Phoenix Contact Awarded Certification In Accordance With IEC 62443-4-1 and 2-4 by TÜV SÜD
- Published: Wednesday, 24 April 2019 08:55
Phoenix Contact is one of the first companies in Germany to have been certified by TÜV SÜD in accordance with the IEC 62443-4-1 and 2-4 series of standards for IT security.
This confirms that the company:
• Develops secure by design products in compliance with the IEC 62443-4-1 process
• Designs secure automation solutions in compliance with the IEC 62443-2-4 process
These certifications emphasize Phoenix Contact's strategy of offering standardised security in products, industry solutions, and consulting services to ensure the future-proof operation of machines, systems and infrastructures.
In the case of secure by design products, the security requirements for software and hardware are already taken into consideration during the development phase. This prevents security vulnerabilities later down the road. These security mechanisms are becoming ever more important, as devices and sensors are increasingly being networked via the Internet. With more and more processes being run via software, new targets for attack are emerging.
The central elements of parts 4-1 and 2-4 of the IT security standard are, on the one hand, a threat and risk analysis based on the application scenario, i.e. application examples and the required hardening measures are defined for devices and systems. For automation solutions, a security concept is devised with the required precautionary measures. On the other hand, a product or solution development process is established which ensures that all identified security requirements are implemented, verified and documented with traceability.
In addition, device manufacturers are required to respond appropriately to security vulnerabilities and publish security updates in a reliable manner. Phoenix Contact has satisfied this requirement with the newly established Product Security Incident Response Team (PSIRT). The team informs users of Phoenix Contact products about known security vulnerabilities and, at the same time, also acts as the point of contact for users to report any security vulnerabilities they find in a confidential way. PSIRT is responsible for the processing, assessment and publication of reports and updates to the process chain, as set out in IEC 62443.
“The product development process at Phoenix Contact was certified in accordance with standard IEC 62443-4-1 back in fall 2018. Secure by design is therefore integral to our development of a security product,” says Roland Bent, CTO Phoenix Contact, highlighting the measures implemented in the company. “The next logical step has now also been taken. Our recent certification confirms that our industry market management can develop and implement secure automation solutions for our customers in accordance with standard IEC 62443-2-4.”
“Our collaboration with TÜV SÜD was highly goal-oriented and professional,” confirm Boris Waldeck, Project Manager for IEC 62443-4-1, and Werner Neugebauer, Project Manager for IEC 62443-2-4. “With this being a new standard, it was very important that we had a common understanding of the requirements and their implementation.”
Cyber security is relevant in every industry
Whether manufacturers or operators, industry or critical infrastructure – cyber security concerns us all. The automation technology and IT worlds are growing closer together. System boundaries are becoming blurred, the amount of available data is increasing, and the exchange of data and information is growing as a consequence. Industrial control systems (ICS) are also increasingly exposed to cyber attacks due to the growing networking of these systems and their connection to the Internet.
Remote control technology is an essential component in the automation of water management systems. In the course of digitalisation, Ethernet-based solutions offer numerous advantages, but also present some challenges. Ethernet is commonly used to exchange data with external installations. However, Ethernet-based networking can also be used to substantially influence the availability of the technology. Reports of malware attacks and their serious consequences appear in the media on an almost daily basis. It is therefore crucial that the digitalisation of processes is accompanied by a solid strategy for the implementation of IT security.
Energy supply and network control are part of the critical infrastructure in Germany. Without power and gas, everyday life would come to a standstill in a very short space of time and it would no longer be possible to provide vital services. The functional capability of energy supply is dependent on information and communication technology being in good order. This makes IT security essential in the energy industry.
Many operators want to be able to use the data from existing process technology systems for new technologies and thus benefit from the added value of cloud-based evaluations. To be able to install Industry 4.0 technologies in an existing process technology system, the operating data must first be collated. New analysis and monitoring methods are easier to use if full access is granted to the process system data. It is important that data access is secure and impact-free.
However, it is not just the Internet that poses a threat; mistakes by service providers or internal staff can also lead to malfunctions and production downtimes. Failures, sabotage or data loss can cause substantial economic damage. This is because downtimes represent not only a financial loss, but also jeopardise delivery deadlines and consequently the company's image and reputation. ICS security is therefore becoming increasingly important.
Standard IEC 62443 comprises a series of documents handling the IT security of industrial automation and control systems (IACS). The term IACS represents all elements, such as systems, components and processes, which are required for the secure operation of an automated production system. By specifically focusing on industrial applications, IEC 62443 also clearly sets itself apart from ISO 27001, which deals instead with traditional IT systems.
For operators of critical infrastructure, IEC 62443 covers all the requirements for secure solution design, start-up, operation, and maintenance. IEC 62443 has become the “in-house standard” in the process industry.
IEC 62443 is the international security standard for automation systems.