Assessment and Certification
The increasing prevalence of cyber-physical systems has a significant impact on industries worldwide. Across a variety of businesses, from manufacturing and processing plants, to energy suppliers and rail, cyber-physical systems are implemented to enable higher efficiencies, unmatched flexibility, and innovative business models. But the new connectivity also translates into a shift in the risk landscape, as cyberattacks are increasing. Against this backdrop, suppliers and system integrators must optimize the cyber resilience of their components and systems by improving their development, integration, and support processes.
Industrial cybersecurity is a crucial area that deals with industrial information systems. It involves studying potential attacks and threats to industrial information, identifying gaps, devising and implementing industrial cybersecurity solutions and considerably mitigating risks.
The entire ecosystem could be compromised, given the damage that an industrial cyber-attack can cause to the company's data, infrastructure, and connected equipment. This makes industrial cybersecurity a critical aspect of any cyber-physical operation.
Industrial cybersecurity solutions are a way to prevent and combat industrial cyber-attacks. However, amid the ever-evolving nature of cyber-attacks and the dynamic cybersecurity horizon, the solutions must be sustainable and solid enough to identify cyberattacks and enhance proactive preventive measures.
A security breach involving a connected industrial application can put an entire facility at risk - and the consequences for operations, people and equipment can be devastating.
Vulnerabilities can appear throughout the component or system lifecycle; thus, it is necessary to plan ahead and to implement security from the outset. From specification to design, production and support, component suppliers need to consider how the cyber resilience of a connected device can be optimized for its entire lifespan. Further down the line, the system integrator must take possible threats to the automated solution into account. Consequently, suppliers and integrators are required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown. Furthermore, transparency is required for a potential buyer to place trust in the security capabilities of product suppliers and integrators.
Expert industrial cybersecurity solutions have unique benefits that can help companies. Industrial cybersecurity solutions can help you with:
● A customised and comprehensive safety and cybersecurity plan aligned with the company's needs
● Working with experts who know the collaborative functioning of IT and OT
● Cybersecurity recommendations that minimise the impact on routine operations
● Comprehensive handholding in all processes for IEC 62443 standard compliance
● A smoother transition to a more secure industrial cybersecurity environment and industrial cybersecurity certification
Aiming to mitigate risk for industrial communication networks, the international IEC 62443 standards provide a structured approach to cybersecurity for all types of plants, facilities and systems across industries. These standards apply to component suppliers, system integrators and asset owners.
Through a set of defined process requirements, these standards ensure that all applicable security aspects are addressed in a structured manner throughout the stages of specification, integration, operation, maintenance and decommissioning. Furthermore, these standards foresee that processes are established to facilitate all necessary technical security functions. Adapted to the relevant project scope, IEC 62443 standards lay the foundations for cybersecurity robustness throughout the product and system lifetime.
The implementation of IEC 62443 standards can also boost the competitiveness of the supplier and system integrator: A third-party certification demonstrates to manufacturers, asset owners and operators that the component or system is in line with industry best practice for cybersecurity.
TÜV SÜD provides testing and evaluation to the IEC 62443 standards and certifies processes, products and systems under the following Certification Schemes:
Suppliers, development teams and system integrators worldwide partner with us to confirm their compliance with applicable process/product/system requirements as laid out in the standards.
TÜV SÜD Product Service certification mark (or TÜV SÜD mark) for Industrial Cybersecurity
The IEC 62443 standards address security processes along the complete supply chain. The TÜV SÜD mark scheme provides certificates based on a set of security profiles from IEC 62443. Surveillance activities are conducted with certificate owners to check whether compliance is maintained for the duration of the certification.
For product suppliers, TÜV SÜD provides industrial cybersecurity certification services based on IEC 62443-4-1. The standard applies to the supplier’s overall security programs, and to the security processes connected to the development of the relevant component or control system.
Corresponding certifications are available to system integrators based on IEC 62443-2-4. The compliance of generic processes and security processes for a reference architecture or blueprint can be verified by our experts. The conformity assessment can be based on document reviews, interviews, and on-site witness testing. A report and the TÜV SÜD Product Service certification are issued when the processes are found to be compliant with the standard's requirements. The validity of the certification requires an annual surveillance audit.
Besides the generic process aspects during product development and system integration, the IEC 62443 standards specify technical security requirements for components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3, and they are the basis for the TÜV SÜD Product Service’s certification of components and systems, respectively. To participate, development teams have to show a mature secure product development lifecycle process based on IEC 62443-4-1.
IECEE-CB Scheme for Industrial Cybersecurity
IECEE Certificates of Conformity are issued for processes/products/systems based on a one-off evaluation in accordance with the rules of the IECEE-CB Scheme. No marks or logo of TÜV SÜD are allowed on a certified product.
ISASecure® IEC 62443 Conformance Certification
The ISASecure Certification program is based on the Industrial Automation and Control security lifecycle as defined in IEC 62443 standards, with additional requirements published in the ISASecure Certification specifications. Depending on the type of certification, vulnerability assessment may have to be performed before certification is granted.
TÜV SÜD PSB is an ISASecure Chartered Laboratory (License No. ISCI-CL0006) authorized by ISA Security Compliance Institute (ISCI), a not-for-profit automation controls industry consortium that manages the ISASecure conformance certification program.
We offer 3 types of certification with four security assurance levels (SAL) in alignment with IEC 62443 standards.
A company’s development process, component, or system that passes evaluation according to the latest version of the ISASecure specifications will be granted ISASecure certification by TÜV SÜD. The ISASecure Mark may be affixed on certified products and systems.
Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, makes us uniquely positioned to assess your processes and products. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. TÜV SÜD experts also actively participate in international standardization committees, gaining valuable insights on the latest regulatory developments. Due to our experts’ relentless commitment to instill secure and safe operations across industries, the TÜV SÜD IEC 62443 compliance certification has become a globally renowned symbol for safety, security and trust.