From Standards to Practice : Implementing ISA/IEC 62443-4-1 Secure by Design in a Smart Lighting Company

Abstract

The customer requirements for smart lighting solutions related to cybersecurity are increasing. To be able to produce more secure products efficiently as well as to be able to verify the competencies of the customers adopting the ISA/IEC 62443-4-1 standard could be an answer. This standard is a part of the ISA/IEC 62443 standard family describing a framework that aims at mitigating current and future security vulnerabilities in industrial automation and control systems (IACSs). The purpose of the thesis was to create a tool in the form of a document that would help in the adoption of ISA/IEC 62443-4-1 Secure by Design part in a smart lighting solution company. The research method used was qualitative Design Research Method (DRM) type 2 research, which included a literature review conducted during the first, RC (Research Clarification) stage, 8 individual in-depth interviews conducted during the DS-I (Descriptive Study I) stage, and a focus group interview conducted during the PS (Prescriptive Study) stage of the research. The main outcome of the thesis was support, an initial document template that can be used as part of identifying and characterizing product-related assets accessible through various interfaces, which is one of the requirements presented in the Secure design principles subsection of Secure by design requirements in the abovementioned standard. Being compliant with a huge number of requirements presented in the standard is a process that lasts for even many years. This thesis elaborated on only one part of the requirements, which turned out to be a huge whole in itself also. Complying with the Secure by design requirements is going to be continued in the company and based on this thesis and as stated by multiple participants, is a process that will take probably years and requires resources, that are not available for smaller companies and therefore compliance can be seen as a significant competitive advantage for the company.