IEC 62443 Industrial CyberSecurity

Assessment and Certification

The increasing prevalence of cyber-physical systems has a significant impact on industries worldwide. Across a variety of businesses, from manufacturing and processing plants to energy suppliers and rail, cyber-physical systems are implemented to enable higher efficiencies, unmatched flexibility and innovative business models. But the new connectivity also translates into a shift in the risk landscape, as cyberattacks are increasing. Against this backdrop, suppliers and system integrators must optimize the cyber resilience of their components and systems by improving their development, integration and support processes.

Why is industrial security important for your business?

A security breach involving a connected industrial application can put an entire facility at risk - and the consequences for operations, people and equipment can be devastating.

Vulnerabilities can appear throughout the component or system lifecycle; thus, it is necessary to plan ahead and to implement security from the outset. From specification to design, production and support, component suppliers need to consider how the cyber resilience of a connected device can be optimized for its entire lifespan. Further down the line, the system integrator must take possible threats to the automated solution into account. Consequently, suppliers and integrators are required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown. Furthermore, transparency is required for a potential buyer to place trust in the security capabilities of product suppliers and integrators.

What is IEC 62443?

Aiming to mitigate risk for industrial communication networks, the international standard IEC 62443 provides a structured approach to cybersecurity. Originally developed for the Industrial Automation and Control Systems supply chain, IEC 62443 has become the leading industrial cybersecurity standard for all types of plants, facilities, and systems across industries. The standard applies to component suppliers, system integrators, and asset owners.

The IEC 62443 standard ensures that all relevant security aspects are addressed in a structured manner through a set of defined process requirements. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance, and decommissioning. Furthermore, the standard provides for processes to be established that facilitate all necessary technical security functions. Adapted to the relevant project scope, IEC 62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.

Implementing IEC 62443 can also boost the competitiveness of the supplier and system integrator. A third-party IEC 62443 certification demonstrates to asset owners and operators that the purchased component or system is based on a methodized and coherent approach to cybersecurity, in line with industry best practices.

An overview of the IEC 62443 series of standards

Comprising 14 separate parts (as of September 2020), the IEC 62443 series details specific cybersecurity responsibilities of individual participants (“roles”) throughout the supply chain that are involved in the development, deployment, use or maintenance of industrial control systems and components. The specific requirements presented in the IEC 62443 series also give equal weight to the contributions of people, processes and technology. Toward that end, individual documents in the series fall into one of the following four categories:

  • General: The documents in this category provide a general overview of the cybersecurity process and introduce key concepts, models and definitions.
  • Policies and Procedures: The documents in the Policies & Procedures category emphasize the requirements for an IACS security management system, along with security program (SP) requirements for asset owners and service providers, including system integrators and product suppliers.
  • System: The three documents in the ‘System’ category provide essential guidance on system security requirements, security levels, security risk management and system design.
  • Component: The Component documents put forth technical security requirements for system components along with secure product development lifecycle requirements.

Advantages of IEC 62443 Certification

Certification to one or more of the IEC 62443 standards can serve as an important step in an organization’s overall strategy for minimizing the potential risks from cyber threats. For asset owners and operators, IEC 62443 certification provides assurances of compliance with industrial cyber security requirements and demonstrates an organization’s commitment to the security and integrity of its products. For suppliers and integrators, certification can help meet operator procurement requirements for IACS-related products and services, while also providing objective assurances regarding the security of their offerings.

How can we help you?

TÜV SÜD is one of the first companies to provide certifications according to IEC 62443. Suppliers and system integrators worldwide partner with us to confirm their compliance with IEC 62443 industrial security and IEC 62443 cybersecurity and applicable process requirements outlined in the standard.

The IEC 62443 standard addresses security processes along the complete supply chain. For product suppliers, TÜV SÜD provides certification services based on IEC 62443-4-1 Secure Product Development Lifecycle. The standard applies to the supplier’s overall security programmes and the security processes connected to the development of the relevant component and control system.

Corresponding IEC 62443 certifications are available to system integrators based on IEC 62443-2-4 Security Program for Service Providers. In this case, the compliance of generic processes, as well as compliance of security processes for a reference architecture or blueprint, can be verified by our experts.

During the IEC 62443 cybersecurity certification, the auditor executes a conformity assessment based on document reviews, interviews, and on-site audits. When compliance with the standard's requirements has been confirmed, the certification concludes with the issuing of a report and the TÜV SÜD certification mark. An annual surveillance audit is required to maintain the validity of the certification.

Besides the generic process aspects during product development and system integration, the IEC 62443 standard specifies technical security requirements for components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3. The process and technical requirements assessments are the basis for the IEC 62443 certification of components and systems, respectively.

Why choose TÜV SÜD?

Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, makes us uniquely positioned to assess your security processes and solutions. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. TÜV SÜD experts also actively participate in international standardisation committees, gaining valuable insights on the latest regulatory developments. Due to our experts’ relentless commitment to instill safe operations across industries, the TÜV SÜD certification mark has become a globally renowned symbol for safety, security and trust.
