The International Electrotechnical Commission (IEC) is developing a new family of standards. The IEC 62443 standard is based on the work of ISA99 and specifies security requirements against external threats without losing the functional safety features of the systems concerned.
One of the main security objectives of IEC 62443 is defense in depth: it considers low-level requirements and extends security to other areas, from manufacturers to operators, to cover the different attack surfaces.
Industry has received it very enthusiastically, since it develops a flexible, powerful methodology that adapts to different application objectives, keeps pace with the continuous evolution of technology, and starts from an exhaustive definition of requirements that facilitates its implementation.
The figure shows the different parts that make up each standard. Several of them are still under development, but they are expected to be recognized as the de facto standard for cybersecurity, as IEC 61508 is for functional safety. Contemplating all these changes and bringing together all security measures will make IEC 62443 the most relevant cybersecurity standard.
The scope of application extends from the final IT system, through the different subsystems and equipment involved, down to the component level, which is critical for its application to the new Industry 4.0 and its IoT derivatives in the end-consumer field.
The assets to be protected are defined in a broad framework, suited to each specific case and far from the obsolete understanding of information theft; IEC 62443 establishes the assets and their capabilities to be protected:
Two definitions are the most important and recur throughout the standard:
- Security zones: a group of physical or logical assets that share common security requirements. A zone clearly delimits the set by defining a logical or physical boundary that separates internal and external components.
- Conduits: a communication path between two security zones. A conduit provides security features that allow two zones to communicate securely. All communication between different zones must go through a conduit.
This is important from a security perspective because, when assets are grouped and communicate along known paths, it is in most cases easier to put security measures in place to secure the channels than to secure each of the assets independently.
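The rule that every cross-zone communication must use a defined path can be checked mechanically against a flow inventory. The following is an added example, not part of the standard or of Alter Technology's methodology; the asset names, zone names, ports and flows are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Constructed model: asset -> security zone
ZONES = {"hmi-01": "control", "plc-01": "control", "plc-02": "control",
         "historian": "dmz", "erp": "enterprise"}

# Constructed conduits: pair of zones -> ports the conduit permits.
# Simplification (assumption): conduits are treated as direction-agnostic.
CONDUITS = {frozenset({"control", "dmz"}): {44818},
            frozenset({"dmz", "enterprise"}): {443}}

# Constructed flow inventory (e.g. exported from firewall or NetFlow logs)
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", 502),       # same zone
    Flow("plc-01", "historian", 44818),  # crosses zones on a defined conduit
    Flow("erp", "plc-02", 502),          # crosses zones with no conduit
    Flow("historian", "erp", 3389),      # conduit exists, port not permitted
    Flow("laptop-7", "plc-01", 502),     # asset missing from the zone model
]

def check_flow(flow, zones=ZONES, conduits=CONDUITS):
    """Return 'intra-zone', 'via-conduit', or a 'violation: ...' string."""
    for asset in (flow.src, flow.dst):
        if asset not in zones:
            return f"violation: {asset} is not assigned to a zone"
    zs, zd = zones[flow.src], zones[flow.dst]
    if zs == zd:
        return "intra-zone"
    allowed = conduits.get(frozenset({zs, zd}))
    if allowed is None:
        return f"violation: no conduit between {zs} and {zd}"
    if flow.port not in allowed:
        return f"violation: port {flow.port} not permitted between {zs} and {zd}"
    return "via-conduit"

def audit(flows, zones=ZONES, conduits=CONDUITS):
    """Return (flow, reason) for every flow that breaks the zone model."""
    results = ((f, check_flow(f, zones, conduits)) for f in flows)
    return [(f, r) for f, r in results if r.startswith("violation")]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Unassigned assets are reported as violations rather than skipped, since an asset outside the zone model has no defined security requirements.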
The standard describes a broad starting list of families of technical requirements, from the level 1 FRs (Foundational Requirements) up to specific level 3 requirements, accompanied by living references to public libraries that collect the latest news and information to facilitate the correct definition of cybersecurity requirements.
Alter Technology – Methodology IEC 62443
To develop its cybersecurity services Alter Technology TÜV NORD S.A.U. has completed its own methodology of analysis and application of IEC 62443, covering all the necessary cybersecurity requirements applicable to industrial and end user environments. Alter Technology offers end-to-end solutions that completely protect the attack surface, which is only possible with a deep knowledge of the needs of industrial services, with a global vision and specialization along with innovation in cybersecurity as essential elements.
The methodology addresses the analysis of the system or product under study, its vulnerabilities and assets, with known threats and attack vectors, resulting in a final balance of the cybersecurity status and contingency plans to be implemented to obtain the cybersecurity target levels.
The phases of the methodology are the following:
- Understanding and breakdown of the system or product under study, its functionalities and its most critical assets to protect.
- Analysis of their vulnerabilities.
- Segmentation of the system or product under study into security zones, identification of its entry points and the interactions between zones, and marking of the assets to be protected.
- Study of external attack scenarios, identification of possible threats.
- Cross-referencing the scenario of the known system or product with the options for external attacks. Evaluation of the impact on its security, and the first cybersecurity conclusions for the system.
- Mitigation measures and scope of SL levels (1-4)