ISO / IEC 62443: Cybersecurity in industrial automation

The IEC 62443 series was developed to secure industrial communication networks and Industrial Automation and Control Systems (IACS) through a systematic approach.

It currently comprises nine standards, Technical Reports (TR) and Technical Specifications (TS), with four parts still under development. IACS can be found in an increasing number of sectors and industries, many of which, such as energy supply and distribution, transport, manufacturing, etc., are central to critical infrastructure (PH 9.860.2: The Review of Measures to be Implemented by Critical Infrastructure Operators Pursuant to Section 8a (1) BSIG).

IACS also include Supervisory Control and Data Acquisition (SCADA) systems, which are often used by organisations operating in critical infrastructure industries, such as power generation, transmission and distribution, gas and water supply networks. Ensuring risk mitigation and resilience is therefore essential.

Prevention of illegal or inappropriate access

In IEC 62443 publications, “the term ‘security’ is considered to be the prevention of illegal or unwanted intrusion, intentional or unintentional interference with the proper and intended operation of, or inappropriate access to, confidential information in Industrial Automation and Control Systems (IACS).”

Security “includes computers, networks, operating systems, applications and other programmable, configurable components of the system”.

IEC 62443 standards cover all aspects of cyber security at all stages and are a cornerstone of a secure-by-design approach.

Therefore, a broad overview of the IEC 62443 publications is necessary as they are relevant to all industrial communication networks and IACS users, including plant owners, system integrators, equipment manufacturers, suppliers, plant operators, maintenance professionals and all private and governmental organisations involved in or affected by cyber security of control systems (IEC / TS 62443-1-1 Industrial communication networks, network and system security – Part 1-1: Terminology, concepts and models).

The IEC 62443 series of standards is divided into four parts, which cover the following:

  • General (IEC 62443-1.* – one part of four published)
    The general documents provide an overview of the industrial security process and introduce essential concepts.
  • Policies & Procedures (IEC 62443-2.* – three parts of four published)
    The Policies & Procedures documents emphasise the importance of policies – even the best security is useless if employees are not trained and committed to support it.
  • System (IEC 62443-3.* – all three parts published)
    Since security can only be understood as a property of the integrated system, the system documents provide important guidance on the design and implementation of secure systems.
  • Components (IEC 62443-4.* – both parts published)
    Since you cannot build a solid building from weak bricks, the component documents describe the requirements that must be met for secure industrial components.

Information technology (IT) and operational technology (OT)

International standards such as ISO / IEC 27001 and IEC 62443, together with testing and certification (conformity assessment), are important tools for a successful and holistic cyber security programme. Such an approach increases stakeholder confidence by demonstrating not only the use of security measures based on best practices, but also that an organisation has implemented those measures efficiently and effectively. The measures must be integrated into an overarching strategy that encompasses people, processes and technology: not only the technical measures themselves, but also the organisation around them, which ensures that cyber-attacks are detected in a timely manner.

Implementation challenges

Although IEC 62443 has many benefits and advantages, implementing the standard also brings some challenges.

First, the standard is not complete. Some of the specifications in the series have not yet been published.

Second, the standard is very comprehensive: with a total volume of more than 800 pages so far, and further specifications to be published successively, a considerable amount of time and effort is required to read and understand the complete standard.

With our auditing standard in accordance with IDW PS 860 (IT audits outside the audit of financial statements), we verify compliance with legal and regulatory requirements.

The audit guidance notes (PH) cover

  • Cloud / Cybersecurity
  • Examination of the principles, procedures and measures in accordance with the EU General Data Protection Regulation and the Federal Data Protection Act (PH 9.860.1)
  • Audit for operators of critical infrastructures (PH 9.860.2)
  • Conformity with GoB requirements

Compliance with industry standards and recognised IT frameworks

  • PCI-DSS
  • ISO standards
  • COSO, COBIT or ITIL

With our attestation, we ensure that the mechanisms, implemented measures and controls are subjected to a design assessment (at a point in time) and that the criteria applied are suitable. We then examine the implementation of the controls and measures for ensuring cyber security and subject them to an operating effectiveness test (over a period), thus confirming that the controls and measures were effective throughout the period under review.