IEC 62443

Last updated June 13, 2024

IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems. The standard is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity.

History

As an international standard, the IEC 62443 family of standards is the result of the International Electrotechnical Commission (IEC) standards creation process where all national committees involved agree upon a common standard. Multiple organizations and committees submitted input to the IEC working groups and helped shape the IEC 62443 family of standard.

Starting in 2002, the International Society of Automation (ISA), a professional automation engineering society and ANSI-accredited standards development organization (SDO) established the Industrial Automation and Control System Security standards committee (ISA99). The ISA99 committee developed a multi-part series of standards and technical reports about Industrial Automation and Control System (IACS) cyber security. These work products were submitted by ISA for approval and then published as North American ANSI standards. The ISA standards documents originally referred to as ANSI/ISA-99 or ISA99 standards were renumbered to be the ANSI/ISA-62443 series in 2010. The content of this series was submitted to and used by the IEC working groups.

In parallel, the German engineering associations VDI and VDE released the VDI/VDE 2182 guidelines in 2011. The guidelines describe how to handle information security in industrial automation environments and were also submitted to and used by the IEC working groups.

In 2021, the IEC approved the IEC 62443 family of standards as 'horizontal standards'. This means that when sector specific standards for operational technology are being developed by subject matter experts, the IEC 62443 standards must be used at the foundation for requirements addressing cybersecurity in those standards. This approach serves to avoid the proliferation of partial and/or conflicting requirements for addressing cybersecurity of operational technology across industry sectors where the same or similar technology or products are deployed at operating sites.

Structure

IEC 62443 Industrial communication networks - Network and system security series of standards is organized into four parts:^[1]

General: This part covers topics that are common to the entire series.
Policies and Procedures: This part focuses on methods and processes associated with IACS security.
System: This part is about requirements at the system level.
Components and Requirements: This part provides detailed requirements for IACS products.

The following table lists the parts of the IEC 62443 series of standards published to date with their status and title.


General			Policies and Procedures			System			Components and Requirements
1-1	Technical Specification, Edition 1.0, July 2009^[2]	Concepts and models	2-1	Edition 1.0, November 2010^[3]	Security program requirements for IACS asset owners	3-1	Technical Report, Edition 1.0, July 2009^[4]	Security technologies for industrial automation and control systems (IAC)	4-1	Edition 1.0, January 2018^[5]	Secure product development lifecycle requirements
			2-3	Technical Report, Edition 1.0, June 2015^[6]	Patch management in the IACS environment	3-2	Edition 1.0, June 2020^[7]	Security risk assessment and system design	4-2	Edition 1.0, February 2019^[8]	Technical security requirements for IACS components
			2-4	Edition 1.1, August 2017^[9]	Requirements for IACS service providers	3-3	Edition 1.0, August 2013^[10]	System security requirements and security levels
1-5	Technical Specification, Edition 1.0, September 2023	Scheme for IEC 62443 security profiles

Part 2-1: This part of the standard is aimed at operators of automation solutions and defines requirements for how security during the operation of plants is to be considered (see ISO/IEC 27001).^[3]
Part 2-4: This part defines requirements ("capabilities") for integrators. These requirements are divided into 12 topics: Assurance, architecture, wireless, security engineering systems, configuration management, remote access, event management and logging, user management, malware protection, patch management, backup & recovery, and project staffing.^[9]
Part 4-1: This part defines how a secure product development process should look like. It is divided into eight areas ("Practices"): management of development, definition of security requirements, design of security solutions, secure development, testing of security features, handling of security vulnerabilities, creation and publication of updates and documentation of security features.^[5]
Part 4-2: This part defines technical requirements for products or components.^[8] Like the requirements for systems (Section -3-3), the requirements are divided into 12 subject areas and refer to them. In addition to the technical requirements, common component security constraints (CCSC) are defined, which must be met by components to be compliant with IEC 62443-4-2:
- CCSC 1 describes that components must take into account the general security characteristics of the system in which they are used.
- CCSC 2 specifies that the technical requirements that the component cannot meet itself can be met by compensating countermeasures at system level (see IEC 62443-3-3). For this purpose, the countermeasures must be described in the documentation of the component.
- CCSC 3 requires that the "Least Privilege" principle is applied in the component.
- CCSC 4 requires that the component is developed and supported by IEC 62443-4-1 compliant development processes.

