Assessment and Certification
The increasing prevalence of cyber-physical systems has a significant impact on industries worldwide. Across a variety of businesses, from manufacturing and processing plants, to energy suppliers and rail, cyber-physical systems are implemented to enable higher efficiencies, unmatched flexibility and innovative business models. But the new connectivity also translates into a shift in the risk landscape, as cyberattacks are increasing. Against this backdrop, suppliers and system integrators must optimize the cyber resilience of their components and systems by improving their development, integration and support processes.
Industrial cybersecurity is a crucial area that deals with industrial information systems. It involves studying potential attacks and threats to industrial information, identifying gaps, devising and implementing industrial cybersecurity solutions and considerably mitigating risks.
An industrial cyber-attack can damage a company's data, infrastructure and connected equipment, and could compromise the entire ecosystem. This makes industrial cybersecurity a critical aspect of any cyber-physical operation.
Industrial cybersecurity solutions are a way to prevent and combat industrial cyber-attacks. However, amid the ever-evolving nature of cyber-attacks and the dynamic cybersecurity horizon, the solutions must be sustainable and solid enough to identify cyberattacks and enhance proactive preventive measures.
A security breach involving a connected industrial application can put an entire facility at risk - and the consequences for operations, people and equipment can be devastating.
Vulnerabilities can appear throughout the component or system lifecycle; thus, it is necessary to plan ahead and to implement security from the outset. From specification to design, production and support, component suppliers need to consider how the cyber resilience of a connected device can be optimized for its entire lifespan. Further down the line, the system integrator must take possible threats to the automated solution into account. Consequently, suppliers and integrators are required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown. Furthermore, transparency is required for a potential buyer to place trust in the security capabilities of product suppliers and integrators.
Expert industrial cybersecurity solutions have unique benefits that can help companies in various ways. Industrial cybersecurity solutions can help you with:
Aiming to mitigate risk for industrial communication networks, the international standard IEC 62443 provides a structured approach to cybersecurity. Originally developed for the Industrial Automation and Control Systems supply chain, it has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across industries. The standard applies to component suppliers, system integrators and asset owners.
Through a set of defined process requirements, the standard ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance and decommissioning. Furthermore, the standard foresees that processes are established to facilitate all necessary technical security functions. Adapted to the relevant project scope, IEC 62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.
The implementation of IEC 62443 can also boost the competitiveness of the supplier and system integrator: A third-party certification demonstrates to asset owners and operators that the purchased component or system is based on a methodized and coherent approach to cybersecurity, in line with industry best practice.
TÜV SÜD provides testing and evaluation to the IEC 62443 standards and certifies processes, products and systems under the following Certification Schemes:
Suppliers, development teams and system integrators worldwide partner with us to confirm their compliance with applicable process/product/system requirements as laid out in the standards.
The IEC 62443 standards address security processes along the complete supply chain. The TÜV SÜD mark provides certificates based on a set of security profiles from IEC 62443. Surveillance activities are conducted with certificate owners to check whether compliance is maintained for the duration of the certification.
For product suppliers, TÜV SÜD provides industrial cybersecurity certification services based on IEC 62443-4-1. The standard applies to the supplier’s overall security programs, and to the security processes connected to the development of the relevant component or control system.
Corresponding certifications are available to system integrators based on IEC 62443-2-4. The compliance of generic processes and security processes for a reference architecture or blueprint can be verified by our experts. The conformity assessment can be based on document reviews, interviews, and on-site witness testing. A report and the TÜV SÜD Product Service certification are issued when the processes are found to be compliant with the standard's requirements. The validity of certification requires an annual surveillance audit.
Besides the generic process aspects during product development and system integration, the IEC 62443 standards specify technical security requirements for components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3, which are the basis for the TÜV SÜD Product Service’s certification of components and systems, respectively. To participate, development teams have to show a mature secure product development lifecycle process based on IEC 62443-4-1.
IECEE Certificates of Conformity are issued for processes/products/systems based on a one-off evaluation in accordance with the rules of the IECEE-CB Scheme. No marks or logo of TÜV SÜD are allowed on a certified product.
The ISASecure Certification program is based on the Industrial Automation and Control security lifecycle as defined in IEC 62443 standards, with additional requirements published in the ISASecure Certification specifications. Depending on the type of certification, vulnerability assessment may have to be performed before certification is granted.
TÜV SÜD is an ISASecure Chartered Laboratory (License No. ISCI-CL0006) authorized by ISA Security Compliance Institute (ISCI), a not-for-profit automation controls industry consortium that manages the ISASecure conformance certification program.
We offer 3 types of certification with four security assurance levels (SAL) in alignment with IEC 62443 standards.
A company’s development process, component, or system that passes evaluation according to the latest version of ISASecure specifications will be granted ISASecure certification by TÜV SÜD. The ISASecure mark may be affixed on certified products and systems.
Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, makes us uniquely positioned to assess your processes and products. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. TÜV SÜD experts also actively participate in international standardization committees, gaining valuable insights on the latest regulatory developments. Due to our experts’ relentless commitment to instill secure and safe operations across industries, the TÜV SÜD IEC 62443 compliance certification has become a globally renowned symbol for safety, security and trust.
The ISO/IEC 62443 cybersecurity certification programme has four parts –
Individuals need to complete the classroom training course and pass the exam for each certificate. After completing the four certificate requirements, the applicant can be a cybersecurity expert.
The ISA/IEC 62443 compliance framework is a series of standards that the ISA99 committee developed and the International Electrotechnical Commission (IEC) adopted. This flexible framework addresses and mitigates current and future security vulnerabilities in industrial automation and control systems (IACS).
The IEC 62443 assessment standards and technical reports are divided into four categories – General, Policies, Procedures, and System and Component.
The 5 categories of cyber security are –