Principle for the testing and certification of industrial security aspects in functional safety

Project No. IFA 5149

Status:

completed 12/2019

Aims:

At present, test specifications do not exist by which the security aspects of safety components could be evaluated. Since safety components increasingly possess digital interfaces and the level of networking within production facilities is continuing to rise, it must be assumed that a risk now exists of safety components being attacked or manipulated through these digital interfaces. This principle is intended to identify the security requirements deriving from the existing IEC 62443-4-1:2018 (Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements) and IEC 62443-4-2:2019 (Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components) standards with regard to safety components. The IEC 62443 series of standards introduces "Security Levels" (0-4) for the evaluation of security. A higher Security Level corresponds to stricter requirements. The new test principle should initially contain the requirements for a Security Level 1, as many current security problems can be solved with this. Following production of the test principles, preliminary tests are to be conducted on selected components to determine their suitability for use in the field. An extension of the requirements in the form of Security Level 2 is envisaged.

Activities/Methods:

Development of test principle for security requirements in accordance with Security Level 1 (IEC 62443-4-2 and IEC 62443-4-1) in a DGUV Test working group with the involvement of the BGETEM, BGHM, BGN, BGRCI, DGUV Test and IFA: In the first instance, this process will be limited to functional safety components and will not cover entire machines or systems. Publication of the test principles in the form of an IFA Test Principle and application of the agreed test principles to selected products: In the first instance, this process will be limited to safety components and will not cover standard components or networks. An extension of the test principles for security requirements in accordance with Security Level 2 (IEC 62443-4-2/IEC 62443-4-1) is envisaged. Whether extension is necessary depends upon current developments on the market in the area of security.

Results:

The test principle for certification of implemented measures with respect to the security requirements upon safety components in accordance with Security Level 1 (IEC 62443-4-2 and IEC 62443-4-1) is drawn up in the DGUV Test working group. The group concluded that the test principle should be published solely by the IFA. The test principle may however be amended only with the approval of the working group, and not unilaterally by the IFA. Publication is planned for mid-February under the code GS-IFA-M24. This test principle now also enable safety components to be tested with consideration for security aspects, and an additional DGUV Test certificate and DGUV Test mark stating "Sicherheit geprüft/tested safety/ industrial security tested" to be issued. Following publication of the test principle, the first tests will reveal whether extension of the existing test principle to cover machines or further Security Levels are required by the market. Some companies have already expressed their interest in having products tested in accordance with the new test principle, but as yet, actual tests have not been commissioned.

Last Update:

28 Apr 2020

Project

Financed by:
  • Deutsche Gesetzliche Unfallversicherung e. V. (DGUV)
Research institution(s):
  • Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung (IFA)
  • Berufsgenossenschaft Energie Textil Elektro Medienerzeugnisse (BGETEM)
  • Berufsgenossenschaft Holz und Metall (BGHM)
  • Berufsgenossenschaft Nahrungsmittel und Gastgewerbe (BGN)
  • Berufsgenossenschaft Rohstoffe und chemische Industrie (BG RCI)
  • DGUV Test
Branche(s):

-cross sectoral-

Type of hazard:

questions beyond hazard-related issues

Catchwords:

machine safety

Description, key words:

security, test principle

Contact