Certification in accordance with IEC 62443

TÜV Süd (part of the German Association for Technical Inspection) has awarded the manufacturer of zenon software for industrial automation a certificate of conformity to the new ISA/IEC 62443-4-1:2018 security standard. This confirms that the company’s software development, quality assurance, and support processes are securely designed in line with current industrial IT security guidelines.

Developed by the International Society of Automation (ISA), and adopted by the International Electrotechnical Commission (IEC), the ISA/IEC 62443 series of standards provides a framework for closing and reducing security loopholes in industrial automation and control systems, allowing users to take a preventive, systematic approach. January 2018 saw the publication of a new standard as part of this series: ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements. This provides companies with process specifications to follow when developing products that conform to security requirements. The standard aims to make the entire lifecycle of products more secure. This includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life.

To ensure that Copa-Data would receive its certification in line with the latest IEC 62443-4-1-standard, their project team had to develop a realistic, cross-industry use case. Structured with multiple layers, this practical example involved a range of different systems of the kind found in a state-of-the-art production facility. These were assembled layer by layer to form one complete, secure system.

At the heart of the use case is a production cell that forms part of a production process. It requires maximum protection against harmful influences from the production areas to which it is linked, such as control rooms that carry out monitoring, network and management levels, and cloud solutions. For this reason, the example that was used for certification purposes also contains a demilitarized zone (DMZ) that is based on zenon technology and in line with the general IT security concepts outlined in the IEC 27001 standard.