ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

IEC 62443: what does it mean for you?

By 8 June 2023 August 30th, 2023 Blog
IEC 62443

Introduction

Nowadays, we are seeing that cyberattacks are increasingly often aimed at industrial environments and critical infrastructure. The impact of these attacks affects primary production processes of organizations and can thus have a significant impact on society. For example, think of the consequences of a production shutdown, operation rooms that cannot be used, or the consequences of substandard level of drinking water quality. In each of these examples, the results of a cyber incident cause societal disruption.
In addition to this expanding and quickly changing threat landscape, the industrial sector is also faced with updated regulations, named NIS 2. This directive in implemented in the Netherlands in 2023, in the so-called Wbni (Security of Network and Information Systems Act). Despite not all details being clear now, it is clear that corporate management’s responsibility, risk control and third-party risk management are important parts of the regulations.

The combination of changes in the threat landscape and rules and legislation on one hand, and the digital transition on the other hand create various cybersecurity issues that need to be solved. Think of cases such as: how is production data from an OT environment shared with a Corporate IT environment? And how are vendors granted remote access to supplied systems and/or units? What is clear, is that OT and IT landscapes are increasingly connected. And that poses additional risks.

Integrated approach

Tackling these issues calls for a comprehensive approach to cybersecurity in both the Corporate IT and OT environments, but also requires an integral cooperation between the different operational teams.

A risk-based approach will map the cyberthreats and risks. This results in an overview of the necessary security measures, set out along a roadmap. In this way, the right measures can be implemented in a cost-efficient way at the right time.

Just like ISO 27001 or NEN 7510 form a solid starting point for IT environments, a security framework such as IEC62443 is a good starting point for industrial environments to bring these cybersecurity measures in order and be well-prepared for the new NIS 2 directive.

What is IEC62443?

IEC 62443 is an international cybersecurity standard for the protection of Industrial Automation and Control Systems (IACS). The standard describes a framework of security measures that companies can implement to reduce the risks of cyberattacks on their IACS.

IEC 62443 is made up from four parts: an overview of the standard, security requirements at the system level, security requirements for system implementation and security requirements for system maintenance. In addition, the framework contains guidelines for performing risk assessments and setting up a security maintenance program.

Implementing IEC 62443 provides advantages to organizations that use industrial automation and control systems. For one, it can help reduce the risk of cyber attacks and improve the systems’ security. It also serves as a good starting point for following rules and legislation such as NIS 2.

Although IEC 62443 is aimed at IACSS (Industrial Automation and Control Systems), the principles and measures described in the standard can of course also be applied to other systems and networks. Substantively, IEC 62443 and ISO 27001 do not differ much, only the field of application is different, traditional IT systems and networks (and information security in the broader sense) as opposed to industrial systems. This can help to improve an organization’s cybersecurity as a whole.

Where do you begin if you want to implement IEC62443?

A lot of organizations wish to be compliant with a framework but lack the tools to proceed to implementation. For this reason, we will list a number of steps that can be taken to implement the IEC 62443 security framework in an organization:

  1. Determine the scope: Identify the IACS systems and network that fall within scope of the implementation. This could be SCADA systems, industrial controllers, and networks that connect these systems with each other.
  2. Perform a risk assessment: Identify the possible risks these systems and networks face, and their impact on the organization and its customers. This helps deciding the priority of the various measures you can take to reduce these risks.
  3. Set up an information security management system (ISMS): This is a process with which you can manage the security risks of IACS systems. The ISMS is designed around identifying, analyzing and assessing the security risks and taking suitable security measures.
    Comment: have you already set up an ISMS under ISO 27001, then that can be used.
  4. Implement the IEC 62443 measures: This encompasses the various technical and organizational security measures described in the distinct parts of the IEC 62443 standard. Depending on the chosen Security Level, certain measures will be more or less necessary.
  5. Training and creating awareness: It is important to train employees and make them aware of the security risks and how to avoid them. This includes, among others, training in phishing, password policy, and how to respond to suspicious activity.
    Also letting operational teams in OT and Corporate IT is imperative to bridge differences and gaps in information exchange.
  6. Regularly perform audits and assessments: Regular audits and assessments help to check whether the IEC 62443 measures are effective and to identify any possible areas of improvement.

The IEC 62443 framework’s implementation can be challenging and sometimes even complex, so it can be convenient to hire external expertise to help you with the process. We will happily talk to you about this, no strings attached.