Hendrik Dettmer, expert at TÜV TRUST IT GmbH (TÜV AUSTRIA Group), on the importance and advantages of this new guideline for companies.
Mr Dettmer, the IEC 62443 standard pursues the goal of mapping safety and security equally. To what extent is it important not to consider these two factors separately?
Correct, the standard is a holistic approach that considers the two important factors as a unit to ensure maximum safety. In principle, IEC 62443 is a security standard, but it also increases the safety factor in the company. This is because when assessing the risk of security, many statements are also included in the safety analysis, so it would be irresponsible to carry out one without the other. The link is simply too strong these days.
As such a holistic standard, it is also considered the standard for secure data exchange in production IT. Which companies are particularly affected by this?
In short, all companies that manufacture or distribute OT products and of course those that use them in their own production. Thus, the security of the entire chain is covered by the standard: starting with the development of an OT product and ending with its use in the production plant. In addition to developers and users, this also includes service companies responsible for software updates, for example, as well as all others who have access to appropriate interfaces. Almost all areas in the companies concerned are involved. In the case of manufacturers, it mainly concerns development, and in the case of users, it particularly concerns the productive environment. Since we are talking about a holistic approach here, more or less entire companies are affected and therefore also benefit from the implementation of the standard.
In what ways do companies benefit directly?
First of all, the company has a clear benefit from the greater resilience. It proves that it can fend off attacks accordingly and thus produce safely, which increases customer confidence in its products and can therefore bring a certain competitive advantage. One also reads again and again about companies that are in the press because of cyber attacks and their consequences, which can be prevented to a large extent by complying with this standard. And there are also immediate monetary advantages. For example, certified companies are often rated more favourably by various insurance companies, and of course you avoid the high costs and losses that can result from an attack.
Why is securing OT systems against such attacks a particular challenge for companies?
The different approaches to an IT environment play a decisive role here. Regular updates, back-up strategies, monitoring options etc., which are common practice in IT, are not used in OT. However, in order to adapt OT to Industry 4.0, old machines in an existing IT environment are often linked to new ones, which results in security gaps. The challenge is therefore to link old and new systems in terms of safety and security in such a way that security-relevant disadvantages of the old components are not adopted or neutralised by appropriate countermeasures. This is often associated with enormous effort. The advantage of new production environments is obvious: the standard can serve as a basis for planning, so that the new systems meet a certain safety standard from the ground up.
What does this “certain safety standard” actually mean and how can companies use it in practice?
The safety standard we are talking about here is first of all proven by certification according to IEC 62443. Certified companies can thus prove the safety of their production environments at a safety level of 1-4, which is a generally valid and tangible statement and which can and should be communicated to customers. This results in the competitive advantage that we have already mentioned above. And even though certification is not yet mandatory, IEC 62443 is already the standard norm in IT security and is always used when talking about requirements in this area. Large corporations already produce only according to this standard and often serve as a best practice example for smaller manufacturers who want to follow suit.
Such a project requires structure. What would you advise companies that want to take the first step towards certification according to IEC 62443?
First of all, I would strongly advise using this standard as a guide and model on safety issues when introducing any new product or production environment. This also and in particular applies to major innovations. In contrast, I would advise against investing in old processes and instead think in a more forward-looking way and include the standard in the future. And beyond that, it is of course almost indispensable to deal with the topic comprehensively and always be up to date.
How can TÜV TRUST IT support companies on the way to certification?
As an expert in this field, we assist affected companies in all steps towards certification according to IEC 62443. This starts with a comprehensive individual consultation regarding the status quo and the possibilities in the respective company, often combined with a risk analysis. In addition, we offer assistance in setting up new development environments, systems and production facilities according to the IEC 62443 standard, as well as in product development. And of course we also carry out certification audits of all plants and products.
Thank you very much for the interview, Mr Dettmer.
Hendrik Dettmer, Head of IoT Security Lab