The setting of IEC 62443 includes the entire life cycle of products, from their conception in terms of components and systems, their integration into automation systems, up to their disposal by the end user. The fourth part of the standard defines lifecycle and requirements for component manufacturers (understood as embedded, host, network and software) and systems or those products made by combining components and which will be placed on the market as such in order to be configured as necessary in specific installations. This module traces this lifecycle based on IEC 62443-4-1 covering product design, implementation, testing and finally technical support and documentation, in order to implement the processes necessary for the conception and provision of integrators. and end-user of products developed in accordance with a very specific process from a security point of view and with the relative performances (understood as capability) known and declared. In addition, the manufacturer is required to organize a technical assistance service in order to support the end user in resolving potential critical issues that may occur during the useful life of the product in the security field, such as those related to the mitigation of vulnerabilities. that can be found on the products. In addition to the process, the IEC 62443-4-2 standard also defines the technical requirements which, in analogy to the IEC 62443-3-3 systems, with which the components must comply in order to declare the security performance required in terms of security level and therefore be integrated according to the objectives of an end user or integrator in a very specific automation solution.
After attending the course you will be able to:
Set up an industrial cyber security risk assessment process
Define the criteria and methods for carrying out a risk assessment
Describe how cyber business risks are assessed and presented
Understand how threat intelligence is acquired and how credible threat assessment can be done
Understand what a vulnerability is, how it is categorized and cataloged, how it can be exploited to carry out an attack
Understand how to carry out a vulnerability analysis, with what purpose and with which tools to carry it out
Understand how a risk is estimated and assigned a security level and how to get to the zoning and segmentation of the network
Describe the reference architectures presented in IEC 62443 and understand how to use them within a specific infrastructure
Understanding how to protect the most critical areas of the plant
Understand the security requirements organized in IEC 62443-3-3 and how they contribute to the security objectives
Describe how a cyber security specification is born and its importance
This course is intended for manufacturers of products (components and systems) and integrators.
The assessment process for IEC 62443-2-1 and the contextualization of the criteria and method with reference to IEC 62443-3-2
The business rationale, as a fundamental criterion and step for determining the impact on the business of a potential attack
High-level risk analysis and determination of critical assets and credible threats
Network analysis, active and passive scans, vulnerability analysis, penetration tests, all tools for obtaining valuable information on an industrial network
Dynamics and simulations of attack, vectors and attack scenarios within the detailed risk assessment.
Detailed risk analysis, how to use the information from the high-level risk assessment and vulnerability analysis to determine the real risk on plants
What is the result of the assessment: security level, zoning and determination of the necessary processes and measures
The link between IEC 62443-3-3 and the result of the risk assessment
From risk assessment to cyber security specifications and related implementation
From the security level target to the security level actually reached, how to measure security performance
The course includes examples, developed on real components and systems, albeit in the laboratory.
During the course, group and individual exercises will be carried out to facilitate and verify the learning of the topics described.
Basic knowledge of automation systems and networks, familiarity with the principles and methods of risk assessment.