Cyber security: ensuring IEC 62443 is implemented correctly

News & blogs

2022-02-02

Editorial Team

Image by Pete Linforth from Pixabay

A growing number of organizations are implementing IEC 62443, the world’s most trusted series of industrial cyber security standards, to reduce threats and vulnerabilities, as well as to mitigate the effects of cyber-attacks. Many organizations are applying for IECEE conformity assessment certification to verify that the requirements of IEC 62443 have been met.

IECEE provides a framework for assessments in line with IEC 62443, which specifies requirements for security capabilities, whether technical (security mechanisms) or process (human procedures) related. To achieve this, two evaluations can be done, of an applicant’s security capabilities, which are used to develop, integrate and/or maintain specific products or solutions:

evaluate an applicant’s ability to provide IEC 62443 compliant security capabilities
evaluate that IEC 62443 compliant security capabilities have been applied to either a specific product, automation solution, or industrial automation control system.

Successful recipients receive the IECEE industrial cyber security capability certificate of conformity.

The IEC 62443 series was developed to secure industrial automation and control systems (IACS) throughout their lifecycle. It currently includes nine standards, technical reports, and technical specifications.

IEC 62443 is a horizontal standard, which reflects the fact that IACS are found in an ever-expanding range of domains and industries. They include, for example, the power grid, hospitals, and transport.

The standard was developed because IT cyber security measures are not always appropriate for IACS, which must run continuously to check that each component in an operational system is functioning correctly. Compared to IT systems, they have different performance and availability requirements and equipment lifetime.

Cyber-attacks on IT and OT systems often have different consequences. The effects of cyber-attacks on IT are generally economic, while cyber-attacks on OT systems, including critical infrastructure, can impact the environment or even threaten public health and lives.

IEC 62443 takes a risk-based approach to cyber security, which is based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the greatest protection and identify vulnerabilities.

The standard series stresses the importance of ensuring that this process is very closely aligned with organizational goals because mitigation decisions may have a serious impact on operations. The aim is to implement defence-in-depth measures to ensure business continuity.

Both IEC 62443 and the IECEE programme help to protect critical infrastructure. In this way, they contribute to the United Nations Sustainable Development Goal 16, which promotes peaceful and inclusive societies.

International standards such as IEC 62443 are based on industry best practices and reached by consensus. Conformity assessment is often seen as completing the process by ensuring that the standard has been implemented correctly.

Understanding IEC 62443

Recents Posts