Ask this service to upgrade OT Product Security

OT solutions with the highest market potential are designed in accordance with IEC 62443 standards.
For products that are already designed (software applications, embedded components, IoT or network devices), our technical support team can help modify the product to increase its security capacity, in accordance with the SL-T objectives required by the IEC 62443 standard.
With regard to upgrading the product, advice can be given on the flow of data within the component and related authentication and encryption, and on selection of the protocols, hardware and operating system.
A security specification is prepared based on our consultancy that provides the people responsible for design with key information on how to meet the requirements of OT Cyber Security of the market.

Try our consulting options to reach your goals.

Develop the OT Security Lifecycle according to IEC 62443 standards

Lifecycle development in accordance with OT Cyber Security standards. The IEC 62443 standard states that the security of a component passes first of all through specific plans, procedures and artifact control.
The implementation of the lifecycle for the design and manufacture of components compliant with Industrial Cyber Security standards is based on the technical compliance of the product with the requirements of IEC 62443, and also paves the way for subsequent certification processes of OT Cyber Security.
The activities recommended by the IEC 62443 standards focus on the development of Threat Modeling, the drafting of product specifications, testing procedures, the implementation of the Security Plan, the review and auditing of artifacts and the overall product.
The activities for the OT Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request:

• Development of Threat Modeling. IEC 62443-4-1 requires the identification of threats to investigate how security measures might be defeated by attackers. We perform Threat Modeling with the most suitable tools for the specific type of product (software applications, embedded components, IoT or network devices) with the aim of analyzing the robustness of security measures.

• Product Specifications. The security capability resulting from the Threat Modeling and contractual requirements must be indicated in a technical safety specification, in which, to facilitate the work of the manufacturer, we include each safety requirement to be implemented from the initial design onwards.

• Test Procedures. To validate cybersecurity requirements, the product must be tested according to IEC 62443-4-1; we conduct type tests outlining the product testing methods in a procedure that accompanies the test report we issue to the manufacturer.

• Security Plan for Component Manufacturers. Component manufacturers are the quintessential suppliers according to IEC 62443. For this reason, with our support, the OT component manufacturer can implement the cybersecurity processes described in the lifecycle of the IEC 62443-4-1 standard, with the possibility of certifying the process according to the ISA/IEC standards.

• Support for Artifact Compliance. When implemented in product development, the IEC 62443-4-1 standard requires evidence of the artifacts developed for each product. This includes threat modeling and risk assessment, cybersecurity specifications, testing procedures, design documentation, patch development and implementation, and activities and documentation that we produce entirely for the manufacturer.

• Product Review. To ensure compliance with the standards, it is recommended to perform a high-level audit to identify the prerequisites for the component’s Cyber Security certification. We review the high-level security level of a specific product according to the requirements of IEC 62443-4-2, with the aim of informing the product manufacturer whether it is appropriate to start a certification program or to perform a more detailed verification.

• Security Audit. To start an ISASecure® certification program, it is important to verify at a high level that the processes required by IEC 62443-4-1 have been addressed and implemented by the manufacturer within its management system, and demonstrate that the security program is active within its organization. We verify the presence of all the processes required by the 8 standard practices established by IEC 62443 and, consequently, the suitability to start a certification process. In case of critical issues, we propose corrective and preparatory solutions for the product certification process according to ISA/IEC standards.

Try our consulting options to reach your goals. 

The certification of conformity to IEC 62443 standards is the pinnacle to aim for to prove the cybersecurity of a component

Discover all the Certification options issued by the ISASecure® Accredited Body.
Our internal BYHON division is accredited by ISASecure® for the issuance of certification according to IEC 62443 schemes.
We implement the compliance verification schemes defined by ISASecure®, with license number ISCI-CL0005, including process verification, Security Development Lifecycle Assurance Certification (SDLA).
The SDLA process scheme is distinctive of ISASecure® certification and preparatory to the assessment of technical compliance of the product – component or system – according to the models of Component Security Assurance Certification (CSA) and System Security Assurance Certification (SSA).

The certification options accredited by ISASecure® for component manufacturers are:

• SDLA (Security Development Lifecycle Assurance) certification. Third-party verification with respect to ISASecure® requirements that the IEC 62443-4-1 standard, focused on the Security Plan, is implemented by the certification applicant
• CSA (Component Security Assurance) certification. Third-party verification with respect to the ISASecure® requirements of the IEC 62443-4-2 standard for the component, of which the application of the SL-T (Zone & Conduit) diagram is verified. The service also includes verification that the artifacts have been developed according to the lifecycle in compliance with IEC 62443-4-1. The lifecycle must also be certified together with the application for CSA Certification. Multiple and different certification requirements may apply depending on the specific product type (embedded, host, software device and network device or a combination thereof).

In addition, we provide other certification methods, inspired by the Industrial Cyber Security certification schemes according to IEC 62443:

• IEC 62443 Certification. Third-party verification with respect to the usual requirements of IEC 62443-4-2 for a standard product, of which the application of the SL-T (Zone & Conduit) diagram is verified.

The purpose of the IEC 62443 certification service is, therefore, to perform an independent certification that validly and demonstrably evidences the compliance of a component with the requirements of IEC 62443 for a given level of security (SL-C), again guaranteeing the parameters of security, integrity, availability and confidentiality.

Discover our certification options to reach your goals.

Plan your company on-the-job training on OT Cyber Security requirements

The IEC 62443 standard suggests that the personnel involved in designing industrial devices and systems must acquire practical skills on how to apply the requirements to products to be put on the market.
You can never know how efficient a safety system is until it is put to the test. Automation is quickly growing and integration between IT technology and OT technology is increasing daily with an enormous amount of data going from OT (Operations Technology) to IT (Information Technology) and vice versa.
We are certain that industrial system safety cannot be guaranteed without appropriate cyber protection. This means that PLCs, HMIs, SCADAs and all automation and control devices must be protected from potential attacks. In order for all this to be possible, personnel involved in safety and automation must be appropriately trained to understand and prevent cyber risks related to industrial networks and devices.
The goal of Industrial Cyber Security Training Program according to IEC 62443 for Component Supply is to support you in acquiring key skills to manage component design according to IEC 62443 standard requirements.
We provide targeted training programs for personnel involved in the manufacturing process in order to understand the conformity requirements of systems and hardware or software components.
Both online and in-person training days can be organized based on what is needed and the number of participants.
The training program develops on the job, as it theoretically and practically follows company roles through the entire device design stage in conformity with IEC 62443 requirements.
Training sessions are given by IEC 62443/ISA 99-certified specialists and are based on the pillars of Industrial Cyber Security:

• General IEC 62443 standard requirements
• Policies and procedures for compliant industrial control systems
• Allocating safety levels of components and systems designed in conformity with the standard

The skills acquired during the training course are preparatory both to implement Cyber Security best practices in the design cycle as well as to the possibility of IEC 62443-certifying the industrial components or systems developed.
The skills acquired can be used to immediately manage these issues within your organization. The participation is proved by the certificate of attendance.

Contact us to realize the benefits of the on-the-job training.