Certifications for manufacturers of industrial control components and systems
BYHON is a certification body and laboratory, accredited according to IEC 17065 and IEC 17025, which implements ISASecure® certification processes and provides conformity assessments for Industrial Cyber Security certification as per IEC 62443 with the ISASecure® scheme.
BYHON has implemented in its compliance assessment model the schemes for compliance verification defined by ISASecure® with license no. ISCI-CL0005, including process verification, Security Development Lifecycle Assurance Certification (SDLA).
The SDLA process scheme is distinctive to ISASecure® certification and is preparatory to the assessment of the technical compliance of the product (component or system) according to the models of Component Security Assurance Certification (CSA) and System Security Assurance Certification (SSA).
The purpose of the ISASecure® certification service is to perform independent certification showing that a system or component meets the requirements of the IEC 62443 standard for a given level of security (SL-C). The certification scheme is applied in the most comprehensive manner and as the highest recognition of compliance, with a certificate issued by an accredited laboratory.
Other IEC 62443 Certification options
BYHON, a certification body that implements its certification processes in accordance with IEC 17065, also proposes, for component and system manufacturers, a conformity assessment inspired by Industrial Cyber Security certification schemes according to IEC 62443.
In this case, the conformity assessment focuses on the product through verification of technical compliance with security requirements, whether it is a system or component.
The purpose of the IEC 62443 certification service is to perform an independent certification that validly and demonstrably evidences the compliance of a system or component with the requirements of IEC 62443 for a given level of security (SL-C), again guaranteeing the parameters of security, integrity, availability and confidentiality.
When the certification of Cyber Security OT applies
For both options, certification is applicable to manufacturers of industrial control components and systems made available by a single supplier. It also applies when the system consists of hardware and software components from multiple suppliers, subject to integration by a single supplier.
In IEC 62443 and ISA terms, a system is specifically a control system, understood as the hardware and software components of an industrial control and automation system (IACS), i.e., an object to be integrated within the IACS of an entire plant and which can be certified according to the requirements of IEC 62443 for Industrial Cyber Security:
- Combined HMI/PLC Systems
- SCADA Systems
- Control system platforms
- Packaged Control Systems (PCS)
- Distributed Control Systems (DCS)
- Security Instrumented Systems (SIS)
Some steps of the certification processes of Cyber Security OT
Definition of the scope of application and assessment
Defining the scope of assessment in terms of products to be certified, related configurations and security objectives, planning and collecting all relevant documentation, including diagrams related to architecture and information on essential functions, such as a list of accessible network interfaces, protocols and available services.
Assessment of the security life cycle
Where required, verification of the manufacturer’s CyberSecurity Management System in order to verify that it has been developed and maintained in accordance with the security practices of IEC 62443-4-1.
Assessment of compliance with technical requirements
The security functionality of the system or component is checked against the requirements defined for each Security Level (SL) to assess whether the object of certification complies with the requirements of the standard according to the product (and therefore with reference to IEC 62443-3-3 for systems or IEC 62443-4-2 for components) and its type (embedded component, networking, etc.) and whether it has been developed as per the life cycle verified in the previous point.
Final testing and vulnerability analysis
Conducting tests as per the validation plan and product vulnerability analysis. This is done with a vulnerability scan and other tests.
Review of assessment and issuance of IEC 62443 certification
Once all the previous steps have been carried out, the result is recorded in an assessment report for review by BYHON’s technical committee. If successful, the final certification of compliance is issued together with the form of an Industrial Cyber Security Certification declaring that the system (or component) complies with IEC 62443 for a given security capability (SL-C).