IEC 62443

IEC 62443 is a series of international standards developed by the International Electrotechnical Commission (IEC) that provides a framework for implementing cybersecurity in industrial automation and control systems (IACS). The series comprises of several parts, each of which addresses a specific aspect of IACS cybersecurity.

The standards are designed to provide a systematic approach to IACS security, addressing the entire lifecycle of the system from concept to retirement. This includes defining security requirements, designing secure systems, implementing security controls, and continuously monitoring and improving the security posture of the system.

IEC 62443 provides a comprehensive approach to IACS cybersecurity that takes into account the unique requirements and challenges of these systems. The standards are designed to be flexible and scalable, allowing organizations to tailor their approach to their specific needs and risk profile.

The IEC 62443 series is widely recognized as a leading standard for IACS cybersecurity and is used by organizations around the world to help secure their critical infrastructure.

• 1. Category
• 1.1. IEC 62443-1 General Concepts
  • 1.1.1. IEC 62443-1-1 Terminology, concepts and models
  • 1.1.2. IEC 62443-1-2 Master glossary of terms and abbreviations
  • 1.1.3. IEC 62443-1-3 System security compliance metrics
  • 1.1.4. IEC 62443-1-4 IACS security lifecycle and use-case
• 1.2. IEC 62443-2 Policies and Procedures
  • 1.2.1. IEC 62443-2-1 Security program requirements for IACS asset owners
  • 1.2.2. IEC 62443-2-2 IACS Security Program Ratings
  • 1.2.3. IEC TR 62443-2-3 Patch management in the IACS environment
  • 1.2.4. IEC 62443-2-4 Security program requirements for IACS service providers
• 1.3. IEC 62443-3 System Security
  • 1.3.1. IEC TR 62443-3-1 Security technologies for IACS
  • 1.3.2. IEC 62443-3-2 Security risk assessment for system design
  • 1.3.3. IEC 62443-3-3 System security requirements and security levels
• 1.4. IEC 62443-4 Component Security
  • 1.4.1. IEC 62443-4-1 Secure product development lifecycle requirements
  • 1.4.2. IEC 62443-4-2 Technical security requirements for IACS components
• 2. Terminology

1. Category

The IEC 62443 series of standards is organized into four main categories, each of which addresses a different aspect of IACS security.

1.1. IEC 62443-1 General Concepts

The standard provides an introduction to the IEC 62443 series and describes the general concepts and terminology used in IACS security.

1.1.1. IEC 62443-1-1 Terminology, concepts and models

The IEC 62443-1-1 standard provides a common language and conceptual framework for IACS security. It defines terms and concepts used throughout the series and provides a model for understanding the components and interactions of IACS.

Key terms defined in IEC 62443-1-1:

• Cybersecurity

  The prevention of damage to, protection of, and restoration of systems, networks, and information

• Risk

  The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

• Asset

  A resource or component of an organization that has value and requires protection.

• Threat

  A potential cause of an unwanted incident that may result in harm to a system or organization.

• Vulnerability

  A weakness of an asset or group of assets that can be exploited by one or more threats.

• Control

  A measure that reduces the risk of an unwanted incident by preventing, detecting or correcting it.

• Security management system (SMS)

  A systematic approach to managing security risks associated with IACS.

• Security policy

  A document that communicates an organization's approach to managing security risks associated with IACS.

1.1.2. IEC 62443-1-2 Master glossary of terms and abbreviations

The standard includes a master glossary of terms and abbreviations to provide a common language and understanding of key concepts and terminology that are commonly used in the IEC 62443 series of standards.

1.1.3. IEC 62443-1-3 System security compliance metrics

IEC 62443-1-3 provides a systematic approach to defining and measuring system security compliance metrics for IACS. This can help organizations ensure that their IACS meet the necessary security requirements and provide a high level of protection against cyber threats.

The standard defines several key concepts related to system security compliance metrics, including:

• Security level (SL)

  A measure of the degree of protection provided by a security control or set of controls.

