

Prayukth K V
27 June 2025
Adopting IEC 62443 for Cyber Resilience Act compliance: A roadmap
The Cyber Resilience Act (CRA) is well poised to become a cornerstone of EU cybersecurity legislation. It will, however, impose significant obligations on manufacturers, making robust cyber practices not just good hygiene, but a legal imperative.
For many EU manufacturers, navigating the complex landscape of cybersecurity standards can be daunting. However, one standard stands out as a strong enabler for compliance with the CRA: IEC 62443. This comprehensive series of standards, often referred to as the gold standard or even the North Star of industrial cybersecurity, is specifically designed for industrial automation and control systems (IACS). It offers a structured and systematic approach to managing cybersecurity risks and their consequences. Our latest blog post will delve into how EU manufacturers can leverage IEC 62443 not only to meet the requirements of the Cyber Resilience Act but also to significantly enhance their overall cybersecurity posture and secure their infrastructure against cyberattacks.
What is the Cyber Resilience Act?
The Cyber Resilience Act is a groundbreaking piece of legislation that aims to ensure hardware and software products placed on the EU market meet essential and robust cybersecurity requirements throughout their entire lifecycle. It shifts the burden of cybersecurity from the end user to the manufacturer, making them fully accountable for the security of their products from design to end-of-life.
What are the key aspects of CRA? Here are a few key elements:
· Essential Cybersecurity Requirements: Products must meet specific security requirements related to vulnerability management, risk suppression, secure-by-design principles, data protection, and resilience against cyberattacks.
· Conformity Assessment: Manufacturers will need to demonstrate conformity with the CRA, backed by evidence, through internal controls or third-party assessment, depending on the product's criticality.
· Obligations for Manufacturers: Conducting risk assessments, implementing security measures, providing clear and timely security updates, reporting vulnerabilities, and maintaining documentation.
· Market Surveillance: Member States will be responsible for surveillance of their respective jurisdictional entities to ensure compliance.
· Product Lifecycle Focus: The CRA emphasizes cybersecurity across the entire product lifecycle, right from initial design and development to post-market surveillance and end-of-life considerations.
The CRA's broad scope covers a wide range of connected products, from IoT devices and industrial control systems to operating systems and smart home appliances. For manufacturers, particularly those in the operational technology (OT) space, understanding and implementing the CRA's provisions is essential in order to avoid penalties, maintain market access, secure credibility, and protect their infrastructure.
What is the IEC 62443 family of industrial cybersecurity standards all about?
While the CRA sets the legal requirements, IEC 62443 provides a practical, structured and internationally recognized framework for achieving these very requirements, particularly for manufacturers of industrial products. It is not a single document but a series of standards and technical reports that address various aspects of IACS cybersecurity.
The IEC 62443 series is structured into 4 main categories:
· General (62443-1-x): Covers foundational concepts, terminology, and models.
· Policies and Procedures (62443-2-x): Focuses on cybersecurity program requirements for IACS asset owners and service providers.
· System (62443-3-x): Addresses system-level cybersecurity requirements, including security assurance levels (SALs), ways to conduct a risk assessment for IACS and technical requirements.
· Component (62443-4-x): Specifies secure development lifecycle requirements for products and components, and technical security requirements for control system components.
The strength of IEC 62443 lies in its layered and detailed approach to IACS security. It underscores the premise that cybersecurity is not just about technology but also about processes, people, governance, ownership and organizational culture, and about understanding how these parameters interact to influence cyber risk.
The IEC 62443 standards provide a structured methodology for:
· Understanding the role of asset owners for risk management
· Applying appropriate security controls for risk suppression
· Risk Assessment: Identifying and analysing cybersecurity risks specific to IACS environments.
· Threat Modelling: Understanding potential attack vectors and threat actors.
· Identifying and fixing IACS security gaps
· Security by Design: Integrating security considerations throughout the product development lifecycle.
· Vulnerability Management: Proactively identifying, assessing, and mitigating vulnerabilities.
· Secure Development Lifecycle (SDL): Establishing secure coding practices and testing methodologies.
· Patch Discipline and Management: Ensuring timely and effective deployment of security updates.
· Incident Response: Developing procedures for detecting, responding to, and recovering from cyber incidents.
· Security and Maturity Levels: Defining security assurance levels (SALs) that correspond to the level of risk and required protection.
How can IEC 62443 be mapped to CRA Compliance?
The link between IEC 62443 and the CRA is clearly evident as I have mentioned earlier. To reemphasise, IEC 62443 offers the "how-to" guide for addressing the "what-to" requirements of the CRA, especially when it comes to industrial products. Let us now explore how EU manufacturers can leverage specific parts of IEC 62443 to achieve CRA compliance:
Essential Cybersecurity Requirements (CRA Article 6 & Annex I)
The CRA mandates that products be designed, developed, and produced in such a way that they meet essential cybersecurity requirements. IEC 62443 provides direct guidance here:
· Secure by Design and Development:
  · IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): In my opinion, this is perhaps the most crucial standard for manufacturers. It outlines a comprehensive secure development lifecycle (SDL) that integrates security activities into every phase of product development, from requirements definition to retirement. This directly addresses the CRA's emphasis on "security by design" and "security by default." Manufacturers can implement secure coding guidelines, conduct security testing (e.g., fuzz testing, penetration testing), and perform architectural risk analysis as prescribed by 62443-4-1.
  · IEC 62443-3-3 (System Security Requirements and Security Levels): While focused on systems, the principles of defining security levels (SL-T, SL-C, SL-P) and corresponding requirements can be applied during the design phase of components that will be integrated into larger systems. This helps ensure components are designed with an appropriate level of security in mind, aligning with the CRA's requirement for a "level of cybersecurity appropriate to the risks."
· Vulnerability Management and Software Updates:
  · IEC 62443-2-3 (Patch Management in IACS Environments): Although primarily aimed at asset owners, its principles for managing patches and updates are highly relevant for manufacturers. Manufacturers must establish robust processes for identifying, assessing, and disseminating security updates for their products. This includes providing clear information to users about available updates and their security implications, directly addressing CRA obligations regarding vulnerability handling and continuous security support.
  · IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): This standard also covers vulnerability disclosure and response processes, ensuring that manufacturers have a systematic approach to handling reported vulnerabilities and issuing the necessary patches.
· Data Protection and Confidentiality:
  · IEC 62443-3-3 (System Security Requirements and Security Levels): This standard defines technical security requirements that contribute to data confidentiality, integrity, and availability. For example, it specifies requirements for access control, data encryption, and secure communication protocols, all of which are vital for protecting sensitive data processed or stored by the product, aligning with the CRA's focus on data protection.
· Resilience Against Cyberattacks:
  · IEC 62443-3-2 (Security Risk Assessment for IACS): Performing a thorough risk assessment as outlined in this standard helps manufacturers identify potential attack scenarios and design products that are resilient to these threats. This proactive approach is fundamental to meeting the CRA's requirement for products to withstand, resist, detect, and recover from cyberattacks.
  · IEC 62443-3-3 (System Security Requirements and Security Levels): The technical requirements within this standard, such as network segmentation, robust authentication mechanisms, and logging capabilities, directly contribute to the overall resilience of the product against various cyber threats.
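The two mechanisms referred to above, deriving a target security level from a risk assessment (IEC 62443-3-2) and then comparing a component's capability level against it (IEC 62443-3-3), are easier to see with a small worked example. The Python below is an added illustration, not code from the original post, from Shieldworkz or from the IEC. What it takes from the standard is only the structure I am certain of: a security level is a vector of integers 0 to 4, one per foundational requirement FR1 to FR7. The 1 to 5 likelihood and impact scales, the score-to-SL-T thresholds, the zone risk inputs and the component's SL-C vector are all constructed assumptions; IEC 62443-3-2 leaves the mapping from risk to SL-T to the organization's own tolerable-risk criteria.

```python
"""Security-level gap analysis in the style of IEC 62443 (added illustration).

A zone's target security level (SL-T) is a vector over the seven foundational
requirements of IEC 62443-3-3; a component's capability level (SL-C) is compared
against it. The risk-to-SL-T thresholds and the sample data are ASSUMPTIONS made
for this example, not the standard's text.
"""
from __future__ import annotations

from dataclasses import dataclass

# The seven foundational requirements named in IEC 62443-3-3.
FOUNDATIONAL_REQUIREMENTS = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}

SL_MIN, SL_MAX = 0, 4  # security levels are integers 0..4


@dataclass(frozen=True)
class RiskInput:
    """Unmitigated risk for one FR in one zone. The 1..5 scales are an assumption."""
    likelihood: int
    impact: int

    def score(self) -> int:
        return self.likelihood * self.impact


def risk_to_sl_t(risk: RiskInput) -> int:
    """Map a risk score (1..25) to a target SL.
    ASSUMPTION: the thresholds are illustrative; 62443-3-2 leaves them to the
    organization's tolerable-risk criteria."""
    score = risk.score()
    if score <= 2:
        return 0
    if score <= 6:
        return 1
    if score <= 12:
        return 2
    if score <= 20:
        return 3
    return 4


def validate_vector(vector: dict[str, int], label: str) -> None:
    """Reject an SL vector that misses an FR or uses a level outside 0..4."""
    missing = set(FOUNDATIONAL_REQUIREMENTS) - set(vector)
    if missing:
        raise ValueError(f"{label} is missing {sorted(missing)}")
    for fr, level in vector.items():
        if fr not in FOUNDATIONAL_REQUIREMENTS or not SL_MIN <= level <= SL_MAX:
            raise ValueError(f"{label}: invalid entry {fr}={level}")


def derive_sl_t(zone_risk: dict[str, RiskInput]) -> dict[str, int]:
    """Build a zone's SL-T vector from its per-FR risk inputs."""
    sl_t = {fr: risk_to_sl_t(r) for fr, r in zone_risk.items()}
    validate_vector(sl_t, "SL-T")
    return sl_t


def gap_analysis(sl_t: dict[str, int], sl_c: dict[str, int]) -> dict[str, int]:
    """Return {FR: shortfall} for every FR where the component's SL-C is below
    the zone's SL-T. An empty dict means the component meets the target as-is;
    any entry is a gap to close by hardening, compensating controls, or redesign."""
    validate_vector(sl_t, "SL-T")
    validate_vector(sl_c, "SL-C")
    return {fr: sl_t[fr] - sl_c[fr]
            for fr in FOUNDATIONAL_REQUIREMENTS if sl_c[fr] < sl_t[fr]}


# Constructed sample: risk inputs for one zone and the SL-C of a candidate controller.
SAMPLE_ZONE_RISK = {
    "FR1": RiskInput(4, 5),  # score 20 -> SL-T 3
    "FR2": RiskInput(3, 4),  # score 12 -> SL-T 2
    "FR3": RiskInput(5, 5),  # score 25 -> SL-T 4
    "FR4": RiskInput(2, 2),  # score 4  -> SL-T 1
    "FR5": RiskInput(3, 3),  # score 9  -> SL-T 2
    "FR6": RiskInput(2, 4),  # score 8  -> SL-T 2
    "FR7": RiskInput(4, 4),  # score 16 -> SL-T 3
}
SAMPLE_COMPONENT_SL_C = {"FR1": 2, "FR2": 2, "FR3": 3, "FR4": 2, "FR5": 2, "FR6": 1, "FR7": 3}


def report(zone_risk=SAMPLE_ZONE_RISK, sl_c=SAMPLE_COMPONENT_SL_C) -> list[str]:
    """One human-readable line per gap; this is the evidence a conformity file wants."""
    sl_t = derive_sl_t(zone_risk)
    return [
        f"{fr} ({FOUNDATIONAL_REQUIREMENTS[fr]}): SL-C {sl_c[fr]} < SL-T {sl_t[fr]}, shortfall {short}"
        for fr, short in gap_analysis(sl_t, sl_c).items()
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed inputs the controller falls short on FR1, FR3 and FR6; the per-FR shortfall list is exactly the kind of artifact the conformity assessment discussion later in this post expects a manufacturer to be able to produce and keep.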
Conformity Assessment (CRA Article 13)
The CRA mandates that manufacturers demonstrate conformity with the essential cybersecurity requirements. While the CRA outlines the high-level process, IEC 62443 offers a framework for demonstrating that due diligence has been exercised.
· Documentation and Evidence: Adhering to IEC 62443 standards naturally generates a wealth of documentation: risk assessment reports, security architecture diagrams, test plans and results, vulnerability management procedures, and secure development lifecycle artifacts. This documentation serves as concrete evidence for conformity assessment bodies or for demonstrating compliance through internal controls.
· Third-Party Certification: Products or components designed and developed in accordance with IEC 62443-4-1 and IEC 62443-4-2 (Technical Security Requirements for IACS Components) can undergo third-party certification. This certification, provided by accredited bodies, can significantly streamline the CRA conformity assessment process, as it provides an independent assurance of the product's cybersecurity posture.
Obligations of Manufacturers (CRA Article 10)
The CRA places several direct obligations on manufacturers. IEC 62443 provides the practical mechanisms to fulfill many of these:
· Risk Assessment:
  · IEC 62443-3-2 (Security Risk Assessment for IACS): This standard provides a detailed methodology for conducting cybersecurity risk assessments: identifying assets, threats and vulnerabilities, and calculating risk levels. This directly supports the CRA's requirement for manufacturers to carry out a cybersecurity risk assessment for their products.
· Vulnerability Handling and Reporting:
  · IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): This standard mandates processes for vulnerability disclosure, analysis, and response. Manufacturers leveraging this standard will have established procedures for receiving, triaging, and addressing reported vulnerabilities, and for informing users about them, fulfilling a critical CRA obligation.
  · IEC 62443-2-3 (Patch Management in IACS Environments): Provides guidance on how to effectively distribute patches and updates, ensuring users receive timely security fixes.
· Post-Market Surveillance:
  · IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): Extends to post-market activities, including monitoring for new vulnerabilities, providing ongoing security support, and issuing security advisories. This directly contributes to fulfilling the CRA's requirement for manufacturers to continuously monitor and manage cybersecurity risks after the product is placed on the market.
· Documentation:
  · Throughout the IEC 62443 implementation process, extensive documentation is generated, including security policies, procedures, technical specifications, and test reports. This comprehensive documentation forms the backbone of the technical documentation required by the CRA.
Product Lifecycle Focus (CRA Article 6)
The CRA emphasizes cybersecurity throughout the entire product lifecycle. IEC 62443 inherently adopts this lifecycle approach.
· Design and Development: IEC 62443-4-1's Secure Development Lifecycle (SDL) ensures security is built-in from the ground up, preventing vulnerabilities from being introduced early in the design phase.
· Production: The focus on secure configuration and hardening within various IEC 62443 standards contributes to ensuring that products are securely manufactured.
· Maintenance and Support: The emphasis on vulnerability management, patch management (IEC 62443-2-3), and ongoing security updates ensures products remain secure throughout their operational life.
· End-of-Life: While not explicitly detailed for product decommissioning, the principles of secure data erasure and responsible disposal of sensitive components can be inferred and integrated into a comprehensive cybersecurity program.
What are the strategic advantages of adopting IEC 62443 beyond CRA compliance?
While CRA compliance is a major driver, adopting IEC 62443 offers significant strategic advantages for EU manufacturers that extend beyond mere regulatory adherence:
· Enhanced Product Security and Reduced Risk: By systematically implementing IEC 62443, manufacturers build more secure and resilient products, reducing the likelihood of successful cyberattacks and minimizing potential financial losses, reputational damage, and operational disruptions.
· Competitive Advantage: Manufacturers who can demonstrate adherence to an internationally recognized standard like IEC 62443 will differentiate themselves in the market, building trust with customers and gaining a competitive edge, especially as cybersecurity becomes a key purchasing criterion.
· Streamlined Processes and Efficiency: Implementing a structured framework like IEC 62443 can lead to more efficient and repeatable cybersecurity processes, reducing ad-hoc efforts and improving overall operational efficiency.
· Improved Supply Chain Security: As manufacturers increasingly rely on global supply chains, IEC 62443 can be used to communicate and enforce cybersecurity requirements with suppliers, leading to a more secure ecosystem.
· Reduced Legal and Financial Liabilities: Proactive adoption of robust cybersecurity practices through IEC 62443 can mitigate legal and financial liabilities arising from cyber incidents, including potential fines under the CRA and costs associated with breaches.
· Future-Proofing: IEC 62443 is a living standard, continuously updated to reflect evolving threats and technologies. By aligning with it, manufacturers are better positioned to adapt to future cybersecurity challenges and regulatory changes.
· Easier Access to Markets: Demonstrating compliance with IEC 62443 can facilitate market access not only within the EU but also globally, as many international customers and regulators recognize the standard's value.
Challenges and Considerations for Implementation
While the benefits are clear, implementing IEC 62443 and aligning it with CRA compliance can present challenges:
· Complexity and Scope: The IEC 62443 series is extensive. Manufacturers need to prioritize which parts are most relevant to their products and operations. A phased approach is often advisable.
· Resource Allocation: Implementation requires dedicated resources, including cybersecurity expertise, personnel training, and potentially new tools and technologies.
· Integration with Existing Processes: Manufacturers will need to integrate IEC 62443 requirements into their existing product development, quality management, and operational processes.
· Supply Chain Collaboration: Ensuring compliance across the supply chain, particularly for components sourced from third parties, requires strong collaboration and contractual agreements.
· Continuous Improvement: Cybersecurity is not a one-time effort. Manufacturers must establish a continuous improvement cycle to regularly assess their security posture, adapt to new threats, and update their processes.
By embracing IEC 62443, EU manufacturers can:
· Systematically identify and mitigate cybersecurity risks throughout the product lifecycle.
· Implement robust secure development practices, building security in from the ground up.
· Establish effective vulnerability management and incident response procedures.
· Generate the necessary documentation to demonstrate conformity with CRA requirements.
· Secure their infrastructure with confidence.
Beyond compliance, adopting IEC 62443 fosters a culture of cybersecurity, leading to more resilient products, enhanced customer trust, and a stronger competitive position in the global market. In an increasingly interconnected world, where cyber threats are a constant reality, leveraging standards like IEC 62443 is not just about meeting regulatory obligations; it's about securing the future of EU manufacturing. The time to act is now.
Connect with a Shieldworkz Compliance Expert to learn how you can comply with CRA and NIS2.
Download our regulatory playbooks to gain a better understanding of the OT cybersecurity regulatory landscape and relevant interventions.
Learn more about IEC 62443-based risk assessment
Download the latest copy of our OT cybersecurity threat landscape report
