Adapting to a changing risk landscape

12 July 2021

Paul Taylor explains how IEC-62443 can hold the answer to enhancing cyber resilience in smart factories. 

Industry 4.0 innovations are already having a significant impact on many industries, as they enable higher efficiencies, greater flexibility and innovative business models. 

As Industry 4.0 and the Internet of Things (IoT) advance, we will see machinery, systems and installations become increasingly interconnected on a global scale. By combining the strengths of the physical and virtual worlds, cyber-physical systems have the potential to significantly enhance industry performance, facilitate new products and spark innovative business models. 

While smart factories will see reduced risk in several areas – such as fewer worker injuries as machines take over hazardous tasks – the increasing number of physical and digital interfaces introduces new risks, as serious vulnerabilities can be exploited by new forms of cybercrime. Connected industrial application safety breaches can potentially put people or event whole facilities in danger and repercussions throughout could be very damaging. This new connectivity therefore also translates into a switch in the risk landscape as cyberattacks become increasingly widespread. 

Both industrial IT security and the security of wireless products will become increasingly important and ongoing investment in cyber security is crucial to keep up with technological developments for competitive advantage, alongside effective measures to combat hacker attacks. Planning ahead and optimising cyber resilience throughout the entire system lifecycle – from design to support – is therefore essential.

New vulnerabilities
There are a wide variety of possible cyber security vulnerabilities in the manufacturing environment, and these can appear throughout the entire component or system lifecycle. 

Vulnerabilities include a lack of knowledge about how to apply IT security protection to machinery that has not traditionally required it. These systems may be running legacy communication networks, with which today’s cyber security software is incompatible. Futher, merging traditional ways of working with Industry 4.0 approaches can cause problems. 

Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security. Likewise, any existing machines on the factory floor, which lack digital identification and authentication functionality, do not have the capability for end-users to be sure that operating instructions received by the network are from an authorised person and not a hacker. There is also the risk that the smart tags on components or the final product being produced may be manipulated in a cyberattack. 

Machinery suppliers and system integrators must therefore enhance cyber resilience by improving their development, integration and support processes. For machinery end-users, analyses, assessments and tests play a key role in implementing appropriate security controls. The challenge is to successfully harmonise IT requirements with the specific demands of automation and control systems in the manufacturing environment.

Following IEC-62443
The international standard IEC-62443 ‘Security for Industrial Automation and Control Systems (IACS)’ holds the answer here, as it aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. 

Originally developed for the IACS supply chain, it is a collection of multi-industry standards focused on cybersecurity protection methods and techniques. While it has a mix of process, quality and technical requirements, this standard series is mainly directed at systems rather than individual products. Consequently, IEC-62443 has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across a myriad of industries. The standard applies to component suppliers, system integrators and asset owners.

This standards series addresses security processes along the complete supply chain. For example, product suppliers’ certification should be based on IEC-62443-4-1 ‘Product security development life-cycle requirements’. This part of the standard applies to the supplier’s overall security programmes, and also to the security processes connected to the development of the relevant component and control system. 

Through a set of defined process requirements, IEC-62443 ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance and decommissioning. Also, the standard foresees that processes are established to facilitate all necessary technical security functions. When adapted to the relevant project scope, IEC-62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.

Corresponding certifications (IEC-62443-2-4 ‘Security program requirements for IACS service providers’) enables system integrators to verify whether generic processes and security processes for a reference architecture or blueprint are compliant. During the certification process, the auditor executes a conformity assessment based on document reviews, interviews and on-site audits. When compliance with standard requirements has been confirmed, the certification concludes with the issuance of a report and a certification mark. To maintain the validity of this certification, an annual surveillance audit is required.

Beside the generic process aspects during product development and system integration, the IEC-62443 standard also specifies technical security requirements for components and systems. These technical requirements are described in IEC-62443-4-2 and IEC-62443-3-3. The assessment of both process and technical requirements are the basis for the certification of both components and systems.

Industry 4.0 and the IoT presents powerful opportunities for manufacturers to develop new competitive advantages. Across a variety of industries cyber-physical systems are being implemented to enable higher efficiencies, unmatched flexibility and innovative business models. However, as systems and processes become digitised and interconnected, so cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities. Therefore, in order to harness the opportunities, industry must fully understand these new challenges and take steps to minimise the potential risks. 

IEC-62443 provides a holistic approach to help mitigate these risks and provides increased assurance to the entire machinery supply chain. Awareness and understanding of the IEC 62443 standard and its components – among other cybersecurity laws and regulations – can therefore help to prevent cybercrime attacks within your business. Not only will this minimise risk by enhancing cyber resilience of your products and systems through a structured approach to industrial security, it may also increase competitiveness as the implementation of IEC-62443 demonstrates your commitment to industry best practice by optimising security capabilities.

Paul Taylor is head of industrial products (UK) at TÜV SÜD.

Contact Details and Archive...

Related Articles...

Print this page | E-mail this page