• Security assurance level (SAL)

  A measure of the confidence that a security control or set of controls will perform its intended function in a given environment.

• Security capability level (SCL)

  A measure of the degree to which a security control or set of controls can meet the security requirements of a given environment.

• Security compliance level (SCL)

  A measure of the degree to which a system meets the security requirements specified in a security policy or standard.

IEC 62443-1-3 provides a framework for defining and measuring system security compliance metrics based on these concepts. The framework includes four key steps:

• Define security requirements

  The first step is to define the security requirements for the system based on the security policy or standard. This includes defining the SLs for each security control and the overall system.

• Assess security capability

  The next step is to assess the security capability of the system by evaluating the effectiveness of each security control in meeting its SL.

• Evaluate security assurance

  The third step is to evaluate the security assurance of the system by assessing the confidence that each security control will perform its intended function in the given environment.

• Measure compliance

  The final step is to measure the security compliance of the system by comparing the security capability and security assurance levels to the security requirements.

1.1.4. IEC 62443-1-4 IACS security lifecycle and use-case

IEC 62443-1-4 provides a comprehensive framework for the security lifecycle and use-case of IACS, which can help organizations ensure that their systems are designed, implemented, and operated in a secure manner that meets their specific security requirements and objectives.

The standard defines a security lifecycle model for IACS that includes six phases:

• Initiation

  In this phase, the need for security is identified, and the scope and objectives of the security program are defined.

• Requirements and risk assessment

  In this phase, the security requirements for the IACS are identified, and a risk assessment is conducted to identify potential threats and vulnerabilities.

• Design and implementation

  In this phase, the security controls and countermeasures are designed and implemented to mitigate the identified risks.

• Verification

  In this phase, the effectiveness of the security controls is verified through testing, evaluation, and auditing.

• Operation and maintenance

  In this phase, the IACS is operated and maintained in accordance with the security requirements and the security controls are monitored and updated as necessary.

• Decommissioning

  In this phase, the IACS is decommissioned and the security controls are removed or transferred to another system.

The standard also provides guidelines for the use-case of IACS security. A use-case is a description of how the system will be used to meet a specific set of objectives or requirements. The use-case should consider the specific security requirements and the potential threats and vulnerabilities of the system.

The use-case guidelines include the following steps:

1. Identify the system components and their roles in the use-case.

2. Identify the security requirements and objectives for the use-case.

3. Identify the potential threats and vulnerabilities that could impact the use-case.

4. Design and implement security controls and countermeasures to mitigate the identified risks.

5. Verify the effectiveness of the security controls through testing and evaluation.

6. Operate and maintain the system in accordance with the security requirements and the use-case.

1.2. IEC 62443-2 Policies and Procedures

The standard describes the requirements for establishing, implementing, maintaining, and continually improving an IACS SMS.

1.2.1. IEC 62443-2-1 Security program requirements for IACS asset owners

IEC 62443-2-1 provides a framework of requirements and guidelines for implementing a Security Management System (SMS) for Industrial Automation and Control Systems (IACS) for asset owners. The SMS framework helps asset owners to establish, maintain, and continually improve their security programs in a structured and efficient manner.

Compliance with IEC 62443-2-1 help asset owners to identify and mitigate security risks in their IACS environments and to establish a culture of security awareness and continuous improvement. The standard provides a comprehensive set of security program requirements that include:

• Governance and Organization

  Establishing and maintaining security governance and organizational structure, roles, and responsibilities for IACS security.

• Asset Management

  Managing the inventory of IACS components, understanding the associated risks and vulnerabilities, and defining asset criticality.

• Risk Assessment

  Conducting risk assessments of IACS components to identify and prioritize security risks and define appropriate mitigation measures.

• Security Requirements

  Establishing and implementing security requirements for IACS components based on risk assessments and security goals.

• Secure Development

  Ensuring that IACS components are designed, developed, and tested in accordance with security requirements.

