The security development process is an expansion of the general product development process. One basic aspect of a standard-compliant development process (in accordance with IEC 62443-4-1 – Secure product development lifecycle requirements) is to perform a risk assessment. It reveals the dangers and risks that a product is subjected to from “cyber space” and the measures to take to minimise them.
Security levels define the security level that plant operators or manufacturers want to achieve using security measures. Information is provided by a prior risk assessment. This defines what is to be protected and determines the probability of this asset being attacked. The security level (SL) is selected accordingly. SL-2, that is protection against “intentional violation using simple means with low resources, generic skills and low motivation” should be seen as a minimum standard today. To keep this minimum standard, the company needs a specific security maturity level. The best firewall is useless if a company’s employees continue to write their passwords on post-it notes and stick them on their PC screens or if they do not run updates. The more the company is involved in security as an issue, the higher the overall protection will be. Therefore an overall security concept is important.
We are safety experts. It’s important to us that our products are not only safe, but also secure. That’s why we commissioned TÜV Süd to scrutinise our development processes and test them on the basis of the standard IEC 62443-4-1, which defines secure product development, the “Security Development Lifecycle Process” (SDL process). This approach examines potential security features, even as a new product is being designed. It is intended to ensure that all of a product’s security risks are detected by modelling the threats and, ideally, rectifying them in the product during the development process.
The international series of standards IEC 62443 “Industrial communication networks – Network and system security” deals with IT security in automation. The range of topics spans from risk analysis, to requirements for safe operation and the secure development of products (security by design). As a result, IEC 62443 currently offers the best orientation guide for plant operators and device manufacturers when it comes to implementing security effectively. http://www.pilz.com
It looks at five areas: the basic industrial security requirements, the principle of zones and conduits, the security levels, the security lifecycle and the risk analysis.