symmedia attains the IEC 62443 certification
symmedia is one of the first companies in Germany to be certified by TÜV Nord according to the IEC 62443 (Industrial Communication Networks – Networks and System Security) standard, which is the most important international standard for OT (operational technology) security in the industrial sector. This formally verifies that symmedia is capable of designing, building and operating software and solutions based on the Secure-By-Design principle.
TÜViT (TÜV Informationstechnik GmbH) has verified the symmedia SP/1 solution as a “trusted product” for several years now. With the IEC 62443-4-1 certification for the Secure Software Development Lifecycle, we reinforce our USP as a manufacturer of exceptionally secure solutions for industry, especially mechanical engineering, and we prove ourselves as a reliable partner for our customers. What exactly is behind this certification and how it benefits our customers is discussed below.
Secure-By-Design, Defense-In-Depth and Secure-Coding – It’s part of our DNA
The risk of cyber-attacks is increasing day by day, and handling data responsibly is more vital than ever. Data is a precious asset, and its loss or manipulation can have major ramifications for our customers. The IEC 62443 has become a globally recognized standard for evidence of conformity in the process and automation industries. The IEC 62443-4-1 standard demands the adoption of, and compliance with, eight so-called practices. When these practices are combined, they establish a Secure Software Development Lifecycle, which serves as the foundation for the holistic creation and operation of secure software products and solutions. Concretely, the eight practices are:
- Security Management
- Specifying Security Requirements
- Secure Product Design
- Secure Implementation
- Security Verification and Validation Testing
- Managing Security Issues
- Releasing Security Updates
- Providing Security User Documentation
The practices are further broken into 47 distinct requirements that must be met. In contrast to many common standards, which require processes and criteria to be described as precisely as feasible, the IEC 62443 takes a far more practical approach. The goal is to consider and integrate safety-related elements at all stages of the product development lifecycle. These characteristics are derived from the three principles listed below:
- Secure-By-Design: Security requirements for software and hardware are considered as early as the development phase of a product to prevent later security gaps.
- Defense-In-Depth: The concept used for IT/OT architectures in which multiple layers of security controls (defense) are placed throughout the entire system.
- Secure-Coding: A practice that demonstrates a shift in responsibility by literally naming the developer as responsible for code security rather than a security team. This also paves the way for the shift-left security concept that is already being widely adopted as part of the Software Development Life Cycle (SDLC) best practices.
As part of the certification process, we put our experience and the most recent cybersecurity discoveries to the test and optimized our symmedia Secure Product Development Lifecycle. The lifecycle is used to develop symmedia products under an agile process model such as SCRUM or Kanban, while keeping security in mind throughout the process. The approach is based on the Security Development Lifecycle, which was released by Microsoft in 2004 and is constantly being improved, and which serves as a market reference model.
The method comprises various phases of best-practice agile software development that are supplemented by corresponding security aspects. As an end-to-end (E2E) process, it is rooted within the symmedia organization and thus encompasses all aspects and phases of product creation from conception through delivery and future development / maintenance.
As a result, we have established a solid foundation for providing our customers with maximum protection against cyber threats while assuring continual development. The topic of cybersecurity is and will continue to be pervasive, and thus serves as a powerful USP for our products.
Please contact us if you want to learn more. We will gladly supply you with additional information about our products and the IEC 62443-4-1 certification.