One need only read recent headlines to appreciate that cybersecurity will continue to be a major concern to companies using Industrial Control Systems (ICS). Ransomware is one of the fastest growing businesses – generating over a billion dollars in 2016. 54% of ICS companies have suffered at least one cyberattack in the last 12 months [1]. ICS company insiders understand the looming threat – 69% of ICS cybersecurity practitioners feel that the threat to ICS systems is severe to critical [2].
The industrial control industry recognizes the threat and has responded by supporting standards to strengthen security. There are several standards that touch on industrial cybersecurity – some target specific countries or industrial segments. ISA/IEC 62443 is one of the major standards backed by both end users and equipment vendors. ISA/IEC 62443 is powerful in that it is written to be applicable across industrial segments and it has been accepted by many countries. It can also be applied to adjacent markets – like building control systems. Major equipment suppliers (Schneider Electric, Honeywell, Siemens, Yokogawa to name a few) have selected ISA/IEC 62443 as a foundational standard to drive device hardening, and have been adding security features to their products to be compliant with ISA/IEC 62443 standards.
Equipment suppliers are now releasing products that are marketed as meeting ISA/IEC 62443 standards. How can an end user ensure product compliance? Enter conformity certification. Conformity certification programs use independent test laboratories to validate compliance with the standard. Conformity certification provides value to both end users and equipment suppliers.
Value of conformity certification for end users
- Simplifies specification process – Specify ISA/IEC 62443 compliance vs. listing pages of individual requirements.
- End users understand product capabilities – End users immediately understand which security features a product implements.
- Capabilities validated by external entity – Confidence that features are properly designed and implemented.
- Confidence that security features will evolve over time – Ensures products are designed and developed within a certified development environment by qualified staff, and that security is considered from concept to delivery.
Value of conformity certification for equipment suppliers
- Differentiate solutions – Enables suppliers to derive value from product hardening by allowing promotion of superior products (e.g. our products are certified to level 2, competitors' products are certified to level 1).
- Assurance products meet cybersecurity requirements – Proper implementation of standards certified by external organization.
- Cybersecurity is a dimension of product quality – A secure development lifecycle ensures that cybersecurity is integral to product development.
- Security Development Lifecycle Assurance – Ensures products are designed and developed within a certified development environment by qualified staff, and that security is considered from concept to delivery.
End users are requiring secure ICS equipment. Implementation of features as defined in ISA/IEC 62443 will result in hardened ICS products and systems. Conformity assessment programs are necessary to give end users assurance that the security features have been properly defined and implemented. Specification of ISA/IEC 62443 conformity certification by ICS end users is the next key step that will drive secure ICS solutions.
[1] Kaspersky Labs, State of Industrial Cybersecurity Survey, 2017.
[2] Securing Industrial Control Systems, SANS, 2017.