Kalmar leads the way in cybersec certification for the terminal industry
In August 2023, the Kalmar Technology and Competence Center in Tampere, Finland and its Automation Business Line received certification for IEC 62443-4-1, the international standard for cyber security for industrial automation and control systems. Kalmar is the first solution provider in the ports and terminals industry to receive the certification for the software development of its automation system for all terminal equipment.
Industrial automation and control systems have a direct effect on the physical world and cybersecurity incidents can lead to financial, health, safety and environmental impacts. Potential threat scenarios range from data security breaches and ransomware attacks to the theft of goods and even shutting down the operations of the entire port. Attacks may be carried out by various types of entities including individual hackers, organised crime and state-level actors. Due to the critical role that ports and terminals play in global supply chains, any security incidents can have serious consequences for the terminal operator, customers and society at large.
IEC 62443-4-1 is an industrial standard that defines Secure Development Lifecycle (SDL) requirements and practices related to the development of products. The certification of the Kalmar One automation system to the standard demonstrates Kalmar's commitment to ensuring the highest level of security for its products and solutions. SDL includes practices such as security requirements definition, security training, secure design, secure implementation, verification and validation, defect management, patch management and product end-of-life.
Securing the development process
The Secure Development Lifecycle process of the Kalmar One automation system was independently audited by leading product certification company Exida, and the process met the requirements of maturity level 3 of the IEC 62443-4-1 standard. Achieving this maturity level demonstrates that the organisation has implemented a structured approach to industrial cybersecurity and is committed to improving its security capabilities. The processes have been practised, and evidence exists to demonstrate that this has occurred.
"To address cybersecurity in Kalmar One, we started implementing the security practices of the standard into our software development," says Jani Mäntytörmä, Chief Cyber Security Engineer, Kalmar Automation Business Line. "We integrated several security tools into our software development process to provide enhanced visibility of what is going on under the hood of our product, and to reduce attack surfaces. Security training courses were made mandatory for software developers and testers and the onboarding process includes the courses.”
"To address cybersecurity in Kalmar One, we started implementing the security practices of the standard into our software development."
Leading by example
The IEC 62443-4-1 standard does not define specific features in end products, but is designed to help companies improve cybersecurity by improving the software development process and addressing best practices in managing the entire lifecycle of the software product. By following the IEC 62443-4-1 standard, companies can ensure that products and solutions are designed, developed, maintained and retired with security in mind. The standard will also help Kalmar fulfil essential health and safety requirements in the new Cyber Resiliency Act and Machinery Regulation of the European Union.
“We are proud to be the first in the automated terminal industry to achieve this certificate for our product development process," says Timo Alho, Director, Product Management Automation, Kalmar. "Customers using our Kalmar One automation system can have the peace of mind to know that not only do they have access to the latest patches and updates to ensure the security of their systems, but also that the tools they use have been developed with the best practices available to the industry."
"We are proud to be the first in the automated terminal industry to achieve this certificate for our product development process."
The SDL process of the Kalmar One automation system was independently audited by Exida, a leading product certification company. Click here to see the Exida, Kalmar One Cybersecurity certificate and assessment report.