IEC 62443 vs ISO/SAE 21434: A Deep Dive into Industrial & Automotive Cybersecurity Standards

Hello everyone, and welcome to the Hermes Solution blog, your go-to source for in-depth analysis on cybersecurity, a critical survival strategy in the digital age!

As cyber threats become increasingly sophisticated, the core sectors that sustain our lives and industries are at risk. Industrial Automation (Industry 4.0, IIoT) and Automotive (Connected Cars, Autonomous Driving), in particular, are experiencing an explosion in connectivity, making cybersecurity not just an option, but a necessity. Past incidents, like the Stuxnet attack on industrial systems or remote car hacking incidents, vividly demonstrate the devastating impact of cyber threats in the real world.

To counter these threats, international standardization organizations are proposing cybersecurity frameworks tailored to specific sectors. Today, we’ll dive deep into IEC 62443, the stalwart shield for the industrial sector, and ISO/SAE 21434, the guiding compass for the automotive industry. If you’re wondering which standard is more suitable for your business, or how these two standards can create synergy, this article will serve as a clear guide.

1. Why Are Sector-Specific Cybersecurity Standards Necessary?

The acceleration of digital transformation, coupled with increasing regulatory pressure and market demands, is strongly driving the adoption of specialized cybersecurity standards for specific industries.

  • Automotive Sector: International regulations like UN R155 mandate compliance with ISO/SAE 21434 as a prerequisite for vehicle type approval, making it an essential gateway for automotive manufacturers and component suppliers to enter the market.

  • Industrial Sector: Regulations such as the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards encourage adherence to industrial best practices like IEC 62443 for protecting critical infrastructure.

This signifies that complying with these standards is no longer just about “following best practices”; it has evolved into a mandatory requirement for market entry and legitimate operation.

As Information Technology (IT) and Operational Technology (OT) converge, IEC 62443, a cornerstone for OT security, and ISO/SAE 21434, which addresses the specific OT domain of automotive, share fundamental security principles like risk management and lifecycle approaches. However, they also exhibit clear differences due to their distinct operating environments, safety-related impacts, and unique threat landscapes. Therefore, understanding the precise standard relevant to your business is paramount.

2. IEC 62443: A Robust Shield for Industrial Automation and Control Systems (IACS)

Core Mission: IEC 62443 focuses on protecting Industrial Automation and Control Systems (IACS) and Operational Technology (OT) within critical infrastructures such as energy, transportation, manufacturing, healthcare, and public utilities from cyber threats. Beyond mere data confidentiality, its top priority is the availability, integrity, and resilience of industrial processes. This is crucial because security breaches can lead to massive financial losses, environmental damage, and even human casualties.

Structural Framework (6 Categories): As of 2024, IEC 62443 is comprised of an expanded series of 6 categories:

  • General (1-x): Provides an overview, core concepts, and definitions.

  • Policies & Procedures (2-x): Details requirements for IACS security management systems (CSMS) and security programs for asset owners and service providers.

  • Systems (3-x): Includes guidelines for designing, installing, and maintaining secure systems in industrial environments, along with technical requirements for industrial control architectures.

  • Components (4-x): Focuses on technical requirements for individual components of industrial systems, including devices and software, as well as secure development processes.

  • Profiles (5-x): Defines industry-specific cybersecurity requirements and provides a structured approach for implementing measures based on the cybersecurity profiles described in IEC 62443-1-5.

  • Evaluation (6-x): Describes evaluation methodologies to ensure consistent and reproducible assessment results for the requirements of individual parts.

Notably, IEC 62443-2-1 (security program for asset owners), -2-4 (security program for IACS service providers), -3-2 (security risk assessment for system design), -3-3 (system security requirements and security levels), -4-1 (secure product development lifecycle requirements), and -4-2 (technical security requirements for IACS components) are highly practical for implementation.

Latest Update (2024): The IEC 62443-2-1:2024 revision includes significant technical changes such as restructuring the requirements around security program (SP) elements, removing redundancy with ISMS standards, and defining a maturity model for evaluating how well each requirement is met. This acknowledges the reality of legacy IACS, many of which operate for over 20 years and include unsupported hardware and software, and demands a more realistic approach to security.

Lifecycle and Risk Management Philosophy: The risk management philosophy of IEC 62443 heavily emphasizes the characteristics of OT. Unlike IT security’s focus on confidentiality, IEC 62443 prioritizes the availability and integrity of industrial processes. This is clearly reflected in its goals, such as “reducing the potential for cyber-physical failures” and “maintaining production during incidents.”

Key Concepts:

  • Security Levels (SLs): Defined from SL 0 to SL 4, these levels outline security objectives and capabilities based on the sophistication of threats a system must protect against. For example, SL 1 protects against unintentional misuse, while SL 4 guards against sophisticated attacks from highly resourced adversaries.

  • Zones and Conduits: This methodology involves segmenting a system into logical zones and identifying communication pathways (conduits) between them, enabling a “defense-in-depth” strategy with targeted security measures.

  • Risk Assessment: IEC 62443-3-2 details system segmentation and SL determination, while Part 2-1 covers risk identification, assessment, and management.

  • Foundational Requirements (FRs): Seven core FRs, including user authentication and access control, backup and recovery, form the basis of a “secure-by-design” approach. The standard also emphasizes the balanced contribution of people, processes, and technology.
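To make the Security Levels and Zones/Conduits concepts above concrete, here is an added example (not code from the article, Hermes Solution, or the standard) that checks a list of observed network flows against a constructed zone/conduit model. Zone names, asset names, SL-T values, protocols and the two checks themselves are illustrative assumptions, not quoted from IEC 62443-3-2.

```python
# Constructed illustrative model (neither the standard's nor the article's):
# each asset sits in one zone, each zone has a target security level (SL-T),
# and cross-zone traffic is allowed only on a declared conduit that permits
# the protocol in use.
ZONES = {"enterprise": 1, "plant_dmz": 2, "control": 3, "safety": 4}
ASSETS = {"erp-01": "enterprise", "historian": "plant_dmz",
          "plc-07": "control", "hmi-02": "control", "sis-01": "safety"}
CONDUITS = {  # (source zone, destination zone) -> permitted protocols
    ("enterprise", "plant_dmz"): {"https"},
    ("plant_dmz", "control"): {"opcua"},
}


def check_flows(flows, zones=ZONES, assets=ASSETS, conduits=CONDUITS):
    """Compare observed flows (src, dst, proto) against the zone/conduit model.
    Returns (severity, flow, reason): 'violation' for traffic the model does not
    account for, 'review' for a declared conduit rising from a lower-SL-T zone
    into a higher one, where the conduit itself needs compensating controls.
    Both checks are this example's own, not quoted from IEC 62443-3-2."""
    findings = []
    for flow in flows:
        src, dst, proto = flow
        zsrc, zdst = assets.get(src), assets.get(dst)
        if zsrc is None or zdst is None:
            findings.append(("violation", flow, "endpoint not assigned to any zone"))
            continue
        if zsrc == zdst:
            continue  # intra-zone traffic is not governed by conduits
        permitted = conduits.get((zsrc, zdst))
        if permitted is None:
            findings.append(("violation", flow, f"no declared conduit {zsrc}->{zdst}"))
        elif proto not in permitted:
            findings.append(("violation", flow, f"{proto} not permitted on {zsrc}->{zdst}"))
        elif zones[zsrc] < zones[zdst]:
            findings.append(("review", flow,
                             f"conduit rises from SL-T {zones[zsrc]} to SL-T {zones[zdst]}"))
    return findings


# Constructed sample flows, e.g. as extracted from a firewall or SPAN-port log.
SAMPLE_FLOWS = [
    ("erp-01", "historian", "https"),   # declared conduit, SL-T 1 -> 2
    ("historian", "plc-07", "opcua"),   # declared conduit, SL-T 2 -> 3
    ("erp-01", "plc-07", "modbus"),     # enterprise straight into the control zone
    ("hmi-02", "plc-07", "modbus"),     # intra-zone, nothing to report
    ("unknown-host", "sis-01", "ssh"),  # unmodelled device reaching the safety zone
]

if __name__ == "__main__":
    for severity, flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"[{severity}] {flow}: {reason}")
```

Running the same check over an exported flow table is a cheap way to find conduits that exist in the network but not in the risk assessment, which is exactly the gap IEC 62443-3-2's segmentation step is meant to close.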

Governance and Supply Chain Dynamics: Industrial security cannot be achieved through the efforts of a single entity. IEC 62443 explicitly defines the roles and responsibilities of all participants throughout the supply chain, including asset owners, product suppliers, and service providers, encouraging close collaboration.

Zero Trust Alignment: In 2024, the ISA Global Cybersecurity Alliance (ISAGCA) published guidance on how IEC 62443 principles support Zero Trust methodologies, outlining how to apply Zero Trust in OT environments and shaping the future of OT security.

3. ISO/SAE 21434: The Standard for Road Vehicle Cybersecurity

Core Mission: ISO/SAE 21434 addresses cybersecurity for Electrical/Electronic (E/E) systems in road vehicles, such as motorcycles, passenger cars, and trucks. It covers the entire vehicle lifecycle, from the concept phase through product development, production, operation, maintenance, and decommissioning, aiming to foster a common understanding and culture of cybersecurity.

Structural Framework (15 Clauses): The process-oriented ISO/SAE 21434 covers various aspects of cybersecurity engineering and management:

  • Organizational cybersecurity management (Clause 5): Governance, policies, culture.

  • Project-dependent cybersecurity management (Clause 6): Management of individual projects.

  • Distributed cybersecurity activities (Clause 7): Supplier management.

  • Continuous cybersecurity activities (Clause 8): Monitoring, vulnerability management.

  • Concept phase (Clause 9): Initial definition, objective setting.

  • Product development (Clause 10): Design, integration.

  • Cybersecurity verification (Clause 11)

  • Production (Clause 12)

  • Operation and maintenance (Clause 13): Incident response, updates.

  • End of cybersecurity support and decommissioning (Clause 14)

  • Threat analysis and risk assessment (TARA) method (Clause 15)

The core of this standard is the Cybersecurity Management System (CSMS), a systematic risk-based approach.

Lifecycle and Risk Management Philosophy: ISO/SAE 21434’s risk management philosophy emphasizes the specific nature of the automotive sector, particularly its close link to safety. This standard supplements the functional safety standard ISO 26262, recognizing cybersecurity as a prerequisite for functional safety, as cyberattacks can directly impact the physical safety of a vehicle.

Key Risk Management Elements:

  • Threat Analysis and Risk Assessment (TARA): As the core of risk management (Clause 15), TARA is a systematic process that identifies assets, threats, vulnerabilities, impacts, and attack paths to determine risk values and derive cybersecurity objectives.

  • Continuous Activities: The standard emphasizes vulnerability analysis and management throughout the lifecycle, mandating post-production activities such as vulnerability management and incident response.

  • Fuzz Testing Recommendation: Requirement [RQ-10-12] specifically recommends fuzz testing, which is emerging as an essential testing method for components with Cybersecurity Assurance Level (CAL) 2 or higher.

Governance and Supply Chain Dynamics: ISO/SAE 21434 emphasizes robust organizational governance (Clause 5) and requires OEMs to manage cybersecurity across the entire supply chain (Clause 7). This is a core requirement directly linked to regulatory approvals like UN R155, meaning ISO/SAE 21434 compliance is mandatory for all suppliers participating in the automotive market. It explicitly clarifies responsibilities between customers and suppliers through documentation like Cybersecurity Interface Agreements (CIAs).

4. IEC 62443 vs ISO/SAE 21434: Key Differences Analysis

These two standards exhibit distinct differences in their application domains and risk management philosophies, which are crucial to understand.

Key Differences Summary:

  • Application Domain: Industrial vs. Automotive (reflecting directness of safety impact, lifecycle, and environmental characteristics).

  • Risk Assessment: IEC 62443 focuses on system segmentation using ‘Security Levels’ and ‘Zones/Conduits’ to provide more prescriptive objectives. ISO/SAE 21434 emphasizes a detailed analytical process (‘TARA’) to derive tailored cybersecurity objectives based on specific vehicle item risks.

  • Core Objectives: IEC 62443 prioritizes ‘Availability/Integrity/Resilience’, while ISO/SAE 21434 focuses on ‘Vehicle Safety/Data Privacy/Functional Security’.

5. Choosing the Right Standard and Leveraging Synergy

✔ When IEC 62443 is Needed:

  • Strengthening OT system security in industrial sites, manufacturing facilities, and critical infrastructures (energy grids, water treatment plants).

  • Defining and procuring security requirements for IACS components, systems, and solutions.

  • Establishing and operating IACS cybersecurity programs (for asset owners, system integrators, product suppliers).

  • Managing security for industrial systems with long operational lifespans (20+ years).

  • Environments where operational continuity and availability are paramount.

✔ When ISO/SAE 21434 is Essential:

  • Developing E/E systems, components, or software for road vehicles (automotive OEMs and suppliers).

  • Entering markets requiring compliance with automotive cybersecurity regulations like UN R155.

  • Establishing a CSMS that covers the entire vehicle lifecycle.

  • Meeting regulatory requirements for vehicle type approval.

  • Managing complex, multi-tiered automotive supply chains.

💡 Overlapping Areas and Synergies: While these standards address different sectors, they share common security principles and can create synergy.

  • Vehicle Manufacturing Plant Security: IEC 62443 applies to OT systems (robots, control systems) within the plant, while ISO/SAE 21434 applies to vehicle components and finished vehicles produced. Security in the production environment directly impacts vehicle security, necessitating an integrated approach.

  • Common SDLC (Secure Development Lifecycle) Principles: Utilizing common secure development practices such as threat modeling, secure coding, testing, and vulnerability management can enhance efficiency.

  • Cross-Domain Expertise: Knowledge of IEC 62443’s Zone/Conduit model or SL determination can be applied to automotive architecture design, while ISO/SAE 21434’s TARA methodology can be adapted for IACS risk assessment.

  • System of Systems Approach: When vehicles connect with external systems, such as V2X (Vehicle-to-Everything) communications or connected services, securing the boundary and interaction between the vehicle (ISO/SAE 21434) and external infrastructure (IEC 62443 or other standards) requires integrating principles from both.

6. Wise Cybersecurity Choices: A Path to Sustainable Growth

Cybersecurity isn’t a one-time project; it’s an ongoing journey of continuous improvement. As technology and the threat landscape constantly evolve, organizations must regularly assess and update their security posture.

Standard compliance is trust. In complex supply chains and in relationships with end-users/customers, adherence to standards is a key factor in building trust and gaining a competitive edge. Especially when linked to international regulations, standard certifications inform the market that a product complies, provides confidence to users, demonstrates a commitment to cybersecurity, and enhances trust among stakeholders.

Ultimately, standards provide a framework, but their effectiveness depends on skilled personnel, a robust security culture, and sustained management commitment. This is why IEC 62443 emphasizes the “balanced contribution of people, processes, and technology,” and ISO/SAE 21434 highlights “cybersecurity culture” and “top management commitment.”

In an increasingly interconnected and complex environment, ensuring organizational resilience, safety, and reliability through cybersecurity is a strategic imperative. We hope this article has helped you find the most suitable cybersecurity compass for your business and guided you towards a secure future!

Hermes Solution offers expert consulting and solutions for compliance with industrial and automotive cybersecurity standards. Partner with Hermes Solution to build a secure and trustworthy future in the complex cybersecurity landscape!
