IEC 62443 Consulting
Start your Cyber Security journey with Risk Assessment
Request a detailed analysis of the cyber risk with the IEC 62443 method.
The protection of critical infrastructures and key resources is essential for security and productivity, which is why the Cyber Security Risk Assessment service is based on the pillars of the IEC 62443 standard, which sets down a systematic method for managing cyber risks at industrial plants.
The ICS Risk Assessment service provides a two-step path of modular analysis:
- High Level Risk Assessment. Development of high-level IEC 62443 risk assessment according to the process described in IEC 62443-3-2, including business logic.
- Low Level Risk Assessment. Preparation in detail of the risk assessment according to the process described in IEC 62443-3-2, after a high-level risk assessment. The detail is based on the high-level result only for the most critical assets.
In particular, the detailed analysis covers the threats to which the systems are exposed. The analysis focuses on several factors, such as the vulnerabilities already known, their complexity, what countermeasures and procedures have been adopted previously and whether there are operational practices already in place for the correct management of the human factor, often the main vehicle of cyber attacks.
This information is then used for the correct drafting of the Cyber Security Specifications for the protection of the most critical assets installed at the plant.
Try our consulting options to reach your goals.
Develop the OT Security Lifecycle according to IEC 62443 standards
Discover our consulting options for the Security Lifecycle.
The implementation of the lifecycle for the design and manufacture of systems compliant with Industrial Cyber Security standards is based on the technical compliance of the system, machine or plant, with the requirements of IEC 62443, and also paves the way for subsequent certification processes of OT Cyber Security.
The activities recommended by the IEC 62443 standards focus on architecture, policies and testing prior to the installation of automation solutions.
The activities for the OT Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request:
- Security Plan for System Integrators. The security plan refers to the management system documents developed by the integrator for other purposes. We offer support for preparation of the cybersecurity plan to implement the IEC 62443-2-4 requirements, considering the specific contractual scope of the integrator. We also offer consultancy for preparation of the security policies to be implemented for the project, related, for example, to endpoint protection, remote access, backup and patch management.
- Support for System Architecture. The definition of the security architecture takes into account the Zone & Conduit diagram recommended by the standards. We offer advice to support organization of the network and data flow permitted by the security specifications, as proof of compliance with IEC 62443 for a given SL-T.
- Analysis of Cyber Security Requirements. The end customer’s requirements can sometimes be generic or more specific ones beyond the IEC 62443 standard. We offer consultancy on detailed analysis of the requirements and support with their application and the identification of requests that may not be applicable to standard products.
- Test Procedures. The security requirements must be tested at the end of commissioning against the Cyber Security specifications to confirm to the end user, when contractually required, that the project implements these requirements. The procedure we prepare for the integrator covers device configuration review, vulnerability testing, backup verification, patch management and all the security features implemented through the specifications. The procedures for testing are attached to the procedure, if carried out independently by the integrator or, if required, by our specialists.
- Operating Procedures. After preparation and delivery of the project, the user needs safety procedures to make the system work properly and maintain the correct level of safety over time. This involves descriptive procedures on how to perform backup and restore, account management, patch management, monitoring, and all other tasks related to the scope of supply. To meet these needs, we support the integrator and the manufacturer in the preparation of operating procedures in accordance with IEC 62443-2-4.
- Security Plan for Machine and Plant Manufacturers. Manufacturers of machines and large plants are for all purposes suppliers in accordance with IEC 62443 for systems that make up machines configured for specific projects. The more developed the Security Plan is, the more robust the machine is in terms of cybersecurity and the easier the work is even for the system integrator. For this reason, the manufacturer can in turn implement processes that comply with OT Cyber Security with the support of our specialists, and there is the possibility of certifying the process according to ISA/IEC standards.
- Support for Artifact Compliance. When implemented in product development, the IEC 62443-4-1 standard requires artifacts for each specific product developed. This includes threat modeling and risk assessment, cybersecurity specifications, testing procedures, design documentation, patch development and implementation, and activities and documentation that we produce entirely for both the integrator and the manufacturer.
Try our consulting options to reach your goals.
IEC 62443 Certification
Certification of compliance with IEC 62443 standards is the pinnacle to aim for to prove the security of a system, machine or plant intended for large End Users
Discover all the Certification options issued by the ISASecure® Accredited Body.
Our internal BYHON division is accredited by ISASecure® for the issuance of certification according to IEC 62443 schemes.
