The IEC 62443 series of cybersecurity standards includes over ten documents covering various subjects. Buying a full set is a bit expensive, but for me the real cost is the time needed to read and understand them. So I often ask one of the experts at exida for a quick overview. Since not everyone has the IEC 62443 expertise that exida has, we hope that the overview info in this blog is useful.
Integrators must perform a number of important tasks if they wish to improve the cybersecurity of any automation system they deliver. And in today’s environment, end users demand strong cybersecurity. The IEC 62443 committee has documented its list of these important tasks: IEC 62443-2-4 covers the integration design process and IEC 62443-3-3 covers the cyber features that need to be included in the delivered system. These features are provided as a function of “security level,” with higher-numbered levels defining more cybersecurity.
There are accredited certification programs utilizing the IEC 62443 standards for integrators. exida offers certifications based on either the ISCI (ISA Security Compliance Institute) scheme or IEC 62443. And an integrator may choose to have its design process certified per IEC 62443-2-4. Many choose this option rather than having each custom system certified, while others choose to create a “Reference System Design” using their certified process and get it certified to IEC 62443-3-3 for a given security level.
Either choice can provide benefits for both the integrator and their customer. An integrator with an IEC 62443 certification knows that their engineering process and reference designs meet international cybersecurity standards, which hopefully breaks the costly “pen/patch” cycle. Integrators can undergo an evaluation and audit once with an accredited Certification Body. Then they can brag about their accomplishment to their customers.
Integrators’ customers can quickly and precisely specify cybersecurity requirements and build cybersecurity into each RFP (Request for Proposal) by simply asking for IEC 62443 certification. These customers will then know they have chosen a company with a good cybersecurity engineering process and good cybersecurity design practices.
These seem like good things to me.