The cybersecurity sector for industrial control systems (ICS), including the railway industry, has long recognized the IEC 62443 as the unofficial gold standard in cybersecurity. We at Cylus believe that advocating for standards necessitates a total commitment to integrating them into the ecosystem. While our product, CylusOne, offers advanced features to help customers achieve compliance with essential standards, we felt this was just the starting point.
Accordingly, we aim to ensure that our product achieves certification against the highest standards, ensuring our customers can deploy it confidently and aligned with their compliance objectives. Since 2021, Cylus has been certified to IEC 62443-4-2 ML2, demonstrating that our development processes adhere to the highest cybersecurity standards. However, our ambitions extended beyond just meeting these requirements. We set out to obtain IEC 62443 certification for our product, CylusOne. We've now achieved a significant milestone by completing its certification to IEC 62443-4-2 with Security Level 3.
In this post, we'll detail our path to this certification, its significance as a cybersecurity vendor, and its implications for our customers and the railway industry.
Understanding the IEC 62443-4-2
IEC 62443 is a series of standards developed by the International Electrotechnical Commission (IEC) specifically for industrial automation and control systems (IACS). It addresses the cybersecurity of industrial automation, control systems, and the physical systems they control. As a series of standards, it covers the whole lifecycle of ICS systems and networks: the development of products by vendors, the integration of the different solutions by system integrators, and the operational lifetime management by the asset owner. This allows the different actors in the ecosystem to communicate better, instruct, and trust each other during the various phases of the systems' lifecycle.
Among existing standards, IEC 62443 is the one that best covers cybersecurity for railway systems and networks. This is due not only to the diverse and heterogeneous nature of the systems within the railway industry, but primarily to the critical safety considerations inherent to rail operations.
The mission to define a dedicated cybersecurity standard for railways is gaining momentum, starting with the European release of CENELEC TS 50701, which integrates the principles of IEC 62443 with rail-specific safety and management standards. Developing IEC 63452 as an international standard for railway cybersecurity represents a significant next step, again drawing on the robust foundations of IEC 62443. Notably, both TS 50701 and the forthcoming IEC 63452 will incorporate IEC 62443-4-2 certified components, underscoring the commitment to leveraging established cybersecurity frameworks within the rail industry.
IEC 62443-4-2 outlines the technical security requirements for components within IACS, providing guidelines for product developers and manufacturers to ensure resilience against cyber threats. Compliance with this standard demonstrates a product's adherence to cybersecurity protocols, which is crucial for protecting critical infrastructure systems like rail transportation against cyber-attacks.
Getting Certified for IEC 62443-4-2
When we started this task, it was what we called a task. Another assignment from our comprehensive portfolio, ready for our R&D and product departments to address. At Cylus, we had previously navigated certification processes for other standards, but we mistakenly assumed it would involve checking off "comply" on a spreadsheet with some accompanying explanations.
In hindsight, it was more of a journey than a task. Our first good move was to contact Bureau Veritas to be our certification auditor. Having worked together in the past, we knew their level of expertise and professionalism. They guided us through this journey with the most accurate and professional approach expected.
The 62443-4-2 Requirements
To comply with 62443-4-2 requirements, we first needed to understand them. They are derived from the seven Fundamental Requirements (FRs) defined in 62443-1-1:
- Identification and authentication control (IAC),
- Use control (UC),
- System integrity (SI),
- Data confidentiality (DC),
- Restricted data flow (RDF),
- Timely response to events (TRE), and
- Resource availability (RA)
In 62443-4-2, these FRs are translated into System Requirements (SR), following the same principles but better adapted to defining requirements for system components. The components themselves are organized into categories. This is an essential focus for both the certified vendor and the people who will read the certificates: a software application and a firewall device are different things, and we cannot demand the same controls from both. Having dedicated requirements for different kinds of equipment therefore clarifies the real metrics behind a certification.
