The IEC 62443-4-1 and UL 2900-1 standards confirm that Eaton's development and design processes comply with industry standards.
At its Cybersecurity Perspectives forum, Eaton announced that its product development processes are now certified by the International Electrotechnical Commission (IEC) and UL.
These certifications support Eaton's goal of providing, in a hyperconnected world, trusted environments that build cybersecurity into the foundation of innovation in its product development and design processes.
- IEC 62443-4-1 Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements – IEC 62443-4:2018(E) specifies the process requirements for the secure development of products used in industrial automation and control systems. This specification is part of a series of standards that addresses the issue of security for industrial automation and control systems (IACS). IEC 62443-4 defines secure development life-cycle (SDL) requirements related to cyber security for products intended for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element. The life-cycle description includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware. Note that these requirements only apply to the developer and maintainer of the product, and are not applicable to the integrator or the user of the product.
- UL 2900 establishes that manufacturers have characterized and documented the technologies used in their products that could constitute an “attack surface”. It requires threat modeling based on intended use and relative exposure. The standard demonstrates the effective implementation of security controls protecting both sensitive data (e.g. PII, PHI) and other assets such as command and control data. It provides objective evidence that software weaknesses and vulnerabilities have been appropriately dispositioned and further verified via penetration testing, and it promotes defensive design (e.g. defense-in-depth, partitioning, etc.).