IEC 63208:2020

IEC 63208:2020, published as the technical specification IEC TS 63208:2020, is a document issued by the International Electrotechnical Commission (IEC). It addresses security aspects of low-voltage switchgear and controlgear. The specification focuses on the security features these devices need throughout their lifecycle, with guidelines aimed at reducing vulnerabilities associated with both physical access and data communication. It is relevant to devices that support wired or wireless communication and details countermeasures against cybersecurity risks, particularly for equipment used in industrial settings where data interfaces (e.g., monitoring, data logging, or remote updates) are increasingly common.

IEC TS 63208 is part of an initiative to enhance cybersecurity in industrial environments, where devices like circuit breakers and relays are connected to larger systems and could be potential targets for cyber threats. As a technical specification, it offers recommendations rather than mandatory requirements, helping manufacturers and operators mitigate risks in line with cybersecurity best practices.

IEC TS 63208:2020 is a technical specification focused on cybersecurity for low-voltage switchgear and controlgear. This specification addresses the security measures required for the lifecycle of these devices, particularly when they are integrated with data communication capabilities (wired or wireless) and networked control systems. The specification provides guidelines to safeguard against vulnerabilities in industrial and other environments where such equipment might be exposed to cyber threats.

Key aspects covered in IEC TS 63208 include:

  1. Risk Mitigation: It outlines security measures to mitigate risks associated with data interfaces and physical access.

  2. Lifecycle Security: The document covers security practices for these devices from installation through decommissioning.

  3. Application Scope: Applicable to low-voltage switchgear and controlgear, including devices like circuit breakers and relays often used in industrial settings.

  4. Recommendations, Not Requirements: As a technical specification rather than a standard, IEC TS 63208 offers recommendations rather than enforced requirements. It provides guidance to manufacturers and operators on implementing cybersecurity practices to reduce system vulnerability to cyber attacks.

Difference

IEC TS 63208 and IEC 62443 are both IEC specifications that address cybersecurity concerns in industrial systems, particularly for connected devices and systems, but they focus on different types of equipment and have unique goals.

Similarities:

  1. Cybersecurity Focus: Both standards aim to provide cybersecurity guidance for industrial environments, focusing on minimizing risks related to unauthorized access, data tampering, and network-based vulnerabilities.

  2. Lifecycle Consideration: They both emphasize security measures across the entire lifecycle of the equipment or system, from design through installation, operation, and decommissioning.

  3. Risk Mitigation: Both provide frameworks to assess and mitigate cybersecurity risks in the industrial sector, aiming to support secure design and operational practices against emerging cyber threats.

Differences:

  1. Scope of Application:

     - IEC 63208 focuses specifically on low-voltage switchgear and controlgear, addressing security concerns unique to these devices as they become increasingly connected through wired or wireless communication.

     - IEC 62443, by contrast, applies more broadly to Industrial Automation and Control Systems (IACS) and encompasses a wide range of devices and systems across different industries, including manufacturing, energy, and transportation.

  2. Technical Content:

     - IEC 63208 is a technical specification that offers recommendations to improve security awareness and practices rather than strict requirements. It does not mandate compliance but provides specific guidelines for reducing vulnerabilities related to physical and data accessibility.

     - IEC 62443 is a more comprehensive standard, structured into multiple parts (including policies for suppliers, integrators, and operators) and offering a systematic, tiered approach to implementing cybersecurity controls. It includes requirements for network segmentation, access controls, security levels, and secure communication protocols.

  3. Industry Adoption:

     - IEC 62443 is more widely adopted across various industries due to its broad applicability and structured framework, which can be tailored to different levels of security maturity and system complexity.

     - IEC 63208 is more specialized and is primarily relevant to manufacturers and users of low-voltage control equipment looking to enhance security as these devices are increasingly networked.

