Page 44 - Industrial Technology July 2021
SYSTEMS INTEGRATION
CYBER RESILIENCE
SMART FACTORIES
PAUL TAYLOR, BUSINESS DEVELOPMENT DIRECTOR FOR
INDUSTRIAL SERVICES AT TÜV SÜD, A GLOBAL PRODUCT
TESTING AND CERTIFICATION ORGANISATION, DISCUSSES
CYBER RESILIENCE FOR INDUSTRIAL SYSTEMS.
Cyber physical systems are being deployed across manufacturing and processing plants to deliver unmatched flexibility and innovative business models. However, this new connectivity also translates into a shift in the risk landscape as cyberattacks are increasing.

A security breach involving a connected industrial application can put an entire facility at risk – and the consequences for operations, people and equipment could be devastating. As vulnerabilities may appear throughout the lifecycle of a component or system, it is necessary to plan ahead and implement security from the outset. This means that ongoing investment in cyber security is crucial to keep up with both technological developments for competitive advantage and effective measures to combat hacker attacks.

Vulnerabilities include a lack of knowledge about how to apply IT security protection to machinery that has not traditionally required it, as well as systems running legacy communication networks, with which today’s cyber security software is incompatible. Also, merging traditional ways of working with Industry 4.0 approaches can cause problems.

Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security. Likewise, existing machines on the factory floor that lack digital identification and authentication functionality give end-users no way to be sure that operating instructions received by the network are from an authorised person and not a hacker. There is also the risk that the smart tags on components or the final product being produced may be manipulated in a cyberattack.

Machinery suppliers and integrators must therefore optimise the cyber resilience of their connected components and systems. For machinery end-users, analyses, assessments, and tests play a key role in implementing appropriate security controls.

IEC-62443

The international standard IEC-62443 “Security for Industrial Automation and Control Systems (IACS)” aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. Originally developed for the IACS supply chain, it is now the leading industrial cybersecurity standard for all types of plants, facilities and systems across all industries.

This standards series applies to component suppliers, system integrators and asset owners, and addresses security processes along the complete supply chain. For example, product suppliers’ certification should be based on IEC-62443-4-1 “Product security development life-cycle requirements”. This part of the standard applies to the supplier’s overall security programmes, and to the security processes connected to the development of the relevant component and control system.

Through a set of defined process requirements, IEC-62443 ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance, and decommissioning. Also, the standard ensures that processes are established to facilitate all necessary technical security functions. When adapted to meet a particular project scope, IEC-62443 lays the foundations for a robust cybersecurity approach throughout the product and system lifetime.

A third-party IEC-62443 certification demonstrates to asset owners and operators that the purchased component or system is based on a methodised and coherent approach to cybersecurity which is in line with industry best practice. Corresponding certifications (IEC-62443-2-4 “Security program requirements for IACS service providers”) enable system integrators to verify whether generic processes and security processes for a reference architecture or blueprint are compliant.

During the certification process, the auditor executes a conformity assessment based on document reviews, interviews and on-site audits. When compliance with standard requirements has been confirmed, the certification concludes with the issuance of a report and a certification mark. To maintain the validity of this certification, an annual surveillance audit is required.

Besides the generic process aspects during product development and system integration, the IEC-62443 standard also specifies technical security requirements for components and systems. These technical requirements are described in IEC-62443-4-2 and IEC-62443-3-3. The assessment of both process and technical requirements is the basis for the certification of both components and systems.

While Industry 4.0 and the IoT present powerful opportunities for manufacturers to develop new competitive advantages, as systems and processes become digitised and interconnected, cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities. To harness these opportunities, industry must therefore fully understand these new challenges and take steps to minimise the potential risks.

IEC-62443 provides a holistic approach to help mitigate these risks and provides increased assurance to the entire machinery supply chain. Awareness and understanding of the IEC-62443 standard and its components – among other cybersecurity laws and regulations – can therefore help to prevent cybercrime attacks within a business. Not only will this minimise risk by enhancing cyber resilience of products and systems through a structured approach to industrial security, it may also increase competitiveness as the implementation of IEC-62443 demonstrates a high level of commitment to industry best practice through the optimisation of security capabilities.

providers”) enables system MORE INFORMATION: www.tuvsud.com/uk