
BS EN IEC 62443-4-2:2019

$215.11

Security for industrial automation and control systems – Technical security requirements for IACS components

Published by: BSI
Publication date: 2019
Number of pages: 100

This part of IEC 62443 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1, including the requirements that define capability security levels for control system components, SL-C(component).

As defined in IEC TS 62443‑1‑1 there are a total of seven foundational requirements (FRs):

  1. identification and authentication control (IAC),

  2. use control (UC),

  3. system integrity (SI),

  4. data confidentiality (DC),

  5. restricted data flow (RDF),

  6. timely response to events (TRE), and

  7. resource availability (RA).

These seven FRs are the foundation for defining control system security capability levels. The goal of this document is to define security capability levels for control system components (SL-C), as opposed to target SLs (SL-T) or achieved SLs (SL-A), which are out of scope.

NOTE 1 Refer to IEC 62443-2-1 [1] for an equivalent set of non-technical, program-related capability requirements necessary for fully achieving a SL-T(control system).

NOTE 2 The trademarks and trade names mentioned in this document are given for the convenience of users of this document. This information does not constitute an endorsement by IEC of the products named.

PDF Catalog (PDF page numbers in brackets)

Annex ZA (normative) Normative references to international publications with their corresponding European publications [p. 5]
English [p. 7]
CONTENTS
FOREWORD [p. 17]
INTRODUCTION [p. 19]
Figure 1 – Parts of the IEC 62443 series [p. 21]
1 Scope [p. 22]
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms, and conventions [p. 23]
  3.1 Terms and definitions
  3.2 Abbreviated terms and acronyms [p. 29]
  3.3 Conventions [p. 31]
4 Common component security constraints [p. 32]
  4.1 Overview
  4.2 CCSC 1: Support of essential functions
  4.3 CCSC 2: Compensating countermeasures
  4.4 CCSC 3: Least privilege
  4.5 CCSC 4: Software development process
5 FR 1 – Identification and authentication control
  5.1 Purpose and SL-C(IAC) descriptions
  5.2 Rationale [p. 33]
  5.3 CR 1.1 – Human user identification and authentication
    5.3.1 Requirement
    5.3.2 Rationale and supplemental guidance
    5.3.3 Requirement enhancements
    5.3.4 Security levels [p. 34]
  5.4 CR 1.2 – Software process and device identification and authentication
    5.4.1 Requirement
    5.4.2 Rationale and supplemental guidance
    5.4.3 Requirement enhancements
    5.4.4 Security levels [p. 35]
  5.5 CR 1.3 – Account management
    5.5.1 Requirement
    5.5.2 Rationale and supplemental guidance
    5.5.3 Requirement enhancements
    5.5.4 Security levels
  5.6 CR 1.4 – Identifier management
    5.6.1 Requirement
    5.6.2 Rationale and supplemental guidance
    5.6.3 Requirement enhancements [p. 36]
    5.6.4 Security levels
  5.7 CR 1.5 – Authenticator management
    5.7.1 Requirement
    5.7.2 Rationale and supplemental guidance
    5.7.3 Requirement enhancements [p. 37]
    5.7.4 Security levels
  5.8 CR 1.6 – Wireless access management
  5.9 CR 1.7 – Strength of password-based authentication
    5.9.1 Requirement
    5.9.2 Rationale and supplemental guidance
    5.9.3 Requirement enhancements
    5.9.4 Security levels [p. 38]
  5.10 CR 1.8 – Public key infrastructure certificates
    5.10.1 Requirement
    5.10.2 Rationale and supplemental guidance
    5.10.3 Requirement enhancements
