06/05/2020

Procurement of secure plant components with IEC 62443

Secure OT operation starts already with procurement, we’re therefore looking into the relevance of procurement of secure industrial components with IEC62443 in this post. From the asset owner’s point of view, the IEC 62443-4 part is particularly important for the procurement process. This part addresses component manufacturers and the security capabilities of components. This includes on the one hand requirements for a secure development process (62443-4-1), as well as requirements on the technical security properties of industrial components (62443-4-2).

This article is intended to give a brief insight into the usage of 62443-4-2 and the definition of requirements based on the standard.

Overview of IEC 62443-4-2

Generally, the 4-2 standard is aimed at all industrial components, which are divided into four device categories:

  • Embedded devices (e.g. PLC, sensors, DCS)
  • Host devices (e.g. PC, workstation)
  • Network devices (e.g. industrial routers / switches)
  • Software applications (e.g. configuration software, historian software)

Requirements are divided into foundational requirements (FR), which define general component requirements (CR), as well as specific requirements for each device type (e.g. network device requirements).

Definition of requirements for the plant design

For this purpose, a risk analysis according to the process model of IEC 62443-3-2 should be performed, and based on the identified risks, a system design should be created. In order to mitigate the identified risks, the necessary requirements for the components can be derived. This set of requirements can be specifically defined using a selection of requirements (CR).

Based on the criticality and specific protection needs (e.g. legislation), the so-called security level (SL 1-4) should be defined for each component and the requirements adjusted accordingly. This list of requirements forms the basis for the procurement of components. Mature component vendors who align their products along with 62443-4 provide the requirements and security levels (SL-C) that can be achieved by their products. Of course, there will be cases in which different requirements cannot be met by a specific component – in this case, compensating measures should be planned and implemented to ensure the protection of the component and the system. The selection of components corresponding to the desired security level however forms already the basis for secure plant operation.

In the industrial environment, the IEC 62443-4 part is becoming more and more established, with numerous product certifications, including well-established vendors like Siemens, Phoenix Contact, Rockwell and Cisco.

Limes Security is specialized in the field of IEC 62443 standards and is happy to support you with achieving your desired security level through professional consulting.