IEC 62443 Cyber Certification

Cybersecurity has quickly become a serious issue for professionals in critical infrastructure industries. IEC 62443 has answers.

IEC 62443 Cybersecurity Certification

An unprecedented number of security vulnerabilities have been exposed in automation and control products and owner/operators are demanding protection. There are well established strategies and techniques that automation professionals can employ to discover and mitigate security vulnerabilities and improve the inherent security of their products and systems. Much of this information is in a series of new international standards – IEC 62443. Learning and adopting these strategies will help companies stay ahead of potential vulnerabilities and reduce the likelihood of an incident.

The IEC 62443 series of standards and technical reports defines procedures for implementing electronically secure systems from many different industries including transportation, medical, robotics, and Industrial Automation and Control Systems (IACS). These strategies and techniques apply to end-users (i.e. owner/operator), system integrators, security practitioners, and control systems manufacturers responsible for designing, manufacturing, integrating, or maintaining systems.

Cybersecurity certification programs have been established so that impartial third-party technical organizations can assess compliance with the IEC 62443 and ISO 27001 standards. exida has been accredited per ISO 17065 and ISO 17025 by the American National Standards Institute (ANSI) to provide cybersecurity certification and offers cybersecurity certification programs for design processes, devices, applications, and systems using both the ISASecure® and exida® schemes.

exida IEC 62443 Cybersecurity Certification Programs

exida offers IEC 62443 cybersecurity certification programs tailored for four categories: engineering processes, devices/applications, systems, and personnel. The requirements for each category vary because different standards in the IEC 62443/ISO 27001 series are applied. Each program is described by a document that includes all requirements from the referenced standards in addition to specific needs expressed by the exida Advisory Board.

Category 1: Cybersecurity Engineering Process Certifications

exida has established cybersecurity certification programs for both:

  • engineering processes used to design and develop microcomputer-based devices and software applications, and
  • engineering processes used to design systems of devices.

The exida Security Development Process program is based upon IEC 62443-4-1 and covers manufacturer design and development, especially software design and coding. This program is well suited to Original Equipment Manufacturer (OEM) product maintenance and development where full variability computer languages (C, C++, etc.) are being used.

The exida System Integrator Process program is based upon IEC 62443-2-4 and covers the cybersecurity aspects of system integration, testing, and installation. The certification covers the process itself, not any specific device or system designed using that process. This program allows a system integrator to show cybersecurity competence to potential customers and results in more secure systems.

Category 2: Cybersecurity Device and Application Certifications

A device (an embedded control product, a platform device, or a software application) can get a cybersecurity certification from exida. Each device must be designed and tested following a cybersecurity engineering process per IEC 62443-4-1, and the device must include a set of cybersecurity defense techniques as specified in IEC 62443-4-2. That standard specifies four security levels, with sets of requirements that increase with each higher-numbered level, as shown in the Figure below.

Any device meeting the requirements of this program will be given a certificate stating the achieved security level, which demonstrates to potential customers the cybersecurity strength built into the device.

Category 3: Cybersecurity System Certifications

Two cybersecurity certification schemes are available from exida:

  • Original Equipment Manufacturer (OEM) System Certification and
  • Integrated System Certification.

The exida System Security Certification for OEMs is based upon IEC 62443-4-1 and IEC 62443-4-2. This scheme has requirements similar to a device cybersecurity certification, except that it is applied at the system level, where many devices are networked into a system. With this certification a system supplier can show accredited third-party cybersecurity certification for all devices in the system when configured and maintained according to the security manual.

The exida Integrated System Certification is based upon IEC 62443-2-4 and IEC 62443-3-3. This certification scheme applies to a networked system designed by an integration company per an engineering process for integrators, and the system must provide the cybersecurity features required by IEC 62443-3-3. Four security levels are specified, with additional cybersecurity defense mechanisms needed for each higher level.


Category 4: Cybersecurity Personnel Certifications

As a pioneer in IACS personnel competency certification, exida introduced the CFSE/CFSP program in 2000.

