Assessment and Certification
The increasing prevalence of cyber-physical systems in industries from manufacturing and processing plants to energy suppliers and rail, cyber-physical systems are implemented for higher efficiencies and unmatched flexibility. But the new connectivity increases the risk for companies, as cyberattacks are increasing. Against this backdrop, suppliers and system integrators must optimise the cyber resilience of their components and systems by improving their development, integration and support processes.
A security breach involving a connected industrial application can put an entire facility at risk - and the consequences for operations, people and equipment can be devastating.
Vulnerabilities can appear throughout the component or system lifecycle. Hence, it is necessary to plan and implement security from the onset. From specification, design, production, support to component suppliers need to consider how the cyber resilience of a connected device can be optimised for its entire lifespan. Further down the line, the system integrator must take possible threats of the automated solution into account while suppliers and integrators are required to mitigate risk. Furthermore, transparency is required for customers to place trust in the security capabilities of product suppliers and integrators.
Aiming to mitigate risk for industrial communication networks, the international IEC 62443 standards provide a structured approach to cybersecurity. It has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across industries. These standards apply to component suppliers, system integrators and asset owners.
Through a set of defined process requirements, these standards ensure that all applicable security aspects are addressed in a structured manner throughout the stages of specification, integration, operation, maintenance and decommissioning. Furthermore, these standards foresee that processes are established to facilitate all necessary technical security functions. Adapted to the relevant project scope, IEC 62443 standards lay the foundations for cybersecurity robustness throughout the product and system lifetime.
The implementation of IEC 62443 can also boost the competitiveness of the supplier and system integrator: A third-party certification demonstrates to manufacturers, asset owners and operators that the component or system is in line with industry best practice for cybersecurity.
TÜV SÜD is one of the first companies to provide testing for a wider range of standards under IEC 62443 and ISASecure. Suppliers and system integrators worldwide partner with us to confirm their compliance to applicable process requirements as laid out in the standard.
Testing based on:
IEC 62443-2-4:2017: Security Program for Service Providers
IEC 62443-3-3:2013: System security requirements and security levels
IEC 62443-4-1:2018: Secure Product Development Lifecycle for product suppliers
IEC 62443-4-2:2019: Technical security requirements for IACS components
CSA-311:2019: Functional Security Assessment for Components
SSA-420:2019: Vulnerability Identification Test (VIT) Specification
SS IEC 62443-2-4:2018: Security Program for Service Providers
SS IEC 62443-3-3:2018: System security requirements and security levels
SS IEC 62443-4-1:2018: Secure Product Development Lifecycle for product suppliers
The IEC 62443 standards address security processes along the complete supply chain. For product suppliers, TÜV SÜD provides certification services based on IEC 62443-4-1. The standard applies to the supplier’s overall security programs, and to the security processes connected to the development of the relevant component and control system.
Corresponding certifications are available to system integrators based on IEC 62443-2-4. The compliance of generic processes and security processes for a reference architecture or blueprint can be verified by our experts. The conformity assessment can be based on document reviews, interviews and on-site witness testing. A report and the TÜV SÜD certification mark are issued when found to be compliant with standard requirements. The validity of certification requires an annual surveillance audit.
Beside the generic process aspects during product development and system integration, the IEC 62443 standards specify technical security requirements to components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3. They are the basis for the certification of components and systems, respectively.
Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, make us uniquely positioned to assess your security processes and solutions. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. TÜV SÜD experts also actively participate in international standardisation committees, gaining valuable insights on the latest regulatory developments. Due to our experts’ relentless commitment to instil safe operations across industries, the TÜV SÜD certification mark has become a globally renowned symbol for safety, security and trust.
Bosnia and Herzegovina