The American standards institute ISA has conducted a study on the applicability of the ISA/IEC 62443 standard for certification of industrial IoT components. The findings are relevant in Germany in that the first manufacturers here are seeking certification for their automation components or at least want to lay the groundwork for doing so. Along with connected devices in general, the study especially covers IoT gateways. It is based on research conducted by such recognized institutions as ENISA and NIST as well as well-known product security providers.
What key insights does the report offer?
In brief, the ISA/IEC 62443 standard provides a good basis for certification. However, the authors also recommend additional requirements beyond those specified in Parts 4-1 and 4-2 of the standard. They include, for instance, software updates via remote access and the related management of update functions.
The reason for the additional requirements are a number of developments that have occurred since the ISA/IEC 62443 was published, especially
- Increasingly enabled direct Internet connectivity
- Unsecured physical access
- Increasing miniaturization of components
- Increasing virtualization and the associated integration of functions on the same hardware platform, rather than distribution in components with classic zones and zone transitions (“conduits”)
- High production volumes of identically built components
Furthermore, the report outlines certification along two levels: a “core tier” level that corresponds with security level SL2 with several adjustments (i.e., partly with requirements from SL3 and SL4) and an “advanced tier” level, which corresponds with SL4 end-to-end.
What requirements are recommended beyond the standard components already published?
1. Separating functions (“compartmentalization”) in order to limit the impact of attacks (e.g., also separation of run environments from software modules)
2. Clear default security settings for initial start-up (“secure by default”)
3. Authentication of machine users when accessing untrusted networks
4. Personalized access data for each device (rather than identical access data for all devices provided during production of a series)
5. Protection of data during processing (in addition to protection of saved data or data to be transferred)
6. Updates/upgrades via remote access
7. Configuration ability that allows for switching off automatic software updates
8. Maintaining the security configuration when software is updated
p. Filtering network access for management and configuration functions, namely on the port, protocol, and application levels
10. No storage of information such as circuitry or other development data that would enable reverse engineering of the device when physically accessed
11. Detection of missing components, e.g., in remote locations
12. Maintaining relevant functions when detaching from the Internet
In its current state, the study is far from establishing binding guidelines. Instead, it has more of a recommendation nature – and therefore, doesn’t necessarily make the life of a product security manager any easier. But it does raise lots of good questions that companies can use in assessing their own security concepts. Our experts anticipate that a variant of the recommendations mentioned above will eventually be incorporated into a new version of the ISA/IEC 62443.
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us (mail us) or use our to learn more about your cyber risk profile.
Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.