FAQ | Murrelektronik

Process

The short answer is we are not quite there yet, but we are investing a lot of resources to achieve conformance to IEC 62443-4-1. The current effort is focused on extending and complementing the processes that are already in place to guarantee the quality of our products so that they also support the specific requirements of IEC 62443-4-1.

We are currently focusing on fulfilling the requirements of the following laws, standards and norms:

  • CRA (Cyber Resilience Act)
  • IEC 62443
  • IEC 29147
  • IEC 30111
  • IEC 27036
  • California Password Law (2020 California Senate Bill SB-327)

Murrelektronik has established processes that proactively cover all aspects of the tasks we perform. Projects use these standard processes and tailor them where needed. This corresponds to Level 3 (“defined”) according to CMMI.

Yes. The product development process for all new products developed in or after 2024 includes taking cyber security aspects into consideration through the development of the relevant threat models.

Yes. The product development process for all new products developed in or after 2024 includes the development of a defense-in-depth concept to counter all the risks identified in the threat modelling.

Yes. Security testing and validation is a standard part of the extensive testing and validation we perform on our products developed in or after 2024.

Yes. We have established coding standards, and they are continually updated to reflect the latest requirements, including those derived from cybersecurity considerations.

Yes. The development of new products includes defining the security requirements as part of the concept phase of development.

We are implementing the requirements specified in IEC 62443-4-1 (SM-9 and SM-10) and the requirements in IEC 27036. We are currently focusing on defining the processes and acquiring the necessary tools to support this task.

Products

There are several steps we recommend. It is not possible to give a short and concise answer that covers all situations and all products. The most important sources to check are:

  1. The cybersecurity chapter in the product documentation, which has become a standard part of the documentation of newer products
  2. The general cybersecurity guidelines, which are covered in the following documents:
     • General Cybersecurity Guidelines

This information can be found in the cybersecurity chapter in the corresponding product documentation, which is a standard part of the documentation of new products developed in or after 2024.

PSIRT

The most direct way to reach Murrelektronik PSIRT is by using this email address: psirt@murrelektronik.de

Our vulnerability handling process starts when a vulnerability is reported, either by an external source or through the continuous internal monitoring performed by internal stakeholders (R&D, test, etc.) or by external testing service providers acting on behalf of Murrelektronik.

The report is acknowledged, and an initial assessment takes place. PSIRT coordinates this process externally and internally and maintains communication with all stakeholders.

When the vulnerability is verified and analyzed, PSIRT coordinates with all stakeholders to develop a remediation. This is followed by publishing a security advisory using the various channels defined in section “Disclosure” below.

For a more detailed description check our “Vulnerability Handling Process” document.

You can subscribe to updates at CERT@VDE, where we publish all our advisories.

The advisories we publish normally contain most or all of the following elements: 

  1. Advisory ID 
  2. Date and time of initial publication, and a revision history if updates to the advisory are made. 
  3. Title: including enough information (for example about the affected product) to enable the reader to quickly decide if the advisory is relevant. 
  4. Overview: a short general description of the vulnerability. 
  5. Affected products: including product name(s), affected hardware and firmware version(s) and if applicable a safe way to test for the presence of the vulnerability. 
  6. Description: containing just enough details to enable the users to assess their risks without making exploitation easier or more likely. The class and CVSS score may be included in the description. 
  7. Impact: the potential consequences if the discovered vulnerability is exploited and the attack scenarios it enables.
  8. Severity: A classification of the vulnerability according to the Common Vulnerability Scoring System (CVSS). 
  9. Remediation: The steps users can take to reduce or prevent the exploitation of the vulnerability (workarounds) and the steps required to remove the vulnerability (e.g. by installing software patches or updates). 
  10. References to related information, like related advisories or CVE (Common Vulnerabilities and Exposures).
  11. Acknowledgement of the reporters of the vulnerability, if applicable. 
  12. Contact information of Murrelektronik PSIRT 
  13. Terms of use: Terms for copyright and redistribution.

The security advisories published by Murrelektronik can be accessed using several channels: 

  • Website: Our PSIRT web page has a list of the most recent and active advisories. It also contains a link to the archive of all published advisories.
  • CERT@VDE: We post our advisories to the CERT@VDE database

Yes. We provide our security advisories in CSAF format. When downloading the advisories, you have the choice between a human-readable PDF file and a machine-readable CSAF file.
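The following added example (not Murrelektronik code) shows how an asset owner can use the machine-readable CSAF file: it walks the advisory's product tree and reports which devices in an inventory are listed as affected, together with the CVSS score and remediation. The sample advisory, product names, IDs and inventory are constructed placeholders; the field names follow the CSAF 2.0 JSON schema.

```python
import json

# Constructed CSAF 2.0 advisory, trimmed to the fields used below.
# All IDs, names and versions are placeholders, not a real advisory.
SAMPLE = json.loads("""{
 "document": {"title": "Example I/O module: improper authentication",
  "tracking": {"id": "EXAMPLE-2024-0001", "initial_release_date": "2024-05-01T10:00:00Z"},
  "publisher": {"name": "Example Vendor PSIRT", "contact_details": "psirt@example.com"}},
 "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
  {"category": "product_name", "name": "IO-Module X", "branches": [
   {"category": "product_version", "name": "1.2.0", "product": {"product_id": "P-1", "name": "IO-Module X 1.2.0"}},
   {"category": "product_version", "name": "1.3.0", "product": {"product_id": "P-2", "name": "IO-Module X 1.3.0"}}]}]}]},
 "vulnerabilities": [{"cve": "CVE-0000-00000",
  "product_status": {"known_affected": ["P-1"], "fixed": ["P-2"]},
  "scores": [{"products": ["P-1"], "cvss_v3": {"baseScore": 8.8, "baseSeverity": "HIGH"}}],
  "remediations": [{"category": "vendor_fix", "details": "Update to firmware 1.3.0", "product_ids": ["P-1"]}]}]
}""")

def walk_products(branches, ctx=None):
    """Yield (product_id, {branch category: name}) for each product in the tree."""
    for b in branches:
        here = {**(ctx or {}), b["category"]: b["name"]}
        if "product" in b:
            yield b["product"]["product_id"], here
        yield from walk_products(b.get("branches", []), here)

def match_inventory(doc, inventory):
    """Return one finding per inventory asset (product name, firmware version)
    that the advisory lists as known_affected."""
    products = dict(walk_products(doc["product_tree"]["branches"]))
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            info = products.get(pid, {})
            asset = (info.get("product_name"), info.get("product_version"))
            if asset not in inventory:
                continue
            scores = [s["cvss_v3"]["baseScore"] for s in vuln.get("scores", [])
                      if pid in s.get("products", []) and "cvss_v3" in s]
            fixes = [r["details"] for r in vuln.get("remediations", [])
                     if pid in r.get("product_ids", [])]
            findings.append({"advisory": doc["document"]["tracking"]["id"],
                             "cve": vuln.get("cve"), "asset": asset,
                             "cvss": max(scores, default=None), "remediation": fixes})
    return findings

# Constructed asset inventory: one unit on the affected firmware, one already updated.
INVENTORY = {("IO-Module X", "1.2.0"), ("IO-Module X", "1.3.0")}
```

Calling `match_inventory(SAMPLE, INVENTORY)` returns a single finding for the unit on firmware 1.2.0; the unit on 1.3.0 is not reported because the advisory lists that version as fixed.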

You can always find the latest firmware or software version of the specific product you are using under the “download” section of this product in our online shop.

The published security advisories also contain all the links and instructions you need to install security-related updates or patches.
