Validating conformance to cybersecurity standards for industrial automation and control systems is an expensive and time-consuming process that can delay time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery (CI/CD) pipeline of products. However, designing such conformance validation in an automated fashion is a highly non-trivial task that requires expert knowledge and depends on the available security tools, their ease of integration into the DevOps pipeline, and their support for IT and OT interfaces and protocols. This paper addresses this problem, focusing on the automated validation of the component requirements of the ISA/IEC 62443-4-2 standard. We present an extensive qualitative analysis of the standard's requirements and of the current tooling landscape for validating them. Our analysis demonstrates the coverage achieved by currently available tools and sheds light on the gaps that remain before full automation and coverage can be achieved. Furthermore, for every component requirement, we show the CI/CD pipeline stage at which it is recommended to test it and the tools to do so.