Information Technology (IT) is the personnel, hardware, and software that controls non-physical devices and/or processes such as websites, financial data, personal information, etc.
Operation Technology (OT) is the personnel, hardware, and software that controls physical devices and/or processes such as manufacturing, oil & gas, power, etc. Today, OT has many if not all the components that are found in IT.
SCRUM is a popular process for incorporating agile ideas into IT software development. Companies are now using or wanting to use SCRUM in the OT environment of Industrial Automation and Control Systems (IACS).
The IEC 62443 standards consider IACS cyber security. IEC 62443 considers fundamental criteria to be used in obtaining security for IACS: Controlling Access and Use, Integrity and Confidentiality of Data, Restricting the Flow of Data, Responding to Events in a Timely Manner, and Availability of Resources. The IEC 62443 development process requirements support the implementation of these criteria.
The question then arises “How can a SCRUM development process incorporate the IEC 62443 development process requirements?” The IEC 62443 requirements are not based on any one development model. It considers that the development model has phases or groupings. This means that it is possible, with one slight exception, to incorporate the IEC 62443 development requirements into the SCRUM model.
Developing under the SCRUM model considers many different concepts during a sprint. These considerations are not done using any waterfall or mini-V model; they are usually done almost in parallel with decisions being made continually during the sprint. In order to incorporate IEC 62443, there needs to be some additional security related considerations. These security related considerations may already be a part of the current considerations by some team members however they need to be explicit considerations for all team members.
The one exception for the IEC 62443 process is that security related testers need to be independent from the team. SCRUM as defined by www.scrumguides.org (the official SCRUM definition) cannot meet IEC 62443-4-1 as there can be no differentiation of team members. This however can be overcome by incorporating personnel from other teams to do just the security testing.
So, it is possible to incorporate IEC 62443 into the SCRUM process with a slight modification. This allows for a process that betters the security aspects for any IACS product development team.