Cybersecurity is a cornerstone of the digital transformation, underpinning a secure-by-design mindset. However, achieving cybersecurity is a specialism that can prove challenging for many to develop or impart in-house. Cybersecurity practices must align with global standards like IEC 62443 and ISO/IEC 27001 to reduce risk, accelerate compliance and stay ahead of evolving threats. These threats drive the need for stringent regulations and proactive security measures that provide globally recognised frameworks for protecting information systems and managing risk. Regulations highlight the world’s shift toward tighter cybersecurity control, prompting organisations to adopt resolute security frameworks and comply with industry standards.
Fortifying from within
Security is integrated into all phases of Advantech’s product development to identify and address potential vulnerabilities. With IEC 62443-4-1 certification, the company’s Secure Software Development Life Cycle (SSDLC) meets top-level industrial cybersecurity standards. IEC 62443-4-1 defines secure development lifecycle demands related to cybersecurity for products used in the IACS (industrial automation and control systems) environment. SSDLC, based on the IEC 62443-4-1 V-model, integrates security and automation into every stage. Featuring needs-based testing and complete validation, it ensures early risk mitigation, faster compliance and secure, reliable solutions for industrial applications.
Overcoming the challenge
IEC 62443-4-2 focuses on security specifications for systems, components and more, concentrating particularly on protection at the lower embedded level. Advantech joined forces with Bureau Veritas - a global leader in testing, inspection and certification - to help customers overcome security challenges in rapidly evolving technology segments like AIoT and edge computing.
Advantech also offers Verification of Conformity (VoC) or formal certification (CB), with customers able to choose depending on the need for IEC 62443-4-2 compliance. With its existing functional security testing methods, the company can help customers significantly reduce both the time and costs associated with certification.
This proactive approach integrates security-relevant best practice into the traditional Software Development Life Cycle (SDLC) in the functional safety domain. It shows how the use of automated and integrated tools can help to achieve compliance. Verification and validation play an important role in the process, with several testing techniques applicable to the standard’s recommended requirements-based testing strategy.
Multiple benefits
As a result of these measures, design and development engineers at OEMs and system integrators reduce deployment time by integrating Advantech’s pre-certified, security-hardened IIoT solutions. They can also simplify security assessments and regulatory compliance, and enhance system resilience against cyberattacks.
A case in point is Advantech’s TPC-B520 and TPC-B300 human-machine interface (HMI) solutions, which have officially received IEC 62443-4-2 VoC certification from Bureau Veritas. Implementing IEC 62443-4-2 compliant HMI solutions enables system designers to build secure and reliable IACS architectures that safeguard system integrity, data confidentiality and availability - even during cybersecurity incidents.
Of course, cybersecurity isn’t limited to HMI. It’s a critical priority across all computing systems. An example is the ECU-479, a rugged industrial computer specifically designed for power substations, designed as a VoC system, certified to IEC 62443-4-2 Security Level 2. Also certified to IEC 62443-4-2 are Advantech’s EKI-7400 combo-managed and EKI-7700 port-managed ethernet switches. Both support VLAN-based network segmentation and enforce security with access control lists and DHCP (Dynamic Host Configuration Protocol) snooping to prevent malicious access. Moreover, the switches support authentication and identity verification through the 802.1X IEEE standard for port-based network access control, the RADIUS (Remote Authentication Dial-In User Service) network protocol and the MAB (MAC Authentication Bypass) network access control.
For IEC 62443-4-2 functional security, Advantech’s x86-based products will gradually incorporate basic protection measures, including firmware, operating systems, IoT connections and more. These products will utilise tools such as the Trusted Platform Module (TPM) and a whitelist control to enhance overall system security.
For all products, Advantech follows a structured, security-focused design and implementation process that includes threat modelling and security design reviews, security-by-design principles, secure coding guidelines, peer reviews, and audits.
Proactive measures
Design engineers should seek out IIoT module suppliers that maintain a comprehensive vulnerability management process. The Advantech Cybersecurity Incident Response Team (ACIRT) rigorously assesses potential threats to products and provides timely and transparent advice to customers. Ultimately, developing a secure product requires a comprehensive approach to embedded cybersecurity. Core principles like AAA (Authentication, Authorisation, Accounting) and CIA (Confidentiality, Integrity, Availability) form the foundation of secure system behaviour and data protection. Lastly, thorough security testing validates that implemented controls are effective, ensuring the product can withstand real-world cyberthreats.
Together, these practices support the development of robust and trustworthy products, helping OEMs and system integrators shorten project timelines.
Supply chain
As a final note, given that supply chain cyberattacks have become a potential cybersecurity risk for businesses, Advantech has also incorporated information security risks into its supplier evaluation and management mechanisms. Suppliers identified as having significant cybersecurity risks are required to complete a self-assessment, which will then be evaluated by Advantech to reduce the likelihood of introducing cybersecurity risks through third parties.
Of particular note, Advantech has implemented a software bill of materials (SBOM) management mechanism to track the supply chain in software development and update third-party components with security patches. It keeps track of every supplier library, script, CI/CD application, artefact, licence and version integrated into applications. For small businesses with just one application, it might seem like tracking the supply chain is simple, but it can soon become overwhelming as the software development lifecycle adds moving parts. By proactively managing dependencies, organisations can mitigate risks and maintain a resilient, secure development lifecycle.
