IEC 62443 defines procedures for implementing electronic system security in Industrial Automation and Control Systems (IACS). In response to the growing trend of smart industrial control systems, both industry and governments have introduced cybersecurity regulations and standards. One of the most frequently referenced standards is IEC 62443, proposed by the International Electrotechnical Commission (IEC).
Originally developed by the International Society for Automation (ISA) and published by the American National Standards Institute (ANSI), the standard was later adopted by the IEC. Initially known as ANSI/ISA-99 or ISA99, it is now published as ISA-62443-x-y by ISA and IEC 62443-x-y by IEC.
Cybersecurity issues in industrial control systems are closely related to the level of computerization or intelligence of the system. Recent government reports indicate that hackers are increasingly targeting critical infrastructure and high-tech manufacturing sectors. They infiltrate external networks and gradually penetrate the networks housing industrial control systems, creating a ripple effect. Preventing cybersecurity vulnerabilities in upgraded systems is a major challenge to address before transitioning to Industry 4.0. These issues can affect product quality, public health, and safety, potentially causing significant damage.
IEC 62443 addresses these concerns by providing security standards for IACS to tackle a wide range of cybersecurity challenges.
Overview of IEC 62443
The technical specifications of this standard apply to all users of IACS, including organizations involved in operations, maintenance, engineering, component manufacturing, and those affected by or involved in control systems. It emphasizes the importance of collaboration between IT and operations and the role of engineering and manufacturing in ensuring enterprise-wide security. The standard is also crucial for network administrators working with IACS. Figure 1 shows the structure of the standard for reference, followed by a simplified explanation.
Figure 1: IEC 62443 Standard Level Category
Source: IEC
IEC 62443 is structured into four main categories:
1. General: Covers foundational concepts, terminology, and methodologies. It explains the threats and issues in industrial automation systems and introduces a reference model to help organizations analyze and implement protective mechanisms.
2. Policies & Procedures: Describes the IT security management system and requirements for asset owners (e.g., factory managers), outlining how to ensure operational safety through management policies and processes.
3. System: Provides technical specifications from the perspective of system integrators. It discusses how to ensure integrated automation solutions are secure from cyber threats, including conducting security assessments.
4. Component: Focuses on the design and development requirements for control system components. It guides product suppliers on how to develop secure products and ensure the safety of automated equipment.
Goals of IEC 62443 and Overview of IEC 62443-4 Certification Requirements and Device Categories
Table 1: IEC 62443 standard for product design flow and certification requirements
Source: IEC
IEC 62443 certification involves evaluating, integrating, and maintaining specific product functions or solutions under development. The IEC 62443-4 standards apply to asset owners, system integrators, product suppliers, and certification bodies (including government and regulatory agencies).
- System Integrators use the standard to procure IACS-compliant control system components and define the required security levels (SL-T) for different zones.
- Product Suppliers use the standard to understand the security level requirements (SL-C) for their components. Even if a component doesn't provide all required capabilities, it may still meet requirements when integrated with higher-level systems.
IEC 62443-4 defines component requirements (CR), derived from system requirements (SR) in IEC 62443-3-3, which in turn are based on foundational requirements (FR) from IEC 62443-1-1. CRs may include requirement enhancements (RE), and the combination of CR and RE determines the achievable security level.
The four types of component requirements are:
• Software Application Requirements (SAR)
• Embedded Device Requirements (EDR)
• Host Device Requirements (HDR)
• Network Device Requirements (NDR)
Winbond's Secure Flash Memory Solutions
Winbond, a global leader in semiconductor memory solutions, offers secure flash memory products that meet stringent cybersecurity certification requirements. These high-performance, secure flash memories support:
• Secure Boot
• Secure Storage
• Post-Quantum Cryptography (PQC) authenticated firmware updates
• Platform Integrity Verification
They comply with global security standards such as NIST 800-193, NIST 800-208, and EN18031, and are certified under Common Criteria and SESIP (Security Evaluation Standard for IoT Platforms).
Winbond's secure flash memory products, W75F, W77Q, and W77T, support the full range of IEC 62443 Security Levels (Target), aligning with major cybersecurity standards.
Figure 2: Cybersecurity Standards
Source: Winbond
Conclusion
Winbond's secure flash memory solutions help system manufacturers meet regulatory compliance, enhance platform security, and defend against hardware-based cyberattacks. For more information, visit Winbond Secure Flash Memory.
Article edited by Jack Wu