The categories are:
- Software Application (SAR)
- Embedded Device (EDR)
- Host Device (HDR)
- Network Device (NDR)
IEC Security Levels
Another thing to understand is the security levels (SL). IEC 62443 aims to deliver certifications based on the level of threat the component is expected to withstand. This is also a significant focus, as not every component is expected to be certified for the same level of cybersecurity risk protection.
These levels span from SL1 to SL4. For those of us in the rail industry, this is reminiscent of the Safety Integrity Levels (SIL), a must for defining the safety-related environment. There is no expectation that every system in the rail environment will be certified to SIL4, as that would not make sense given the effort involved.
CylusOne's certification process aimed for Security Level 3 (SL3) as defined in IEC 62443, which protects against intentional violation by moderately resourced entities using sophisticated means, with specific skills and motivation. This level aligns with the protection needs of signaling environments, which are considered SL3, and that guided our certification choice.
The Certification Process
With the scope established - "CylusOne, as a software application, requires SL3 certification" - we were ready to begin the certification journey. What does this entail? It is a careful, meticulous, and professional activity. Since the certification validates a specific component (in our case, software), the audit's scrutiny goes as deep as validating particular lines of code in some cases. For each requirement, we had to show our compliance by following IEC 62443-4-1 procedures: pointing to the internal technical design documents covering the development of the features supporting the requirement, then providing the testing procedures that verify those features, and finally presenting tangible evidence of successful tests.
Writing "present real evidence" is an understatement. It is not about sharing a screenshot of a test - it is about sharing output logs, traffic captures, pieces of code or configuration, and videos documenting the full test runs. Unlike other kinds of certifications, all the evidence is expected to be delivered during the process - the certification does not take into account "plans," "backlog," or "design reviews" that will be finished during the following year.
The component is certified only if the requirements are fulfilled during the certification process. The final certificates contain vectors of compliance for each SR category - how many requirements there are, how many the product complied with, and how many were "not applicable" to the component. We don't know whether certification is possible when one or more "small" requirements are not met - at Cylus, we aimed from the beginning to be fully compliant, so we never asked.
Why Does it Matter?
This certification process requires effort, a lot of it. Before beginning it, the vendor has to run a pre-assessment, validate all the requirements, and add R&D tasks for the missing features. Even when developing a product with the right processes (SDLC) and a secure-by-design approach, there can be gaps between the product and IEC 62443-4-2, especially for the higher Security Levels. So before the real audit process starts, there can be a development phase to get the features ready. Then, during the process, the vendor has to manage it with rigor: keep the documentation up to date, correct it where there are detailed gaps (because we know developers write documentation with varying levels of perfection), organize all the testing evidence to be shared with the auditor…and more.
So, why invest all that effort? In the case of IEC 62443-4-2, we can narrow this question to real-life needs as we know them at Cylus. We are a vendor, and our customers must manage their cybersecurity risks before bringing any new product on board. Some of them will do that with internal procedures, but most will refer fully or partially to standards. Those international standards are widely accepted in the industry and are more than a baseline for most needs. That is even more true in the case of IEC 62443 and the ICS/OT industry. So when a vendor brings their product to the table along with 62443-4-2 certification, they bring a kind of warranty for the customer. This is a trust certification, helping the customer ensure that they aren't adding more cyber risk to their environment. Our customers, including both railway integrators and operators, align themselves with IEC 62443, TS 50701, and IEC 63452, making our commitment to these standards crucial for their trust and security in our products.
Given that CylusOne is a cybersecurity solution, its significance is even greater for us. It was crafted to safeguard railway networks, and we mustn't become a source of further complications for our clients. They need to know that installing CylusOne is safe, even before they enjoy the security features it will deliver to their networks and systems.
Final Words
As Cylus participates in some of the international standards groups for railway cybersecurity, we can anticipate that this practice will grow. Railway cybersecurity teams are taking on more work, and one way to manage that will be to require the adoption of significant standards for each of their network components. This way, they create a first line of defense based on trust in their vendors and suppliers. Cylus will continue to find ways to make adopting CylusOne as easy as possible for our customers, leaving them to deal only with the benefits they receive from using it: a substantial defense layer dedicated to and focused on railway technologies.