Standards are only one side of the coin. In addition, the IEC develops programmes and procedures for third-party Conformity Assessment to determine whether a device or other object corresponds to the requirements set down in a Standard.
The IECEE Industrial Cyber Security programme was created to test and certify cyber security in the industrial automation sector. The service provides a framework for assessments in accordance with the IEC 62443 series of International Standards on security for industrial automation and control systems, which results in an IECEE Certificate of Conformity – Industrial Cyber Security Capability.