    5.10.4 Security levels
  5.11 CR 1.9 – Strength of public key-based authentication [p. 39]
    5.11.1 Requirement
    5.11.2 Rationale and supplemental guidance
    5.11.3 Requirement enhancements [p. 40]
    5.11.4 Security levels
  5.12 CR 1.10 – Authenticator feedback
    5.12.1 Requirement
    5.12.2 Rationale and supplemental guidance
    5.12.3 Requirement enhancements
    5.12.4 Security levels
  5.13 CR 1.11 – Unsuccessful login attempts
    5.13.1 Requirement
    5.13.2 Rationale and supplemental guidance [p. 41]
    5.13.3 Requirement enhancements
    5.13.4 Security levels
  5.14 CR 1.12 – System use notification
    5.14.1 Requirement
    5.14.2 Rationale and supplemental guidance
    5.14.3 Requirement enhancements
    5.14.4 Security levels [p. 42]
  5.15 CR 1.13 – Access via untrusted networks
  5.16 CR 1.14 – Strength of symmetric key-based authentication
    5.16.1 Requirement
    5.16.2 Rationale and supplemental guidance
    5.16.3 Requirement enhancements
    5.16.4 Security levels [p. 43]
6 FR 2 – Use control
  6.1 Purpose and SL-C(UC) descriptions
  6.2 Rationale
  6.3 CR 2.1 – Authorization enforcement
    6.3.1 Requirement
    6.3.2 Rationale and supplemental guidance
    6.3.3 Requirement enhancements [p. 44]
    6.3.4 Security levels
  6.4 CR 2.2 – Wireless use control [p. 45]
    6.4.1 Requirement
    6.4.2 Rationale and supplemental guidance
    6.4.3 Requirement enhancements
    6.4.4 Security levels
  6.5 CR 2.3 – Use control for portable and mobile devices
  6.6 CR 2.4 – Mobile code
  6.7 CR 2.5 – Session lock
    6.7.1 Requirement
    6.7.2 Rationale and supplemental guidance [p. 46]
    6.7.3 Requirement enhancements
    6.7.4 Security levels
  6.8 CR 2.6 – Remote session termination
    6.8.1 Requirement
    6.8.2 Rationale and supplemental guidance
    6.8.3 Requirement enhancements
    6.8.4 Security levels
  6.9 CR 2.7 – Concurrent session control
    6.9.1 Requirement
    6.9.2 Rationale and supplemental guidance [p. 47]
    6.9.3 Requirement enhancements
    6.9.4 Security levels
  6.10 CR 2.8 – Auditable events
    6.10.1 Requirement
    6.10.2 Rationale and supplemental guidance
    6.10.3 Requirement enhancements
    6.10.4 Security levels [p. 48]
  6.11 CR 2.9 – Audit storage capacity
    6.11.1 Requirement
    6.11.2 Rationale and supplemental guidance
    6.11.3 Requirement enhancements
    6.11.4 Security levels
  6.12 CR 2.10 – Response to audit processing failures
    6.12.1 Requirement
    6.12.2 Rationale and supplemental guidance [p. 49]
    6.12.3 Requirement enhancements
    6.12.4 Security levels
  6.13 CR 2.11 – Timestamps
    6.13.1 Requirement
    6.13.2 Rationale and supplemental guidance
    6.13.3 Requirement enhancements
    6.13.4 Security levels
  6.14 CR 2.12 – Non-repudiation [p. 50]
    6.14.1 Requirement
    6.14.2 Rationale and supplemental guidance
    6.14.3 Requirement enhancements
    6.14.4 Security levels
  6.15 CR 2.13 – Use of physical diagnostic and test interfaces
7 FR 3 – System integrity
  7.1 Purpose and SL-C(SI) descriptions
  7.2 Rationale [p. 51]
  7.3 CR 3.1 – Communication integrity
    7.3.1 Requirement
    7.3.2 Rationale and supplemental guidance
    7.3.3 Requirement enhancements [p. 52]
    7.3.4 Security levels
  7.4 CR 3.2 – Protection from malicious code
  7.5 CR 3.3 – Security functionality verification
    7.5.1 Requirement
    7.5.2 Rationale and supplemental guidance
    7.5.3 Requirement enhancements
    7.5.4 Security levels [p. 53]
  7.6 CR 3.4 – Software and information integrity
