The setting of IEC 62443 includes the entire life cycle of products, from their conception in terms of components and systems, their integration into automation systems, up to their disposal by the end user. The fourth part of the standard defines lifecycle and requirements for component manufacturers (understood as embedded, host, network and software) and systems or those products made by combining components and which will be placed on the market as such in order to be configured as necessary in specific installations. This module traces this lifecycle based on IEC 62443-4-1 covering product design, implementation, testing and finally technical support and documentation, in order to implement the processes necessary for the conception and provision of integrators. and end-user of products developed in accordance with a very specific process from a security point of view and with the relative performances (understood as capability) known and declared. In addition, the manufacturer is required to organize a technical assistance service in order to support the end user in resolving potential critical issues that may occur during the useful life of the product in the security field, such as those related to the mitigation of vulnerabilities. that can be found on the products. In addition to the process, the IEC 62443-4-2 standard also defines the technical requirements which, in analogy to the IEC 62443-3-3 systems, with which the components must comply in order to declare the security performance required in terms of security level and therefore be integrated according to the objectives of an end user or integrator in a very specific automation solution.
After attending the course you will be able to:
Understand the key elements related to the development of a safe product, as required by IEC 62443-4-1
Describe and implement a security plan for product development
Explain and what threat modeling is for
Understand the importance of a cybersecurity specification
Understand how important the relationship with suppliers is and explain how it should be managed
Describe the cornerstones relating to the conception and design of a safe product
Understand how to implement a security-related testing program
Understand how to deal with product security issues and how to manage updates
Describe what is required of the manufacturer in terms of documentation
Describe the safety requirements applicable to the product according to the required safety performance.
This course is intended for manufacturers of products (components and systems) and integrators.
From the System Integrator to the supplier of automation systems and subsystems.
Component, System and automation solution, differences and management methods.
System Requirements: how a system or a part of it contributes to security.
Security levels and impacts on system security.
Component requirements and their contribution to system security.
Types of components (host, embedded, network) and related security requirements.
Cyber Security Management System (CSMS) for systems and components general aspects and process management.
Specification of cyber security requirements as a basis for design.
Product development in terms of design: Secure by design, threat modeling.
Secure Implementation as a production method.
Verification and validation, configuration, vulnerability and penetration tests.
Post delivery activities, management of security issues and patch management.
Instructions and dialogue with the user.
Certification of systems or components
The course includes examples, developed on real components and systems, albeit in the laboratory.
During the course, group and individual exercises will be carried out to facilitate and verify the learning of the topics described.
Basic knowledge of automation systems and networks, types of components and management systems.