This is my archive

Security levels 

Security levels according to IEC 62443-3-3: To categorize the severity of potential threats, protection classes are available for the various data classes a zone stores/processes or a conduit transmits. This is the basis for the required level of protection of an entire zone or conduit. In…

Why cyber security?

There are several definitions of cyber security, such as: Cyber security is the state in which the risks associated with the use of information technology are reduced to a tolerable level. Risks arise from threats and weaknesses to systems and products. Information security is…

(Central) User management 

General considerations on user management: If communication is allowed through a firewall or possible via local access, access should be protected by a user login. Users in this context may be human users, software processes, and devices used to build automation infrastructures and systems.

IEC 62443 standard: security for industrial applications 

Overview of the parts of the standard: The IEC 62443 standard series defines the necessary security processes and functional measures for device/component manufacturers, system integrators, and operators of machines and plants. It is a common security standard for industrial automation systems and…

Anti-malware inspection 

The list of security incidents in industry is growing longer all the time: Stuxnet, Industroyer, TRITON, or WannaCry are examples of malware/ransomware which attacked SCADA systems, safety controllers, etc. While anti-virus/anti-malware software is common and widespread on IT systems, OT components are often still unprotected.

Security-relevant laws and industrial standards 

It is important to understand that IT security is not only a new “product feature” that a vendor can implement more or less well at its own discretion. Instead, the integration of security features into automation equipment, systems and components is now required…

ISO/IEC 27001 standard: security for traditional IT systems 

ISO/IEC 27001 is the leading international and most important standard regarding cyber-security of Information Technology (IT) systems. It describes the implementation of an Information Security Management System (ISMS) by providing clear guidelines for planning, implementing, monitoring, and improving your information…

Data classification & protection needs

The central task for a threat-risk assessment is the classification of data which is stored/processed in a zone and transmitted between zones via conduits. This classification is done in two steps: Identification of the data available in your system. Classification of…

Least privilege concept

The concept of “least privilege” is a basic security concept: Every access and execution right to components and data in your ICS should be restricted to the maximum possible extent for each user. In doing so, care must be taken to ensure that the availability…

Foundational requirements (FR) and system requirements (SR) 

Foundational requirements (FR): The IEC 62443 standard defines seven foundational requirements (FR). These are basic requirements regarding the security of an ICS. They are addressed to all stakeholders of a plant and used throughout the standard. FR1: Identification and authentication…