The International Electrotechnical Commission, IEC 62443 is a set of four cyber security standards for Industrial Automation and Control Systems (IACS). This set is holding a subset of process and technology details to secure OT systems. It breaks security topics down to stakeholders and roles, OT/IoT/IIoT product manufacturers, operators and service providers. Each identity should be assessed and protected following a risk-based approach to comply with cyber security best practices. With focus on prevention and mitigation of security incidents. Basically it specifies the process and product requirements for "Secure Development" of IACSs (and IIoT, Industrial IoT assets).  

IEC 62443 Industrial communication networks - Network and system security consists of 4 parts:

1. General | This part covers topics that are common to the entire series
2. Policies and Procedures | This part focuses on methods, techniques and processes associated with IACS security
3. System | This part is about system-level requirements
4. Components and Requirements | This part provides details on product and component requirements for IACS products

The key standards of the series are IEC 62443-4-1 and IEC 62443-4-2.

IEC 62443-4-1 (Secure Development Lifecycle) is process related and defines the requirements for developing secure products, throughout the whole product and application lifecycle, including Security Development Lifecycle. It recommends security requirements including:

• Defining the security requirements
• Designing secure systems
• Implementing security as well as coding guidelines
• Verification and validation of the implementation
• Managing defects and patches
• Handling the end of the product life cycle

These requirements apply to the processes such as the development process of the OT asset itself, how to maintain, firmware retire software and hardware.

IEC 62443-4-2 (Technical System Requirements) is product related, it defines the technical requirements. It provides CRs, Component Requirements for control systems relating to FRs, Foundational Requirements defined in IEC 62443-1-1.

There are 7 FRs defined:

1. Identification & Authentication Control
2. Use Control
3. System Integrity
4. Data Confidentiality
5. Restricted Data Flow
6. Timely Response to Events
7. Resource Availability

These FRs form the base of the security levels of a controls system, called Security Capability Levels. It refers to “hardening” of a OT asset.

IEC 62443 compliance challenges for IIoT assets

Achieving IEC 62443 compliance for Industrial IoT assets is a complex, layered process. Lack of visibility and insight on the development process, "the running in production" process and missing on-device security, embedded security will all prevent successful standardization.

Check Point introduced Quantum IoT Protect Nano agent to help manufacturers secure embedded devices. It includes a risk assessment service and a Nano Agent to embed into a device. Cyber security experts of Check Point review the product, perform a full risk assessment and provide the manufacturer with a Nano Agent – a customized package that provides the top security capabilities. Check Point Nano Agent is especially designed for embedded devices. It requires only minimal resources, and it is an out-of-the-box solution that doesn’t require intrusive code changes. At the same time, it serves as a frontline to secure the device. We secure the device from within.

Securing IoT and IIoT, Industrial Internet of Things has become an imperative business strategy for any industry utilizing Operational Technology.