• Security Operations

  Defining and implementing security policies, procedures, and controls for secure operations and maintenance of IACS components.

• Incident and Vulnerability Management

  Establishing processes for identifying, reporting, assessing, and responding to security incidents and vulnerabilities in IACS components.

• Continual Improvement

  Establishing processes for continual improvement of the security program and for measuring and monitoring the effectiveness of security controls.

1.2.2. IEC 62443-2-2 IACS Security Program Ratings

IEC 62443-2-2 provides guidance on how to rate and evaluate the effectiveness of an Industrial Automation and Control Systems (IACS) security program. The standard provides a framework for developing security program ratings that can be used to compare different security programs and to identify areas for improvement.

The security program ratings are based on a set of security program requirements and guidelines defined in IEC 62443-2-1. These requirements cover all aspects of the security program, including governance and organization, risk assessment, security requirements, secure development, security operations, incident and vulnerability management, and continual improvement.

The security program ratings framework can be used by organizations to evaluate their own security programs, or to compare their security programs with those of other organizations. The ratings can also be used by regulators and other stakeholders to evaluate the security posture of critical infrastructure sectors and to identify areas for improvement.

The security program ratings framework defines four levels of security program maturity:

• Baseline

  This level indicates that the security program meets the minimum requirements defined in IEC 62443-2-1, but there are areas for improvement.

• Managed

  At this level, the security program is managed and monitored, and there are processes in place for measuring and reporting on security program effectiveness.

• Established

  This level indicates that the security program is well-established and integrated into the organization's culture and operations. There are mature processes in place for managing security risks, responding to incidents and vulnerabilities, and continually improving the security program.

• Robust

  At this level, the security program is considered best-in-class and has achieved a high level of maturity. The organization has a proactive and strategic approach to managing security risks and has demonstrated a commitment to continual improvement.

1.2.3. IEC TR 62443-2-3 Patch management in the IACS environment

IEC TR 62443-2-3 is a Technical Report that provides guidance for patch management in Industrial Automation and Control Systems (IACS) environments. Patch management is an essential process to address vulnerabilities in IACS software and firmware that can be exploited by attackers to compromise the security of IACS.

The Technical Report covers the following aspects of patch management:

• Patch Management Process

  Describes the patch management process, which includes identification of patchable assets, vulnerability assessment, patch prioritization, testing, deployment, and validation.

• Patch Management Roles and Responsibilities

  Defines the roles and responsibilities of various stakeholders involved in patch management, including asset owners, vendors, system integrators, and service providers.

• Patch Management Best Practices

  Provides best practices for effective patch management, such as maintaining an up-to-date inventory of assets, establishing a patch management policy, testing patches before deployment, and validating the effectiveness of patches.

• Patch Management Tools

  Describes the tools and technologies that can be used for patch management, such as vulnerability scanners, patch management software, and configuration management databases.

1.2.4. IEC 62443-2-4 Security program requirements for IACS service providers

IEC 62443-2-4 provides security program requirements for IACS service providers, which are entities that provide services related to the design, development, implementation, and maintenance of IACS. The standard recognizes that service providers play a critical role in the security of IACS, as they are responsible for ensuring that their services meet the security requirements of their customers and the IACS industry.

The standard defines security program requirements for IACS service providers in the following areas:

• Management Commitment

  Demonstrating management's commitment to information security and establishing a security program that addresses the unique needs of IACS service providers.

• Security Management System

  Developing and implementing a security management system (SMS) that includes policies, procedures, and controls for managing security risks and ensuring the confidentiality, integrity, and availability of information.

• Personnel Security

  Ensuring that personnel are qualified, trustworthy, and trained to perform their roles and responsibilities in a secure manner.

• Physical Security

  Protecting the physical environment of IACS service providers, including facilities, equipment, and assets, against unauthorized access, theft, and damage.

• Communications and Operations Management

  Establishing and maintaining secure communications and operations management practices to ensure the secure delivery of services and the protection of IACS information.

