IEC62443-3-3 certification process

In an increasingly connected world, cybersecurity is a critically important issue. Given the need to protect companies' infrastructures and their production processes, industrial cybersecurity is increasingly being demanded by companies as a requirement to be part of their supplier network. 

When looking for solutions to secure industrial assets, there are several approaches. On the one hand, by being more practical or immediate, which will solve a given problem. On the other hand, by being more extensive, which means that a specific procedure must be followed to add cybersecurity as part of the process.

Compliance with cybersecurity standards brings together, in a way, the two approaches mentioned above, ensuring that cybersecurity is an integral part of the company's lifecycle, and ensuring that the necessary measures are implemented to address any shortcomings detected in the implementation process.

Among existing cybersecurity standards, IEC 62443-3-3 is an international standard that specifically addresses the security of industrial control systems. This standard provides a comprehensive approach to identify and mitigate cybersecurity risks in industrial control systems to ensure their integrity, availability and confidentiality. Next, we will explore the IEC 62443-3-3 certification process and how it can help protect industrial control systems against cyber-attacks and other cyber security threats. 
 

IEC 62443 family of standards

The family of standards that make up IEC 62443 may seem overwhelming at first, but by focusing on the scope of application of interest to the enterprise, it will be easier to identify the section of the family that will provide the greatest benefit to the cybersecurity of assets or systems. The IEC62443 family is divided as follows:

- Structure of IEC62443 organized by application areas. Source. -

As can be seen in the image, there are four main areas of application for IEC 62443, the first two being more generic. In the case of most companies, the focus of interest will be on securing systems (manufacturing plants or production lines) or components (end products with industrial applications).

IEC 62443-3-3 Certification

In order to better understand the requirements of the standard and the needs to be addressed throughout the certification process, it is necessary to establish a context.

IEC 62443-3-3 establishes two main areas of requirements, documentary or procedural requirements (which it delegates to IEC 62443-4-1) and security requirements, which must be met with technical implementations. 
 

Maturity levels and security levels

The start of this IEC 62443-3-3 certification process involves defining the maturity level objectives of the safe design life cycle (SL) and the security level of the system to be protected (SL).

The different maturity and security levels are explained below:

The security levels seek to prevent the leakage of unauthorized information and are classified according to the casuistry of these leaks:

• SL 1 – through casual exposure.
• SL 2 – by an actively searching entity with few resources, generic skills and low motivation. 
• SL 3 – by an actively searching entity, using sophisticated methods with moderate resources, specific IACS skills and moderate motivation.
• SL 4 – by an entity in active search, using sophisticated methods with extensive resources, specific IACS skills and high motivation.

On the other hand, they also present different levels of maturity:

• ML 1 – The organization executes product design processes in an ad-hoc and undocumented manner.
• ML 2 – The organization has the capability to manage product design following written policies.
• ML 3 – The organization is able to execute its processes in a repeatable manner throughout the organization. The processes have been employed repeatedly and there is evidence to support this.
• ML 4 – Using appropriate process metrics, the organization is able to monitor process effectiveness and product performance and demonstrate continuous improvement in these areas.

While the target security level can be set to meet the security needs of the organization, the certification process requires that the maturity level of the document system is at least ML2, i.e. documented processes are in place for the various areas of the secure design cycle.

Scope of certification

Once the target security level to be achieved has been established, it is necessary to specify the target system to be secured and, therefore, certified. Although it seems a simple task, the definition of the scope involves several headaches, and is one of the tasks that will most affect the process, since it will determine which devices and processes are considered part of the system. These must comply with the requirements established by the standards.  

GAP Analysis

Once the scope has been defined, it is essential to have a status report of the documentary system and the security of the systems in reference to the requirements established by the standards.

This process is very important to be able to plan and establish the different tasks and deliverables that must be addressed to meet the requirements imposed by the standards, according to the selected target levels.

The GAP analysis, or gap analysis, is the first task where the certification process bifurcates, establishing separate paths for the documentation section (covered by IEC 62443-4-1) and the security requirements section (covered by IEC 62443-3-3).

Once there is a clear picture between the requirements established by the standard and the company's current capabilities, it is necessary to establish an action plan to generate the documentation and implement the necessary security measures. 
 

IEC62443-4-1 implementation and audit

In order to comply with the requirements of IEC62443-4-1, a document guide is not established, but the contents are defined, which, broadly speaking, should cover:

• Security management: procedures that describe and define safe development, (responsibilities, profiles, good practices and safe development environments).
• Product security: procedures describing and defining different aspects of security (potential threats, secure design principles, implementation and verification of security measures).
• Lifecycle management: procedures describing and defining management and continuous improvement (security incident management, security update management, system hardening management).

Once the necessary documents have been developed, a statement of requirements applicability (SOA) should be generated and the available documentation should be related to the requirements being addressed.

It is advisable to perform an internal audit prior to the certification audit to ensure that all requirements have been covered and that all necessary documentation is available.

Once the audit has been carried out, if it is favourable, a certificate will be issued certifying that the document system has met a certain ML for the established scope. Otherwise, the certification process must be carried out again, focusing on those requirements that have not been met. 
 

IEC62443-3-3 implementation and audit.

The implementation of measures to meet the requirements of IEC62443-3-3 has a more practical approach and is mostly focused on the implementation of technological measures or configuration changes in the assets that make up the system.

However, there are certain documentary requirements:

• System Description (SUC): this document should describe in detail the system to be certified, especially concerning inbound and outbound communications with the outside, and its corresponding interfaces.
• Risk analysis: a documented risk analysis of the system and its components is required.
• IEC62443-4-1 certification: as mentioned above, IEC62443-3-3 requires certification of the safe development cycle.

Once the documentary needs have been covered, security measures that address the following groups of requirements must be implemented:

• Common security constraints of control systems: covers requirements that ensure that security measures do not interfere with physical security measures.

• Identification and authentication: requirements related to user and application access and authentication.

• Usage control: requirements related to the roles and privileges assigned to users or applications.

• System integrity: requirements related to measures to ensure the integrity of systems and communications.

• Data confidentiality: requirements related to measures to ensure the confidentiality of data both in storage and in transit.

• Data flow restrictions: requirements related to measures to ensure network security and secure network architectures. 

• Timely response to events: requirements related to measures to ensure security event management and logging of user and application actions.

• Resource availability: requirements related to measures to ensure the availability of systems and communications.

Again, once the measures necessary to comply with the requirements have been implemented and the appropriate documentation is in place, it is advisable to carry out an internal audit prior to the certification audit.

Finally, once the certification process has been passed, the secure system certificate will be obtained in accordance with IEC62443-3-3 for the defined scope, which will guarantee that the system has the necessary measures and processes for the established level of security.

Conclusions

The certification process associated with the IEC 62443-3-3 standard is a fundamental step in providing guidelines for industrial organizations seeking to verify their cybersecurity measures. Through this process, organizations can assess and improve their security practices, identify potential risks and vulnerabilities, and establish appropriate protective measures.

In short, this process provides a robust framework for assessing and improving both the maturity and technical details related to industrial cybersecurity.