Issue link: https://resources.mouser.com/i/1512203
64 ADI | Engineering a More Sustainable Future

involves a learning curve and reaches beyond absorbing the technical language. Each section within IEC 62443 must be understood as a part of a larger whole, as the concepts are interdependent (as shown in Figure 3). For example, as per IEC 62443-4-2, a risk assessment targeting the entire IACS must be conducted and the outcomes will condition the decisions that determine the target security levels for equipment. [5]

Figure 2: The number of ISA certifications over time. [4]

Figure 3: A high-level view of the certification process. [3]

Designing IEC 62443 Compliant Equipment

Highest Security Levels Call for Hardware Implementation

The IEC 62443 defines security levels in straightforward language as shown in Figure 4. The IEC 62443-2-1 mandates a security risk assessment. As an outcome of this process, each component is assigned a target security level (SL-T).

As per Figure 1 and Figure 3, some parts of the standard deal with processes and procedures while IEC 62443-4-1 and IEC 62443-4-2 address the components' security. Component types as per IEC 62443-4-2 are software applications, host devices, embedded devices, and network devices. For each component type, IEC 62443-4-2 defines the capability security level (SL-C) based on the component requirement (CR) and requirement enhancement (RE) they meet. Table 1 summarizes SL-A, SL-C, SL-T, and their relationship. [2]

Table 1. Security Levels Summary

|            | Target Security Level | Capability Security Level | Achieved Security Level |
|------------|-----------------------|---------------------------|-------------------------|
| Acronym    | SL-T | SL-C | SL-A |
| Definition | The security level equipment should reach according to the system-level risk assessment | The security level equipment is capable of according to the CRs it supports as per IEC 62443-4-2 | The security level that equipment achieves |
| Objective  | SL-T ≥ level defined by risk assessment | SL-C ≥ SL-T | SL-A ≥ SL-T |

Let's take the example of a network-connected programmable logic controller (PLC). Network security requires that the PLC is authenticated so that it does not become an entry point for attacks. A well-known technique is public key-based authentication. With regard to IEC 62443-4-2:

- Level 1 does not consider public key cryptography
- Level 2 requires the commonly adopted processes such as certificate signature verification
- Levels 3 and 4 call for hardware protection of the private keys used in the authentication process

Starting at Security Level 2, many security functions are required, including mechanisms based on cryptography involving secret or private keys. For security levels 3 and 4, hardware-based protection of security or cryptography functions is required

