Home News&Events Blog What is IEC 62443?
    Blog
    24.Jun.2024

    What is IEC 62443?

     

    IEC62443

     


    What is IEC 62443?

    ISA/IEC 62443 is an international series of standards designed to secure networked industrial control systems. The standard provides a structured approach to cybersecurity, focusing on the unique requirements of industrial automation and control systems (IACS). It outlines procedures and technical specifications to help manage and mitigate risks associated with industrial cybersecurity. 

    IEC 62443 addresses various aspects of security, including system design, implementation, maintenance, and the security capabilities of both hardware and software components. The standard is applicable across different industrial sectors and is intended to safeguard systems from cyber threats while ensuring their safe and reliable operation. 


     

    IEC 62443 Series of Standards

    IEC 62443 is organized into several parts, each designed to address distinct aspects of cybersecurity in industrial environments:

    • IEC 62443-1: Terminology and concepts
    • IEC 62443-2: Requirements for Industrial Communication Networks
    • IEC 62443-3: System security requirements and security levels
    • IEC 62443-4: Requirements for IACS service providers
     

    IEC 62443 series of standards


     

    IEC 62443 Security Levels

    There are four security levels:
     
    Security Level Description Typical Threats Addressed Specific Requirements
    SL1 Basic protection against unintentional violations with limited effort Casual or coincidental cyber threats - Basic security policies and procedures
    - Device-level authentication
    - Log collection for routine issues
    SL2 Protection against intentional violations using simple means Low-level targeted attacks by attackers with limited skills - All requirements from SL1
    - Stronger authentication and authorization mechanisms
    - Enhanced user access controls and logging
    - Regular security patching and updates
    SL3 Protection against intentional violations using sophisticated means Attacks carried out by skilled adversaries - All requirements from SL2
    - Network segmentation to limit access
    - Real-time intrusion detection systems
    - Advanced security measures like encrypted communications and multi-factor authentication
    SL4 Protection against intentional, sophisticated attacks by expert users Highly sophisticated, targeted attacks by expert adversaries - All requirements from SL3
    - Continuous monitoring and anomaly detection
    - Forensic capabilities
    - Redudancy and resilience measures to maintain operations



     

    The Importance of Cybersecurity for Industrial Edge Computing

    Cyber threats to industrial edge computing pose significant risks, including operational disruptions, data theft, compromised safety, financial losses, and erosion of trust. An example of such a threat is the 2017 WannaCry ransomware attack, which exploited vulnerabilities in industrial edge devices, encrypted data and disrupted operations globally. This incident underscored the critical need for robust cybersecurity measures to protect sensitive information, ensure operational safety, and maintain business continuity, highlighting the severe consequences of neglecting cybersecurity. 

    Edge Computing


    The IEC 62443-4-1 and IEC 62443-4-2 standards specifically address cybersecurity for IAC components. Manufacturers seeking to demonstrate compliance can undergo testing and certification through the IEECE CB Scheme, a global program recognized in over 50 countries.

    IEC 62443-4-1 focuses on integrating security throughout the product development lifecycle of industrial control systems, ensuring that cybersecurity measures are foundational. This standard helps prevent vulnerabilities like those exploited by WannaCry by mandating rigorous security practices from design to deployment and maintenance. Meanwhile, IEC 62443-4-2 specifies detailed technical security requirements for components of these systems such as embedded devices, network and host components, and software applications, enhancing their ability to withstand attacks. By adhering to these standards, organizations can bolster the security of their industrial edge computing systems, effectively mitigating the risks of operational disruptions and data breaches while safeguarding overall system integrity.

     

    How does IEC 62443 certification exactly improve cybersecurity for industrial edge devices?

    IEC 62443 certification directly improves cybersecurity for industrial edge devices in several concrete ways: 

    1. Standardized Security Protocols: IEC 62443 certification ensures that all security measures conform to standardized, up-to-date protocols, ensuring uniform security practices across industrial systems.
    2. Risk Management: The standard offers detailed methodologies for assessing and managing risks, helping manufacturers proactively identify and address potential vulnerabilities in their systems.
    3. Design and Development: It mandates the integration of security measures right from the design and development stages, embedding robust security features into the products from their inception.
    4. Component Security: IEC 62443-4-2 requires that each component of the system, including edge devices, meets rigorous security standards, safeguarding the entire system by securing its individual parts.
    5. Lifecycle Security: The certification ensures that security is a continuous process, maintained throughout the product's lifecycle through regular updates, patches, and secure decommissioning practices.
    6. Vendor Collaboration: Achieving certification requires collaboration among various stakeholders and vendors, enhancing the integration and effectiveness of security measures across different products and platforms.
    7. Auditing and Continuous Improvement: Regular auditing as part of the certification process ensures that security measures are not only maintained but also improved upon, keeping pace with evolving cybersecurity threats.


     


     

    C&T x Bureau Veritas

    At this year's COMPUTEX 2024, C&T Solution and Bureau Veritas (BV) held a joint press conference at the C&T booth, focusing on cybersecurity in the industrial edge landscape. The session highlighted C&T Solution's systematic approach to obtaining IEC 62443-4-1 certification, emphasizing our proactive security enhancements. We discussed overcoming challenges such as aligning existing processes with stringent standards through comprehensive training, technological upgrades, and collaboration with cybersecurity experts from Bureau Veritas. Read press release here.

    Looking forward, C&T Solution plans to continue strengthening its cybersecurity measures, focusing on investment in innovative technologies and expanding its research and development in cybersecurity solutions. Additionally, C&T Solution is also planning to advance to IEC 62443-4-2 certification, further bolstering our commitment to maintaining the highest levels of security.



    FAQ

     

    1. What is IEC62443?
      ISA/IEC 62443 is an international series of standards designed to secure networked industrial control systems.

       

    2. What is the IEC 62443 Series of Standards?
      - IEC 62443-1: Terminology and concepts
      - IEC 62443-2: Requirements for Industrial Communication Networks
      - IEC 62443-3: System security requirements and security levels
      - IEC 62443-4: Requirements for IACS service providers

       

    3. What are they security levels of IEC 62443?
      SL1: Basic protection against unintentional violations with limited effort
      SL2: Protection against intentional violations using simple means.
      SL3: Protection against intentional violations using sophisticated means.
      SL4: Protection against intentional, sophisticated attacks by expert users.

       

    4. What is IEC 62443-4-1?
      IEC 62443-4-1 covers security management, secure design, and implementation through to maintenance and patch management, embedding security deep within the product development lifecycle.

       

    5. What is IEC 62443-4-2?
      IEC 62443-4-2 focuses on the security requirements for components of industrial control systems, emphasizing authentication, encryption, and secure communications to safeguard against breaches.

       

    6. What is the difference between IEC 662443-4-1 and IEC 62443-4-2?
      IEC 62443-4-1 focuses on the secure product development lifecycle processes, while IEC 62443-4-2 specifies technical security requirements for industrial automation and control system components.

       

    7. What is Edge Cybersecurity?
      Edge cybersecurity refers to the protection of edge computing systems, which process data at or near the source of data generation, against cyber threats and vulnerabilities. A SCADA (Supervisory Control and Data Acquisition) system is designed for monitoring and controlling industrial processes over large geographical areas, making it ideal for utilities and infrastructure management. In contrast, a DCS (Distributed Control System) is tailored for continuous and precise control within industrial plants, focusing on complex, high-speed processes in sectors like chemical production and power generation.

       

    Find Product
    Product Finder