Two cybersecurity personnel certification programs based on the same fundamental principles are available from exida: the CACE and the CACS programs.

Summary of exida Cybersecurity Certification Programs

Based On                      | Classification                       | Program Name                           | Applicable to
------------------------------|--------------------------------------|----------------------------------------|----------------------------
IEC 62443-4-1                 | Device Process Certification         | exida Security Development Process     | OEM New Product Development
IEC 62443-2-4                 | System Process Certification         | exida System Integrator Process        | System Integrator
IEC 62443-4-1, IEC 62443-4-2  | Device and Application Certification | exida Security Device Certification    | OEM Product
IEC 62443-4-1, IEC 62443-4-2  | OEM System Certification             | exida System Security Certification    | OEM System
IEC 62443-2-4, IEC 62443-3-3  | Integrated System Certification      | exida Integrated System Certification  | Integrated System
IEC 62443-4-1, IEC 62443-4-2  | Personnel Certification              | CACE / CACS Software                   | OEM Developers
IEC 62443-2-4, IEC 62443-3-3  | Personnel Certification              | CACE / CACS Design                     | System Designer
IEC 62443-2-4, IEC 62443-3-3  | Personnel Certification              | CACE / CACS Integrator                 | System Integrator

Why Choose exida for Cyber?

The team at exida has comprehensive knowledge of the IEC 62443 standards based upon:

  • Active participation: active participation on the cybersecurity standards committees, giving an understanding not only of the requirements but of the reasons for the requirements.
  • Experience: several years of experience in practical, real-world automation cybersecurity.
  • Publications: exida has published many technical papers and books on cybersecurity.
  • Training: offering and teaching several in-depth training courses on cybersecurity.
  • Understanding: a deep understanding of software engineering and quality engineering processes.

A Formula for Success

When this depth of knowledge and understanding for risk analysis and engineering processes is combined with exida's reputation for service, no better choice can be found.

The exida schemes go beyond IEC 62443 and require that:

  • a product manufacturer perform network testing during development of a product or system. It is not sufficient for a test lab to perform testing after a product is ready for production release; exida will witness a sample set of tests before production release.
  • the software development process used to create the product meet the requirements of the cybersecurity maturity level.
  • surveillance audits be performed by the certification body (CB) at regular intervals to ensure that testing is being performed and that security monitoring in the field and security response systems are working well.
  • the security defense mechanisms required by the referenced standards have been implemented as required.
  • equipment failure modes be evaluated for their impact on cybersecurity features.
  • the practical system-level cybersecurity requirements needed for the product be published in a user document. The information required by exida goes beyond existing standards, per the advice of our end-user Advisory Board.

Any manufacturer, system integrator, or security practitioner interested in getting an exida cybersecurity certification is most welcome to contact us for more details.

Personnel Certification

Companies are being driven to run leaner operations and optimize performance. This raises the potential for catastrophic industrial safety accidents and cyber attacks. Consequently, it is more important than ever to have competent personnel.

Having trained and competent people is a requirement for compliance with international standards like IEC 61508, IEC 61511, IEC 62443, IEC 62061, etc.

It can also save money by simplifying regulatory compliance, reducing engineering costs, and preventing unplanned downtime. Completing a personnel certification program can help address these challenges.

exida offers a number of certification and certificate programs that provide proof of competence, increase your skills and value as an employee, differentiate you from your competitors, and increase opportunities for advancement, responsibility, and compensation.


Personnel Certification Programs

  • CFSE / CFSP (Certified Functional Safety Expert and Professional)
  • CACE / CACS (IEC 62443 Certified Automation Cybersecurity Expert and Specialist)

Certificate Programs

  • FSP (Functional Safety Practitioner)
  • CSP (IEC 62443 Cybersecurity Practitioner)
  • AMP (Alarm Management Practitioner)
  • FGP (Fire & Gas Practitioner)