Statement of Compliance of OT Configurations for End Users and Integrators
Compliance with IEC 62443
BYHON is a certification body and laboratory, accredited according to IEC 17065 and IEC 17025, which implements ISASecure® certification processes and provides conformity assessments for Industrial Cyber Security certification as per IEC 62443 with the ISASecure® scheme with license no. ISCI-CL0005.
Since ISASecure® certification is not applicable to an automation solution as actually installed, BYHON has implemented in its model a conformity assessment, inspired by Industrial Cyber Security schemes according to IEC 62443, aimed at verifying final OT configurations.
The purpose of the service is to perform an independent assessment of the compliance of specific contract installations with the requirements of IEC 62443, verifying the achievement of a specified level of security (SL-A).
The Declaration of Conformity is a valid and proven means of attesting that an OT configuration meets the parameters of security, integrity, availability and confidentiality, as per the ISA/IEC standard.
Some steps for issuing the declaration of conformity
Definition of the scope of application and assessment
Defining the scope of assessment in terms of configurations and security objectives, planning and collecting all relevant documentation, including diagrams related to architecture and information on essential functions, such as a list of accessible network interfaces, protocols and available services. Analysis of the specific configurations of the various parts of the automation solution.
Assessment of compliance with technical requirements
Security features are checked against the requirements defined for a given Security Level target (SL-T) for the different zones and conduits that make up the automation solution, to assess whether the object of assessment complies with the requirements of IEC 62443-3-3 as designed, configured and installed.
Vulnerabilities relating to the actual implementation on the final plant are identified by means of a vulnerability scan test.
Review of assessment and issuance of IEC 62443 declaration of conformity
Once all the previous steps have been carried out, the result is recorded in an industrial information security assessment report for review by BYHON’s technical committee. If successful, the final Declaration of Conformity is issued to certify that the final configuration of the automation solution conforms to IEC 62443 for a given security level (SL-A).