4 How Our Resources and Our Partner Security Pattern Can Help

The ISA/IEC 62443 standard stresses the need to address security holistically: security cannot be achieved through technology alone. Security is certainly about technology, but it is also about people and processes.

As a natural consequence of this approach, compliance of a product supplier's processes with the ISA/IEC 62443-4-1 standard (“Secure Product Development Lifecycle Requirements”) was made a prerequisite for achieving CSA [1] and EDSA [2] product certification according to part 4-2 of the standard.

Complying with ISA/IEC 62443-4-1 implies adopting a series of robust processes that guarantee that products are indeed managed by product suppliers with a level of security that is commensurate with their technological content, in line with their customers' expectations and sustainable throughout the products' lifecycle. These requirements are fully in line with common recommendations and good practices for security.

These are some of the key activities that the standard requires from product suppliers:

  • The application of security-by-design principles, including defense in depth
  • The proper definition and tracking of security requirements, starting from conception and on to design, implementation, testing, managing of field issues and decommissioning
  • The application of risk management practices to the design of secure components (with threat modeling activities being an integral part of this risk-centric approach)
  • The training of their personnel in those areas of security that are relevant as per the definition of each employee's role and responsibility in product definition, development and management

Security Pattern, as a Certified Microchip Security partner, can:

  • Support manufacturers of industrial components in understanding their products’ security requirements and how these relate to the ISA/IEC 62443 standard, by means of focused consultancies or introductory trainings.
  • Aid in the definition and refinement of security-related product requirements (including platform selection/definition).
  • Guide Product Suppliers in making proper use of Microchip components and their rich set of security features in their applications.
  • Help Product Suppliers, during product development phases, in the definition of their system, the streamlining of their production flow (considering security of the supply chain and of third-party suppliers), and the development of their software.
  • Provide technologies and expertise for public key infrastructure setup, digital certificates management, secure boot, etc.
  • Aid in implementing and executing the Product Supplier’s internal processes according to ISA/IEC 62443-4-1 requirements, providing a structure for their documentation that is compliant with ISA/IEC 62443 standard requirements.
  • Perform product gap analysis vs. the ISA/IEC 62443-4-2 component requirements.
  • Support the technical discussions with the selected ISA/IEC 62443 certification body.
  • Deliver training sessions tailored to meet the needs of Product Suppliers’ personnel, for whom Practice 1 of the standard mandates the upkeep and assessment of security expertise.