Annual security review by TÜV Süd completed successfully
Reinhard Mayr, Head of Information Security and Research Operations, is involved in this process for us and he explains what it entails.
Why is it important for COPA-DATA to be IEC 62443-certified?
It is very important to us to ensure that our processes produce high-quality products. The IEC 62443-4-1 standard certifies that our (secure) development lifecycle generates high-quality engineering projects, and thus enables our software users to design state-of-the-art security infrastructures.
What do we have to do in order to continue to hold certification?
Every three years our company will be recertified. The next round will be in 2021. Between certification years, we keep in regular contact with an auditor and receive, so to speak, a content refresher from TÜV Süd. This provides us with more knowledge in the security management team and, from there, across the entire company. In addition, we communicate openly and transparently, if security-related issues could potentially arise from our products.
What measures have been implemented so far this year?
All COPA-DATA employees were provided with comprehensive awareness training about security. The security management team is now well-known within our organization, and we are consulted when matters are unclear. Our developers attended a secure coding training program. In zenon’s development and quality assurance areas, we have expanded fuzzing activities, in order to test the robustness of our interfaces. In addition, we are monitoring licenses and potential weak points, particularly for third-party open source code, using a special software tool. In general, TÜV Süd confirmed that we have further improved and made our external communications more professional in the event of any potential security threat.
What are the next milestones?
We will continue to develop our know-how. We are aware, of course, that this is a never-ending process. We intend to continuously improve our quality, and communicate quickly, professionally and transparently, if we identify or are informed of any issues. Our upcoming product enhancements should all be equipped with security by design. At the same time, we will work on improving the stability of the full system and the tamper detection feature in zenon. We will also keep an eye on the issue of code quality via static code analysis in order to keep the many millions of lines of zenon code up to date.
How will the acquired security expertise otherwise be shared?
We plan to share our security knowledge as soon as possible with our COPA-DATA Partner Community and offer the corresponding training. We recently introduced a policy that ensures partners with the highest status, our Gold partners, must demonstrate a minimum knowledge of cyber security issues. In addition, we will work more closely with the Computer Emergency Response Team Austria (www.cert.at) and other third-party partners such as the Salzburg and St. Pölten Universities of Applied Sciences. A few of our employees are also expected to become more engaged in the security standardization committees for our focus industries.
As a zenon user, do you have any questions about the topic of security? Contact your local zenon representative or send an email to email@example.com.