Industrial Control Systems (ICS)

  • 1.  IEC 61508 and IEC62443

    Posted Jun 14, 2023 08:48:00 PM

    Dear Community members,

    I have encountered some challenges and would like to hear advice and recommendations from the community.

    A project utilised a number of IT network devices to form a backbone (comprising switches and firewalls; this is a 2-tier architecture design). There are, though, a number of connections coming in from other devices, one of which is considered SIL 1 equipment. The rest of the connections are IT categories.

    The client is insisting that this backbone network has to be assessed in accordance with IEC 61508 (suggested to be Part 3 - software SIL).

    I checked with the various IT equipment principals; their products are not IEC 61508 certified (as they are not related to safety functions or systems per se).

    Hence, they have not had that certification or assessment done before.

    I'm in a dilemma as to how to convince the client that:

    These are IT equipment and not related to safety equipment. Hence, they have not gone through IEC 61508.

    But, if need be, ISO 27001, ISO 9001, or even IEC 62443 may be substituted as the assessment for IEC 61508.

    I would like to hear from the community whether this is an appropriate strategy.

    Or whether anyone has had a similar situation in which IT equipment is required to be assessed based on IEC 61508 Part 3 (Software).

    I would appreciate any comments and sharing of views & advice.

    Best regards

    William



    ------------------------------
    William Ho
    Director of Alliance and Partnership
    ------------------------------


  • 2.  RE: IEC 61508 and IEC62443

    Posted Jul 13, 2023 07:05:00 AM
    Edited by Shamun Mahmud Aug 30, 2023 05:06:14 PM

    Hello William,
    In my opinion...
    The concepts of probabilistic risk for each safety function are central to the IEC 61508 standard. A suggestion would be to use a standard that measures "As low as reasonably practicable". As such, I personally agree with your assertion, and would choose to measure risk against IEC 62443. That standard is more tailored for the IACS realm.

    Question: Are the ICT (non-OT) equipment(s) in the future architecture readily "testable" (to 62443)?

    Cheers,
    Shamun



    ------------------------------
    Shamun Mahmud CCSKv3
    Vice chair
    IEEE Seattle Section - Education Society (EdSoc - E25)
    Bothell WA
    ------------------------------