    7.6.1 Requirement
    7.6.2 Rationale and supplemental guidance
    7.6.3 Requirement enhancements
    7.6.4 Security levels
  7.7 CR 3.5 – Input validation
    7.7.1 Requirement
    7.7.2 Rationale and supplemental guidance [p. 54]
    7.7.3 Requirement enhancements
    7.7.4 Security levels
  7.8 CR 3.6 – Deterministic output
    7.8.1 Requirement
    7.8.2 Rationale and supplemental guidance
    7.8.3 Requirement enhancements
    7.8.4 Security levels [p. 55]
  7.9 CR 3.7 – Error handling
    7.9.1 Requirement
    7.9.2 Rationale and supplemental guidance
    7.9.3 Requirement enhancements
    7.9.4 Security levels
  7.10 CR 3.8 – Session integrity
    7.10.1 Requirement
    7.10.2 Rationale and supplemental guidance [p. 56]
    7.10.3 Requirement enhancements
    7.10.4 Security levels
  7.11 CR 3.9 – Protection of audit information
    7.11.1 Requirement
    7.11.2 Rationale and supplemental guidance
    7.11.3 Requirement enhancements
    7.11.4 Security levels
  7.12 CR 3.10 – Support for updates [p. 57]
  7.13 CR 3.11 – Physical tamper resistance and detection
  7.14 CR 3.12 – Provisioning product supplier roots of trust
  7.15 CR 3.13 – Provisioning asset owner roots of trust
  7.16 CR 3.14 – Integrity of the boot process
8 FR 4 – Data confidentiality
  8.1 Purpose and SL-C(DC) descriptions
  8.2 Rationale
  8.3 CR 4.1 – Information confidentiality
    8.3.1 Requirement
    8.3.2 Rationale and supplemental guidance [p. 58]
    8.3.3 Requirement enhancements
    8.3.4 Security levels
  8.4 CR 4.2 – Information persistence
    8.4.1 Requirement
    8.4.2 Rationale and supplemental guidance
    8.4.3 Requirement enhancements
    8.4.4 Security levels [p. 59]
  8.5 CR 4.3 – Use of cryptography
    8.5.1 Requirement
    8.5.2 Rationale and supplemental guidance
    8.5.3 Requirement enhancements
    8.5.4 Security levels
9 FR 5 – Restricted data flow [p. 60]
  9.1 Purpose and SL-C(RDF) descriptions
  9.2 Rationale
  9.3 CR 5.1 – Network segmentation
    9.3.1 Requirement
    9.3.2 Rationale and supplemental guidance
    9.3.3 Requirement enhancements [p. 61]
    9.3.4 Security levels
  9.4 CR 5.2 – Zone boundary protection
  9.5 CR 5.3 – General-purpose person-to-person communication restrictions
  9.6 CR 5.4 – Application partitioning
10 FR 6 – Timely response to events
  10.1 Purpose and SL-C(TRE) descriptions
  10.2 Rationale [p. 62]
  10.3 CR 6.1 – Audit log accessibility
    10.3.1 Requirement
    10.3.2 Rationale and supplemental guidance
    10.3.3 Requirement enhancements
    10.3.4 Security levels
  10.4 CR 6.2 – Continuous monitoring
    10.4.1 Requirement
    10.4.2 Rationale and supplemental guidance
    10.4.3 Requirement enhancements [p. 63]
    10.4.4 Security levels
11 FR 7 – Resource availability
  11.1 Purpose and SL-C(RA) descriptions
  11.2 Rationale
  11.3 CR 7.1 – Denial of service protection [p. 64]
    11.3.1 Requirement
    11.3.2 Rationale and supplemental guidance
    11.3.3 Requirement enhancements
    11.3.4 Security levels
  11.4 CR 7.2 – Resource management
    11.4.1 Requirement
    11.4.2 Rationale and supplemental guidance
    11.4.3 Requirement enhancements
    11.4.4 Security levels
  11.5 CR 7.3 – Control system backup [p. 65]
    11.5.1 Requirement
    11.5.2 Rationale and supplemental guidance
    11.5.3 Requirement enhancements
    11.5.4 Security levels
  11.6 CR 7.4 – Control system recovery and reconstitution
    11.6.1 Requirement
    11.6.2 Rationale and supplemental guidance
    11.6.3 Requirement enhancements
    11.6.4 Security levels [p. 66]
