Following the IEC 62443 standard for security software development ensures quality, safety and security
The importance of industrial automation and control systems (IACS) to the critical operations we rely on cannot be overstated. From manufacturing of consumer and commercial products to power generation and water supply to HVAC for the offices where we “once” worked in before COVID-19 (we’ll be back) to smart utility metering for our homes and so much more, these systems are essential to our lives and our economy. It goes without question that keeping these systems secure is a must.
A cybersecurity event targeting ICAS has the potential to have a devastating impact. And, as these devices and systems become “smarter,” more interconnected and exposed to the Internet, security challenges continue to rise and risk becomes exponentially greater. In fact as highlighted by its “Year in Review 2020” report, industrial cybersecurity company, Dragos, saw a threefold increase of cyber threats to ICAS last year.
As stated earlier, these ICAS devices are becoming smarter. This is a result of more complex embedded software enabling remote functionality, automation and analytics. With more complex software, there are now more lines of code which can introduce N-day and 0-day vulnerabilities if not diligently tested throughout the software development life cycle (SDLC).
Thankfully, there are standards for developing secure software, such as IEC 62443, designed to help ensure software code embedded in ICAS devices is free of vulnerabilities. The IEC 62443-4-1 standard (Security for industrial automation and control systems–Part 4-1: Secure product development lifecycle requirements) defines specific requirements for using a secure development lifecycle in the design, implementation, maintenance and testing of products used in industrial automation and control systems.
GrammaTech together with Exida, a leading certification company specializing in ICAS functional safety and cybersecurity, recently issued a joint whitepaper, Using GrammaTech CodeSentry and CodeSonar to Improve Software Security and Comply with IEC 62443.
In this whitepaper, Exida details how GrammaTech’s CodeSentry (Binary Software Composition Analysis - SCA) and CodeSonar (Static Application Security Testing - SAST) tools can be integrated into an ICAS supplier’s SDLC and DevSecOps processes to help comply with the IEC 62443 standard.
Exida describes two major contributors to security vulnerabilities found in products today, which are implementation weaknesses in programs created in languages such as C and C++ and the use of Third-Party Software (TPS). The CodeSentry and CodeSonar tools can address both of these issues.
CodeSonar can be seamlessly integrated into the SDLC to continually find and remediate errors and vulnerabilities in code. With CodeSentry, you can perform a binary analysis to identify the open-source and third-party software components of the software to generate a software bill of materials (SBOM) and vulnerability report.
This whitepaper introduces common causes of security vulnerabilities including implementation programming weaknesses in programing languages and TPS. In addition, it describes TPS types, specific TPS security challenges and provides guidance on how to use the GrammaTech CodeSentry and CodeSonar tools in a workflow to select and manage TPS and overall product security.
If developing secure and vulnerability free code is your priority, we encourage you to the download and read our whitepaper.
To see CodeSentry and CodeSonar in action and how our solutions can solve your specific requirements, book an evaluation today.