• Access Control

  Implementing access control measures to ensure that only authorized personnel and entities have access to IACS information and resources.

• System Development and Maintenance

  Developing and maintaining secure IACS systems, including processes for testing, validation, and patch management.

• Incident Management

  Establishing an incident management program that includes processes for detecting, responding to, and recovering from security incidents.

1.3. IEC 62443-3 System Security

The standard provides guidance on defining the security requirements for an IACS and establishing security levels based on the criticality of the assets being protected.

1.3.1. IEC TR 62443-3-1 Security technologies for IACS

IEC TR 62443-3-1 is a technical report that provides an overview of the security technologies that can be used to protect IACS from cyber attacks. The standard is designed to help organizations select and implement appropriate security technologies to protect their IACS environments.

The standard covers a wide range of security technologies, including:

• Access control

  The standard provides guidance on access control technologies such as authentication, authorization, and access control lists (ACLs).

• Network security

  The standard provides guidance on network security technologies such as firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).

• Data security

  The standard provides guidance on data security technologies such as encryption, data loss prevention (DLP), and digital signatures.

• Application security

  The standard provides guidance on application security technologies such as secure coding practices, application firewalls, and web application firewalls.

• Physical security

  The standard provides guidance on physical security technologies such as surveillance systems, access control systems, and security alarms.

• Communication security

  The standard provides guidance on communication security technologies such as secure protocols, secure email, and secure instant messaging.

• Cloud security

  The standard provides guidance on cloud security technologies such as encryption, virtualization, and access control.

• Industrial control system security

  The standard provides guidance on ICS-specific security technologies such as secure remote access, secure firmware updates, and secure protocol gateways.

1.3.2. IEC 62443-3-2 Security risk assessment for system design

The standard defines security requirements as the set of security objectives and measures necessary to ensure the protection of IACS assets, including people, information, and physical assets. The security requirements are derived from the security risk assessment and should be based on the principles of confidentiality, integrity, and availability including identifying potential threats, vulnerabilities, and consequences.

The standard also defines security levels as a set of security requirements that must be met to ensure a certain level of security for IACS assets. The security levels are used to provide a common language and framework for describing the security requirements and to enable the comparison of different security solutions. The security requirements cover a range of areas, including access control, data integrity, network security, physical security, and security management.

There are four security levels defined in the standard, with level 4 being the highest level of security:

• Security Level 1

  Basic Security This level is appropriate for systems where the impact of a security breach is low, and the likelihood of a breach is also low. The security requirements at this level focus on basic measures such as password policies, user authentication, and basic network segmentation.

• Security Level 2

  Enhanced Security This level is appropriate for systems where the impact of a security breach is moderate, and the likelihood of a breach is also moderate. The security requirements at this level include more advanced measures such as secure communication protocols, intrusion detection systems, and more robust access control mechanisms.

• Security Level 3

  High Security This level is appropriate for systems where the impact of a security breach is high, and the likelihood of a breach is also high. The security requirements at this level include more advanced measures such as encryption, advanced intrusion detection and prevention systems, and more comprehensive network segmentation.

• Security Level 4

  Very High Security This level is appropriate for systems where the impact of a security breach is extremely high, and the likelihood of a breach is also extremely high. The security requirements at this level include the most advanced measures such as physically isolated networks, highly secure access control mechanisms, and advanced threat intelligence systems.

The standard recommends that the security requirements and security levels be documented in a security specification for the IACS. The security specification should include a description of the security objectives, the security requirements for each security level, and the procedures for verifying compliance with the security requirements.

1.3.3. IEC 62443-3-3 System security requirements and security levels

IEC 62443-3-3 provides a comprehensive framework for defining and implementing appropriate security requirements and security levels based on IEC 62443-3-2 for IACS systems. The standard is designed to help organizations define and implement appropriate security requirements and security levels for their IACS environments.

The standard defines security levels as a way to measure the security robustness of an IACS system. Security levels are assigned based on the level of protection needed for the system based on its criticality, the consequences of a security breach, and the potential impact on safety, production, and the environment.

