How to assess the cybersecurity of an industrial product under the IEC 62443 scheme?

Posted by: Javier Tallón

The IEC 62443 standard is the main international reference framework for the cybersecurity of industrial systems and specifies a series of measures against cyber-attacks. It also provides a lingua franca for the industrial ecosystem (manufacturers, integrators and test laboratories). It is the only reliable solution for testing the cybersecurity of components in the field of industrial automation.

International standards are based on industry best practices and are reached by consensus. Implementing IEC 62443 can mitigate the effects of cyber-attacks and often prevent them, strengthening security throughout the product lifecycle and reducing costs. The main objective of this standard is to simplify trade between participating countries and increase the compatibility of international standards.

This methodology provides, among others, these advantages:

  • Improving component cybersecurity
  • Anticipating the regulatory requirements that will arrive in the coming years
  • Improving cybersecurity awareness within the company

There are two main standards, IEC 62443-4-1 and IEC 62443-4-2, focused on industrial product cybersecurity.

Main differences between IEC 62443-4-1 and IEC 62443-4-2

  • IEC 62443-4-1 is based on four maturity levels, while IEC 62443-4-2 is based on four security levels.
  • It is mandatory to first obtain IEC 62443-4-1 certification if you want to be certified under IEC 62443-4-2.
  • IEC 62443-4-1 is focused on secure product development and the product lifecycle, while IEC 62443-4-2 is focused on the technical security requirements for IACS components, in particular embedded devices, network components, host components and software applications.
  • IEC 62443-4-1 covers a total of 47 requirements divided into 8 practices; IEC 62443-4-2 covers 140 requirements.

Which actors take part in the evaluation process?

The certification process is not simple and can take several months of effort to complete. For this reason, we recommend using a reputable laboratory. The workload is also considerable for the client, since, mainly in the first part, the client has to justify which requirements of each standard it complies with and how it meets them.

There are three main actors involved in this process:

  • Applying company: the company that wants to certify the product.
  • CBTL (the laboratory where the tests are carried out): an accredited lab is necessary to carry out the evaluation.
  • NCB or CB (the certification body): it validates the reports sent by the lab.

Flowchart of the certification process

In this section we highlight the most important stages of the certification process. The graphic makes the steps to follow clearer.

At the top are the functions that depend on the applying company, and at the bottom those that depend on the laboratory or NCB/CB.

As can be seen, many of the activities depend on the client.

Important documentation required in the process

Some documents must be produced by the client, others by the lab, and just one by the CB/NCB.

At the beginning of the process, the client must declare at which maturity level (4-1) or security level (4-2) it wants the product to be assessed. After that, the client must write a Conformity Statement, which describes how each requirement is fulfilled.

Once the evaluation is done, the lab fills in the TRF (Test Report Form) with the information provided by the customer. The TRF is the output of the evaluation process and is submitted to the NCB.

The NCB/CB is the body in charge of issuing the certificate.

How can we help you achieve IEC 62443-4-1 and IEC 62443-4-2 certification?

We strive to smooth the process and make it as simple as possible, minimizing the workload for our clients. We can also highlight that:

  • We are editors and leaders of the ERNCIP thematic group for "Industrial Automation & Control Systems (IACS)".
  • We are members of the SCCG (Stakeholder Cybersecurity Certification Group).
  • We are an IECEE CB accredited laboratory for industrial cybersecurity.

If you want more information, do not hesitate to contact us.

Javier Tallón / Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes (up to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a cybersecurity lecturer, teaching Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company carries out most of its work. A recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple congresses.
