Call for interest in accreditation based on IEC 62443: ‘Safety for industrial measurement and control engineering – Network and system safety’

Since the publication of the standards IEC 62443-4-1 and IEC 62443-4-2, the RvA has received some requests for accreditation of activities under this series of standards. As the RvA has not granted accreditation for these standards before, we first have to go through a development process. We will do this together with interested clients in order to establish a robust and proportionate assessment approach. The RvA wants to gauge the potential interest in accreditation in this area so that we can decide properly how to deploy our resources. If there is sufficient interest, we will start a development process. The focus will initially be on test accreditation (under EN ISO/IEC 17025). If there is also considerable interest in other areas, we may start a development process for those activities as well.

Importance of conformity for security of process automation

How safe is a product against an external attack? The composite system is as weak as the proverbial weakest link. A hack of a production process can have very large consequences. A high-profile example is the February 2021 hack on the Florida water treatment plant. A hacker penetrated the system. Remotely, he added a large dose of sodium hydroxide to the drinking water without any active notification from the system. If the staff on duty had not recognized the problem in time, the hacker could have poisoned the drinking water of the entire region. This shows that the cybersecurity of automated production processes is essential.

In the automation of production processes, which are controlled by OT (Operational Technology) systems, other factors come into play than in the automation of IT systems. The production process should not come to a prolonged halt, but implementing a new system or maintaining it takes time. The IEC 62443 series of standards provides a framework with which a company or institution can demonstrate that it guarantees the integrity and availability of the systems used within the production process.

How does a joint development process work?

During a development process for an activity that has not yet been accredited by the RvA, the way in which accreditation is granted still has to be determined. This is done in a joint process with the clients involved. During this process, the RvA assesses all participating organizations. Participants are given the opportunity, in accordance with an agreed time schedule, to submit corrective measures for any nonconformities found. The RvA then makes a decision on the accreditation of the participating organizations. As long as the development process is running, the RvA will not accept any new applications for this activity.

Cost of participating in the development process

Starting in 2022, the RvA will charge a development fee to organizations participating in development projects, in addition to the normal assessment costs. In this way, only clients who benefit from the development will bear the additional development costs.

Any questions or interested in participating? Let us know

Do you have questions, or would your organization like to participate in the development process? Please let us know before Friday, September 30, 2022 by sending an email to ontwikkeling@rva.nl. If your organization is also interested in accreditation for activities other than testing under this series of standards, we would like to hear from you as well.

The interested organizations will be contacted by the RvA about the terms of the project, a proposed timetable for the main phases and an estimate of the development fee.

Note: Your registration as an interested party does not oblige you to participate in the development process. Nor does it oblige the RvA to start the development process. Your participation in the development process is only definite after you have submitted a complete application.