Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob

Do you have a handle on IEC 62443?

Do you have a handle on IEC 62443?

5 sign-ins First like received First question asked

In 2021, the International Electrotechnical Commission (IEC) approved the IEC 62443 international family of standards as horizontal standards, thus meeting the growing need to secure industrial automation and control systems (IACS) across many industrial sectors.

Why is IEC 62443 so important?

IACS are widely deployed in industrial settings and even in critical infrastructure (power, energy, transport, etc.). In recent years, many of these industrial users have adopted and adapted technologies and standards originally developed for the world of IT (e.g. IP networks). And that is where the problem lies. IT standards can be dangerous in IACS and other industrial settings. Not only do performance and availability needs differ, cybersecurity takes on a whole new dimension in an IACS environment.

While cyberattacks on IT systems may have business or financial impacts, cyberattacks on critical infrastructure can have devastating ramifications for public health and safety. Growing connectivity is increasingly exposing the vulnerabilities of these systems, widening the attack surface and creating new attack paths. There are plenty of scary examples. Take the Triton malware supposedly developed specifically to disable safety systems designed to prevent catastrophic industrial accidents – first discovered in a petrochemical plant.1 Or the Stuxnet malware with the ability to mount cyber-physical attacks against critical infrastructure as initially discovered in a uranium enrichment plant of all places!2 Not forgetting the BlackEnergy Trojan reportedly used to launch attacks on industrial control systems (ICS) and energy markets around the world, more specifically in December 2015 on several Ukrainian power companies.3 You get the picture ….

So we are all agreed on the need for more robust security as defined by IEC 62443. What is not quite so clear, however, is how to best go about this.

What you need to know about IEC 62443 …

In addition to defining various roles (operator, integrator, manufacturer), IEC 62443-3-3 also defines four security levels (SL1, SL2, SL3, SL4). These reflect IEC 62443’s risk-based approach to cybersecurity. In other words, not all assets need to be protected in equal measure.

  • SL1 – Protect against casual or incidental security violations
  • SL2 – Protect against intentional security violations using simple means with limited resources, generic skills and low motivation
  • SL3 – Protect against intentional security violations using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
  • SL4 – Protect against intentional security violations using sophisticated means with extended resources, IACS-specific skills and high motivation.

The risk and most likely the strength/skill of possible adversaries rise with each level. Thus the most robust cybersecurity countermeasures are required at SL4. This is obviously the level of most interest to us as microelectronics engineers.

Go with the gold standard

Drawing on various best practices, IEC 62443 mandates the need for hardware-based security to meet the requirements of SL3 and SL4. In other words, hardware-based security is seen as the gold standard in enabling IACS to resist even the most sophisticated of attacks launched using the extended resources typically available at this level. The best way to implement this type of hardware-based security – as specifically recommended by IEC 62443 – is with a Trusted Platform Module (TPM), such as OPTIGA™ TPM from Infineon.

But there is a catch. The IEC 62443 norm establishes the relevant security requirements for SL4, but does not define an evaluation methodology for hardware-based security that would enable evaluation labs and certification bodies to establish that a system or component satisfies SL4 criteria. The fastest workaround is to build on recognized schemes such as Common Criteria certification.

You don’t have to go it alone!

Regardless of the underlying hardware security certification scheme, the IEC 62443 certification process involves many steps. The good news is: You can fast-track this process with a trusted partner at your side.

Certification programs for IEC 62443 and SL4 specifically have been established by renowned organizations such as TÜViT (member of TÜV Nord Group). Consequently, certified products such as the OPTIGA™ TPM are already available on the market – based on standards such as CC. Here at Infineon, we anticipate that certifications such as these will probably become mandatory for IACS, especially for critical infrastructure. They thus provide an excellent starting point for IEC 62443-compliant IACS development work for IoT environments.

To accelerate and simplify your IEC certification process, TÜViT offers an end-to-end service covering all steps in your certification roadmap. Starting with phase one (a gap analysis and action plan), TÜViT then moves on to the audit phase (documentation and on-site assessments, technical testing and conformity statements plus organizational audits), and finally to phase three, where the certification report is submitted to a certification body such as IECEE. You are then presented with a certificate of conformity and are free to focus on what you do best – developing IACS microelectronics solutions that meet the most robust security requirements demanded by today’s standards.

For more information, please read our latest white paper.

For more information about IoT security please visit www.infineon.io/secure

1 https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malw...
2 https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
3 https://www.kaspersky.com/resource-center/threats/blackenergy