Once you’ve read it a few times “IEC 62443” genuinely does roll off the tongue. It’s a suite of standards for the “Security of Industrial Automation and Control Systems” maintained by the International Electrotechnical Commission (IEC).
Industrial Automation and Control Systems (IACS) are all those systems which, as it says “on the tin”, control and automate the operations within an industrial organisation. From a purely technical point of view they’re sometimes called just Industrial Control Systems (ICS), and sometimes they’re more generically called Operational Technology (OT). IACS/ICS/OT are typically found in critical national infrastructures (CNI) such as energy, water and transport, as well as in manufacturing, defence and smart cities.
More specifically IEC 62443 describes IACS as:
“A collection of personnel, hardware, software, and policies involved in the operation of the industrial process that can affect or influence its safe, secure, and reliable operation.”
As these systems are those that control critical and vital services to society, their security is of the utmost importance. However, the cyber security of these systems is still in the early stages of maturity. Regulations such as the NIS Directive came into force in recent years to prompt CNI to improve their cyber security policies and procedures. There are also standards/frameworks such as the NCSC Cyber Assessment Framework (CAF) and IEC 62443 to assess and guide improvements towards a baseline and (hopefully) beyond.
We have developed Dot specifically to help industrial organisations increase the situational awareness and cyber maturity of their OT environments, but it can also help organisations demonstrate compliance with several areas of the IEC 62443 standard.
Dot’s Asset and Vulnerability Discovery and Management within OT has particular applicability to a few key parts of IEC 62443:
✔️ IEC 62443-2-1, Establishing an IACS security program
✔️ IEC 62443-2-3, Patch management in the IACS environment
✔️ IEC 62443-3-1, Security technologies for industrial automation and control systems
✔️ IEC 62443-3-2, Security risk assessment for system design
✔️ IEC 62443-4-2, Technical security requirements for IACS components
One key thing to note is that Dot is not an Industrial Intrusion Detection System (IDS); it is an asset and vulnerability discovery system specifically built for Operational Technology. Dot can be used in preparation for the deployment of an IDS, and to cover areas of a network (and the legacy equipment) that an IDS cannot reach. In particular we see it providing a lot of value as part of cyber risk assessments, compliance processes, change management processes and incident response planning. An IDS would typically be more useful to companies which are very mature in their IEC 62443 compliance and have a very modern architecture based purely on an Ethernet network (or its wireless equivalent).
Here is an overview of the IEC 62443 series, showing where our software products fall within it:
Part 1-1: Terminology, concepts and models
Part 2-1: Establishing an industrial automation and control system security program
Part 2-3: Patch management in the IACS environment
Part 2-4: Security program requirements for IACS service providers
Part 3-1: Security technologies for industrial automation and control systems
Part 3-2: Security risk assessment for system design
Part 3-3: System security requirements and security levels
Part 4-1: Secure product development lifecycle requirements
Part 4-2: Technical security requirements for IACS components
If Dot, as an Asset and Vulnerability Discovery software product built for Operational Technology, sounds interesting and you would like to learn more, then please do contact us today.
We are also happy to talk more generally about IEC 62443 and other standards and frameworks out there.