Download document () of 20
Send email
Download
You have exceeded the download limit
This alone shows just how important the topic of cybersecurity has become for industrial facilities (industrial cybersecurity). These threats are set to increase in the coming years: This is because industry is becoming increasingly immersed in digitalization, as the trend moves toward a fully networked and automated industry (Industry 4.0). This creates new targets and entry points for cyber criminals and attackers that penetrate deep into the company and into the manufacturing environment - cyberattacks can therefore have a serious impact for entire corporate networks.
Various international standards exist to safeguard industrial cybersecurity and to be able to certify companies as well as products accordingly. The most well known and important standards in this context are the IEC 62443 and UL 2900 series of standards.
IEC 62443 is a comprehensive standard with a high level of detail that is mainly used in the European market, while UL 2900 is a practice-oriented standard and relevant primarily to the North American market. Although IEC 62443 and UL 2900 are different, they can be used in complement to each other.
IEC 62443 focuses specifically on industrial cybersecurity, i.e. cybersecurity for industrial automation and control systems (IACS). The standard defines a variety of criteria and requirements for IT security in the relevant networks, systems and components. IEC 62443 covers both the functional requirements for systems and components and process-oriented methods for increasing IT security for operations, systems integration and product development. The standard is targeted at manufacturers, integrators and operators of industrial automation and control systems.
Get every important blog post or new information Eaton is pulishing for machine and systembuilders.
The UL 2900 series of standards provides companies with a set of criteria for measuring and evaluating the security of products, the technologies used and the risk that vulnerabilities could be exploited. The series of standards includes general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical devices (UL 2900-2-1), industrial systems (UL 2900-2-2) and safety and life safety signaling systems (UL 2900-2-3).
The aim of IEC 62443 is to enable the secure implementation of industrial control systems (ICS) with regard to cybersecurity and to ensure their secure operation by means of corresponding rules, procedures and technical reports. Compliance with IEC 62443 increases cybersecurity in production and the automation components and systems that are used there. In addition, companies can use IEC 62443 to check potential vulnerabilities in their control and automation systems and facilities and develop protective measures.
The IEC 62443 series of standards is divided into four basic areas:
Two further areas are currently in progress: Part 5 describes profiles that support the application of the standard in various domains, for example industrial automation, process industry, medical or railroad technology. Part 6 specifies methods of evaluation.
In part 1-1, IEC 62443 describes general basic concepts with which security goals such as availability and integrity are to be ensured.
A key concept here is Defense-in-Depth. This refers to the protective measures that are implemented at various levels of a network or a system. Due to the multi-layered structure, an attacker will have to overcome not one but several security measures to reach his target.
Zones and Conduits
An important element of Defense-in-Depth is the division of the enterprise network into different security zones. Each security zone and conduit is assigned a security level (SL-T) to be implemented. It is assumed that the respective assets in the zone have a comparable need for protection or are exposed to a comparable risk. To secure the flow of information into and out of a security zone, so-called communication lines are defined. In IEC 62443, the connections between security zones are called "conduits". Each connection is protected, for example by its own firewall.
PDCA cycle
IEC 62443 also stipulates that all parties involved review cybersecurity as part of a continuous improvement program, which in principle follows the PDCA cycle. PDCA stands for "Plan-Do-Check-Act".
Running the appropriate PDCA cycle on a regular basis by operators, manufacturers and integrators can minimize the attack surface for current threats.
Security-Level
IEC 62443 defines security levels that are used to classify security zones and conduits in terms of their IT security. This makes it possible to specify how high the security requirements are for the relevant parts of the facility - starting with Level 1 and very basic requirements and going all the way up to Level 4 with protective measures for, for example, government institutions.
Maturity Level
Maturity levels take into account the maturity of organizational processes and employees. These reflect the level of procedural compliance with the relevant guidelines and the level of experience with regard to their application.
ICS development, implementation and operation in accordance with IEC 62443 enables companies and manufacturers to protect themselves in the best possible way against cyberattacks and improve the overall security of their production. Furthermore, IEC 62443 certification confirms that operators, integrators or manufacturers comply with the relevant security standards and comprehensively consider cybersecurity in their facilities, products and processes. This simultaneously minimizes the risk of faults, system shutdowns and damage to the company's reputation. Identifying and eliminating digital vulnerabilities up front reduces costs and risks.
Eaton is the first company in the world to have its development processes evaluated and certified to UL 2900 and IEC 62443. The power management company has implemented a secure development lifecycle process (SDLC) that extends from product design to deployment and maintenance to ensure a high level of cybersecurity at every stage of the product lifecycle. Every product developed or sold by Eaton passes through the secure development lifecycle. Examples of certified products are the Gigabit Network Card and the Industrial Gateway Card: Both have IEC 62443-4-2 cybersecurity certificates and also meet UL 2900-1 standards. These products enable easy networking of single- and three-phase UPS systems in data centers, commercial and industrial facilities. They thus ensure the security of the power supply by protecting it against cyberattacks.
Cybersecurity standards are becoming ever more important at all levels. Companies that integrate cybersecurity-certified components into their systems today are thus well equipped to meet the requirements of the future. Eaton outlines additional measures users can take to protect industrial control systems and automation components from cyberattacks in the white paper "Cybersecurity considerations for industrial control systems."
Contact our team or sign up to ask questions and stay up-to-date on news, product updates and industry trends.
