Holistic and Proven IACS Cybersecurity.

Secure Development LifeCycle - An IEC 62443-4-X approach

As per regulatory and compliance requirements, it is becoming mandatory for OEMs to develop OT devices and applications in a secure way. IEC 62443-4-1, along with IEC 62443-4-2 (component) and IEC 62443-3-3 (system), gives a very good approach to establishing a ‘Secure Development Life Cycle’ that maintains security throughout the lifecycle of devices and applications.

Note - Here ‘product’ includes a single OT component or a group of components that together form a system or sub-system.

Approach as per IEC 62443-4-1

IEC 62443-4-1 is the standard primarily used to establish a Secure Development Life-Cycle in the development environment of an OEM/product supplier. It is also a requirement for Secure Development Life-Cycle Assurance (SDLA) certification from ISCI (ISA Security Compliance Institute). IEC 62443-4-1 draws on the following standards.

  1. Common Criteria – IEC 15408-3
  2. OWASP
  3. The Security Development Lifecycle by Michael Howard & Steve Lipner
  4. Functional Safety for programmable electronic safety system (PES) – IEC 61508
  5. Software Considerations in Airborne Systems and Equipment Certification - RTCA DO-178B

The above combination of standards makes clear that the priorities include the following (but are not limited to them).

  1. Safety culture in process or manufacturing industrial complexes.
  2. Availability of the system/ application.
  3. Deterministic behaviour and robustness.
  4. Longer life cycles of OT products.
  5. Rigid operational processes which do not change over long durations.
  6. Changing dynamics of IT-OT convergence.
  7. Accommodation of more stable and interoperable protocols like OPC UA, traversing multiple levels in PERA.
  8. Industry 4.0, demanding more connected systems.
  9. Secure-by-Design and Defence-in-Depth as key philosophies.
  10. Confidentiality and Integrity.

[Figure: Process flow depicting the relation between the IEC 62443 standards in the context of the SDLC]

Compliance with IEC 62443-4-1

IEC 62443 expects the product supplier to have well-defined and proven product development processes in place that can be extended to comply with the requirements specified by IEC 62443-4-1. This ensures that the correct OT context is preserved in the development process. For this purpose, the Microsoft Security Development Lifecycle can be used as a reference and extended to meet IEC 62443-4-1.

IEC 62443-4-1 has eight practices, each with requirements to comply with. The practices are as follows; they can be cross-referenced with SDLA-300 on the ISASecure portal.

The requirements in each practice can be carefully evaluated for applicability and adoption. A documented and approved SDLC process, together with evidence that it is actually practised, will serve to qualify for SDLC compliance and SDLA certification.

Maturity Model

IEC 62443-4-1 also provides a maturity model based on CMMI-DEV. The standard uses maturity levels 1 to 3 as in CMMI but merges levels 4 and 5 into a single level, ‘improving’. This maturity model can be used to track progress and to align the strategy for reaching the next level.

Conclusion

IEC 62443-4-1 (along with IEC 62443-4-2 and IEC 62443-3-3) provides a solid framework for establishing an effective secure development lifecycle. Progress can be assessed using the maturity model, based on recognised KPIs.