Introduction to product and system cybersecurity with focus on IEC62443

Price

Inquiry

Duration

2 Days


Purpose of the course

To give an introduction to and overview of product cybersecurity, specifically the IEC62443 standard, with special focus on the early phases, such as risk assessment methods and concept development.

Goals

The participants shall get an overall understanding of:

 

  • Introduction and background on Cyber security in general.

  • Terminology and definitions.

  • Cyber security management

  • Continuous cyber security activities including vulnerability analysis.

  • Threat analysis and risk assessment including examples of risk assessment methods.

  • Cyber security requirements and cyber security concept.

  • Product development related to cyber security.

  • Cyber security validation.

 

Day 1

09:00     Introduction

  • What is Cybersecurity?

  • Why is Cybersecurity important?

  • Embedded vs IT Cybersecurity


09:30     Cybersecurity Management

  • Cybersecurity Life cycle

  • Overall Cybersecurity management

  • Cybersecurity roles

  • Cybersecurity Culture


10:00     Overview of Cybersecurity standards


10:30     Cyber Resilience Act (CRA)

  • What is the Cyber Resilience Act?

  • Objectives for the EU initiative

  • ENISA

  • Timeline and fines

  • What needs to be done

  • Incident Reporting

  • Recommendations CRA


11:00     Directive on measures for a high common level of cybersecurity across the Union (NIS2)

  • What is NIS2?

  • Which organizations need to comply with NIS2?

  • Timeline

  • Recommendations NIS2


11:15     ISO27001 – Information Security Management

  • Overview

  • Why ISO27001


11:30     Discussions – Exercise


12:00     Lunch


13:00     ISA/IEC62443 – Security for industrial automation and control systems

  • Overview

  • IEC62443 for Service providers vs Product providers

  • IEC62443 Guidance

  • Selected definitions

  • CIA model

  • Recommendations IEC62443 1.1-2.4


14:00     System Examples

  • Zone examples

  • Conduit examples


14:30     Discussions – Exercise


15:15     Planning Cybersecurity work and general recommendations


15:30     Summary


16:00     End


 

Day 2

09:00     Introduction and recap from Day 1


09:30     IEC 62443 System and component level development

  • Product life cycle scope


10:00     System level development IEC 62443-3-2

  • Concept IEC 62443-1-1

  • Security Levels

  • Requirement areas in IEC 62443-3-2

  • Initial cyber risk assessment

  • Partition the SUC into zones and conduits

  • Risk comparison

  • Detailed risk assessment IEC 62443-3-2

  • Consequence and Impact

  • Likelihood

  • Risk Determination


10:45     Discussions – Exercise


11:30     System requirements IEC 62443-3-3

  • Cybersecurity requirements, assumptions and constraints

  • Foundation Requirements (FR) example

  • System requirements (SR) example

  • Requirement Enhancements (RE) example

  • Mapping of SRs and REs to FR Security levels 1-4


12:00     Lunch


13:00     Component level development IEC 62443-4-1; IEC 62443-4-2

  • Eight practices

    • Practice 1 – Security management

    • Practice 2 – Specification of security requirements

    • Practice 3 – Secure by design

    • Practice 4 – Secure implementation

    • Practice 5 – Security verification and validation testing

    • Practice 6 – Management of security-related issues

    • Practice 7 – Security update management

    • Practice 8 – Security guidelines


13:30     Risk determination including exercises

  • Threat modelling

  • Risk Assessment

  • Asset identification & damage scenarios

  • Threat Scenarios

  • Attack path analysis

  • Attack feasibility

  • Risk determination


15:00     Component cybersecurity requirements IEC 62443-4-2


15:30     Summary


16:00     End

Nohau Training Partner

This course is provided by a Nohau Training Partner, a trusted provider of hands-on training for professionals in embedded systems, software development, and engineering.