In summary, IEC TS 63208 is a focused guide for low-voltage switchgear security, while IEC 62443 provides a more extensive, flexible cybersecurity framework for broader industrial applications. Both contribute to improving industrial cybersecurity but serve distinct functions and industries.

A Security Protection Profile (SPP) is a formal document in cybersecurity that outlines the necessary security requirements and objectives for a specific type of system, product, or network. It is often used in standardized frameworks to define what security features are needed to protect against expected threats, vulnerabilities, and risks associated with a device or system’s intended operational environment. The concept of a Security Protection Profile is closely tied to standards such as the Common Criteria (CC), where an SPP helps establish a standardized, measurable security baseline for certification and evaluation.

Key Components of a Security Protection Profile

  1. Threat Model and Security Objectives: The SPP starts with a threat model, detailing the possible threats to the system, including physical, digital, and human attack vectors. This is followed by high-level security objectives designed to counter those specific threats. For IoT devices, for instance, this could include objectives to secure data transmission, authenticate devices, and protect from unauthorized access.

  2. Security Functional Requirements (SFRs): These are specific security features that the product or system must implement to meet the protection profile’s objectives. Examples include encryption, access control, data integrity checks, and secure communication protocols.

  3. Assurance Requirements: This includes specific measures to evaluate and ensure that the security functions are effective and correctly implemented. Assurance requirements may cover code reviews, security testing, and system documentation to provide confidence in the product's security.

  4. Operational Environment Assumptions: The profile defines assumptions about the environment in which the system or device will operate, such as the expected users, network configurations, and physical security protections. These assumptions guide the profile to ensure realistic security recommendations.

  5. Evaluation Assurance Levels (EAL): In Common Criteria, profiles may also define the Evaluation Assurance Level, which indicates the level of rigor applied during the evaluation. Higher EALs correspond to more extensive testing and validation, ensuring greater confidence in the product’s security under the SPP.

Use of SPPs in Standards Like IEC 62443 and IEC 63208

In standards like IEC 62443, SPPs are integral to defining cybersecurity requirements for Industrial Automation and Control Systems (IACS). Here, they provide a structured basis for implementing consistent and verifiable security measures across interconnected industrial devices and networks. For IEC 63208, while it does not formally mandate protection profiles, the document aligns with similar principles by recommending security measures for low-voltage switchgear that could be detailed in a protection profile, especially as these devices are integrated into IoT networks.

SPPs help organizations ensure that security controls are both relevant to the specific environment and verifiable, making them a critical tool in any structured cybersecurity certification process.

A Security Protection Profile (SPP) in the context of IEC 63208 would serve as a framework for identifying and mitigating cybersecurity risks for low-voltage switchgear and controlgear. Since IEC 63208 is a technical specification focused on securing these devices within industrial networks, an SPP tailored to it would include:

  1. Threat Identification: Defining the main cybersecurity risks to these devices, such as unauthorized data access or remote tampering, which are relevant to industrial IoT environments.

  2. Security Requirements: Establishing specific security functions for protection, like encryption for data communication, secure access controls, and tamper-resistant design.

  3. Assurance and Validation: Outlining measures to ensure that these protections are effective, including testing, monitoring, and maintenance guidelines across the device’s lifecycle.

Certification

Currently, there is no formal certification available for IEC TS 63208, as it is a technical specification rather than a fully adopted standard. Technical specifications, like IEC TS 63208:2020, provide guidelines and recommendations but are not structured for conformity assessment or certification purposes. These documents aim to help organizations identify and apply security measures across the lifecycle of low-voltage switchgear and controlgear, particularly focusing on cybersecurity requirements for both wired and wireless communications and physical access.

Given that IEC TS 63208 is in an advisory stage, future developments could lead to standards or conformity assessments in the low-voltage equipment sector, especially if further consensus builds around its recommendations. As of now, companies or entities implementing its guidelines typically do so voluntarily, without certification requirements. However, specific industry sectors or regulatory bodies may choose to mandate compliance based on its guidelines over time.
