A draft of ISA 62443-4-1 has been approved and now heads to IEC for final confirmation.
Known officially as ISA-62443-4-1 Security for industrial automation and control systems Part 4-1: Secure product development life-cycle requirements, the document is part of a certification program which assesses a supplier’s product development lifecycle processes for industrial automation control systems. The program offers increasing levels of development lifecycle security assurance. This document determines whether the assurance applies to development of components, systems or both; and the scope of products to which the organization applies the process (which may be all products).
Founded in 1945, the International Society of Automation (ISA) is a nonprofit organization. It currently has more than 40,000 members worldwide. The organization primarily creates standards for automation.
A related organization, the International Electrotechnical Commission (IEC), creates International Standards and Conformity Assessment for all electrical, electronic and related technologies.
Of interest for software testers is section 8.2.1 (c), Static Code Analysis (SCA), which states that this testing shall be done if such testing exists for the language in use and/or if the software has changed. A separate section addresses testing for third-party software.
Section 9.4 SV-3 covers vulnerability testing, which includes fuzz testing, network traffic load testing and capacity testing, attack surface analysis, and black box known vulnerability scanning. For software composition analysis on all binary executables, the analysis addresses the following types of problems at a minimum:
(1) known vulnerabilities in the product software components,
(2) linking to vulnerable libraries,
(3) security rule violations, and
(4) compiler settings that may lead to vulnerabilities.
This standard does matter. ISA and IEC standards are often mandated by law, in Europe for example.