exida - IEC 62443 Cybersecurity Certification

IEC 62443 Cyber Certification

Cybersecurity has quickly become a serious issue for professionals in critical infrastructure industries. IEC 62443 has answers.

IEC 62443 Cybersecurity Certification

An unprecedented number of security vulnerabilities have been exposed in automation and control products and owner/operators are demanding protection. There are well established strategies and techniques that automation professionals can employ to discover and mitigate security vulnerabilities and improve the inherent security of their products and systems. Much of this information is in a series of new international standards – IEC 62443. Learning and adopting these strategies will help companies stay ahead of potential vulnerabilities and reduce the likelihood of an incident.

The IEC 62443 series of standards and technical reports defines procedures for implementing electronically secure systems in many different industries, including transportation, medical, robotics, and Industrial Automation and Control Systems (IACS). These strategies and techniques apply to end users (i.e., owner/operators), system integrators, security practitioners, and control systems manufacturers responsible for designing, manufacturing, integrating, or maintaining systems.

Cybersecurity certification programs have been established so that impartial third-party technical organizations can assess compliance with IEC 62443 standards. exida has been accredited per ISO 17065 and ISO 17025 by the American National Standards Institute (ANSI) to provide cybersecurity certification and offers cybersecurity certification programs for design processes, devices, applications, and systems using both the ISASecure® and exida® schemes.


exida Cybersecurity Certification Programs

exida offers IEC 62443 and ISO/SAE 21434 cybersecurity certification programs tailored for four categories: engineering processes, devices/applications, systems, and personnel. The requirements for each category vary as different standards in the IEC 62443 and ISO/SAE 21434 series are applied. Each program is described by a document that includes all requirements from the referenced standards in addition to specific needs expressed by the exida Advisory Board.

Category 1: Cybersecurity Engineering Process Certifications

exida has established cybersecurity certification programs for both:

  • engineering processes used to design and develop components such as embedded devices, automotive subsystems, network devices, host devices, and software
  • engineering processes used to design systems of devices

The exida Security Development Process program is based upon IEC 62443-4-1 and covers manufacturer design and development, especially software design and coding. This program is well suited to Original Equipment Manufacturer (OEM) product maintenance and development where full variability computer languages (C, C++, etc.) are being used.

The exida System Integrator Process program is based upon IEC 62443-2-4 and covers the cybersecurity aspects of system integration, testing, and installation. The certification covers the process itself, not any specific device or system designed using that process. This program allows a system integrator to show cybersecurity competence to potential customers and results in more secure systems.

The exida Security Development Process program for automotive is based upon ISO/SAE 21434 and covers manufacturer design and development.

Category 2: Cybersecurity Device and Application Certifications

A device (an embedded control product, a platform device, or a software application) can get a cybersecurity certification from exida. Each device must be designed and tested following a cybersecurity engineering process per IEC 62443-4-1 and the device must include a set of cybersecurity defense techniques as specified in IEC 62443-4-2. There are four security levels specified in that standard with sets of requirements that increase with higher numbered levels as shown in the Figure below. 

Any device meeting the requirements of this program will be given a certificate stating the achieved security level which demonstrates to potential customers the cybersecurity strength built into the device.

For devices that are to be used in an automotive context, exida offers an ISO 21434 device certification, but this standard currently does not include security levels.

Category 3: Cybersecurity System Certifications

Two cybersecurity certification schemes are available from exida:

  • Original Equipment Manufacturer (OEM) System Certification and
  • Integrated System Certification.

The exida System Security Certification for OEMs is based upon IEC 62443-4-1 and IEC 62443-4-2. This scheme has similar requirements to a device cybersecurity certification except that it is applied at a system level, where many devices are networked into a system. With this certification a system supplier can show accredited third-party cybersecurity certification for all devices in the system when configured and maintained according to the security manual.

The exida Integrated System Certification is based upon IEC 62443-2-4 and IEC 62443-3-3.  This certification scheme applies to a networked system designed by an integration company per an engineering process for integrators and provides cybersecurity features as required by IEC 62443-3-3.  Four security levels are specified with additional cybersecurity defense mechanisms needed for each higher level.  


Category 4: Cybersecurity Personnel Certifications

As a pioneer in IACS personnel competency certification, exida introduced the CFSE/CFSP program in 2000.

Two cybersecurity personnel certification programs based on the same fundamental principles are available from exida – the CACE and the CACS programs. 

Summary of exida Cybersecurity Certification Programs

| Based On | Classification | Program Name | Applicable to |
|---|---|---|---|
| IEC 62443-4-1 | Product or System Development Process Certification | exida Security Development Process; ISASecure® SDLA Certification | OEM Product Development for Industrial Automation |
| ISO/SAE 21434 | Product or System Development Process Certification | ISO/SAE 21434 Organizational Management Process Certification | Automotive component and item product development |
| IEC 62443-2-4 | System Integration and Maintenance Process Certification | exida System Integrator Process | System Integrator |
| IEC 62443-4-1, IEC 62443-4-2 | Component Certification | exida Security Device Certification | OEM Product |
| ISO/SAE 21434 | Component Certification | ISO/SAE 21434 Product Certification | Automotive Components and Items |
| IEC 62443-4-1, -3-3 | OEM System Certification | exida System Security Certification; ISASecure® SDLA Certification | OEM Components (Embedded Device, Network Device, Software Application or Host Device) |
| IEC 62443-2-4, IEC 62443-3-3 | Integrated System Certification | exida Integrated System Certification; ISASecure® SDLA Certification | Integrated System |
| IEC 62443-4-1, -4-2 | Personnel Certification | CACE / CACS Software | OEM Developers |
| IEC 62443-2-4, IEC 62443-3-3 | Personnel Certification | CACE / CACS Design | System Designer |
| IEC 62443-2-4, IEC 62443-3-3 | Personnel Certification | CACE / CACS Integrator | System Integrator |
| ISO/SAE 21434 | Personnel Certification | CACE / CACS Automotive | Automotive System Design/Developer |

Why Choose exida for Cyber?

The team at exida has comprehensive knowledge of the IEC 62443 standards based upon:

Active Participation

Active participation on the cybersecurity standards committees: an understanding of not only the requirements but the reasons for the requirements.

Experience

Several years of experience in practical real-world automation cybersecurity.

Publications

exida has published many technical papers and books on cybersecurity.

Training

Offering and teaching several in-depth training courses on cybersecurity.

Understanding

A deep understanding of software engineering and quality engineering processes.

A Formula for Success

When this depth of knowledge and understanding for risk analysis and engineering processes is combined with exida's reputation for service, no better choice can be found.

The exida schemes go beyond and require:

  • a product manufacturer must perform network testing during development for a product or system. It is not sufficient for a test lab to perform testing after a product is ready for production release. exida will witness a sample set of tests before production release.
  • the software development process used to create the product meet requirements of the cybersecurity maturity level.
  • surveillance audits be performed by the CB at regular intervals to ensure testing is being performed and security monitoring in the field / security response systems are working well.
  • security defense mechanisms required by the referenced standards have been implemented as required.
  • equipment failure modes are evaluated per their impact on cybersecurity features.
  • practical system level cybersecurity requirements needed for the product are published in a user document. The information required by exida goes beyond existing standards per the advice of our end user Advisory Board. 

Any manufacturer, system integrator, or security practitioner interested in getting an exida cybersecurity certification is most welcome to contact us for more details.
