
Recommendations for ICS Manufacturers and Integrators

ICS Security Compendium: Test recommendations and requirements for product suppliers of components

This part of the ICS Security Compendium is written for product suppliers of ICS (Industrial Control System) components and covers both hardware and software components. The subject of security must be taken into account in the design and development of ICS components and plants/machines.

Vulnerability handling

The handling of vulnerabilities by manufacturers and mechanical engineers is central to the security of industrial systems. This document presents the most important actions recommended for responsible incident handling.

Requirements for network-connected industrial components

As in other hardware and software components, vulnerabilities are discovered in industrial components. This document provides an overview of the most important requirements in developing industrial components with a sufficient level of security.
The BSI is currently using this document to create a test guide that is to serve as a basis on which manufacturers, integrators, and operators can conduct security analyses (e.g. acceptance tests).

Security-specific recommendations for mechanical engineers and integrators

Increasing networking in application areas such as factory automation, machines and systems exposes them to the same threats as conventional IT systems. There have repeatedly been incidents in which attackers penetrated production networks, typically via a company's office network or remote maintenance access.

Cyber Security Requirements for Network-Connected Medical Devices

Many medical devices follow the trend towards digitization, and offer an option to operate with other devices over an information network. This often involves the use of technologies that have already been proven to be effective in other areas. Manufacturers have to pay special attention to the resulting cyber security challenges while considering the specific conditions for medical devices, such as long product life cycles and the intended use in areas that are directly critical to patient safety. Therefore, this document summarises best practices for manufacturers of network-connected medical devices. These recommendations accompany regulatory requirements and are intended to support implementation and maintenance at an appropriate level of cyber security according to the current state of the art.

In order to meet one of the essential requirements of the Medical Device Directive currently in force, manufacturers must perform a risk analysis during the conformity assessment procedure. The identified risks must be minimised and documented. These cyber security recommendations provide practical assistance on how the cyber security issues identified in that analysis can be reduced in detail.