Maturity and Security Level

IEC 62443 describes different levels of maturity for processes and technical requirements. The maturity levels for processes are based on the maturity levels from the Capability Maturity Model Integration (CMMI) framework.

Maturity Level

Based on CMMI, IEC 62443 describes different maturity levels for processes through so-called "maturity levels". To fulfill a certain level of a maturity level, all process-related requirements must always be practiced during product development or integration, i.e. the selection of only individual criteria ("cherry picking") is not standard-compliant.

The maturity levels are described as follows:

Maturity Level 1 - Initial: Product suppliers usually carry out product development ad hoc and often undocumented (or not fully documented).
Maturity Level 2 - Managed: The product supplier is able to manage the development of a product according to written guidelines. It must be demonstrated that the personnel who carry out the process have the appropriate expertise, are trained and/or follow written procedures. The processes are repeatable.
Maturity Level 3 - Defined (practiced): The process is repeatable throughout the supplier's organization. The processes have been practiced and there is evidence that this has been done.
Maturity Level 4 - Improving: Product suppliers use appropriate process metrics to monitor the effectiveness and performance of the process and demonstrate continuous improvement in these areas.

Security Level

Technical requirements for systems (IEC 62443-3-3) and products (IEC 62443-4-2) are evaluated in the standard by four so-called Security Levels (SL). The different levels indicate the resistance against different classes of attackers. The standard emphasizes that the levels should be evaluated per technical requirement (see IEC 62443-1-1) and are not suitable for the general classification of products.

The levels are:

Security Level 0: No special requirement or protection required.
Security Level 1: Protection against unintentional or accidental misuse.
Security Level 2: Protection against intentional misuse by simple means with few resources, general skills and low motivation.
Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation.
Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.

Concepts

The standard explains various basic principles that should be considered for all roles in all activities.

Defense in depth

Defense in Depth is a concept in which several levels of security (defense) are distributed throughout the system. The goal is to provide redundancy in case a security measure fails or a vulnerability is exploited.

Zones and conduits

Zones divide a system into homogeneous zones by grouping the (logical or physical) assets with common security requirements. The security requirements are defined by Security Level (SL). The level required for a zone is determined by the risk analysis.

Zones have boundaries that separate the elements inside the zone from those outside. Information moves within and between zones. Zones can be divided into sub-zones that define different security levels (Security Level) and thus enable defense-in-depth.

Conduits group the elements that allow communication between two zones. They provide security functions that enable secure communication and allow the coexistence of zones with different security levels.

Certification to standards

Processes, systems and products used in industrial automation environments can be certified according to IEC 62443. Many testing, inspection, and certification (TIC) companies offer product and process certifications based on IEC 62443. By accrediting according to the ISO/IEC 17000 series of standards, the companies share a single, consistent set of certification requirements for IEC 62443 certifications which elevates the usefulness of the resulting certificates of conformance.

Accredited certification schemes

IEC 62443 certification schemes have been established by several global testing, inspection, and certification (TIC) companies. The schemes are based on the referenced standards and define test methods, surveillance audit policies, public documentation policies, and other specific aspects of their program. Cybersecurity certification programs for IEC 62443 standards are being offered globally by many recognized Certification Bodies (CB), including Bureau Veritas, Intertek, SGS-TÜV Saar, TÜV Nord, TÜV Rheinland, TÜV SÜD and UL.

A global infrastructure of national accreditation bodies (AB) ensures consistent evaluation of the IEC 62443. The ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the IAF for work in management systems, products, services, and personnel accreditation or the ILAC for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs.

TIC companies are accredited by an AB to provide inspection according to the ISO/IEC 17020, testing laboratories according to ISO/IEC 17025 and certification of products, processes, and services according to ISO/IEC 17065.

IECEE CB Scheme

The IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) Certification Body Scheme (CB Scheme) is a multilateral agreement that facilitates market access for manufacturers of electrical and electronic products. Under the CB Scheme processes, products and systems can be certified according to IEC 62443.

The origin of the CB Scheme comes from the CEE (former European "Commission for Conformity Testing of Electrical Equipment") and was integrated into the IEC in 1985. Currently, 54 Member Bodies are in the IECEE, 88 NCBs (National Certification Bodies), and 534 CB Test Laboratories (CBTL). In the field of product certification, this procedure is used to reduce the complexity in the approval procedure for manufacturers of products tested and certified according to harmonized standards. A product that has been tested by a CBTL (certified testing laboratory) according to a harmonized standard such as the IEC 62443, can use the CB report as a basis for a later national certification and approval such as GS, PSE, CCC, NOM, GOST/R, BSMI.

