IEC 62443 Requirements and What They Mean for IoT Security

SHLOMIT CYMBALISTA

December 8, 2022

What Is IEC 62443?

The International Electrotechnical Commission (IEC) 62443 is a set of cybersecurity standards for industrial automation and control systems (IACS). This series contains several sections dealing with process and technology-related aspects of securing automation and control systems. 

IEC 62443 categorizes security topics based on stakeholders and roles, including IACS product manufacturers, service providers, and operators. Individuals and organizations in each role should follow the specified risk-based approach to preventing and mitigating security risks.

A Breakdown of the IEC 62443 Standards 

There are four parts to the IEC 62443 standards. The first part covers common topics for the whole standards series. The second part covers IACS security processes and techniques. The third part defines system-level requirements, while the fourth part details IACS product and component requirements.

The standards propose a cybersecurity management system (CSMS) with the following elements:

  • Initial risk assessment and prioritization. 
  • Detailed technical risk assessment.
  • Creation of security policies. 
  • Identification and implementation of countermeasures. 
  • Maintenance of the CSMS program. 

Here is a brief outline of the key IEC 62443 standards: 

  • IEC 62443-1-1 defines IACS security concepts and terminology. 
  • IEC 62443-2-1 defines the necessary elements for an IACS program and CSMS, offering recommendations for achieving these elements. 
  • IEC 62443-2-3 addresses security for IACS vendors with IACS patch management programs. It recommends a format for sharing security patch information, although it is also useful for other updates and patches unrelated to security. 
  • IEC 62443-2-4 addresses security capabilities that IACS service providers must offer asset owners when integrating and maintaining the solution. 
  • IEC 62443-3-1 covers IACS security technologies, including available tools and mitigation measures. It assesses these security controls and their benefits and drawbacks for securing critical infrastructure environments. 
  • IEC 62443-3-2 shows how to define a System Under Consideration (SUC), which is a regulated IACS system. This definition involves breaking up the regulated system into units called conduits and zones, making it easier to assess risks to different parts of the system. In addition, this standard specifies how to design, implement, and operate an IACS system using security best practices and standard engineering practices, identify risks to the system, and apply countermeasures.
  • IEC 62443-3-3 defines technical control system requirements related to the foundational requirements outlined in IEC 62443-1-1. These requirements are useful for various IACS stakeholders. End-users can apply them to an integrated IACS or leverage an automated solution. 
  • IEC 62443-4-1 defines the requirements for building secure IACS products and components, including secure development lifecycle requirements. It recommends security requirements including secure coding and patch management guidelines. 
  • IEC 62443-4-2 defines technical requirements for control system components. Each component can reach a certain security level, based on the requirements the organization chose to implement. 
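
To make the zone and conduit partitioning from IEC 62443-3-2 concrete, the following added example (not taken from the standard or from the original article) checks observed network flows against a zone/conduit model. The asset names, zones, ports and flows are constructed, and representing a conduit as a directional zone pair with a set of permitted ports is a simplifying assumption.

```python
# Added illustration: asset names, zones, conduits and flows are constructed.
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


# Asset -> zone assignment for a hypothetical System Under Consideration.
ZONES = {
    "hmi-01": "supervisory", "historian": "supervisory",
    "plc-01": "control", "plc-02": "control",
    "erp": "enterprise",
}

# Assumed policy model: (source zone, destination zone) -> permitted ports.
CONDUITS = {
    ("supervisory", "control"): {502},     # Modbus/TCP from HMI to PLCs
    ("enterprise", "supervisory"): {443},  # HTTPS to the historian
}


def audit_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Return (flow, reason) for every flow the zone/conduit model does not permit."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zones.get(f.src), zones.get(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "asset not assigned to a zone"))
        elif src_zone == dst_zone:
            continue  # intra-zone traffic does not cross a conduit
        elif (src_zone, dst_zone) not in conduits:
            findings.append((f, f"no conduit {src_zone} -> {dst_zone}"))
        elif f.port not in conduits[(src_zone, dst_zone)]:
            findings.append((f, f"port {f.port} not permitted {src_zone} -> {dst_zone}"))
    return findings


SAMPLE_FLOWS = [  # constructed observations, e.g. from a flow collector
    Flow("hmi-01", "plc-01", 502),    # permitted conduit and port
    Flow("plc-01", "plc-02", 44818),  # same zone, not evaluated
    Flow("erp", "plc-01", 502),       # enterprise reaches control directly
    Flow("hmi-01", "plc-02", 22),     # right conduit, wrong port
    Flow("laptop-7", "plc-01", 502),  # unknown asset
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.port}  {reason}")
```

Each finding points at a place where the documented partitioning and the running system disagree, which is where the risk assessment for that zone needs to be revisited.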

IEC 62443 Compliance and the Cybersecurity Lifecycle

IACS is an operational technology (OT) that provides an interface for operations processes. This term distinguishes IACS from IT devices that send and receive information. An IACS could be an industrial device like a manufacturing plant or heavy construction equipment.

The IACS cybersecurity lifecycle is a sequence of steps required to ensure the IACS protection measures comply with the IEC standards’ requirements. IACS providers must assess, implement, and maintain each stage of the IACS security lifecycle.

A cybersecurity management system (CSMS) is a set of tasks and practices designed to identify cybersecurity risks and determine the most appropriate countermeasures. The IEC standards cover all stages of the IACS security lifecycle, starting with risk and vulnerability assessment and ending with long-term security maintenance. 

The main stages of the security lifecycle are:

  • Assessment stage—includes activities to identify high-level risks and analyze low-level risks and vulnerabilities. The company defines minimum required cybersecurity measures for every component of the IACS product.
  • Implementation stage—this is where the company defines a CSMS to defend itself against cyberattacks. They adopt policies and procedures to prevent cyberattacks and secure the industrial control system.
  • Maintenance stage—the cybersecurity process requires continuous monitoring and regular maintenance to ensure the system’s security level. These activities are the only way to protect sensitive data and assets from cyber threats, ensuring safety, product quality, and protecting the company from major legal and financial consequences.

What Does IEC 62443 Mean for IoT Security? 

The IEC 62443 standard applies to many types of devices, but it is highly relevant for internet of things (IoT) devices. Let’s take a closer look at two sub-standards that have a major impact on regulated IoT devices.

IEC 62443-4-1 (Secure Development Lifecycle)

This standard specifies requirements to ensure a secure development process for products used in an industrial automation and control system. IEC 62443-4-1 defines the cybersecurity requirements for a security development lifecycle (SDL), with guidance to help companies meet these requirements. The SDL includes the following elements:

  • Defining the security requirements
  • Designing secure systems
  • Implementing security (includes coding guidelines)
  • Verifying and validating the implementation
  • Managing defects and patches
  • Handling the end of the product life cycle 

These requirements may apply to new or established processes to develop, maintain, or retire software, hardware, and firmware.

IEC 62443-4-2 (Technical System Component Requirements)

This standard provides technical component requirements (CRs) for control systems. It relates to the FRs (foundational requirements) defined in IEC 62443-1-1, defining requirements for achieving the security levels of the control system and its components (SL-C).

The seven FRs defined in IEC TS 62443-1-1 are:

  • Identification and Authentication Control
  • Use Control 
  • System Integrity
  • Data Confidentiality 
  • Restricted Data Flow
  • Timely Response to Events
  • Resource Availability 

These FRs form the basis for defining the security capability levels of a control system. This standard’s purpose is to define each component's security capability levels.

Compliance Challenges for IoT Devices  

Achieving IEC 62443 compliance for Internet of Things (IoT) devices is a complex, layered process. The following are two key challenges your organization will probably face when addressing them.

The Black Box Effect

Engineering teams lack visibility into the performance, software flaws and operational problems of IoT devices, both in development environments and in the field. As a result, they cannot easily debug issues, improve quality or even fully understand how the devices are being used. What little information does exist is often siloed and kept in different formats, which prevents standardization and effective collaboration across multiple teams.

As a result, you will find it difficult to:

  • Monitor and identify failed login attempts and automatically track and report these failures.
  • Monitor network activity and IP addresses.
  • Audit and log security events across all platforms and endpoints.
  • Detect unauthenticated activity and attempts to run malware.
  • Store audit data to meet compliance requirements.
  • Monitor all system resources to identify malfunctions and overloads.

No On-device Security

As the rest of the ecosystem continues to evolve at a rapid pace, IoT security is lagging behind. Specifically, it continues to rely on patching and perimeter defenses, lacking the equivalent of on-device (e.g., EDR, XDR) and in-code (e.g., RASP) solutions. This means IoT devices are far behind cloud-native applications and web applications in terms of the available security defenses.

As a result, you will find it difficult to:

  • Harden existing authorization and authentication processes.
  • Apply automated security policies for all processes.
  • Sandbox and monitor processes.
  • Sandbox and monitor suspicious processes.
  • Provide alerts when resource consumption spikes, such as during a DoS attack.

Easily Meet IEC 62443 Requirements with Sternum: Deterministic Security for IoT

Sternum is an IoT security and observability platform, which lets you meet and exceed the security requirements of the IEC 62443 standards, in particular the requirements for robust threat mitigation and a secure development lifecycle.

Embedded in the device itself, Sternum provides deterministic security with runtime protection against known and unknown threats; complete observability that provides data about individual devices and the entire device fleet; and anomaly detection powered by AI to provide real-time operational intelligence.

Sternum operates at the bytecode level, making it universally compatible with any IoT device or operating system including RTOS, Linux, OpenWrt, Zephyr, Micrium, and FreeRTOS. It has low overhead of only 1-3%, even on legacy devices.

Here is how Sternum can help you improve IoT security to meet regulatory requirements:

  • Agentless security - integrates directly into firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure.
  • Automatic mitigation of known and zero-day threats - prevents 96.5% of attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective in dealing with known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection - relies on binary instrumentation, making it able to protect all running code. This extends to 3rd party and operating system libraries, effectively preventing all supply chain exploit attempts. 
  • Protection of isolated devices - does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Live attack information with zero false positives - real-time alert system notifies about all blocked attacks, providing - for each - detailed logs and attack path analysis. The deterministic nature of EIV’s integrity checks ensures that all alerts are always valid.
  • Streamlined compliance - helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST, etc) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.

Better Performance with Autonomous Observability

Gain complete visibility by monitoring and analyzing events in your device or across an entire fleet, from the first line of code and until post-deployment maintenance.

Diagnose software bugs and vulnerabilities by using instrumentation, to pinpoint flaws, gain dynamic profiling and analysis of the software, including third-party code.
