Why is IEC 62443 Security Level 2 important for power management systems?

October 12, 2021

Are you an engineering consultant specifying or designing power management systems or components in new or existing facilities? If yes, have you specified at least a cybersecurity IEC 62443 Security Level 1 (SL1) for the system and Security Level 2 (SL2) for the power management software? This post will explain what these security levels mean, why it is essential to choose certified technology to comply with each, and why the new Security Level 2 certification for EcoStruxure Power Operation makes it an excellent choice.

Increasingly, the digitalization of power distribution is changing the way organizations manage their electrical energy. And for a good reason. Smart power management systems are helping maximize uptime, save up to an average of 20% on energy and maintenance costs, optimize CO₂ footprint by an average of 20%, and reduce CapEx by 5 to 20%.

Today’s power management solutions comprise a network of integrated `smart` devices, software applications, and mobile devices often connected to the cloud. This digital transformation is part of the convergence of information technology (IT) and operational technology (OT) that has been happening between many business and facility systems. In fact, IDC says, “IT and OT convergence has been accelerating in recent years” and predicts that “by 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.”

But with connectivity and convergence comes a greater risk of cyber threats, as each system and device represents a potential ‘attack surface.’ There have been numerous real-world examples of IT/OT breaches causing significant disruption and costly losses, including the famous attack on Target that came through the HVAC system.

Securing digitally connected power distribution systems is critical to protecting building owners’ and operators’ investment in them. And, given the trend in cross-platform integration, it will also help defend against an attacker gaining access to other connected systems.

ISA / IEC 62443: Standardizing cybersecurity best practices

Power distribution systems must be designed, implemented, and operated with security in mind to ensure maximum resilience to cybersecurity threats. International standards are helping technology suppliers, integrators, end users, and service providers follow well-defined cybersecurity best practices.

The International Electrotechnical Commission (IEC) and the International Society for Automation (ISA) have developed one of the most robust cybersecurity standards under ISA / IEC 62443. These standards provide a framework to help simplify the definition of requirements for securing ‘industrial automation and control systems (IACS)’ and operational technology (OT). Power management fits well within this category.

The standards cover every aspect of cybersecurity in four tiers: the component (product) layer to the system (connected components) layer, policies and procedures, and general topics such as concepts and use cases.

Here’s a brief look at a few components and system standards that are important to our discussion.

At the component level:

62443-4-1: This defines the secure product development process, comprising eight ‘practices’ that address developing, maintaining, and retiring hardware, software, or firmware.
62443-4-2: This defines technical requirements for embedded devices, network components, host components, and software applications. It specifies security capabilities that will mitigate threats for a given security level. We will look closer at security levels below.

At the system level:

62443-3-2: As cybersecurity is essentially risk management, this is a guide for system-level risk assessment based on relevant threats, risk exposure (assets affected), likelihood, vulnerabilities, and consequences.
62443-3-3: This defines the technical cybersecurity requirements for systems, including security levels.

You can see that two of these standards mention ‘security levels’ for components and systems. Let us have a look at what these are and why they are important.

Security levels: Defining the degree of protection needed

IEC 62443 defines seven foundational requirements that include considerations like data integrity, resource availability, timely response to an event, access and use control, etc.

For each of these essential requirements, a required security level must be defined. Security levels define the cybersecurity functions in devices and systems that achieve the necessary resistance to cyberthreats.

The different security levels reflect different classes of attackers. SL1 protects against unintentional or accidental misuse (e.g., by an employee), while SL2 protects against intentional violation by a malicious attacker. SL3 and SL4 address increasingly sophisticated types of attackers (e.g., terrorists, nations).

For each security level, IEC 62443 defines a broad list of requirements necessary to obtain compliance. For example, SL1 includes 37 individual requirements, while SL2 has all the requirements of SL1 plus 23 additional requirements.

Increasing the device and system robustness makes it more resistant to cyber threats. Therefore, when specifying power management solutions, you should seek technology providers to verify that their components and systems comply with the security cybersecurity level that your team has determined is appropriate for the typical risks your facility faces. For example, you may need to protect against malicious attacks (SL2), but not from attacks by a nation-state (SL4).

Third-party certification: Confidence in power management cybersecurity compliance

Beyond showing self-compliance with IEC 62443, certification is even better. Certification gives engineering consultants, integrators, and end users the peace of mind that a vendor and its offers have been independently verified to comply. This certification is performed by an internationally recognized testing organization, such as TÜV Rheinland or exida.

Cybersecurity is a serious matter for Schneider Electric – because it is critical for our customers – and we are responding by adopting the IEC 62443 standards and leading the power management industry with independent certifications for our processes, software, and systems. In fact, our product security engineers participated in the working group that developed the ISA/IEC 62443-4-1 standard.

We also recently announced that EcoStruxure Power Operation software (previously Power SCADA Operation) is now certified to IEC 62443-4-2 Security Level 2.

We are proud to say that this is the world’s first – and currently only – SL2 certification for a power management product. As an essential solution for power management in critical buildings, this SL2 certification will give our partners and customers confidence that they have a strong level of cybersecurity protection against potentially malicious attacks.

EcoStruxure Power Operation is also included in a system-level IEC 62443-3-3 SL1 certification that includes MasterPact™ MTZ air circuit breakers, PowerLogic ION9000, and PowerLogic PM8000 power meters, and more. In addition, many of our products have certifications to the IEC 62443-4-1 and/or -4-2 at SL1, including EcoStruxure Power Monitoring Expert software, Easergy P5 protection relays, and others.

To learn more about cybersecurity best practices for electrical systems, download our white papers, “Understanding cybersecurity for IoT-enabled electrical distribution systems”. And discover EcoStruxure Power Operation software.