Digital transformation of the manufacturing sector driven by Industrial Internet of Things (IIoT) and autonomous driving enabled by Internet of Vehicles (IoV) are key focus areas of today's industrial development and they offer tremendous business opportunities. In particular, with 5G commercialization kicking off, vendors have high hopes for the explosive market potential to be ignited by 5G, featuring low latency and high-speed data transmission.
However, flourishing market developments also bring rising cybersecurity risks to the diverse range of connected devices. There have been frequent reports of manufacturers coming under cyberattack, and it is foreseeable that cybersecurity risks will only multiply once the Internet of Everything (IoE) era arrives. Accordingly, neither suppliers looking to capture IoT opportunities early nor manufacturers undertaking digital transformation can afford to overlook how to meet the latest cybersecurity requirements.
During a recent interview, TUV NORD management gave an in-depth look at IEC 62443, a series of standards aimed at the security of industrial automation and control systems (IACS); Automotive Software Performance Improvement and Capability dEtermination (ASPICE), which provides a framework for software development and capability assessment in the automotive industry; and ISO/SAE 21434, which provides standardized cybersecurity engineering elements for vehicles. TUV NORD hopes to keep vendors abreast of the latest standards so that they can begin preparation early, foster a cybersecurity culture, capture rising opportunities and ensure sustainable success.
Becoming the target of cyberattacks, manufacturers must deal with IACS cybersecurity threats
According to David Lin, Senior Technical Manager, Industrial Service, TUV NORD, manufacturers have always focused on safety, working to prevent equipment failure from causing harm to people. Now that factory machines are connected to networks, manufacturers also have to consider how security affects safety. IEC 62443 was established to address this issue: it provides a set of standards for IoT applications that fills what was missing from operational technology (OT) security frameworks in the past. IEC 62443 differs from the Common Criteria for Information Technology Security Evaluation (known as the Common Criteria or CC), which the IT industry has long practiced.
Jack Liao, Senior Manager, Product Certification, Industrial Service, TUV NORD, added that IEC 62443 is explicitly aimed at ensuring the availability of critical infrastructure such as harbors, power plants, docks and airports, and at preventing cybersecurity breaches from disrupting services. In this it differs from ISO 27001, a specification for an information security management system whose emphasis is data confidentiality.
This is also why the EU is strongly promoting IEC 62443 as the IACS standard. When cyberattacks are launched against a country, it is imperative that infrastructure services keep operating without interruption. The same is true of Taiwan, nicknamed Silicon Island: should the semiconductor supply chain that Taiwan takes such pride in come under cyberattack, the global market would feel the impact.
This sheds light on the importance of IEC 62443 and the challenges it is intended to address. Within the vast scope of IACS cybersecurity, IEC 62443 emphasizes "defense in depth," a multi-layered defense in which security requirements are distributed throughout the system, from management at the outer layer to product technology at the core. Taking network devices as an example, IEC 62443 specifies requirements for each of the seven layers of the Open Systems Interconnection (OSI) model, enabling all-round protection against potential cybersecurity threats.
IEC 62443 consists of four parts: General, Policy and Procedure, System and Component. Taiwan-based manufacturers have to focus on establishing a management system that guarantees the security of connected devices and minimizes the risk of cyberattack. With global IACS manufacturers taking the lead in obtaining IEC 62443 compliance certification, Taiwan-based IACS manufacturers have to follow suit in order to enter the global market and capture the next wave of opportunities. At the same time, they also need to build IEC 62443-compliant development processes and create IEC 62443-compliant products.
David Lin noted that although parts of the IEC 62443 standard are still under development, the number of certificates issued worldwide has increased from three in 2019 to more than 50 in 2020, indicating that the new standard is gaining acceptance. With the EU mandating IEC 62443 compliance for all infrastructure equipment by year-end 2023, IEC 62443 will become widespread, and vendors should take early action and look closely at IACS cybersecurity.
Three main automotive electronics standards ensure information security and functional safety
Among automotive network security standards, the Cyber Security Management System (CSMS) and ISO/SAE 21434 are two new sets of requirements. According to Jack Liao, CSMS and ISO/SAE 21434 can be considered extensions of IEC 62443: CSMS focuses on the management system, while ISO/SAE 21434 addresses the technology and the development process.
In line with the spirit of IEC 62443, CSMS and ISO/SAE 21434 also emphasize availability and defense in depth, with the aim of ensuring cybersecurity for automotive networks. CSMS is set to go into effect in January 2021. The EU will mandate a certified CSMS for the approval of new vehicle types from 2022 and for first registrations of all existing vehicle types by 2024.
As for ISO/SAE 21434, which covers cybersecurity engineering and the entire development process, only a draft version currently exists, as IEC 62443 is still under development. The finished version is not expected until the first half of 2021. Nevertheless, with automakers strongly promoting ISO/SAE 21434, all automotive electronics component suppliers will have to get ready to meet their customers' requirements.
Apart from automotive network security, automotive electronics suppliers also need to take the functional safety standard ISO 26262 and ASPICE into consideration.
David Lin thinks ISO/SAE 21434, ISO 26262 and ASPICE are the three indispensable elements to Taiwan-based suppliers looking to foray into the automotive electronics market.
In practice, ISO/SAE 21434 and ISO 26262 focus more on methodology, while ASPICE provides a framework that ties the development process together. Suppliers are therefore advised to adopt the ASPICE process first and then, on that basis, introduce the ISO/SAE 21434 and ISO 26262 frameworks to reap the greatest benefit.
Jack Liao added that ISO/SAE 21434 and ISO 26262 are similar in that both use a V-model as the reference process model for the different phases of product development. The difference is that the former targets information security and the latter functional safety. As software will play a critical role in autonomous driving in the future, suppliers that develop software using the ASPICE process will be able to ensure robust security for the entire automotive electronics system. Taiwan-based automotive electronics suppliers, including developers of IC chips, software, modules and subsystems, all need to follow ISO/SAE 21434, ISO 26262 and ASPICE in building their products, according to each product's characteristics.
In conclusion, Jack Liao emphasized that IEC 62443, ISO/SAE 21434 and ISO 26262 were all established to drive the formation of security policy and foster a security culture. This has to be a full-scale effort at every level of the corporation, from top to bottom. Only in this way can a corporation internalize cybersecurity awareness rather than merely using a security certification to gain entry to the market.
As a wide variety of IoT applications reach maturity over the next few years, cybersecurity incidents will skyrocket. It should be noted that all of these cybersecurity standards will be in effect by 2024. It is essential that suppliers take early action and actively build a cybersecurity culture so that they can overcome future security challenges and capture rising opportunities.
Photo: Jack Liao (right), Senior Manager, Product Certification, and David Lin (left), Senior Technical Manager, Industrial Service, TUV NORD
DIGITIMES' editorial team was not involved in the creation or production of this content. Companies looking to contribute commercial news or press releases are welcome to contact us.