Focus on IT and OT cybersecurity – Secure product development lifecycle

Cybersecure? Focus on Information Technology (IT) and Operational Technology (OT) systems is critical

Many aspects of our world are interconnected. We rely upon connected systems in our daily work and private lives. On an industrial level, factory systems are also interconnected – and these industrial and private systems are in the process of converging.

With increasing interconnectivity comes an increased focus on cybersecurity concerns. By securing Information Technology (IT) and Operational Technology (OT) systems, you can protect your data and ensure uptime for your systems. The topic of cybersecurity is not a new one. However, its importance is growing in everyday life.

The time to act is now

As threats to and even breaches of IT and OT systems become increasingly common, governments implement legislation to ensure appropriate and proven risk mitigation. Across the world, efforts to improve cybersecurity focus on critical sectors. The definition of “critical” varies, but typically includes the following sectors, to name a few:

  • Energy & Transportation
  • Food & Agriculture
  • Chemical & Industry application
  • Communication & Digital infrastructure
  • Water supply & Wastewater treatment
  • Defense
  • Financial Markets
  • Health

Examples of such legislative initiatives are the NIS and NIS 2 Directives in Europe and the National Cyber Security Strategy in the US. Many elements of the upcoming legislation are in place, and implementation of the supporting standards has begun. Here, the IEC 62443 framework for OT is expected to play an essential role.

Ready to act? Here’s how:

For OT systems, the standard IEC 62443 provides processes and guidance on how to implement best-practice cybersecurity measures in industrial automation and control systems (IACS). Depending on your role, all parts of the standard IEC 62443 are relevant, separately or combined. For example:

  • IEC 62443-2-1: Measures to mitigate cybersecurity risk in Information Technology (IT) and Operational Technology (OT)
  • IEC 62443-3-3: Technical requirements for control systems
  • IEC 62443-4-1: Secure product development lifecycle processes
  • IEC 62443-4-2: Technical requirements for components

An important element of the standard is the concept of Security Levels (SL). SLs help you to determine the cybersecurity risk exposure of a specific system and to find relevant measures to mitigate this risk. The overall purpose of the standard is to protect entire systems; therefore, cascading each risk mitigation measure is a valid strategy. For example, a well-placed and well-maintained firewall can protect several devices behind it. Not every component requires its own firewall.

How do I secure my drive?

Variable speed drives and power converters from Danfoss control physical processes in operational facilities. In most installations, Security Level 1 (SL1) provides a good balance between mitigating the risk exposure of the drive and maintaining good usability for commissioning and service situations. The development process at Danfoss Drives is certified according to IEC 62443-4-1, ensuring that customers receive securely developed drives following a strict process. This process ensures that internal agents cannot manipulate the firmware.

Cybersecurity begins with the supplier

At Danfoss Drives, we take the role of cybersecure supplier seriously, and strive to ensure the most up-to-date protection against unauthorized access for our customers. Our product development processes are certified for cybersecurity, ensuring optimal cybersecure design of the products manufactured in our own factories. Danfoss is a proud member of the Charter of Trust alliance. This alliance brings together flagship companies around the globe to establish and promote the highest standards of cybersecurity. The Charter of Trust is a non-profit industry alliance working to strengthen the commitment to advancing harmonized cybersecurity approaches to make the digital world of tomorrow safer.

Risk mitigation begins with good product design

Although cybersecurity is not a new field, it is advancing fast. To support the security of your power train, Danfoss is in the process of implementing the required risk mitigation measures in products and providing helpful documentation.

Find further information in the following section. Or contact our experts directly: Find contact details for Danfoss and partners in our contact center.

Danfoss is certified for its secure product development lifecycle.