Interview with Sebastian Fritsch
DKE: Mr. Fritsch, please be so kind as to elaborate upon the new projects for the IEC 62443 series of standards. What is the underlying motivation?
Fritsch: The projects already have a longer history and the motivation to work on them is somewhat different in each case.
When it comes to the project involving the evaluation methodology for IEC 62443-4-2, for example, there is a wide range of certifications on the market, but with little comparability. Among other things, which standards are used to evaluate the security industry components is not transparent. The aim of our project is to define a transparent framework for this purpose, according to which testing and certification companies can define their evaluation programs for components.
Our motivation for the project to develop rules for profiles has grown over time. It also started with the IEC 62443 series of standards, because certain parts already explicitly mention that tailoring has taken place. Thus, there was a tendency in the application for a kind of "arbitrary picking and choosing" of requirements. On the German side, we then started to formulate proposals in the standardization process as to what concrete profiles should look like – for individual, specific parts of the standard, in order to make it clear that there is only a certain, meaningful selection of requirements.
From the original discussion the result has been that we need to address this issue on a much broader basis and require rules on how profiles are developed.