Standards are a powerful tool for ensuring reliability in electronic products. But when it comes to cyber security, what standards are there, and how can you use them?

By Jeppe Pilgaard Bjerre

What does it require to develop solid and saleable electronics products?

Developing electronics is an exercise in mastering many disparate disciplines. Producing a saleable product requires a solid grasp of circuit design, testing, approval, manufacturing, and logistics. Cyber security is a topic to consider for manufacturers and device users alike.

Keep track of industrial IoT security considerations from the beginning

Keeping track of security considerations for individual devices, determining requirements for entire systems, and designing security solutions with components from various manufacturers is challenging. If users' needs are unclear, developing specific security requirements for a product can be demanding.

Security is critical in the industrial IoT (IoT) field since the consequences of a device's misuse can ultimately be catastrophic for the equipment and the employees that rely on it. Manufacturers must implement processes for cyber security in the development phase and design products with security in mind from the beginning. Adding it to a finished product only makes development more complicated and expensive. Always start by defining the requirements that identify what must be protected.

Specific skills and standards help protect IOT products

Getting started with an IOT product protection strategy can be challenging if employees lack the relevant skills. Reviewing some of the standards and guidelines on basic product cyber security like ETSI EN 303 645 is a good start. This standard can serve as the foundation of a cyber security strategy and help manufacturers implement tools that make it easier to maintain product security.

ETSI EN 303 645 lists basic requirements that a product must fulfil, like devices needing either unique default passwords or user-set passwords, that software must be updatable and that sensitive data must be stored securely.

Requirement: have publicly available policies reporting IOT product vulnerabilities

One interesting requirement is that manufacturers must have publicly available policies on reporting vulnerabilities discovered in their products: the ETSI EN 303 645 standard imposes requirements on managing products' security over their lifetimes and not only technical product requirements.

Is a risk-based approach to cybersecurity relevant for you?

The ETSI EN 303 645 approach to security is ‘one size fits most’: not based on any specific kind of product, the standard’s requirements aim to remedy the most observed security issues in IOT products on the market.

Standards like UL2900-1 and IEC 62443 may be helpful if you prefer an approach based on a specific product. These standards take a risk-based approach to security and require developing and implementing a risk analysis process for products that wish to adhere to these standards. The advantage is that the result is a tailor-made security strategy for an individual product. Still, the success of this approach depends on how well the risk analysis process is performed and maintained.

Know the standards for industrial automation systems to maintain their cybersecurity

The IEC 62443 standard series is the ideal reference for industrial systems. This standard is written with industrial automation systems in mind, from elements as small as PLCs to entire factories — including processes. This series of standards covers three main areas:

  1. Vendors who produce hardware and software
  2. Integrators who assemble elements to form whole systems
  3. Owners who use the systems

Vendors have standards describing how products that form part of an industrial system should be developed. It includes specific technical requirements like No unique default passwords and development process requirements to address who is responsible for which security functions, what tests should be performed and who should perform them.

For integrators, much as for vendors, there are standards regarding how systems should be designed and what requirements they need to meet to achieve a given level of security. The task here is to apply requirements to specific installations, such as sub-component requirements, security zone divisions and requirements for transitions between zones. It is essential to easily communicate which requirements any given component fulfils.

One way of managing this is using a Security Level Vector. This describes the levels of security a component can achieve when configured accordingly. This vector makes it easier for an integrator to determine whether a particular component is suited for use in a specific application. It eliminates the need to thoroughly review the documentation for many devices to find components suited for a task.

For owners, some standards address topics like managing the operation of a system. These standards consider software updates, users, risk analyses, etc.

Approval programmes for IEC 62443 promote trust

Approval programmes for IEC 62443 allow vendors and integrators to have a third-party review of their systems and components, just as is done for 'normal' product approvals. This can promote trust in a product's security and minimise the risk of accidentally releasing a defective product.

Cybersecurity processes are a case of compliance

It makes sense to consider cyber security alongside environmental, EMC, and other requirements that a product must fulfil to gain approval. Security can be handled in the same way as compliance in other areas. Ultimately, this is about ensuring the robustness of a product relative to the environment in which it will be used. In a world where cyber security is becoming ever more critical, this challenge should be taken seriously, even before regulatory requirements appear to control which products have access to the market.

Use standards to ensure reliable IOT products

We use standards to help us with many aspects of product design. They help us maintain uniformity, so we can ensure that products are reasonably reliable when they make it out into the world.

There are good reasons to take the same approach to cyber security. Considering the amount of IoT products launched and the rising number of devices connected to the internet, it is in everyone's best interest to make a serious effort to ensure that these products are secure: to ensure that they continue to function and do not become vehicles for attacks on other systems.

Get help to design, test, produce and launch cyber-secure IOT products

Standards are a powerful tool for those building security strategies and businesses that need to deliver uniform solutions across product series. Standards help us ensure that we take a consistent approach to product development and maintain a certain level of security that lives up to people's expectations for electronic devices.

Contact us to find out how we can help you design, test, produce and launch cyber-secure IOT products and systems.

This article was published in Aktuel Elektronik in 2020.