  11.7 CR 7.5 – Emergency power
  11.8 CR 7.6 – Network and security configuration settings
    11.8.1 Requirement
    11.8.2 Rationale and supplemental guidance
    11.8.3 Requirement enhancements
    11.8.4 Security levels
  11.9 CR 7.7 – Least functionality
    11.9.1 Requirement
    11.9.2 Rationale and supplemental guidance
    11.9.3 Requirement enhancements [p. 67]
    11.9.4 Security levels
  11.10 CR 7.8 – Control system component inventory
    11.10.1 Requirement
    11.10.2 Rationale and supplemental guidance
    11.10.3 Requirement enhancements
    11.10.4 Security levels
12 Software application requirements
  12.1 Purpose
  12.2 SAR 2.4 – Mobile code
    12.2.1 Requirement
    12.2.2 Rationale and supplemental guidance [p. 68]
    12.2.3 Requirement enhancements
    12.2.4 Security levels
  12.3 SAR 3.2 – Protection from malicious code
    12.3.1 Requirement
    12.3.2 Rationale and supplemental guidance
    12.3.3 Requirement enhancements
    12.3.4 Security levels
13 Embedded device requirements [p. 69]
  13.1 Purpose
  13.2 EDR 2.4 – Mobile code
    13.2.1 Requirement
    13.2.2 Rationale and supplemental guidance
    13.2.3 Requirement enhancements
    13.2.4 Security levels
  13.3 EDR 2.13 – Use of physical diagnostic and test interfaces
    13.3.1 Requirement
    13.3.2 Rationale and supplemental guidance [p. 70]
    13.3.3 Requirement enhancements
    13.3.4 Security levels
  13.4 EDR 3.2 – Protection from malicious code
    13.4.1 Requirement
    13.4.2 Rationale and supplemental guidance
    13.4.3 Requirement enhancements [p. 71]
    13.4.4 Security levels
  13.5 EDR 3.10 – Support for updates
    13.5.1 Requirement
    13.5.2 Rationale and supplemental guidance
    13.5.3 Requirement enhancements
    13.5.4 Security levels
  13.6 EDR 3.11 – Physical tamper resistance and detection
    13.6.1 Requirement
    13.6.2 Rationale and supplemental guidance
    13.6.3 Requirement enhancements [p. 72]
    13.6.4 Security levels
  13.7 EDR 3.12 – Provisioning product supplier roots of trust
    13.7.1 Requirement
    13.7.2 Rationale and supplemental guidance
    13.7.3 Requirement enhancements
    13.7.4 Security levels [p. 73]
  13.8 EDR 3.13 – Provisioning asset owner roots of trust
    13.8.1 Requirement
    13.8.2 Rationale and supplemental guidance
    13.8.3 Requirement enhancements
    13.8.4 Security levels
  13.9 EDR 3.14 – Integrity of the boot process [p. 74]
    13.9.1 Requirement
    13.9.2 Rationale and supplemental guidance
    13.9.3 Requirement enhancements
    13.9.4 Security levels
14 Host device requirements
  14.1 Purpose
  14.2 HDR 2.4 – Mobile code
    14.2.1 Requirement
    14.2.2 Rationale and supplemental guidance [p. 75]
    14.2.3 Requirement enhancements
    14.2.4 Security levels
  14.3 HDR 2.13 – Use of physical diagnostic and test interfaces
    14.3.1 Requirement
    14.3.2 Rationale and supplemental guidance
    14.3.3 Requirement enhancements [p. 76]
    14.3.4 Security levels
  14.4 HDR 3.2 – Protection from malicious code
    14.4.1 Requirement
    14.4.2 Rationale and supplemental guidance
    14.4.3 Requirement enhancements
    14.4.4 Security levels
  14.5 HDR 3.10 – Support for updates
    14.5.1 Requirement
    14.5.2 Rationale and supplemental guidance
    14.5.3 Requirement enhancements [p. 77]
    14.5.4 Security levels
  14.6 HDR 3.11 – Physical tamper resistance and detection
    14.6.1 Requirement
    14.6.2 Rationale and supplemental guidance
    14.6.3 Requirement enhancements
    14.6.4 Security levels
