Discover how the IEC 62443 security standard for Industrial IoT (IIoT) or Industry 4.0 applies to secure elements and how it affects embedded products.
IEC 62443 is a cyber security standard for the industrial market that affects how semiconductor devices are selected. The following questions and answers come from our "Ask Our Experts | About Secure Elements" playlist on YouTube.
Can you give us a quick overview of the IEC 62443 standard?
IEC 62443 is a specification that is targeted at the industrial market. It is a document that is nearly 900 pages long, which can be a little daunting, but it’s narrowly focused on the industrial automation and control systems market. Virtually all of the major players in this space have adopted it, beginning in the twenty-teens and now into 2020 and beyond. So, this specification has been maturing over time.
Those 900 pages are broken up into four major sections. First, you have your general section which covers terms, a glossary, and an overview of security topics.
Next is policies and procedures; within policies and procedures, they actually define different levels of security. Level zero is no security at all; level one is protections against accidental errors that you may have designed in your system; level two is based on simple sorts of attacks, but intentional attacks on your device, using basically a moderate level of resources and access to design databases or documentation related to that specific product. Then it moves to level four, which also uses sophisticated attack methods, but also increases the level of knowledge; so you would have somebody that is very knowledgeable about the design of the platform and using sophisticated attacks.
As we move from policies and procedures, now we go to system level, which is where things get interesting for our customers, where they have to be concerned about those devices actually attaching to a network. In those sorts of areas, they'll define some risks associated with their particular node. You may determine a variety of ways that a hacker may try and attack a node, and if they do attack a node and they're successful there, you can explore what other nodes they might have success attacking; it is sort of an attack tree analysis.
Then at the component level, that is really where silicon products come in, and that is where we can help our customers select the right device like our CryptoAuthentication™ ECC family or CryptoAutomotive™ Trust Anchor security ICs as well, and we can help them satisfy all these requirements. We ourselves have our own risks and vulnerabilities that have been defined in documents like the Attack Potential to Smartcards Version 3.1 and beyond, where they've identified the types of attacks that are known that you should protect against, which we have and we have third-party assessments to prove that.
To help our customers with that selection, we've also put together an application note and a blog post that highlight some of the vulnerabilities that have been defined in these sets of IEC 62443 documentation, where we can identify how a specific feature of a device can be associated with the spec and help them implement and prove compliance to IEC 62443.
Todd Slack, Apr 4, 2023
Tags/Keywords: Security, Industrial and IoT