
IEC 62443 Standards: Securing IoT and Industrial Automation and Control Systems

If you search for IEC 62443, you will likely stumble upon a few articles about companies congratulating themselves on being certified against this cybersecurity standard. Moxa’s UC-8200 Series, for example, is touted as the first ARM-based industrial computer with IEC 62443 cybersecurity certification. Other major companies like Siemens Mobility, LS Electric, and Nozomi Networks have also proudly announced their compliance with this standard.

What is in this cybersecurity standard that makes it an achievement for organizations? Read along for a deeper understanding of IEC 62443, especially when it comes to its role in the modern cyber threat landscape.

IEC 62443: Why it exists

IEC stands for International Electrotechnical Commission, a globally recognized organization created to formulate and publish standards for electronic and electrical technologies. The IEC 62443 standards were created in response to the evolving challenges of securing control systems and the automation of various functions.

The IEC 62443 standards aim to secure IACS (industrial automation and control systems) by establishing the responsibilities of IACS product manufacturers, operators, and service providers. They set out a risk-based approach to preventing and reducing risks.

The standards lay out a management system focused on cybersecurity. This system consists of five major components, namely the preliminary evaluation and prioritization of risks, detailed technical risk analysis, the formulation of policies, the identification and implementation of countermeasures, and the maintenance of the cybersecurity system. Together, these components are meant to sustain IT security in the face of rapidly evolving and increasingly aggressive cyber attacks.

IACS vs IT devices

One important distinction to make here is the specificity of IEC 62443. These standards are not just another cybersecurity standard that broadly covers all IT devices. They focus on IACS, which refers to the operational technology that runs and supervises physical operational processes. IACS devices are industrial in nature, like those employed in manufacturing plants or in the operation of heavy equipment.

IACS are also IT devices, but not all IT devices are IACS. Industrial automation and control systems are sets of hardware and software that are vital in the operation of critical infrastructure and services. As such, they need to be holistically and meticulously secured.

Securing IACS should cover all three stages of the security lifecycle, namely the assessment, implementation, and maintenance stages. Low and high-level risks and vulnerabilities should be properly identified and minimum cybersecurity requirements established. A cybersecurity management system has to be defined to have clear mechanisms when mitigating and preventing threats. Also, all security mechanisms or measures must be maintained through continuous monitoring and the prompt resolution of vulnerabilities.

Why IEC 62443 compliance matters

As mentioned, IACS is used in modern critical infrastructure. Hence, it should be carefully defended to avoid grave consequences like rail derailments, poisoned water supplies, chaotic ports, and economically debilitating traffic mismanagement. However, some organizations may not necessarily be looking at these severely adverse outcomes as they seek IEC 62443 certification. They could be more focused on earning customers’ trust (by being independently verified as cyber secure) and enabling better systems integration, which is not necessarily inappropriate since these ultimately help avoid worst-case scenarios.

In Siemens Mobility’s press release for its IEC 62443 certification, the rail tech and intelligent traffic systems provider implied its acknowledgment that cybersecurity is not just a self-imposed goal. For enterprises to gain the trust of clients, business partners, and stakeholders keen on cyber defense, it is important that cybersecurity is clearly established. This does not happen with a unilateral declaration.

“All operational processes profit from digitalization and need to be protected to international standards and assured by third parties,” explained Frank Hoffmann, Siemens Mobility Rolling Stock’s chief engineer. There have to be objective bases and independent arbiters to provide an impartial evaluation of an organization’s cyber protection.

For its part, LS Electric noted how cyber risks have worsened as industrial automation solutions have been networked while automation hardware and software have been standardized for distribution. Industrial automation solutions are crucial as issues in them can lead to dire consequences. This makes them the favorite targets of cybercriminals. To make sure that they are kept secure, it is not enough to be familiar with standards and self-determine compliance. There is a need for a third party to make the determination.

Meanwhile, buyers of tech products are also becoming more security conscious. Pascal LeRay, chief cybersecurity officer of Bureau Veritas (BV), the body that granted the IEC 62443 certificate to Moxa’s ARM-based industrial computer, noted that more customers now ask for proof of the security of the products they are buying. They know that they need more than the manufacturer’s assurance of cyber protection.

Also, compliance with IEC 62443 helps IT asset owners and system integrators in bringing IIoT applications together. “The IEC 62443-4-2 certified UC-8200 Series computer makes it easier for asset owners and system integrators to integrate IIoT applications by providing a secure platform that has already been tested and validated,” remarked George Y Hsiao, Moxa IPC Business Product Manager.

Ensuring IoT security

While IEC 62443 mainly targets IACS, this set of security standards is also notably helpful in securing the IoT ecosystem. In particular, standards IEC 62443-4-1 and IEC 62443-4-2 define security requirements applicable to IoT devices.

IEC 62443-4-1 focuses on ensuring the security of the development lifecycle of IACS and similar devices, including IoT appliances or gadgets. This standard provides guidelines on how device makers should manufacture products that follow security requirements and are inherently secure. It sets rules on security implementation, including guidelines for secure coding. It also sets rules for security validation, the management of defects and patching, and the proper handling of the end of a product’s life cycle.

IEC 62443-4-2 refers to technical system requirements. It focuses on proper user identification and authentication management, resource use control, system integrity, data flow limits, data protection, appropriate resource availability, and the need to respond to security events promptly.

There are already more IoT devices than people in the world. Estimates show that from 15 billion in 2023, the number of connected IoT devices globally will closely approach 30 billion by 2030. IoT devices are among the most common cyber-attack surfaces. It is vital to secure them since they can easily create opportunities for attacks. The IEC 62443 set of standards helps address the IoT threat not only on the user side: it also compels device manufacturers to make their products secure.

Significant set of standards

Organizations cannot be faulted for self-promotion over getting IEC 62443 certified. This may appear to be just another set of cybersecurity standards, but it is one of the significant steps toward improving cybersecurity to meet emerging challenges. It provides significant benefits that many will likely not appreciate until they suffer a serious cybersecurity breach with unprecedented damages.


Staff Writer at CPO Magazine