Cybersecurity

SPHINX in Europe
IE
  • AT
  • BE
  • DK
  • FR
  • DE
  • IE
  • IT
  • NL
  • PL
  • ES
  • SE
  • CH
  • UK
Cybersecurity

Cybersecurity

Cybersecurity_banner.png

Table of contents

Introduction to the directives

The digital transformation of industries has increased cyber threats on businesses and thedaily number of attacks is increasing.

The EU has introduced new directives:

NIS

Introduced in August 2016, enforced from 2017.

Applied to Essential Entities

  • Energy, transport
  • Digital infrastructure
  • Water
  • Healthcare
  • Financial services
  • Public administration

NIS2

The latest regulation in force since October 2024.

Expands the scope
(with enforcement)
to Important Entities

  • Postal services
  • Chemicals
  • Food production
  • Manufacturing research

Adopts IEC-62664 for hardware compliance.

CRA

Due to come into force in October 2027.

Final details still under review. Approx 50% more content than NIS2


What are the basic requirements?


Security Measures Mandatory incident reporting
  • Incident detection & response
  • Access control & encryption
  • Supply chain security
  • Business continuity planning

For this you will need IEC-62443 certified products!
  • Initial warning within 24 hours
  • Incident report within 72 hours
  • Final report within one month

For this you will need a suitable Compliance Management System (CMS)!

Who does this affect?

Who-does-this-affect_neu-2.png
NIS2 Sector Subdivisions for Industrial & Networking/Computing Solutions
Critical Products Manufacturing Medical and diagnostics equipment, computers & computers systems, electronic / optical / electrical systems, heavy machinery, motor vehicles & trailers , other transport equipment.
Communications Networks Physical fibre / copper / radio infrastructure, service delivery platforms, network operations centres.
Social Networks & Datacentres Physical colocation / hosting infrastructure, power control and HVAC systems, access management, Network back-end infrastructure for Cloud computing, online marketplaces and search engines.
Water Treatment Reservoir / borehole monitoring & control, pumping stations, water quality monitoring, waste water collection / treatment / discharge
Space Satellite tracking & control, telemetry and tracking for mission control centres / launch infrastructure
Food Automated production lines, food storage / cold chain monitoring, quality control, warehouse management and supply chain logistics
Postal Services Automated parcel sorting machinery, conveyor control, video surveillance, logistics / tracking / fleet management
Public Administration Critical departmental networks and data processing facilities, traffic control and public utility management for regional / local government

1
NIS2 has adopted IEC-62443, they should too!
2
Follow the NIS2 CSF (Cyber-Security Framework) to...
  • Protect (against breaches)
  • Detect (if a breach occurs)
  • Identify (the issues)
  • Report (suspect activity) &
  • Recover (from the attack)
3
Buy & implement ISO 37301 CMS
(Compliance Management System) within their business organisation
  • Leading to a process of continuous review &
  • Natural adjustment to comply as the standards evolve
4
Become familiar with the CRA's details.
It's mandatory from October 2027. (NIS2 makes-up about 67% of the CRA.)

IEC-62443 Jargon made simple

"SCOPE"

There are 4 parts to this...

Scope_3.png

Part 1 gives an overview of the secure development processes that apply to everyone.

Part 2 focusses on policies & procedures for the asset owners or service providers, dealing with the organisational and procedural aspects of Cybersecurity.

Part 3 focusses on the system level aspects for systems integrators, including security risk assessment for the system design.

Part 4 focusses on the product for the component-level product suppliers / manufacturers and is a technical-oriented standard.

Products from SPHINX will comply with IEC-62443-4-x only, because these apply to the product supplier and this is our area of operation.

Where '-x' is -1 or -2

-1 relates to the product development requirements

-2 relates to the technical security requirement for IACS* components

*Industrial Automation and Control System

"FOUNDATION REQUIREMENTS (FR)"

Cross industry collaboration against cyber threats has resulted in a list of 123 Foundation Requirements which have been grouped into 7 categories...

FR.png

PDFDownload List of requirements IEC62443-4-2 - 507 kb

"SECURITY LEVELS (SL)"

There are 5 Security Levels...


Each SL (above 0) covers anincreasing proportion of theFoundation Requirements.


For most industrial applications SL2 is deemed to be sufficient.


Higher levels will have anunacceptable impact on day-to-day operation & maintenance &cost much more to produce.

Security_Level.png

"Certification" vs "Compliance"

NIS2 requires IEC-62443 "compliance".


Compliance Certification
  • Self-qualification by the product′s manufacturer
  • Always much cheaper to 'achieve' and may be sufficient for applications not yet covered by NIS2
  • Always carried-out by a thirdparty, so is a guarantee to the endcustomer that the standard is being met
  • Adds cost to a product. The higherthe SL, the higher the cost.

Product ranges from SPHINX

Our IEC62443-4-2 CERTIFIED industrial product ranges include:


No Product Range Advantech InHand Moxa
1 Embedded Computers (RISC)
2 Edge Gateways
3 Routers
4 Managed Network Switches
5 Wireless
6 Touch Panel PCs
7 Management Software
(not actually certifiable)
Accept all Reject Configure

This website uses cookies to provide the best possible experience. More information.