The IEC 62443 standard states that the security of a component passes first of all through specific plans, procedures and artifact control.
Discover our consulting options for the Security Lifecycle
The implementation of the lifecycle for the design and manufacture of components compliant with Industrial Cyber Security standards is based on the technical compliance of the product with the requirements of IEC 62443, and also paves the way for subsequent certification processes of OT Cyber Security.
The activities recommended by the IEC 62443 standards focus on the development of Threat Modeling, the drafting of product specifications, testing procedures, the implementation of the Security Plan, the review and auditing of artifacts and the overall product.
The OT Security Lifecycle development consultancy includes a series of modular activities that make it easier for component manufacturers to comply with IEC 62443 standards:
- Development of Threat Modeling. IEC 62443-4-1 requires the identification of threats to investigate how security measures might be defeated by attackers. We perform Threat Modeling with the most suitable tools for the specific type of product (software applications, embedded components, IoT or network devices) with the aim of analyzing the robustness of security measures.
- Product Specifications. The security capability resulting from the Threat Modeling and contractual requirements must be indicated in a technical safety specification, in which, to facilitate the work of the manufacturer, we include each safety requirement to be implemented from the initial design onwards.
- Test Procedures. To validate cybersecurity requirements, the product must be tested according to IEC 62443-4-1; we conduct type tests outlining the product testing methods in a procedure that accompanies the test report we issue to the manufacturer.
- Security Plan for Component Manufacturers. Component manufacturers are the quintessential suppliers according to IEC 62443. For this reason, with our support, the OT component manufacturer can implement the cybersecurity processes described in the lifecycle of the IEC 62443-4-1 standard, with the possibility of certifying the process according to the ISA/IEC standards.
- Support for Artifact Compliance. When implemented in product development, the IEC 62443-4-1 standard requires evidence of the artifacts developed for each product. This includes threat modeling and risk assessment, cybersecurity specifications, testing procedures, design documentation, patch development and implementation, and activities and documentation that we produce entirely for the manufacturer.
- Product Review. To ensure compliance with the standards, it is recommended to perform a high-level audit to identify the prerequisites for the component’s Cyber Security certification. We review the high-level security level of a specific product according to the requirements of IEC 62443-4-2, with the aim of informing the product manufacturer whether it is appropriate to start a certification program or to perform a more detailed verification.
- Security Audit. To start an ISASecure® certification program, it is important to verify at a high level that the processes required by IEC 62443-4-1 have been addressed and implemented by the manufacturer within its management system, and demonstrate that the security program is active within its organization. We verify the presence of all the processes required by the 8 standard practices established by IEC 62443 and, consequently, the suitability to start a certification process. In case of critical issues, we propose corrective and preparatory solutions for the product certification process according to ISA/IEC standards.
The activities for the OT Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request.
In IEC 62443/ISA 99 terms, an OT system is defined as a “control system,” that is, a hardware or software component intended to be integrated into a final industrial automation and control system. PLCs, HMIs, SCADA systems, and safety instrumented systems are examples of OT systems.
The legislative references in the IEC 62443 standard directed at OT device manufacturers are found in IEC 62443-4-1 and IEC 62443-4-2 regarding the design requirements in conformity with legislation for systems, sub-systems, or hardware or software components.
As defined in IEC 62443-4-1, the manufacturer is required to implement certain cyber security practices when developing the product:
- Specification of Security Guidelines
- Security by design
- Secure Implementation
- Security V&V Testing
- Security Guidelines
Why Choose us
- We have gained experience in the OT Cyber Security field since 2014
- We test every solutions thanks to our in-house OT Cyber Security laboratory
- Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
- Automation and OT Network Security are some of our most performing competences
- We have bulit a wide network of partnerships with the main international OT solution suppliers
- Our BYHON internal division is the ISASecure® accredited certification body
What some of our customers say about us
"Their flexible and innovative approach to Cyber Security Risk Assessment had been the key for the success of our conformity project according to IEC 62443 standards."
"We recommend H-ON Consulting because they are a firm that shares inspiring values, such as continuous professional growth and innovation seeking."
"The collaboration was a very successful experience for both companies."
"The biggest benefit our company received working with H-ON Consulting was a combination of on-going flexibility and most of all speed of delivery."
Sirio Sistemi Elettronici
"We highly recommend H-ON Consulting service for their expert industrial knowledge concerning machines, process, digital data."