IECEE training raises awareness of cyber security for industrial automation

In order to increase awareness of dealing with cyber security through international standards and IECEE Conformity Assessment, IECEE, has run three workshops, the most recent held in Singapore in October.

“In the new and very dynamic environment of cyber security it is more important than ever to establish an efficient harmonization among the participants of an international conformity assessment system, to ensure transparency and mutual trust for recognition of results and certificates”, said Wolfram Zeitz, Deputy Secretary, IECEE.

On the agenda

Hosted by the Singapore Standards Council and Enterprise Singapore, the three-day international event was attended by participants from different testing services.

Lee Neitzel, expert with over 30 years in security and network standards has led or contributed to a number of industrial cyber security standards in the IEC 62443 series. His work includes the role of Chair for IEC TC 65 Working Group 10 - Cyber Security, Industrial Automation - IEC 62443 and Convenor of the former IECEE CMC Task Force Cyber Security (conformity assessment programme) as well as editor of ISA 99/ IEC 62443-2-1, Security for industrial automation and control systems - Part 2-1: Requirements for IACS asset owners.

“This workshop has been given in North America, Europe, and Asia to provide a common understanding of the conformance assessment programme and the IEC 62443-2-4 requirements for NCBs and CBTLs around the world. It gives the attendees the opportunity to gain first-hand knowledge of the programme mechanics and the details of the requirements, and to ask questions to enhance their understanding. Without the workshop, each NCB and CBTL would have to develop their own unique ideas for these topics”, said Neitzel.

Neitzel presented the first two days of the workshop covering aspects of IEC 62443, Security for industrial automation and control systems, including:

• Explaining the IECEE guidance Operational Document (OD 2016), which describes how conformity assessment can be handled and applied to certain Standards in the IEC 62443 series. OD-2061 also explains under which conditions IECEE Cyber Certificates of Conformity – Industrial Cyber Security Capability – can be delivered. They are valid only when “signed by an approved Certification Body (CB) Testing Laboratory and appended to a certificate issued by a National CB”.
• Providing an overview of an assessment of IEC 62443-4-1, which specifies the process requirements for the secure development and support of products used in industrial automation and control systems
• Reviewing the individual requirements of an assessment for IEC 62443-2-4, which specifies requirements for security capabilities for integrated administration and control system (IACS) service providers that they can offer to the asset owner during integration and maintenance activities of an automation solution.

Other topics discussed covered:

• The links between IEC Standards and IEC Conformity Assessment Systems
• How IECEE conformity assessment schemes (e.g. IECEE Cyber security Scheme) help address business needs on cyber security
• Introduction “Security and Safety “in context of Industry 4.0 - Threat landscape and adversaries
• IT-Security and OT- Security (Industrial Security)
• Overview of IEC 62443, use cases and how to implement IEC 62443 in your organization;
• Differences between IEC 62443 and ISO/IEC 27001

The urgent need to take measures to handle cyber security threats was emphasized through a live demonstration, which showed a successful cyber hack on mobile ICS kits, as well as a successful cyber attack through a security antivirus and a firewall.

Together with IEC cyber security related standards, the deployment of comprehensive IEC CA certification schemes should ensure that systems which rely on industrial communication networks and industrial automation control systems (IACS) are better protected against cyber threats.