TACKLING SOFTWARE SUPPLY CHAIN RISKS WITH IEC 62443 AND SBOM
This whitepaper targets security teams of industrial automation and control systems (IACS) asset owners and product suppliers.
Table of contents
Product Security Lifecycle for Industrial Automation & Control Systems
Mitigating supply-chain risks is one core requirement of IEC 62443
Integrate automated SBOM into processes
Automate SBOM generation & link to known vulnerabilities
No shortcut to IEC 62443 compliance!
EXECUTIVE SUMMARY
Components used in an IACS environment must meet elevated security requirements while preserving essential functions and services. Part 4-1 of the IEC 62443 standard series provides product suppliers with a comprehensive framework for building a secure product development lifecycle. While the defense-in-depth approach implied by this framework can mitigate the impact of vulnerabilities, some vulnerabilities must still be fixed throughout the product life cycle.
SBOMs increase the visibility of the entire supply chain and strengthen the security posture of IACS suppliers and operators by enabling a risk-based patching strategy when new vulnerabilities emerge. This whitepaper discusses how IEC 62443-4-x proposes to mitigate these risks and how the software development process needs to mature to encompass these mitigating controls. Finally, to reduce the time to market, cost and resources consumed by manual overhead, a high level of automation is required when generating SBOMs and performing security analysis, so that security-related issues are managed in compliance with IEC 62443-4-1.
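The executive summary calls for automatically linking an SBOM to known vulnerabilities and prioritising the result for risk-based patching. The following Python script, added here as an illustration and not part of the whitepaper or of any ONEKEY tooling, shows the minimal form of that step: it reads a constructed CycloneDX-style SBOM, matches each component's purl against a constructed advisory set with `[introduced, fixed)` version ranges (the event model OSV uses), and ranks the findings by CVSS score. The component names, advisory identifiers (`ADV-000x`) and scores are all placeholders; in practice the advisory set would come from a vulnerability feed and the SBOM from the build pipeline.

```python
"""Match a CycloneDX-style SBOM against an advisory set and rank the findings for patching.

Added example; SBOM, component names and advisories below are constructed placeholders.
"""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON layout (not from any real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.2.3",
     "purl": "pkg:generic/example-tls@1.2.3"},
    {"type": "library", "name": "example-http", "version": "2.0.1",
     "purl": "pkg:generic/example-http@2.0.1?arch=armv7"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.1.0",
     "purl": "pkg:generic/example-rtos@4.1.0"}
  ]
}
"""

# Constructed advisories with placeholder ids. Ranges are [introduced, fixed): a version
# is affected if introduced <= version < fixed, as in the OSV "events" model.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:generic/example-tls",
     "introduced": "1.0.0", "fixed": "1.2.4", "cvss": 9.8,
     "summary": "hypothetical memory-safety bug in the TLS handshake"},
    {"id": "ADV-0002", "package": "pkg:generic/example-tls",
     "introduced": "1.2.4", "fixed": "1.3.0", "cvss": 5.3,
     "summary": "hypothetical issue introduced only in 1.2.4"},
    {"id": "ADV-0003", "package": "pkg:generic/example-http",
     "introduced": "2.0.0", "fixed": "2.0.2", "cvss": 7.5,
     "summary": "hypothetical denial of service in request parsing"},
]


def parse_version(version):
    """'1.2.3' -> (1, 2, 3). Only the leading digits of each part count, so a
    pre-release suffix such as '3-rc1' is treated like the release (a conservative
    choice: it keeps a release candidate inside the affected range)."""
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def split_purl(purl):
    """Return (package without version, version) for 'pkg:type/name@ver?qualifiers'."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    return base, version


def is_affected(version, introduced, fixed):
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def patch_priority(cvss):
    """CVSS v3 qualitative severity bands, used here as the patching priority."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def match_advisories(sbom_json, advisories):
    """Return findings (highest CVSS first) for every component whose purl and version
    fall inside an advisory's affected range."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for comp in components:
        if "purl" not in comp:
            continue  # no stable identifier: cannot be matched automatically
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"],
                                 "version": version, "fixed": adv["fixed"],
                                 "cvss": adv["cvss"], "priority": patch_priority(adv["cvss"]),
                                 "summary": adv["summary"]})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def run_example():
    return match_advisories(SBOM_JSON, ADVISORIES)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['priority']:8}] {f['id']} {f['component']} {f['version']} "
              f"-> update to {f['fixed']} ({f['summary']})")
```

Two details matter for the automated use the whitepaper argues for: matching must key on a stable identifier (the purl, with qualifiers stripped) rather than on free-text component names, and version-range logic must be explicit, since a naive "same version string" comparison would miss `ADV-0001` for a component at `1.2.3` whose advisory lists only the fix version. `ADV-0002` is deliberately not reported: the shipped version is below its `introduced` boundary.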
ATTACKS ON IACS ARE ON THE RISE
Cyber-attacks on industrial automation and control systems (IACS) are on the rise.[1] In the past, IT and IoT systems were predominantly targeted by cyber criminals. But the same threats, such as ransomware attacks and devices being joined into massive botnets, increasingly affect IACS and OT too. The reason for this is simple: before IACS got smart and connected, they were mostly operated in air-gapped environments, not connected to the Internet and often not even connected to local corporate networks.
INTERCONNECTION OF IACS INCREASES, SO MUST THEIR CYBER-RESILIENCE
To control IACS components or make changes to their configuration, an engineer would need to physically interact with the machine. With increased digitalization, this is changing rapidly. IACS environments are connected to internal networks and the Internet to feed data into other business processes and to allow for remote configuration and management.
While improved connectivity generally increases productivity and eases administration of IACS environments, those advances go hand in hand with an increased cyber-risk posture: the threat landscape is changing. It is no longer feasible to solely rely on security controls provided by the environment and the perimeter.
As such, the same security principles that apply to IT systems must be adapted to the industrial world. Defense in depth, security by design, and zero trust must be applied to increase the resilience of IACS to cyber-attacks while preserving essential functions and services. While traditional IT security mainly deals with the confidentiality of data, an IACS security solution must protect the integrity and availability of the physical assets essential to the controlled process.

Product Security Lifecycle for Industrial Automation & Control Systems
IEC 62443 PROVIDES GUIDANCE TO CREATE CYBER-RESILIENT IACS
This increased risk posture results in elevated security requirements from asset owners and operators of IACS. To support the increased security demand for IACS, the International Electrotechnical Commission (IEC) has been working since 2009 on a series of standards that address cybersecurity for operational technology in automation and control systems: IEC 62443. As shown in Figure 1 (Scope of the IEC 62443), IEC 62443 consists of 13 parts, targeting all roles of complex industrial environments: asset owner, system integrator, and product supplier (the vendors of IACS components, which can be embedded devices, network components, and host devices). At the core of all parts is support for defense-in-depth strategies as well as security-by-design principles for industrial environments. Under a defense-in-depth approach, reliance on network and perimeter security alone is insufficient: the devices themselves need to withstand cyber-attacks.
Parts IEC 62443-4-1 and IEC 62443-4-2 address security requirements for devices. While IEC 62443-4-2 focuses on product security itself, IEC 62443-4-1 defines requirements for the product development lifecycle processes. This ensures that a secure product is not the result of lucky circumstances, but is repeatable, transparent, and measurable, with adequate security controls in place.