  14.7 HDR 3.12 – Provisioning product supplier roots of trust [p. 78]
    14.7.1 Requirement
    14.7.2 Rationale and supplemental guidance
    14.7.3 Requirement enhancements
    14.7.4 Security levels
  14.8 HDR 3.13 – Provisioning asset owner roots of trust
    14.8.1 Requirement
    14.8.2 Rationale and supplemental guidance
    14.8.3 Requirement enhancements [p. 79]
    14.8.4 Security levels
  14.9 HDR 3.14 – Integrity of the boot process
    14.9.1 Requirement
    14.9.2 Rationale and supplemental guidance
    14.9.3 Requirement enhancements
    14.9.4 Security levels [p. 80]
15 Network device requirements
  15.1 Purpose
  15.2 NDR 1.6 – Wireless access management
    15.2.1 Requirement
    15.2.2 Rationale and supplemental guidance
    15.2.3 Requirement enhancements
    15.2.4 Security levels
  15.3 NDR 1.13 – Access via untrusted networks
    15.3.1 Requirement
    15.3.2 Rationale and supplemental guidance [p. 81]
    15.3.3 Requirement enhancements
    15.3.4 Security levels
  15.4 NDR 2.4 – Mobile code
    15.4.1 Requirement
    15.4.2 Rationale and supplemental guidance
    15.4.3 Requirement enhancements [p. 82]
    15.4.4 Security levels
  15.5 NDR 2.13 – Use of physical diagnostic and test interfaces
    15.5.1 Requirement
    15.5.2 Rationale and supplemental guidance
    15.5.3 Requirement enhancements
    15.5.4 Security levels [p. 83]
  15.6 NDR 3.2 – Protection from malicious code
    15.6.1 Requirement
    15.6.2 Rationale and supplemental guidance
    15.6.3 Requirement enhancements
    15.6.4 Security levels
  15.7 NDR 3.10 – Support for updates
    15.7.1 Requirement
    15.7.2 Rationale and supplemental guidance
    15.7.3 Requirement enhancements
    15.7.4 Security levels [p. 84]
  15.8 NDR 3.11 – Physical tamper resistance and detection
    15.8.1 Requirement
    15.8.2 Rationale and supplemental guidance
    15.8.3 Requirement enhancements
    15.8.4 Security levels
  15.9 NDR 3.12 – Provisioning product supplier roots of trust
    15.9.1 Requirement
    15.9.2 Rationale and supplemental guidance [p. 85]
    15.9.3 Requirement enhancements
    15.9.4 Security levels
  15.10 NDR 3.13 – Provisioning asset owner roots of trust
    15.10.1 Requirement
    15.10.2 Rationale and supplemental guidance
    15.10.3 Requirement enhancements [p. 86]
    15.10.4 Security levels
  15.11 NDR 3.14 – Integrity of the boot process
    15.11.1 Requirement
    15.11.2 Rationale and supplemental guidance
    15.11.3 Requirement enhancements
    15.11.4 Security levels [p. 87]
  15.12 NDR 5.2 – Zone boundary protection
    15.12.1 Requirement
    15.12.2 Rationale and supplemental guidance
    15.12.3 Requirement enhancements
    15.12.4 Security levels
  15.13 NDR 5.3 – General purpose, person-to-person communication restrictions [p. 88]
    15.13.1 Requirement
    15.13.2 Rationale and supplemental guidance
    15.13.3 Requirement enhancements
    15.13.4 Security levels
Annex A (informative) Device categories [p. 89]
  A.1 General
  A.2 Device category: embedded device
    A.2.1 Programmable logic controller (PLC)
    A.2.2 Intelligent electronic device (IED)
  A.3 Device category: network device [p. 90]
    A.3.1 Switch
    A.3.2 Virtual private network (VPN) terminator
  A.4 Device category: host device/application
    A.4.1 Operator workstation
    A.4.2 Data historian [p. 91]
Annex B (informative) Mapping of CRs and REs to FR SLs 1-4 [p. 92]
  B.1 Overview
  B.2 SL mapping table
  Table B.1 – Mapping of CRs and REs to FR SL levels 1-4 [p. 93]
Bibliography [p. 98]