New standard integrates security by design

The ISA/IEC 62443 standards, developed by its ISA99 committee (International Society of Automation) as American National Standards and adopted globally by the International Electrotechnical Commission, are designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS).

Targeted at product vendors, a newly published standard in the series, ISA/IEC 62443-4-1-2018, ‘Security for Industrial Automation and Control Systems Part 4-1: Product Security Development Life-Cycle Requirements’, specifies process requirements for the secure development of products used in an IACS. It defines a secure development life cycle for developing and maintaining secure products. This life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.

These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. The requirements apply to the developer and maintainer of a product, but not to the integrator or user of the product.

“Designing security into products from the beginning of the development life cycle is critical because it can help eliminate vulnerabilities from products before they ever reach the field,” said Michael Medoff of exida, who led the ISA99 development group for the standard. “We all know how difficult and expensive it can be to constantly have to patch software in the field. The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design.”

Image credit: ©agsandrew/Dollar Photo Club