What exactly does IEC 62443-4-1 certification mean?

Herbert Hufnagel: IEC 62443 is the established international cybersecurity standard for the industrial sector, which comprises several sub-standards. IEC 62443-4-1, to which TTTech Industrial has been certified, relates to secure product development and lifecycles. This is more or less the framework - the sub-standard defines the basics for security processes such as risk analyses, documentation and tests. This must first be established in the company and the employees must also live these processes - this does not happen overnight, but takes one to two years.

The implementation of the processes is checked and confirmed by an institute such as TÜV Austria as part of the certification process - this involves training, regular analyses and tests. This is then the basis on the company side and, building on this, you can look at the individual products. In our case, it's about our IIoT platform 'Nerve', which we will have certified according to the IEC 62443-4-2 sub-standard; our customers can then build their application on a certified basis, which they can then certify more easily.

Can you briefly explain the relationship between process and product certification?

During the Covid-19 pandemic, there was a huge leap in the networking of industrial systems, which unfortunately also led to a large number of cyberattacks in the industry. That's why cybersecurity is also very important for us as a supplier, because ultimately it's an issue that affects the entire supply chain. If a company that we supply has to implement the NIS2 directive, then it naturally also requires its suppliers to be able to meet the directive's requirements. We wanted to be able to offer this to our customers as quickly as possible.

We are therefore also aiming for IEC 62443-4-2 certification for Nerve next year: According to the standard, there are also very precise definitions and processes that must be adhered to at product level. We have already integrated cybersecurity features into 'Nerve', which we are revising and completing - after which TÜV Austria will carry out the audit.

The platform was launched in 2016 and is being continuously developed. What changes and functions will Nerve users have to expect as a result of the certification?

Nerve is an IIoT platform for machine manufacturers that offers scalable, cloud-managed edge computing - a kind of software infrastructure for manufacturing and the cloud that companies can use to implement their IIoT projects.

We have already integrated cybersecurity features into Nerve. With product certification, we can then guarantee customers that we are providing them with a secure system. In terms of handling, certification changes things in one place or another - for example, if authentication is required for certain functions.

Cybersecurity is on everyone's lips, but there are often problems with implementation. What do you generally recommend to potential customers on the way to more cybersecurity?

"Cybersecurity solutions at company level"

Implementation is definitely an issue - you have to provide resources, including trained personnel, and be prepared for a lead time.

Industrial cybersecurity solutions must not only include network-based security and user authentication, but also address the issue holistically at company level. Ultimately, it is of no use if web-based access to a machine is secured, but people can enter the company premises unchecked and access the machine directly.

To ensure cybersecurity, a company must therefore rethink its processes and make them as secure as possible - this is where time must be invested. However, solutions such as 'Nerve' can help to cover individual areas in this overall concept and shorten and facilitate implementation. You can also get help with creating a concept - TTTech Industrial also works with partners who can support customers on their way to secure digitalization of their company.