But How to Actually Do It? Practical Applications of IEC 62443 to Asset Security by Marina Krotofil

Marina Krotofil

Industrial Automation and Control Systems (IACS) assets are long-lived systems with several distinct life-cycle phases and different stakeholders involved at each stage. IEC 62443 is an international set of industrial security standards that specifies comprehensive requirements for the secure development, integration and maintenance of assets used in IACS environments. Additionally, the standard establishes context, a common vocabulary and concepts so that, at a minimum, a group of cybersecurity professionals who have read IEC 62443 can have productive interchanges, because they are “talking the same language.”

Consisting of 13 standards in total, IEC 62443 provides answers to the “what must I do” question for all stakeholders in the IACS life cycle, including asset vendors/suppliers, integrators/solution providers, and owners/operators/end users. Despite being well-articulated, it is not actually straightforward how to implement IEC 62443 requirements in practice. This presentation will cover several non-trivial challenges of applying the standard in real-world settings. The talk is primarily intended to assist asset owners when conducting a dialogue on assets’ security requirements with vendors/suppliers and making sure that the requirements are actually met. However, members of other stakeholder groups such as vendors themselves, integrators, certification bodies, pentesters and researchers will also find relevant bits of information in this talk.