Industrial Security: IT Security Association Germany (TeleTrusT) publishes Use Cases for the application of IEC 62443-4-2
23.02.2021 - The TeleTrusT Use Cases give users a ready-to-use concept for a structured process to evaluate the security requirements of their application and to select products and solutions accordingly. Based on the Use Cases, the user can work far more practically and effectively than with the general, comprehensive and abstract Component Types of IEC 62443-4-2.
Information technology and classic automation technology are increasingly merging. At the same time, different requirements are placed on the security mechanisms in automation technology than in the IT world, especially with regard to update options, real-time capability and heterogeneous hardware environments.
The central standard is IEC 62443, which consists of several parts and is intended to cover all IT security-relevant aspects of industrial automation technology. The IEC 62443-4-2 part of the standard repeatedly raises questions in practice. In particular, it concerns the specification and later also the certification of components and devices used in control and automation technology. The question of the correct IT security level for such products also regularly arises when applying the standard.
On the one hand, the standard is important for system integrators, machine builders and plant operators who have to consider the security aspects of their applications, and on the other hand, it is also important for device manufacturers who develop routers, gateways and other components for the automation industry.
Some users rely on the simplified view of the (four) security levels to assess security requirements. In practice, this rather general approach hardly leads to answers that cover all aspects of an application. Another approach is a risk analysis at the system level. Although this approach allows security requirements to be described precisely, its results are not general enough to be easily transferred to other applications.
To solve this dilemma, the TeleTrusT working group "Smart Grids/Industrial Security" has formulated IEC 62443 Component Use Cases that take both of the above approaches into account.
In the first step, the functionality and the intended use of the component are defined. Then the application and the environment in which it will be used are considered in order to derive the security requirements in accordance with IEC 62443-4-2. This is done from two perspectives: the security level perspective and the application perspective. Finally, the use case specifies concrete points and steps for testing the finished solution as part of internal quality assurance.
In order to simplify practical application, the use cases were not developed in the abstract, but based on two concrete examples: Industrial Firewall and Security Gateway. The two use cases differ in that the Industrial Firewall use case can build on practical experience with existing products, while the Security Gateway use case has hardly any empirical values yet due to the new application fields and products.