An unprecedented number of security vulnerabilities have been exposed in industrial control products, and regulatory agencies are demanding compliance with complex and confusing regulations. There are well-established strategies and techniques that automation professionals can employ to discover and mitigate security vulnerabilities and improve the inherent security of their products and systems. Learning and adopting these strategies will help companies stay ahead of potential vulnerabilities.
IEC 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end users (i.e., asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
exida has comprehensive knowledge of the IEC 62443 standards and has developed a robust certification scheme that helps make its clients' products safer and helps them enjoy strong market recognition.
exida is accredited per IEC/ISO 17065 by the American National Standards Institute (ANSI) to certify to a series of exida certification schemes for cybersecurity based on the IEC 62443 series of standards. A certification scheme specifies all requirements that must be met and the procedures that must be used in a certification project. These requirements and procedures are documented in a “Security Case.”
The IEC 62443 standards were recently created as a result of a strong global committee effort and are rapidly becoming recognized worldwide. Many automation users consider the IEC 62443 standard to be required. The ISCI schemes will likely be updated to IEC 62443 in the future. The cybersecurity certification schemes offered by exida are shown in the table below:
| Classification | Program Name | Source | Based On |
|---|---|---|---|
| Product Test/Evaluation | EDSA | ISA Security Compliance Institute | ISCI Specification |
| Product Test/Evaluation | eSDC | exida | IEC 62443-4-1, -4-2 |
| System Test/Evaluation | SSA | ISA Security Compliance Institute | ISCI Specification |
| System Test/Evaluation | eSSC | exida | IEC 62443-4-1, -4-2 |
| Process Evaluation – Product | SDLA | ISA Security Compliance Institute | ISCI Specification |
| Process Evaluation – Product | eSDP | exida | IEC 62443-4-1, -4-2 |
| Process Evaluation – System | System Integrator | Wurldtech (G.E.) | IEC 62443-2-4 |
| Process Evaluation – System | eSSP | exida | IEC 62443-2-4 plus |
The exida schemes go beyond IEC 62443 and require:
exida has been accredited by the ISA Security Compliance Institute to offer security certification of automation products per the ISASecure Embedded Device Security Assurance program.
This vetted, approved compliance specification provides a holistic assessment of the functional security of an embedded device that builds upon, but goes well beyond, industry-recognized network robustness testing. In addition to network robustness testing, the assessment includes an evaluation of the security features and functions supported by the device and an audit of the supplier’s software development practices. Similar to the well-established IEC 61508 functional safety certification, the ISASecure EDSA program will certify a product to one of three capability levels (ISASecure Level 1, 2 or 3).
For more information on the program please visit www.isasecure.org.