IEC 62443 Industrial CyberSecurity

Assessment and Certification

The increasing prevalence of cyber-physical systems has a significant impact on industries worldwide.  Across a variety of businesses, from manufacturing and processing plants, to energy suppliers and rail, cyber-physical systems are implemented to enable higher efficiencies, unmatched flexibility and innovative business models. But the new connectivity also translates into a shift in the risk landscape, as cyberattacks are increasing. Against this backdrop, suppliers and system integrators must optimize the cyber resilience of their components and systems by improving their development, integration and support processes.

Industrial cybersecurity is a crucial area that deals with industrial information systems. It involves studying potential attacks and threats to industrial information, identifying gaps, devising and implementing industrial cybersecurity solutions and considerably mitigating risks.

An industrial cyber-attack can damage a company's data, infrastructure and connected equipment, and could compromise the entire ecosystem. This makes industrial cybersecurity a critical aspect of any cyber-physical operation.

Industrial cybersecurity solutions are a way to prevent and combat industrial cyber-attacks. However, amid the ever-evolving nature of cyber-attacks and the dynamic cybersecurity horizon, the solutions must be sustainable and solid enough to identify cyberattacks and enhance proactive preventive measures.


Why is industrial security important for your business?

A security breach involving a connected industrial application can put an entire facility at risk - and the consequences for operations, people and equipment can be devastating.

Vulnerabilities can appear throughout the component or system lifecycle; thus, it is necessary to plan ahead and to implement security from the outset. From specification to design, production and support, component suppliers need to consider how the cyber resilience of a connected device can be optimized for its entire lifespan. Further down the line, the system integrator must take possible threats to the automated solution into account. Consequently, suppliers and integrators are required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown. Furthermore, transparency is required for a potential buyer to place trust in the security capabilities of product suppliers and integrators.

 

BENEFITS OF INDUSTRIAL CYBERSECURITY

Expert industrial cybersecurity solutions have unique benefits that can help companies in various ways. Industrial cybersecurity solutions can help you with:

  • A customised and comprehensive safety and cybersecurity plan aligned with the company's needs
  • Working with experts who know the collaborative functioning of IT and OT
  • Cybersecurity recommendations that minimise the impact on routine operations
  • Comprehensive handholding in all processes for IEC 62443 standard compliance
  • A smoother transition to a more secure industrial cybersecurity environment and industrial cybersecurity certification

WHAT ARE IEC 62443 STANDARDS?

Aiming to mitigate risk for industrial communication networks, the international standard IEC 62443 provides a structured approach to cybersecurity. Originally developed for the Industrial Automation and Control Systems supply chain, it has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across industries. The standard applies to component suppliers, system integrators and asset owners.

Through a set of defined process requirements, the standard ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance and decommissioning. Furthermore, the standard foresees that processes are established to facilitate all necessary technical security functions. Adapted to the relevant project scope, IEC 62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.

The implementation of IEC 62443 can also boost the competitiveness of the supplier and system integrator: A third-party certification demonstrates to asset owners and operators that the purchased component or system is based on a methodized and coherent approach to cybersecurity, in line with industry best practice.


TÜV SÜD'S IEC 62443 INDUSTRIAL CYBERSECURITY CERTIFICATION SERVICES

TÜV SÜD provides testing and evaluation to the IEC 62443 standards and certifies processes, products and systems under the following Certification Schemes:

  • TÜV SÜD Product Service certification mark for Industrial Cybersecurity
  • IECEE-CB Scheme for Cyber Security (CYBR)
  • ISASecure IEC 62443 Conformance Certification 

Suppliers, development teams and system integrators worldwide partner with us to confirm their compliance to applicable process/product/system requirements as laid out in the standards. 

 

OUR INDUSTRIAL CYBERSECURITY CERTIFICATION PROCESS


TÜV SÜD Product Service certification mark (or TÜV SÜD mark) for Industrial Cybersecurity

The IEC 62443 standards address security processes along the complete supply chain. The TÜV SÜD mark provides certificates based on a set of security profiles from IEC 62443. Surveillance activities are conducted with certificate owners to check that compliance is maintained for the duration of the certification.

For product suppliers, TÜV SÜD provides industrial cybersecurity certification services based on IEC 62443-4-1. The standard applies to the supplier’s overall security programs, and to the security processes connected to the development of the relevant component or control system.

Corresponding certifications are available to system integrators based on IEC 62443-2-4. The compliance of generic processes and security processes for a reference architecture or blueprint can be verified by our experts. The conformity assessment can be based on document reviews, interviews, and on-site witness testing. A report and the TÜV SÜD Product Service certification are issued when the processes are found to be compliant with the standard's requirements. The validity of certification requires an annual surveillance audit.

Besides the generic process aspects during product development and system integration, the IEC 62443 standards specify technical security requirements for components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3. To participate, the development teams would have to show a mature secure product development lifecycle process based on IEC 62443-4-1. IEC 62443-4-2 and IEC 62443-3-3 are the basis for the TÜV SÜD Product Service certification of components and systems, respectively.

 

IECEE-CB Scheme for Industrial Cybersecurity 

IECEE Certificates of Conformity are issued for processes/products/systems based on a one-off evaluation in accordance with the rules of the IECEE-CB Scheme. No marks or logo of TÜV SÜD are allowed on a certified product.

  • Product Capability Assessment (IEC 62443-2-4/ IEC 62443-3-3/ IEC 62443-4-2)
  • Process Capability Assessment (IEC 62443-2-4/ IEC 62443-4-1)
  • Product Application of Capabilities Assessment (IEC 62443-4-1)
  • Solution Application of Capabilities Assessment (IEC 62443-2-4/ IEC 62443-3-3) 

 

ISASecure® IEC 62443 Conformance Certification

The ISASecure Certification program is based on the Industrial Automation and Control security lifecycle as defined in IEC 62443 standards, with additional requirements published in the ISASecure Certification specifications. Depending on the type of certification, vulnerability assessment may have to be performed before certification is granted.

TÜV SÜD is an ISASecure Chartered Laboratory (License No. ISCI-CL0006) authorized by ISA Security Compliance Institute (ISCI), a not-for-profit automation controls industry consortium that manages the ISASecure conformance certification program.

We offer 3 types of certification with four security assurance levels (SAL) in alignment with IEC 62443 standards.

  • ISASecure Component Security Assurance (CSA) Certification
  • ISASecure System Security Assurance (SSA) Certification
  • ISASecure Security Development Lifecycle Assurance (SDLA) Certification

A company’s development process, component, or system that passes evaluation according to the latest version of ISASecure specifications will be granted ISASecure certification by TÜV SÜD. The ISASecure mark may be affixed on certified products and systems.

 

WHY CHOOSE TÜV SÜD FOR INDUSTRIAL CYBERSECURITY CERTIFICATION?

Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, makes us uniquely positioned to assess your processes and products. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. TÜV SÜD experts also actively participate in international standardization committees, gaining valuable insights on the latest regulatory developments. Due to our experts’ relentless commitment to instill secure and safe operations across industries, the TÜV SÜD IEC 62443 compliance certification has become a globally renowned symbol for safety, security and trust.

 

CONTACT US NOW FOR TÜV SÜD'S IEC 62443 INDUSTRIAL CYBERSECURITY CERTIFICATION SERVICES

Submit your enquiry here to get started on your IEC 62443 certification journey today!
