TÜV SÜD (part of the German Association for Technical Inspection) has awarded COPA-DATA, the manufacturer of zenon software for industrial automation, a certificate of conformity to the new ISA/IEC 62443-4-1:2018 security standard. This confirms that COPA-DATA’s software development, quality assurance, and support processes are securely designed in line with current industrial IT security guidelines.
Developed by the International Society of Automation (ISA), a non-profit professional organization, and adopted by the International Electrotechnical Commission (IEC), the ISA/IEC 62443 series of standards provides a framework for closing and reducing security loopholes in industrial automation and control systems, allowing users to take a preventive, systematic approach. January 2018 saw the publication of a new standard as part of this series: ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements.
The standard provides companies with process specifications to follow when developing products that conform to security requirements. Its aim is to make the entire product lifecycle more secure. This covers security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life.
Use case forms the basis for certification
To ensure that COPA-DATA would receive its certification in line with the latest IEC 62443-4-1 standard, the project team – led by Reinhard Mayr, Head of Information Security & Research Operation at COPA-DATA – had to develop a realistic, cross-industry use case. Structured in multiple layers, this practical example involved a range of different systems of the kind found in a state-of-the-art production facility. These were assembled layer by layer to form one complete, secure system. “Our objective was to define a use case that would not only reflect the real use of our software in a networked production environment and take our investments in security features from recent years into account, but would also meet the requirements of the standard,” says Reinhard Mayr.
At the heart of the use case is a production cell that forms part of a production process. It requires maximum protection against harmful influences from the production areas to which it is linked, such as control rooms that carry out monitoring, network and management levels, and cloud solutions. For this reason, the example that was used for certification purposes also contains a demilitarized zone (DMZ) that is based on zenon technology and in line with the general IT security concepts outlined in the IEC 27001 standard. “The DMZ keeps external influences away from the operational area and strengthens IT security. The strategies and concepts that we have been pursuing for many years now when developing zenon, such as security by design and defense in depth, also help to achieve this. Thanks to our many native zenon protocols, we are also able to make it more difficult for attackers to cause serious damage,” explains Reinhard Mayr.
Security: A team effort
With the aim of making industrial IT security an even more significant part of the software development process, COPA-DATA expanded its security management team and gave it more powers. Now that the new certification has been achieved and recertification will take place annually, the entire COPA-DATA security lifecycle will be constantly under scrutiny. As Reinhard Mayr explains: “COPA-DATA has always dedicated itself to achieving continuous improvements in security. It is a pillar of our corporate strategy. We actively promote this wherever we need to, working closely together with official bodies and other manufacturers.”
Security remains an issue that every area of a company, and every manufacturer of system components, needs to address. Everything and everyone linked by an IT network – humans, companies, hardware, and software alike – must uphold fundamental security standards. “We are doing our utmost to support our customers’ security strategies and protect them against cyberattacks whenever we can,” says Reinhard Mayr.