TÜV SÜD (part of the German Association for Technical Inspection) has awarded us a certificate of conformity to the new ISA/IEC 62443-4-1:2018 security standard. It confirms that our software development, quality assurance, and support processes have a secure design that is in line with current industrial IT security guidelines.
International series of standards ISA/IEC 62443 provides a framework for closing and reducing security loopholes in industrial automation and control systems, allowing users to take a preventive, systematic approach. Its new standard, ISA/IEC 62443-4-1:2018, aims to make the entire lifecycle of products more secure.
The basis for our certification
The standard governs certain requirements for safeguarding the lifecycle of products such as zenon: security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life.
Additionally, our project team – led by Reinhard Mayr, Head of Information Security & Research Operation at COPA-DATA – had to develop a realistic, cross-industry use case. “Our objective was to define a use case that would not only reflect the real use of our software in a networked production environment and take our investments in security features from recent years into account, but would also meet the requirements of the standard,” says Reinhard Mayr.
Security built up layer by layer
In the certification use case, a range of different systems of the kind found in a state-of-the-art, networked production facility are assembled layer by layer to form one complete, secure system. At the heart of the production process, a production cell requires maximum protection against harmful external influences and the vulnerabilities of other components to which it is linked.
The primary tool used to achieve this is a demilitarized zone (DMZ) that is in line with the general IT security concepts outlined in the IEC 27001 standard. “Our DMZ, which is based on zenon technology, keeps external influences away from the operational area and strengthens IT security. The strategies and concepts that we have been pursuing for many years now when developing zenon, such as security by design and defense in depth, also help to achieve this. Thanks to our many native zenon protocols, we are also able to make it more difficult for attackers to cause serious damage,” explains Reinhard Mayr.
Mark Clemens (left) and Reinhard Mayr are two members of our security management team, tasked with improving security throughout the lifecycle of our software zenon.
Security: A complex team effort
With the aim of making industrial IT security an even more significant part of the software development process, we expanded our security management team and gave it more powers. Now that the new certification has been achieved and recertification will take place annually, the entire COPA-DATA security lifecycle will be constantly under scrutiny.
Security remains an issue with which all areas of a company as well as manufacturers of system components need to concern themselves. Everything and everyone linked by an IT network – humans, companies, hardware, and software alike – has a requirement to uphold fundamental security standards. “We are doing our utmost to support our customers’ security strategies and protect them against cyberattacks whenever we can,” says Reinhard Mayr.
Are you a zenon user with questions about security? Get in touch with your local zenon contact or send us an e-mail.