MACHINE BUILDING
many industries around the world. Today’s smart factories are actively leveraging the potential of interconnected systems to streamline production, increase output and reduce waste, while also increasing production flexibility. However, while this opens a wealth of opportunities, the growing dependence on interconnected technologies in the industrial environment increases our vulnerability to cyber threats. From the theft of proprietary technical knowledge to threats of plant shutdowns and even damage and destruction of critical industrial assets, the risk of cyberattacks on industrial operations represents a genuine concern that can impose significant financial costs and even put lives in danger. Therefore, taking action to strengthen industrial cybersecurity is more important than ever.
Both industrial IT security and the security of the wireless products which manufacturers produce will therefore become increasingly important. This means that ongoing investment in cybersecurity is crucial to keep up with technological developments for competitive advantage, alongside effective measures to combat hacker attacks. Planning ahead and optimising cyber resilience throughout the entire system lifecycle – from design to support – is therefore essential. While efforts to address cyber threats targeting ICT systems are generally well-established in many organisations, the issue of managing threats targeting operational technology has only recently become a priority. As a result, the implementation of internal policies and procedures for addressing the security of technologies and systems used in industrial operations often lags behind an organisation’s other cybersecurity efforts.
SYSTEMATIC APPROACH TO CYBERSECURITY
A different approach is required to address cybersecurity requirements specific to an industrial automation and control system (IACS). IEC 62443 – “Industrial Communication Networks – Network and System Security” is a series of internationally accepted standards, technical reports and technical specifications that provides a systematic approach for assessing and mitigating current and future cybersecurity risks for an IACS.
Based in part on the principles found in a number of different national cybersecurity standards, the IEC 62443 series provides a clear yet flexible framework that is equally applicable in discrete and process-oriented manufacturing environments in a diverse range of industries.
Comprised of 14 separate parts, the IEC 62443 series details the specific cybersecurity responsibilities of individual participants (“roles”) that are involved in the development, deployment, use or maintenance of industrial control systems and components. These roles include:
UK Manufacturing Summer 2023
Asset owner – individual or organisation responsible for one or more IACS
Product supplier – manufacturer or developer of hardware or software components integrated into an IACS
Service provider – individual or organisation that provides support services or supplies to the asset owner for an industrial control system or component. This includes integration and maintenance services.
The specific requirements presented in the IEC 62443 series also give equal weight to the contributions of people, processes and technology in ensuring cybersecurity in an industrial environment.
Six out of the 14 separate documents in the IEC 62443 series represent a good starting point for industrial organisations seeking to secure their IACS from cyber threats:
1. IEC 62443-2-1 - specifies requirements for asset owners of an IACS. The security program must define the security capabilities that apply to the secure operation of an IACS.
2. IEC 62443-2-4 - details a comprehensive set of security capability requirements for service providers of all types involved in the integration or maintenance of an IACS. The standard provides for the development of “profiles”, which can be used to address the unique characteristics of specific environments.
3. IEC 62443-3-2 - establishes requirements for defining an IACS system, partitioning a system under consideration (SUC) into zones and conduits, assessing the risk for each zone and conduit and establishing their respective target security levels.
4. IEC 62443-3-3 - defines system security requirements applicable to automation systems and networks.
5. IEC 62443-4-1 - describes the product development life cycle requirements related to the cybersecurity of products intended for use in the IACS environment. Specific aspects of the product life cycle addressed in the standard include security requirements definition, secure design, secure implementation, verification and validation, defect management, patch management and product end-of-life considerations.
6. IEC 62443-4-2 - applies the security requirements and security levels presented in IEC 62443-3-3 to the components that constitute an IACS, such as embedded devices, network components, host components and software applications. The intent of the standard is to specify the component security capabilities required to mitigate threats for a given security level without compensating countermeasures.
For asset owners, these six standards provide the foundation for an effective IACS cybersecurity management system, as well as a path for identifying future vulnerabilities and implementing security improvements as required.
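The zone/conduit model of IEC 62443-3-2 and the component capability levels of IEC 62443-4-2 fit together as a simple gap analysis: every zone gets a target security level (SL-T) from its risk assessment, every component has a capability level (SL-C), and any component whose SL-C falls below its zone's SL-T needs compensating countermeasures. The following is an added illustration written for this article, not code from TÜV SÜD or from the standard; the plant model, zone names and level values are constructed, and the IEC 62443 levels SL 0 to SL 4 are the only values admitted.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# IEC 62443-3-3 defines security levels SL 1 to SL 4; SL 0 means no specific requirement.
VALID_SL = range(0, 5)

@dataclass
class Component:
    name: str
    sl_capability: int  # SL-C: level the product is built to (IEC 62443-4-2)

@dataclass
class Zone:
    name: str
    sl_target: int  # SL-T: level the zone risk assessment requires (IEC 62443-3-2)
    components: List[Component] = field(default_factory=list)

@dataclass
class Conduit:
    name: str
    endpoints: Tuple[str, str]  # the two zones this communication path joins
    sl_target: int

def component_gaps(zones: List[Zone]) -> List[Tuple[str, str, int, int]]:
    """(zone, component, SL-C, SL-T) for every component whose SL-C is below
    its zone's SL-T: it cannot meet the target without compensating countermeasures."""
    gaps = []
    for zone in zones:
        if zone.sl_target not in VALID_SL:
            raise ValueError(f"invalid SL-T for zone {zone.name}")
        for comp in zone.components:
            if comp.sl_capability < zone.sl_target:
                gaps.append((zone.name, comp.name, comp.sl_capability, zone.sl_target))
    return gaps

def boundary_conduits(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Conduits joining zones with different SL-T: trust boundaries that need
    their own risk assessment and target level under IEC 62443-3-2."""
    target = {z.name: z.sl_target for z in zones}
    return [c.name for c in conduits if target[c.endpoints[0]] != target[c.endpoints[1]]]

def example_model():
    """Constructed sample SUC (not a real plant): a production cell and a safety zone."""
    cell = Zone("Production cell", 2, [Component("PLC", 2), Component("Legacy HMI", 1)])
    safety = Zone("Safety system", 3, [Component("Safety controller", 3)])
    conduits = [Conduit("Cell-to-safety link", ("Production cell", "Safety system"), 3)]
    return [cell, safety], conduits
```

Running `component_gaps` on the sample model flags the legacy HMI (SL-C 1 in an SL-T 2 zone), and `boundary_conduits` lists the link between the two zones as a trust boundary that needs its own target level.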
TAKING STEPS
To harness the opportunities of Industry 4.0, industry must fully understand cybersecurity challenges and take steps to minimise the potential risks. There are a wide variety of possible cybersecurity vulnerabilities in the manufacturing environment, and these can appear throughout the entire component or system lifecycle, so it is essential that the cyber resilience of any connected devices is optimised. The holistic approach presented in the IEC 62443 series therefore provides a robust and comprehensive cybersecurity solution for industrial organisations seeking to leverage the full potential of Industry 4.0 technologies while minimising their risk. Awareness and understanding of the IEC 62443 standard and its components – among other cybersecurity laws and regulations – can help to prevent cybercrime attacks within a business. It also provides increased assurance to the entire supply chain. Not only will this minimise risk by enhancing the cyber resilience of products and systems through a structured approach to industrial security, it may also increase competitiveness, as the implementation of IEC 62443 demonstrates a high level of commitment to industry best practice through the optimisation of security capabilities. Machinery suppliers and system integrators must therefore enhance cyber resilience by improving their development, integration and support processes. For machinery end-users, analyses, assessments and tests play a key role in implementing appropriate security controls. The challenge is of course to successfully harmonise IT requirements with the specific demands of automation and control systems in the manufacturing environment.
TÜV SÜD
www.tuvsud.com/en-gb/industries/manufacturing