Industrial Control Systems (ICS) are essential components for smart manufacturing and the operation of national critical infrastructure; however, the acceleration of IT/OT convergence has led to a rapid increase in exposure to cyber threats. In particular, core control devices such as PLCs and DCSs have become primary targets for attackers because security was insufficiently embedded during the design phase. To address these challenges, the international standard IEC 62443-4-2 has been introduced, but practical methodologies and tools for the objective and quantitative evaluation of product security levels remain insufficient. Furthermore, industrial infrastructures in developing countries, as well as small and medium-sized enterprises (SMEs) lacking adequate budgets and human resources, often face significant barriers to adopting expensive global security solutions or external consulting services, leaving them ill-equipped to respond properly. This study proposes a quantitative evaluation model and a weighting methodology based on the technical Component Requirements (CR) of IEC 62443-4-2 to assess the security embeddedness of ICS products. The proposed model incorporates differential weighting according to Security Levels (SL) and introduces the “Issue Count Labeling” technique, which reflects user issue frequency and the strategic importance defined by administrators to clearly identify improvement priorities. Furthermore, the designed model was implemented as a web-based assessment tool using PHP and MariaDB, and its effectiveness was verified through a case study on a PLC used in actual industrial fields. The verification results confirmed that quantitative security capability assessment is possible by consolidating the security implementation status of individual products into a single integrated index.
The findings of this study are expected to serve as a highly practical tool for product suppliers’ self-diagnosis and as a pre-analysis instrument for complying with global supply chain security regulations, such as the EU Cyber Resilience Act (CRA). Most notably, by providing an intuitive and accessible web-based tool, this research holds significant value as an “Appropriate Technology,” enabling organizations in resource-constrained environments to independently self-assess their security posture and derive improvement priorities.
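The following is an added illustration of the kind of scoring model the abstract describes; it is not the paper's tool or its PHP/MariaDB code, and the paper does not publish its weights or formulas. Everything numeric here is an assumption: the per-SL weight table, the “Issue Count Labeling” thresholds and multipliers, the rule that a CR counts toward the index only when it applies at or below the target SL, and the implementation status, issue counts and strategic-importance values of the sample CRs. The CR identifiers and titles are taken from IEC 62443-4-2; the SL at which each is assumed to start applying is a constructed input, not a statement of the standard.

```python
"""Illustrative weighted scoring of IEC 62443-4-2 Component Requirements.

Added example, not the paper's model. All weights, thresholds and sample
values are assumptions chosen to show the mechanics: SL-based weighting,
Issue Count Labeling, an integrated index, and an improvement-priority list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMED: weight applied to a CR according to the SL at which it first
# applies. Higher-SL requirements are treated as more demanding.
SL_WEIGHT: Dict[int, float] = {1: 1.0, 2: 1.5, 3: 2.0, 4: 2.5}

# ASSUMED: multiplier applied to the remaining gap of a CR by its issue label.
LABEL_FACTOR: Dict[str, float] = {"HIGH": 1.5, "MEDIUM": 1.2, "LOW": 1.0}


@dataclass(frozen=True)
class ComponentRequirement:
    cr_id: str
    title: str
    applies_from_sl: int   # lowest target SL at which the CR is evaluated (constructed)
    score: float           # implementation status, 0.0 (absent) .. 1.0 (fully met)
    issue_count: int       # user-reported issues against this CR
    strategic: int         # administrator-defined importance, 1 (low) .. 3 (high)


# Constructed sample assessment of one device (values are not from any real PLC).
SAMPLE_CRS: List[ComponentRequirement] = [
    ComponentRequirement("CR 1.1", "Human user identification and authentication", 1, 1.0, 0, 2),
    ComponentRequirement("CR 1.7", "Strength of password-based authentication", 1, 0.5, 4, 2),
    ComponentRequirement("CR 2.1", "Authorization enforcement", 1, 0.5, 1, 3),
    ComponentRequirement("CR 3.1", "Communication integrity", 1, 0.0, 2, 3),
    ComponentRequirement("CR 4.1", "Information confidentiality", 1, 0.0, 0, 2),
    ComponentRequirement("CR 1.9", "Strength of public key-based authentication", 2, 0.2, 0, 1),
]


def sl_weight(cr: ComponentRequirement) -> float:
    return SL_WEIGHT[cr.applies_from_sl]


def applicable(crs: List[ComponentRequirement], target_sl: int) -> List[ComponentRequirement]:
    """CRs that are in scope when the product is assessed against target_sl."""
    return [c for c in crs if c.applies_from_sl <= target_sl]


def integrated_index(crs: List[ComponentRequirement], target_sl: int) -> float:
    """Single 0..100 index: weighted implementation status over in-scope CRs."""
    items = applicable(crs, target_sl)
    total = sum(sl_weight(c) for c in items)
    achieved = sum(sl_weight(c) * c.score for c in items)
    return round(100.0 * achieved / total, 1)


def issue_label(cr: ComponentRequirement) -> str:
    """Issue Count Labeling (assumed rule): issue frequency scaled by the
    administrator's strategic importance, bucketed into three labels."""
    pressure = cr.issue_count * cr.strategic
    if pressure >= 6:
        return "HIGH"
    if pressure >= 2:
        return "MEDIUM"
    return "LOW"


def improvement_priorities(crs: List[ComponentRequirement],
                           target_sl: int) -> List[Tuple[str, str, float]]:
    """Rank in-scope CRs by weighted gap (1 - score) amplified by issue label.
    Returns (cr_id, label, priority) tuples, highest priority first."""
    ranked = []
    for c in applicable(crs, target_sl):
        gap = sl_weight(c) * (1.0 - c.score)
        label = issue_label(c)
        ranked.append((c.cr_id, label, round(gap * LABEL_FACTOR[label], 3)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for sl in (1, 2):
        print(f"Integrated index at target SL {sl}: {integrated_index(SAMPLE_CRS, sl)}")
    print("Improvement priorities at SL 2:")
    for cr_id, label, priority in improvement_priorities(SAMPLE_CRS, 2):
        print(f"  {cr_id:<7} {label:<7} {priority}")
```

Two properties of the model are worth noting when adapting it. The index is a weighted mean, so raising the target SL brings additional CRs into scope and, for a product whose higher-SL requirements are weak, lowers the index even though nothing about the product changed; the priority list, by contrast, is driven by the remaining gap and the issue label, so a fully met CR never ranks above an unmet one regardless of how many issues users have filed against it.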
Jin et al. studied this question.