What is the IEC 62443 standard?

Over the last couple of years, the industry has been undergoing significant transformations, driven by the digitalization of the manufacturing process. It brings so many new opportunities, fundamentally changing the way the industry is operated. By utilizing the industrial-grade network, the entire system becomes interconnected, allowing communication between each production segment and thus, a high level of process automation. Having large scale integration and connectivity at all levels undoubtedly offers numerous benefits; however, without the implementation of appropriate security measures, it can also pose a serious risk for the entire system. This is where robust, yet flexible and well-thought security standards such as the IEC 62443 can make a huge difference.

IEC 62443 successfully addresses specific requirements of the industrial security

Unlike the office environment where time is not a critical parameter and where the focus is the confidentiality, industrial cyber-security must provide continuous operation of the production line, protecting the integrity of essential automation functions. The IEC 62443 standard series developed by the ISA99 committee provides a robust and flexible security standard framework that covers various aspects of a typical Industrial Automation Control System (IACS), offering a cohesive, holistic protection concept.

The best security solution is the one with no implementation gaps

An effective security solution includes both technical and organizational security measures. It cannot be implemented by neglecting the importance of the roles that the stakeholders must perform, starting with the Product Supplier, over the System Integrator and ultimately – the Asset Owner. The IEC 62443 standard series recognizes these roles and describes a set of actions in various cases for each of them, as illustrated in the picture below:

Figure 1) IEC 62443 addresses all stakeholders for a holistic protection concept

Segmented and layered security solution offers the highest level of protection

The IEC 62443 standard series also recognizes the need for a layered, partitioned implementation of technical security solutions, preventing over-protection of less critical parts of the system and increasing the overall effectiveness of the implemented security solution. Based on the risk assessment process, the entire IACS is partitioned into “zones” and “conduits”. Each partition is assigned a Target SL (SL-Target or SL-T). Once the SL-T has been determined for a particular partition, System Integrator continues the design process using components from the Product Supplier. To achieve a specific SL-T, System Integrator must use components with sufficient SL Capabilities (SL-C). Once deployed, the achieved Security Level (SL-Achieved or SL-A) of the partition is measured and evaluated. This process is repeated until the SL-A reaches the SL-T.

Generally speaking, SLs are sorted from SL 0 to SL 4 according to the immunity they provide against third-party attackers with different amounts of motivation, expertise, and with different amounts of resources invested. Note, that IEC 62443 does not prescribe any strict rules for achieving a specific SL, allowing implemented security measures to evolve dynamically in relation to the severity of the attacks. The standard does, however, provide a mechanism for the continuous evaluation of the SL ratings based on the well-accepted “Plan-Do-Check-Act” or PDCA evaluation model.

From an organizational perspective, the IEC 62443 standard series describes four “Maturity Level” ratings (ML 1 – ML 4). The ML rating system is used to evaluate how well an organization defines and describes security processes and how well the processes are followed by the personnel involved: ML 1 describes organization with unpredictable, poorly controlled and reactive processes, while ML 4 describes organization with well defined, measured, controlled, and continuously improved processes.

The IEC 62443 standard series offers a holistic protection concept, taking all the external factors into account

A holistic protection concept such as the IEC 62443 relies on implementing appropriate security solutions at each level. This involves technology, processes, and people. Technology alone, without properly trained staff or with poorly defined processes and procedures, is not sufficient to achieve the desired level of protection, regardless of its capabilities. The same applies if the selected components and systems lack the required security capabilities. Therefore, the overall protection level directly depends on all three factors mentioned above: technology, processes, and people. The Protection Level (PL) rating is used to qualitatively describe how well protected the production plant is during the operation, taking into account both ML and SL ratings, together with relevant technical and organizational safety measures.

Figure 2) Relation between the achieved technological Security Levels (SL), Maturity Levels of an organization (ML), and the resulting Protection Levels (PL)

The IEC 62443 is a flexible and dynamic security framework

The IEC 62443 standard series does not prescribe any strict methods for dealing with security threats. Instead, the standard offers a solid framework for developing a complete security solution for an industrial environment. The standard reaches far beyond what is presented in this short article, outlining various methods for maintaining a consistent level of protection throughout the entire lifecycle of an IACS, and much more.

As one of the leading global technology solutions provider, EBV Elektronik offers services beyond distribution: if you are looking for more detailed information and an in-depth explanation of the IEC 62443 standard series, you can always get in touch with EBV Security & Identification specialists who will gladly help with your IACS security-related designs.

EBV Technology FAE Identification and Security. With many years of experience in the smart card business I support EBV customers with all their NFC design and embedded security needs.