We implement the compliance verification schemes defined by ISASecure®, with license number ISCI-CL0005, including process verification, Security Development Lifecycle Assurance Certification (SDLA).
The SDLA process scheme is distinctive of ISASecure® certification and preparatory to the assessment of technical compliance of the product – component or system – according to the models of Component Security Assurance Certification (CSA) and System Security Assurance Certification (SSA).
The certification options accredited by ISASecure®, for integrators and manufacturers of machines and systems, are:
- SDLA (Security Development Lifecycle Assurance) certification. Third-party verification with respect to ISASecure® requirements that the IEC 62443-4-1 standard, focused on the Security Plan, is implemented by the certification applicant
- SSA (System Security Assurance) certification. Third-party verification with respect to the ISASecure® requirements that the IEC 62443-3-3 standard is implemented in a standard product solution, of which the application of the SL-T (Zone & Conduit) diagram is verified. The service also includes verification of the conformity of the artifacts to the IEC 62443-4-1 lifecycle. The lifecycle must also be certified together with the application for SSA Certification.
The purpose of the ISASecure® certification service is to perform independent certification showing that a system meets the requirements of the IEC 62443 standard for a given level of security (SL-C). The certification scheme is applied in the most comprehensive manner and as the highest recognition of compliance, with a certificate issued by an ISASecure® accredited laboratory.
In addition, we provide other certification methods, inspired by the Industrial Cyber Security certification schemes according to IEC 62443:
- IEC 62443 Certification. Third-party verification of compliance with the requirements of IEC 62443-3-3 for a standard solution, of which the application of the safety level (SL-T) envisaged in the Zone & Conduit document is verified.
- Inspection and Declaration of Conformity. Third-party evaluation of an automation solution (a system, machine or plant) configured for a specific order in accordance with the requirements of IEC 62443, and considering the applicable SL-T requirements. The service includes the review of the project documentation and an inspection at the installation site to test the plant before delivery to the end user. The result is a test report with declaration of conformity issued by BYHON.
The purpose of the IEC 62443 certification service and inspection service is to perform an independent certification that validly and demonstrably evidences the compliance of a system or machine with the requirements of IEC 62443 for a given level of security (SL-C), again guaranteeing the parameters of security, integrity, availability and confidentiality.
Discover our certification options to reach your goals.
IEC 62443 Training
Plan your company on-the-job training on OT Cyber Security requirements
The IEC 62443 standard suggests that the personnel involved in designing industrial devices and systems must acquire practical skills on how to apply the requirements to products to be put on the market.
You can never know how efficient a safety system is until it is put to the test. Automation is quickly growing and integration between IT technology and OT technology is increasing daily with an enormous amount of data going from OT (Operations Technology) to IT (Information Technology) and vice versa.
We are certain that industrial system safety cannot be guaranteed without appropriate cyber protection. This means that PLCs, HMIs, SCADAs and all automation and control devices must be protected from potential attacks.
In order for all this to be possible, personnel involved in safety and automation must be appropriately trained to understand and prevent cyber risks related to industrial networks and devices.
The goal of our Industrial Cyber Security training is to support you in acquiring key skills to manage machinery and system design according to IEC 62443 standard requirements.
We provide targeted training programs for personnel involved in the manufacturing process in order to understand the conformity requirements of systems and machineries.
Both online and in-person training days can be organized based on what is needed and the number of participants.
The training program develops on the job, as it theoretically and practically follows company roles through the entire device design stage in conformity with IEC 62443 requirements.
Training sessions are given by IEC 62443/ISA 99-certified specialists and are based on the pillars of Industrial Cyber Security:
- General IEC 62443 standard requirements
- Policies and procedures for compliant industrial control systems
- Allocating safety levels of systems designed in conformity with the standard
The skills acquired during the training course are preparatory both to implement Cyber Security best practices in the design cycle as well as to the possibility of IEC 62443 certification for the industrial components or systems developed.
The skills acquired can be used to immediately manage these issues within your organization. The participation is proved by the certificate of attendance.
Find out the benefits of the on-the-job training.
Faq
- Specification of Security Guidelines
- Security by design
- Secure Implementation
- Security V&V Testing
- Security Guidelines
Recommended Posts
Why choose us
We have gained experience in the OT Cyber Security field since 2014
We test every solutions thanks to our in-house OT Cyber Security laboratory
Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
Automation and OT Network Security are some of our most performing competences
We have bulit a wide network of partnerships with the main international OT solution suppliers
Our BYHON internal division is the ISASecure® accredited certification body