The standard provides guidance on defining security requirements for IACS systems based on their security level. The security requirements are divided into categories, including access control, communications security, system integrity, data confidentiality, and data integrity. The requirements for each category vary depending on the security level assigned to the system.

IEC 62443-3-3 also provides guidance on the process of selecting and implementing security measures to meet the defined security requirements. The standard recommends a risk-based approach to security, where risks are identified, assessed, and mitigated through the selection and implementation of appropriate security measures.

1.4. IEC 62443-4 Component Security

The standard provides guidance on incorporating security into the product development lifecycle of IACS components, including hardware, software, and firmware.

1.4.1. IEC 62443-4-1 Secure product development lifecycle requirements

IEC 62443-4-1 provides a set of requirements for developing and implementing a secure SDL for IACS products. By following these requirements, organizations can ensure that their products are designed and implemented with security in mind, reducing the likelihood of security vulnerabilities being introduced into the product. The standard is designed to help organizations develop and implement a secure SDL for their IACS products.

The standard provides a set of requirements that should be considered when developing and implementing a secure SDL for IACS products. These requirements include:

• Security management

  The standard requires that the SDL should be integrated with the organization's overall security management system (SMS) and that the SDL should be aligned with the organization's security policies and procedures.

• Secure design

  The standard provides guidance on designing products with security in mind, including threat modeling, risk assessment, and security requirements definition.

• Secure coding

  The standard provides guidance on writing secure code, including coding standards, code reviews, and testing.

• Security testing

  The standard provides guidance on testing products for security vulnerabilities, including vulnerability scanning, penetration testing, and fuzz testing.

• Secure deployment

  The standard provides guidance on securely deploying products, including secure configuration, hardening, and deployment processes.

• Security maintenance

  The standard provides guidance on maintaining product security throughout its lifecycle, including patch management, vulnerability management, and incident response.

1.4.2. IEC 62443-4-2 Technical security requirements for IACS components

IEC 62443-4-2 provides a set of technical security requirements for IACS components, including network devices, controllers, and sensors. The standard is designed to help organizations ensure that their IACS components are developed and implemented with security in mind.

The standard provides a set of technical security requirements that should be considered when developing and implementing IACS components. These requirements include:

• Security capabilities

  The standard requires that IACS components should have security capabilities that are appropriate for the intended use of the component. This includes capabilities such as access control, secure communication, and secure storage.

• Secure communication

  The standard requires that IACS components should use secure communication protocols to protect against eavesdropping, tampering, and other attacks.

• Secure storage

  The standard requires that IACS components should use secure storage mechanisms to protect against unauthorized access and tampering.

• Access control

  The standard requires that IACS components should use access control mechanisms to ensure that only authorized users can access the component and its data.

• Security monitoring

  The standard requires that IACS components should have security monitoring capabilities to detect and respond to security incidents.

• Security updates

  The standard requires that IACS components should have the ability to receive security updates to address known vulnerabilities.

2. Terminology

IEC 62443 provides a comprehensive terminology to describe the different aspects of securing IACS.

• Industrial automation and control systems (IACS)

  Systems that control and monitor industrial processes, such as manufacturing, energy production, and transportation.

• Cybersecurity

  The practice of protecting computer systems, networks, and data from unauthorized access, theft, damage, or other malicious actions.

• Threat

  A potential event or action that could harm a system or network.

• Vulnerability

  A weakness in a system or network that could be exploited by an attacker.

• Risk

  The likelihood and potential impact of a threat exploiting a vulnerability.

• Security management system (SMS)

  A comprehensive set of policies, procedures, and controls that are implemented to manage an organization's information security risks.

• Security level

  A measure of the effectiveness of a security control or set of controls in mitigating a risk.

• Security capability

  A set of security features or functions that are designed to address a specific security need.

• Security zone

  A logical grouping of assets or systems based on their security requirements.

• Conduit

  A pathway for data flow between security zones.