Introduction to product and system cybersecurity with focus on IEC62443 (2 day course)
Place: Göteborg
Language: English or Swedish
Request more information
Magnus Kindberg (SE, NO)
Phone: +46 (0)40 59 22 22
magnus.kindberg@nohau.se
Heidi Lehtomäki – Finland
phone: +358 40 196 0142
heidi.lehtomaki@nohau.fi
Klaus Ahrensbach – Denmark
Phone: +45 3116 1019
ka@nohau.dk
Purpose of the course
To give an introduction and overview of product Cybersecurity and specifically the IEC62443 standard. Special focus on the early phases, such as risk assessment methods and concept development.
Goals
The participants shall get an overall understanding of
- Introduction and background on Cyber security in general.
- Terminology and definitions.
- Cyber security management
- Continuous cyber security activities including vulnerability analysis.
- Threat analysis and risk assessment including examples of risk assessment methods.
- Cyber security requirements and cyber security concept.
- Product development related to cyber security.
- Cyber security validation.
Day 1
09:00 Introduction
- What is Cybersecurity?
- Why is Cybersecurity important?
- Embedded vs IT Cybersecurity
09:30 Cybersecurity Management
- Cybersecurity Life cycle
- Overall Cybersecurity management
- Cybersecurity roles
- Cybersecurity Culture
10:00 Overview of Cybersecurity standards
10:30 Cyber Resilience Act (CRA)
- What is the Cyber Resilience Act?
- Objectives for the EU initiative
- ENISA
- Time Line and fines
- What needs to be done
- Incident Reporting
- Recommendations CRA
11:00 Directive on measures for a high common level of cybersecurity across the Union (NIS2)
- What is NIS2
- Which organizations need to comply to NIS2?
- Time line
- Recommendations NIS2
11:15 ISO27001 – Information Security Management
- Overview
- Why ISO27001
11:30 Discussions – Exercise
12:00 Lunch
13:00 ISA/IEC62443 – Security for industrial automation and control systems
- Overview
- IEC62443 for Service providers vs Product providers
- IEC62443 Guidance
- Selections defenitions
- CIA model
- Recommendations IEC62443 1.1-2.4
14:00 System Examples
- Zone examples
- Conduit examples
14:30 Discussions Exercise
15:15 Planning Cybersecurity work and general recommendations
15:30 Summary
16:00 End
Day 2
09:00 Introduction and recap from Day 1
09:30 IEC 62443 System and component level development
- Product life cycle scope
10:00 System level development IEC 62443-3-2
- Concept IEC 62443-1-1
- Security Levels
- Requirement areas IN IEC 62443-3-2
- Initial cyber risk assessment
- Partition the SUC into zones and conduits
- Risk comparison
- Detailed risk assessment IEC 62443-3-2
- Consequence and Impact
- Likelyhood
- Risk Determination
10:45 Discussions Exercise
11:30 System requirements IEC 62443-3-3
- Cybersecurity requirements, assumptions and constraints
- Foundation Requirements (FR) example
- System requirements (SR) example
- Requirement Enhancements (RE) example
- Mapping of SRs and REs to FR Security levels 1-4
12:00 Lunch
13:00 Component level development IEC 62443-4-1; IEC 62443-4-2
- Eight practices
- Practice 1 – Security management
- Practice 2 – Specification of security requirements
- Practice 3 – Secure by design
- Practice 4 – Secure implementation
- Practice 5 – Security verification and validation testing
- Practice 6 – Management of security-related issues
- Practice 7 – Security update management
- Practice 8 – Security guidelines
13:30 Risk determination including exercises
- Threat modelling
- Risk Assesment
- Asset identification & damage scenarios
- Threat Scenarios
- Attack path analysis
- Attack feasibility
- Risk determination
15:00 Component cybersecurity requirements IEC 62443-4-2
15:30 Summary
16:00 End