Securing Industrial Automation and Control Systems Starts in Software Development – Security Boulevard

Following the IEC 62443 standard for secure software development helps ensure quality, safety and security

The importance of industrial automation and control systems (IACS) to the critical operations we rely on cannot be overstated. From the manufacturing of consumer and commercial products, to power generation and water supply, to HVAC for the offices we worked in before COVID-19 (we'll be back), to smart utility metering for our homes and much more, these systems are essential to our lives and our economy. Keeping them secure is a must.

A cybersecurity event targeting IACS can have a devastating impact. As these devices and systems become smarter, more interconnected and more exposed to the Internet, the attack surface grows and so does the risk. As highlighted in its Year in Review 2020 report, industrial cybersecurity company Dragos saw a threefold increase in cyber threats to IACS last year.

As stated earlier, IACS devices are becoming smarter, the result of more complex embedded software enabling remote functionality, automation and analytics. More complex software means more lines of code, and more opportunities for vulnerabilities to slip in: known (N-day) vulnerabilities inherited from reused components, and as-yet-undiscovered (0-day) vulnerabilities in newly written code, unless the software is diligently tested throughout the software development life cycle (SDLC).

Thankfully, there are standards for developing secure software, such as IEC 62443, designed to help reduce the vulnerabilities in software embedded in IACS devices. The IEC 62443-4-1 standard (Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements) defines specific requirements for using a secure development lifecycle in the design, implementation, maintenance and testing of products used in industrial automation and control systems.

GrammaTech, together with Exida, a leading certification company specializing in IACS functional safety and cybersecurity, recently issued a joint whitepaper, Using GrammaTech CodeSentry and CodeSonar to Improve Software Security and Comply with IEC 62443.

In this whitepaper, Exida details how GrammaTech's CodeSentry (binary Software Composition Analysis, SCA) and CodeSonar (Static Application Security Testing, SAST) tools can be integrated into an IACS supplier's SDLC and DevSecOps processes to help comply with the IEC 62443 standard.

Exida describes two major contributors to security vulnerabilities found in products today, which are implementation weaknesses in programs created in languages such as C and C++ and the use of Third-Party Software (TPS). The CodeSentry and CodeSonar tools can address both of these issues.
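To make the first of those two contributors concrete, here is an added illustration of the kind of C implementation weakness a SAST tool is expected to flag. It is not code from GrammaTech, Exida or the whitepaper; the scenario (a hypothetical IACS device parsing a `tag=value` setting received over its management interface into a fixed-size buffer) and the function names are assumptions made for this example.

```c
/* Added example, not from the whitepaper or GrammaTech: an unbounded copy
 * into a fixed-size buffer (CWE-787 / CWE-120) beside its hardened form.
 * The "tag=value" setting format and the function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define TAG_MAX 16   /* capacity of the on-device tag buffer, NUL included */

/* Vulnerable: copies characters up to '=' with no check against the
 * destination size. A tag longer than TAG_MAX - 1 characters writes past
 * the end of dst. A static analyzer tracking buffer bounds reports this
 * because the loop bound depends only on attacker-controlled input.
 * Returns 0 when a '=' separator is found, -1 otherwise. */
int parse_tag_unsafe(const char *msg, char *dst)
{
    size_t i = 0;
    while (msg[i] != '\0' && msg[i] != '=') {
        dst[i] = msg[i];            /* out-of-bounds write for long tags */
        i++;
    }
    dst[i] = '\0';
    return msg[i] == '=' ? 0 : -1;
}

/* Hardened: the caller passes the destination capacity, an over-long tag
 * is rejected rather than silently truncated (truncation could alias two
 * distinct tags), and dst is always left NUL-terminated.
 * Returns 0 on success, -1 if no '=' is found or an argument is invalid,
 * -2 if the tag does not fit in dst. */
int parse_tag_safe(const char *msg, char *dst, size_t dst_len)
{
    size_t i = 0;
    if (msg == NULL || dst == NULL || dst_len == 0)
        return -1;
    while (msg[i] != '\0' && msg[i] != '=') {
        if (i + 1 >= dst_len) {     /* keep one byte for the terminator */
            dst[0] = '\0';
            return -2;
        }
        dst[i] = msg[i];
        i++;
    }
    dst[i] = '\0';
    return msg[i] == '=' ? 0 : -1;
}

int main(void)
{
    char tag[TAG_MAX];
    /* Constructed inputs: a normal setting and an over-long tag. */
    const char *ok_msg   = "setpoint=42";
    const char *long_msg = "AAAAAAAAAAAAAAAAAAAA=1";   /* 20-character tag */

    printf("safe(ok)   -> %d, tag=\"%s\"\n", parse_tag_safe(ok_msg, tag, sizeof tag), tag);
    printf("safe(long) -> %d\n", parse_tag_safe(long_msg, tag, sizeof tag));
    /* parse_tag_unsafe(long_msg, tag) is deliberately not called: it would
     * overflow tag and corrupt the stack. */
    return 0;
}
```

The defect in `parse_tag_unsafe` is exactly the class of bug that is easy to miss in review but mechanical for a static analyzer to find, which is why the whitepaper pairs SAST with SCA rather than relying on either alone.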

CodeSonar can be seamlessly integrated into the SDLC to continually find and remediate errors and vulnerabilities in code. With CodeSentry, you can perform a binary analysis to identify the open-source and third-party software components of the software to generate a software bill of materials (SBOM) and vulnerability report.

This whitepaper introduces common causes of security vulnerabilities, including implementation weaknesses in programming languages and TPS. In addition, it describes TPS types and specific TPS security challenges, and provides guidance on how to use the GrammaTech CodeSentry and CodeSonar tools in a workflow to select and manage TPS and overall product security.

If developing secure, vulnerability-free code is your priority, we encourage you to download and read our whitepaper.

To see CodeSentry and CodeSonar in action and how our solutions can solve your specific requirements, book an evaluation today.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Christian Simko. Read the original post at: https://blogs.grammatech.com/iec-62443-securing-industrial-automation-and-control-systems-starts-in-software-development
