IEC 62443 is the international reference standard series for the cyber security of industrial automation and control systems (IACS), covering both components and complete systems that are developed in conformity with ISA/IEC 62443 requirements.
IEC 62443 family of standards
The parts of IEC 62443 most relevant to developing secure products throughout their entire lifecycle, and to obtaining ISASecure® certification, are:
- Part 1-1: Terminology, concepts, and models introduces the concepts and models used throughout the series. The intended audience includes anyone wishing to become familiar with the fundamental concepts that form the basis of the series.
- Part 2-1: Establishing an IACS security program describes what is required to define and implement an effective IACS cyber security management system. The intended audience is asset owners who are responsible for the design and implementation of such a program.
- Part 3-2: Security risk assessment for system design addresses cyber security risk assessment and system design for IACS. The outputs of this process are the risk assessments and the target security levels (SL-T), which are documented in the Cybersecurity Requirements Specification (CRS). This part is primarily directed at asset owners and system integrators.
- Part 3-3: System security requirements and security levels describes the requirements an IACS must meet for a given security level. The principal audience includes product suppliers of IACS products, integration service providers, and asset owners.
- Part 4-1: Product security development lifecycle requirements describes the requirements for a product supplier's security development lifecycle. It is addressed to product suppliers of IACS systems and IACS components.
- Part 4-2: Technical security requirements for IACS components describes the requirements that IACS components must meet for a given security level. IACS components include embedded devices, host devices, network devices, and software applications. The principal audience is product suppliers of IACS component products.
IEC 62443 principal roles
As mentioned above, the IEC 62443 series identifies three principal roles involved in product and system security:
- Asset Owner: the organization that is accountable and responsible for the IACS. The asset owner is also the operator of the IACS and of the EUC (Equipment Under Control).
- Integration Service Provider: the organization that provides integration activities for an automation solution, including design, installation, configuration, testing, commissioning and handover to the asset owner. The integration service provider may also facilitate the risk assessment.
- Product Supplier: the organization that manufactures and supports a hardware and/or software product. Products may include IACS systems and IACS components such as embedded devices, host devices, network devices, and software applications.
The picture below shows the relationship between the three roles and how they interact with each other.
There is a fourth role, the Maintenance Service Provider: the individual or organization that provides support activities for an automation solution. It does not actively participate in the ISASecure® certification process.