SGS, the world’s leading testing, inspection and certification company, is alerting manufacturers operating in Industry 4.0 of a key tool to help them combat cyber-attacks – IoT standard, IEC 62443.
The digitalization of processes and systems to improve supply chain management, drive efficiencies and optimize cost-effectiveness has transformed manufacturing. Yet, the integration of the Internet of Things (IoT) and cloud technologies into value chains opens them up to the risk of cyberattack.
As the most widely recognized industrial IoT standard, IEC 62443 provides critical infrastructure agencies and industrial sectors with established guidelines for ensuring secure industrial automation and control systems (IACS).
The standard sets best practices for security and provides a way to assess the level of security performance, bridging the gap between operations and information technology, as well as between process safety and cybersecurity.
Vulnerabilities
Industry 4.0, seen as the latest industrial revolution, involves the integration of smart technology into everything from energy systems, processes and factories to urban infrastructures and transportation systems. The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for asset owners, system integrators, product suppliers and other stakeholders.
Set against these desired outcomes is an increased risk of cyberattack. Where once, a criminal would need direct access to a system to control it, the inherent vulnerabilities of a connected system mean they can now potentially take control without leaving their home.
Cyberattacks are on the rise in all sectors, with attacks on manufacturing doubling in 2022.1 If an attack is successful but kept ‘in-house,’ it will, at the very least, offset any potential benefits accrued from the introduction of IoT solutions.
However, in other cases, the impact can be enormous, spreading beyond the directly affected organization to affect whole communities. An example of this is the US Colonial Pipeline shutdown in 2021. The attack was discovered in the early hours of May 7, 2021, when a ransom note was found in the company’s IT system. Hackers had used DarkSide ransomware to access the company’s systems through an outdated VPN. Data was then encrypted, putting the organization’s whole operational technology (OT) network at risk, including the 5,500-mile pipeline.
In addition to the impact on the company, this attack also led to states declaring emergencies, rapid fuel price rises and supply shortages after consumers panicked and stockpiled fuel. In the longer term, it also highlighted vulnerabilities in relation to industrial control systems (ICS) and OT networks and instilled a sense of urgency around the need to take industrial cybersecurity seriously. 2
Industrial drivers
Business continuity is a major driver for the industrial sector. Disruption caused by a cyberattack can be significant in terms of lost business and damage to infrastructure and reputation.
At the same time, the regulatory landscape is evolving, with authorities now looking for evidence of IoT cybersecurity management, e.g. European Union (EU) Radio Equipment Directive (RED) in 2024. IoT also falls under the provisions of a wide variety of other legislation and standards, including the NIS2 Directive, Cyber Security Act and Cyber Resilience Act in the EU and NIST 8425 in the US.
About IEC 62443
This series of standards originated in 2002 when the International Society of Automation (ISA) established the Industrial Automation and Control System Security standards committee (ISA99). Originally known as the ISA99 standards, they were renumbered in 2010 as the ANSI/ISA-62443 series and submitted to and used by International Electrotechnical Commission (IEC) working groups. In 2021, the IEC approved the IEC 62443 family of standards as ‘horizontal standards,’ meaning they are the foundation for addressing cybersecurity when any sector-specific standard is developed.
The series is organized into four parts:
- Part 1 – General – covers topics common to the whole series of standards (terminology, concepts, models, etc.)
- Part 2 – Policies and procedures – focuses on methods and processes associated with IACS security
- Part 3 – System – system-level requirements
- Part 4 – Components and requirements – provides detailed requirements for IACS products
As a whole, they:
- Define organizational and technical requirements for manufacturers, integrators, operators and industry
- Target people, processes, systems, solutions and components across all industries and facilities
- Support tailored security solutions
- Offer varying levels of security assurance
- Deliver a repeatable, holistic approach to the issue of cybersecurity
SGS Solution
SGS Brightsight’s dedicated IEC 62443 services include:
- Workshops and training sessions that provide a comprehensive look at the standard, its framework and technical security requirements
- Developer support
- Pre-evaluation to reduce the potential for failure during formal security evaluations
- Security evaluation against:
- IEC 62443 2-4 – IACS policy and procedures assessment
- IEC 62443-3-3 – System integration assessment. Examples include SCADA systems, consisting of multiple sensors, control units, HMIs and software applications
- IEC 62443 4-1 – assesses secure development procedures implemented by product manufacturers
- IEC 62443-4-2 – assesses the security capabilities of individual system components. Examples include local programmable logic controllers (PLCs) and the control unit on a building’s smart lights
- Certification via our IECEE-accredited certification body (SGS Fimko in Finland)
Learn more about SGS Brightsight.