ISCI ISASecure

The ISA Security Compliance Institute (ISCI), a wholly owned subsidiary of the ISA, created an industry consensus conformity assessment scheme that certifies to the ISA/IEC 62443 standards and operates under the ISASecure brand. This scheme is used to certify automation control systems, components and processes. ISASecure certifications were expanded to include the Industrial IOT component certification (ICSA) in December 2022. Certification Bodies in the ISASecure certification scheme are independently accredited by ISO 17011 Accreditation Bodies to the ISASecure technical readiness requirements and the ISO 17025 and ISO 17065 standards. Multilateral recognition agreements under the IAF ensure that the ISASecure certifications are mutually recognized by all global IAF signatories.

The ISCI offers multiple certifications under the ISASecure brand:

SSA (System Security Assurance) certification of systems according to IEC 62443-3-3 and IEC 62443-4-1
CSA (Component Security Assurance) certification of automation components according to IEC 62443-4-1 and IEC 62443-4-2
ICSA (IIOT Component Security Assurance) certification of IIOT automation components according to IEC 62443-4-1 and IEC 62443-4-2 with four exceptions and seventeen extensions to the IEC 62443-4-2 standard to account for unique characteristics of IIOT components
SDLA (Secure Development Lifecycle Assurance) certification of automation systems development organizations according to the IEC 62443-4-1
EDSA (Embedded Device Security Assurance) certification of components based on the IEC 62443-4-2. This certification was offered in 2010 and phased out when the IEC 62443-4-2 standard was formally approved and published in 2018.
In 2023, ISASecure announced the development of a new certification for assessing and certifying automation and control systems in operation at asset owner sites. It is named the Automation and Control System Security Assurance (ACSSA) certification. It is slated for completion at the end of 2024.

Related Research Articles

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

<span class="mw-page-title-main">International Society of Automation</span>

The International Society of Automation (ISA), formerly known as The Instrumentation, Systems, and Automation Society, is a non-profit technical society for engineers, technicians, businesspeople, educators and students, who work, study or are interested in automation and pursuits related to it, such as instrumentation. It was originally known as the Instrument Society of America. The society is more commonly known by its acronym, ISA, and the society's scope now includes many technical and engineering disciplines. ISA is one of the foremost professional organizations in the world for setting standards and educating industry professionals in automation. Instrumentation and automation are some of the key technologies involved in nearly all industrialized manufacturing. Modern industrial manufacturing is a complex interaction of numerous systems. Instrumentation provides regulation for these complex systems using many different measurement and control devices. Automation provides the programmable devices that permit greater flexibility in the operation of these complex manufacturing systems.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Product certification or product qualification is the process of certifying that a certain product has passed performance tests and quality assurance tests, and meets qualification criteria stipulated in contracts, regulations, or specifications.

IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 17024: Conformity assessment - General requirements for bodies operating certification of persons is an ISO/IEC standard which specifies criteria for the operation of a personnel certification body. The standard includes requirements for the development and maintenance of the certification scheme for persons upon which the certification is based.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

Automotive SPICE is a maturity model adapted for the automotive industry. It assesses the maturity of development processes for electronic and software-based systems. It is based on an initiative of the Special Interest Group Automotive and the Quality Management Center (QMC) in the German Association of the Automotive Industry (VDA).

Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

The Open Trusted Technology Provider Standard (O-TTPS) is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization of Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1 and is now also known as ISO/IEC 20243:2015. The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. It is currently in version 1.1. A Chinese translation has also been published.

A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.

The testing, inspection and certification (TIC) sector consists of conformity assessment bodies who provide services ranging from auditing and inspection, to testing, verification, quality assurance and certification. The sector consists of both in-house and outsourced services.

Standardisation Testing and Quality Certification (STQC) Directorate, established in 1980, is an authoritative body offering quality assurance services to IT and Electronics domains.

References

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Understanding IEC 62443". www.iec.ch. Retrieved 2022-09-02.

[2] IEC 62443-1-1, Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models

[:0-3] 1 2 IEC 62443-2-1, Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

[4] IEC 62443-3-1, Industrial communication networks – Network and system security – Part 3-1: Security technologies for industrial automation and control systems

[:1-5] 1 2 IEC 62443-4-1, