Phoenix Contact

Boris Waldeck | Andrea Gillhuber,

Urgent need for action

The EU cybersecurity strategy defines the requirements in terms of resilience and attack defense for component and system manufacturers and manufacturing companies. The IEC 62443 series of standards aims to implement security-by-design in products and systems.


On the one hand, necessary digitalization measures increase the attack surfaces for cyberattacks; on the other hand, the attackers and their methods are becoming increasingly professional. Cybersecurity therefore focuses on protecting a company's value creation and individual security objectives. This includes the protection of know-how (e.g. development results or contractual conditions) and compliance with legal regulations such as data protection. In addition to concrete attack damage, there is further, often underestimated damage: cyber attacks often lead to a loss of image, as they can damage the trust of customers, partners, investors and the public in the affected company. Legal requirements for the implementation of cybersecurity have long been established for critical infrastructures. These are now being extended by the EU to other companies with NIS 2.

Implementation in the automation sector

The introduction of an information security management system (ISMS) in accordance with ISO 27001/2 in IT, extended in the direction of OT (operational technology), has proven to be the state of the art in cybersecurity. The ISMS comprises organizational and technical requirements. With the help of IEC 62443-2-1, the technical requirements can be mapped to measures in the OT, i.e. the IACS (Industrial Automation and Control System) environment. These include the following measures:


Cybersecurity in IT and OT through the combination of ISO 27000 and IEC 62443

  • Configuration and segmentation of networks
  • Data protection during storage and transmission
  • Authentication of users
  • Monitoring and logging the actions of users and systems
  • Security hardening of the devices used
  • Configuration, updates, back-up and restore
  • Organizational requirements for handling the system

The specific measures for the IACS environment are addressed in the IEC 62443 series of standards for the different views:

IEC 62443 defines requirements for system operators, system integrators and component manufacturers

  • Components: IEC 62443-4-1 "Secure process for the development and life cycle of components (products)" and IEC 62443-4-2 "Security requirements for components"
  • System: IEC 62443-3-3 "Security requirements for systems"
  • Operator: IEC 62443-2-1 "Security management system", IEC 62443-2-3 "Patch management" and IEC 62443-2-4 "Security requirements for system integrators (service providers)".

A special element of IEC 62443 is the holistic security-by-design approach, which extends from the requirements for the operating processes to the framework conditions for the systems and products and sets out both procedural and technical measures and requirements. The key security concept of the standard is "Defense in Depth": By staggering several security measures one after the other, access is made more difficult for the attacker. In the case of an attack via the network, for example, one or more firewalls must first be overcome before the attacker can reach the target component. Once there, the attacker has to overcome a user login and is then stopped by internal security mechanisms.

Defense in Depth: Staggering several security measures makes access more difficult for attackers


The cybersecurity measures listed were previously only required by law for critical infrastructures. In addition, they are implemented by large, mostly internationally active plant operators. This is now changing significantly with the EU's NIS 2 Directive.

Extension of regulations through NIS 2

The NIS 2 directive (Network and Information Security) obliges operators of public or private institutions to introduce suitable security tools to protect their systems from cyber attacks. Compared to the existing NIS, NIS 2 expands the regulations for organizations with more than 50 employees and a turnover of more than ten million euros. NIS 2 applies to "essential" and "important" institutions in the EU.

Cyber legislation on secure operations and secure products go hand in hand


The term "essential facilities" covers companies operating in critical infrastructure, such as electricity/gas generation, storage and transmission, water, road and rail transportation, drinking water and wastewater facilities and digital infrastructure. "Important facilities" are selected from a list of seven sectors based on the criticality of their business and type of service. Examples include the manufacture and distribution of food and chemicals and the production of electrical equipment, machinery and vehicles.

The NIS 2 Directive came into force on January 16, 2023 and must be transposed into national law by the EU member states by October 18, 2024. However, it is difficult to meet these requirements if the products used have not been developed in accordance with security-by-design. To solve this challenge, the EU has defined the Cyber Resilience Act (CRA).

Security-by-design products in accordance with the Cyber Resilience Act

The CRA obliges manufacturers to develop security-by-design products. In future, products that fall under the CRA will no longer receive a CE mark if they do not comply with the CRA regulations. Corresponding minimum requirements are defined for the implementation of security measures. Depending on the product class, these must be verified as part of a conformity test by notified bodies - such as TÜV - or by the manufacturer itself using a harmonized standard.

The essential requirements of the CRA must be taken into account in the design, development and manufacture of a product, i.e. they must be based on a secure development process. The requirements include access protection, protection of confidentiality, integrity and availability as well as a secure delivery state. An additional component of the CRA is vulnerability management, together with rules for the period during which manufacturers must provide security updates for their products. The draft text of the Cyber Resilience Act was published in September 2022 and is currently in the trilogue procedure. As an EU act, it does not have to be transposed into national law and is therefore expected to come into force throughout the EU in 2024. IEC 62443 covers both the secure development process and the technical requirements for individual products and systems. As a result, IEC 62443 or a derived sector standard is a promising candidate for a harmonized CRA standard.

In order to meet the requirements for vulnerability management, a standardized software bill of materials (SBOM) must be available for all products, i.e. a list that describes all software components of a product. Furthermore, known vulnerabilities must be provided in a standardized digital format - such as the Common Security Advisory Framework (CSAF). This is the only way to meet the short deadlines for reporting and eliminating vulnerabilities in accordance with the CRA and NIS 2.
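The SBOM-plus-CSAF workflow described above, as an added example that is not part of the original article or Phoenix Contact's tooling: a CycloneDX-style component list is matched against the product identifiers of a CSAF 2.0-style advisory to find which shipped components an advisory marks as affected. The SBOM, the advisory, the product names, versions, purls and the CVE placeholder are all constructed for illustration; only the flat `full_product_names` list of the CSAF product tree is handled, not `branches` or `relationships`.

```python
# Constructed sample data (not from the page). Field names follow CycloneDX
# and CSAF 2.0 as this example assumes them; all values are invented.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liblog", "version": "1.4.2",
         "purl": "pkg:generic/liblog@1.4.2"},
        {"type": "library", "name": "tlsstack", "version": "3.0.1",
         "purl": "pkg:generic/tlsstack@3.0.1"},
    ],
}
ADVISORY = {
    "document": {"title": "Constructed advisory",
                 "tracking": {"id": "EXAMPLE-ADV-0001"}},  # placeholder id
    "product_tree": {"full_product_names": [
        {"product_id": "P1", "name": "tlsstack 3.0.1",
         "product_identification_helper": {"purl": "pkg:generic/tlsstack@3.0.1"}},
        {"product_id": "P2", "name": "tlsstack 3.0.4",
         "product_identification_helper": {"purl": "pkg:generic/tlsstack@3.0.4"}},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-0000-0000",  # placeholder, not a real CVE
        "product_status": {"known_affected": ["P1"], "fixed": ["P2"]},
    }],
}


def affected_components(sbom, advisory):
    """Return (purl, advisory id, cve) for every SBOM component that the
    advisory lists under product_status.known_affected."""
    # Map CSAF product_id -> purl so advisory products can be compared to SBOM entries.
    purl_by_pid = {}
    for p in advisory.get("product_tree", {}).get("full_product_names", []):
        purl = p.get("product_identification_helper", {}).get("purl")
        if purl:
            purl_by_pid[p["product_id"]] = purl
    sbom_purls = {c["purl"] for c in sbom.get("components", []) if "purl" in c}
    adv_id = advisory["document"]["tracking"]["id"]
    hits = []
    for vuln in advisory.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            purl = purl_by_pid.get(pid)
            if purl in sbom_purls:  # component is shipped and marked affected
                hits.append((purl, adv_id, vuln.get("cve")))
    return hits
```

Products listed only under `fixed` produce no hit, so the same check can confirm that an updated SBOM no longer contains the affected version.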

Security in the new Machinery Ordinance

To protect people and the environment from negative consequences - such as injuries and contamination - machines must be equipped with functional safety technology and comply with the Machinery Directive 2006/42/EC. This directive requires an update, as the risks posed by new technologies and new product safety regulations must be taken into account. It has also become apparent that the directives - and consequently their transposition into national law - are in some cases implemented with differing rules.

In future, functional safety in combination with cybersecurity must also be taken into account. These requirements have resulted in the Machinery Ordinance (MVO) 2023, the final text of which will be published by mid-2023. The MVO supplements the Cyber Resilience Act, which also regards machinery as a product. For machines with functional safety, however, the Machinery Ordinance comes first.

360-degree security based on IEC 62443

Phoenix Contact began implementing IEC 62443 back in 2017. The company's 360-degree security concept is based on the principle that security is anchored in the entire life cycle of its products and solutions:

  • Secure development process: the secure development process in accordance with IEC 62443-4-1 is the prerequisite for the design and complete life cycle of the products. It defines the development according to the common cybersecurity methods security-by-design and defense in depth, but also ensures the monitoring of vulnerabilities and provides regular security updates.
  • Secure products: Secure products comply with the development process according to IEC 62443-4-1 and fulfill the functional security requirements of IEC 62443-4-2, including, for example, denial-of-service protection, user management, confidentiality of data during transmission and storage, logging and configuration of least functionality. In 2021, PLCnext Control was the first control system on the market to be certified by TÜV Süd in accordance with IEC 62443-4-1 ML3 and IEC 62443-4-2 SL2 Feature Set. Further secure products are currently in development or will be certified.
  • Secure services: In order for security solutions to be discussed, advised, installed and maintained together with system integrators and operators, the teams must have and demonstrate the necessary cybersecurity skills. To this end, the German and other national companies of the Phoenix Contact Group are certified in accordance with IEC 62443-2-4.
  • Secure solutions: The security team at Phoenix Contact has developed templates (blueprints) for various solutions and markets and had them certified in accordance with IEC 62443-3-3, where this appears appropriate. On the one hand, the blueprints facilitate discussion and concept work. They also underline Phoenix Contact's expertise in certifying solutions with customers.
  • PSIRT: The Product Security Incident Response Team (PSIRT) has the central task of responding to potential security gaps, incidents and other security problems in connection with Phoenix Contact products, solutions and services. The PSIRT leads the disclosure, investigation and internal coordination and publishes security advisories on confirmed vulnerabilities.

All of the above certifications are monitored through annual audits by TÜV Süd.

Implement by 2026

NIS 2, the Cyber Resilience Act and the Machinery Regulation are currently in the EU legislative process or being transposed into national law. If the typical transition periods are used, all laws and standards will be fully applicable law by 2026. Given their complexity, it is easy to see that there is an urgent need for action on the part of product manufacturers, system integrators and operators.

The author

Boris Waldeck is Master Specialist Security PLCnext Technology and Product Solution Security Expert at Phoenix Contact Electronics in Bad Pyrmont.
