Cyber resilience for industrial systems

Cyber physical systems are being deployed across manufacturing and processing plants to deliver unmatched flexibility and innovative business models. However, this new connectivity also translates into a shift in the risk landscape as cyberattacks are increasing.

A security breach involving a connected industrial application can put an entire facility at risk – and the consequences for operations, people and equipment could be devastating. As vulnerabilities may appear throughout the lifecycle of a component or system, it is necessary to plan ahead and implement security from the outset. This means that ongoing investment in cyber security is crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat hacker attacks.

Vulnerabilities include a lack of knowledge about how to apply IT security protection to machinery that has not traditionally required it, as well as systems running legacy communication networks, with which today’s cyber security software is incompatible. Also, merging traditional ways of working with Industry 4.0 approaches can cause problems.

Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security. Likewise, any existing machines on the factory floor, which lack digital identification and authentication functionality, do not have the capability for end-users to be sure that operating instructions received by the network are from an authorised person and not a hacker. There is also the risk that the smart tags on components or the final product being produced may be manipulated in a cyberattack.

Machinery suppliers and integrators must therefore optimise the cyber resilience of their connected components and systems. For machinery end-users, analyses, assessments, and tests play a key role in implementing appropriate security controls.

IEC-62443

The international standard IEC-62443 “Security for Industrial Automation and Control Systems (IACS)” aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. Originally developed for the IACS supply chain, it is now the leading industrial cybersecurity standard for all types of plants, facilities and systems across all industries.

This standards series applies to component suppliers, system integrators and asset owners, and addresses security processes along the complete supply chain. For example, product suppliers’ certification should be based on IEC-62443-4-1 “Product security development life-cycle requirements”. This part of the standard applies to the supplier’s overall security programmes, and to the security processes connected to the development of the relevant component and control system.

Through a set of defined process requirements, IEC-62443 ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance, and decommissioning. Also, the standard ensures that processes are established to facilitate all necessary technical security functions. When adapted meet a particular project scope, IEC-62443 lays the foundations for a robust cybersecurity approach throughout the product and system lifetime.

A third-party IEC-62443 certification demonstrates to asset owners and operators that the purchased component or system is based on a methodised and coherent approach to cybersecurity which is in line with industry best practice. Corresponding certifications (IEC-62443-2-4 “Security program requirements for IACS service providers”) enables system integrators to verify whether generic processes and security processes for a reference architecture or blueprint are compliant.

During the certification process, the auditor executes a conformity assessment based on document reviews, interviews and on-site audits. When compliance with standard requirements has been confirmed, the certification concludes with the issuance of a report and a certification mark. To maintain the validity of this certification, an annual surveillance audit is required.

Beside the generic process aspects during product development and system integration, the IEC-62443 standard also specifies technical security requirements for components and systems. These technical requirements are described in IEC-62443-4-2 and IEC-62443-3-3. The assessment of both process and technical requirements are the basis for the certification of both components and systems.

While Industry 4.0 and the IoT presents powerful opportunities for manufacturers to develop new competitive advantages, as systems and processes become digitised and interconnected, so cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities. To harness these opportunities, industry must therefore fully understand these new challenges and take steps to minimise the potential risks.

IEC-62443 provides a holistic approach to help mitigate these risks and provides increased assurance to the entire machinery supply chain. Awareness and understanding of the IEC 62443 standard and its components – among other cybersecurity laws and regulations – can therefore help to prevent cybercrime attacks within a business. Not only will this minimise risk by enhancing cyber resilience of products and systems through a structured approach to industrial security, it may also increase competitiveness as the implementation of IEC-62443 demonstrates a high level of commitment to industry best practice through the optimisation of security capabilities.