From baby monitors to nations' electrical grids, we find ourselves suddenly more vulnerable than ever before. When an attacker anywhere in the world can reach out and affect our collective and personal security and privacy and indeed the path of global history, we find that we must defend ourselves proactively—all products must be secure by design.
As with any security measure, the earlier it is considered, the more effective it can be. Security must be considered not only early, but in all aspects and at all stages of product development. Only in this way can the products that make up our digital world defend themselves, and the systems we depend on be defended along with them. This is the goal of secure development lifecycles: to ensure that all aspects of product security are considered at every step of development.
Those responsible for industrial control systems have long known that their infrastructure can be an attractive target for attackers at all levels and have been working for many years on product security considering this reality. This stands today as the widely respected and adopted ISA/IEC 62443-4-1: Secure product development lifecycle requirements standard.
Recently, to satisfy the need for a secure development framework across a wide range of industries, the US National Institute of Standards and Technology (NIST) developed and released the Secure Software Development Framework (SSDF), also known as NIST SP 800-218. NIST's SSDF serves as an excellent framework within which to build a secure development lifecycle (SDL).
There are differences and similarities between the two approaches that organizations should weigh when choosing a starting point for a secure development lifecycle.
ISA/IEC 62443-4-1 was developed and agreed upon by an industry well before there was widespread recognition of the need. Foremost in the minds of its developers was the need to provide a process measurable enough to support certification, and to provide a solid foundation for subsequent component and system certifications. Using ISA/IEC 62443, the industry could recognize products that were developed to a strong standard and with the right product features to support a secure automation infrastructure.
In contrast, SSDF was developed for a broad set of industries, without the need to address certification. Its goal is to deliver a usable and flexible framework for nearly any product development team, regardless of industry. For example, SSDF can be applied to anything from baby monitors to automobiles, but it stops short of supporting a certification scheme.
While ISA/IEC 62443 as a whole is meant for industrial automation and control systems, the ISA/IEC 62443-4-1 portion of the standard, which specifies the secure development lifecycle, is based on strong development tenets with no special consideration for industrial controls. As such, it stands very well on its own, and provides the foundations of a secure development lifecycle in sufficient detail that teams using it can be externally verified and certified.
Because ISA/IEC 62443-4-1 satisfies all the requirements outlined in SSDF, teams considering a secure development lifecycle can start with SSDF and then look to ISA/IEC 62443-4-1 for the details that support a more complete execution of the tenets put forth by SSDF. In addition, teams who choose to can achieve externally recognized certification under the schemes offered by any number of certification vendors. Conversely, teams already working with ISA/IEC 62443-4-1 are already following the practices put forth by SSDF.
In summary, ISA/IEC 62443-4-1, originally designed for the rigorous needs of industrial controls and critical infrastructure, can be used as a strong companion to NIST's Secure Software Development Framework as a way to provide detailed guidance for SSDF's practices.