OT security according to IEC 62443

Information Security

Communication networks in industrial plants are increasingly exposed to hacker attacks. The IEC 62443 standard is relevant for operational technology (OT) security. This also applies to ships, where a more stringent standard will apply from January 2024 - for example, for the control of diesel engines.

  • Initial situation

    From January 2024, ships will be subject to more stringent OT security requirements. As a manufacturer of ship engines, WinGD must fulfill these. The first step was to analyze how much effort this would take.

  • Solution SCS

    SCS prepared a gap analysis: How much effort does it take for the motor controller to meet the more stringent OT security requirements of IEC 62443-3-3? How much effort is required for the next higher security level 3?

  • Added value

    Cyber security is achieved not only through technology, but also through defined processes. This keeps the technical effort within limits and the next higher security level 3 for autonomous driving is feasible.

Project insights

A marine diesel engine is not directly connected to the Internet. The control system is located in the engine room, close to the engine inside the ship. Nevertheless, malware can reach the engine room, for example via a service laptop. That is why OT security for all electronic devices on a ship is regulated by the International Association of Classification Societies (IACS). Their Unified Requirements UR E26 and UR E27 on Cyber Resilience of Ships and On-Board Systems will come into force in January 2024. The standard for shipping is closely based on the general IEC 62443-3-3 standard on OT security of industrial communication networks. Previously, ships were subject to Security Level (SL) 1 requirements. From January 2024, all requirements will be subject to SL 2. For WinGD, the question was whether it would be worthwhile to aim for SL 3, which is required if the ship is to operate autonomously.

From January 2024, all ships must comply with security level SL 2. SL 3 applies to ships that operate autonomously. Image DNV

What is new is that the systems on the ship must be able to monitor communications (intrusion detection system) and to detect and defend against denial-of-service attacks. One difference between SL 2 and SL 3 is, for example, that in SL 3 the system is supposed to identify unauthorized users and report them to the responsible personnel.

The first step was a gap analysis of the effort required to adapt and certify the existing motor control according to SL 2, so that the mandatory requirements are met in January 2024. The second step concerned SL 3: Is it worth going straight to SL 3?

The gap analysis showed that many safety-relevant mechanisms are already used in motor control. Communication is already encrypted and users have to authenticate themselves. Access by users and services was also restricted according to the least privilege principle. However, a challenge emerged in monitoring.

When working with standards and the subsequent certification, it is important that suitable solutions are found. The requirements should be met with the appropriate effort, not too much and not too little. The delimitation of the system is also crucial: The engine room in a ship is not exposed to the same attacks as a public WLAN.

Security is achieved not only through technology such as encryption and authentication, but also through defined processes and trained personnel. Image DNV

The gap analysis showed that it is possible to fulfill SL 3 directly. Not every requirement has to be met with additional hardware or code. A requirement can also be met through processes: for example, a password must not be passed on. Of course, this includes staff training. SCS's experience with the certification of similar systems according to IEC 62443, in particular the existing motor control system for Security Level SL 1, helped with the analysis.

Do you have questions about OT security, or do you need to secure your own application according to the IEC 62443 standard? Get in touch with Jérôme Stettler!
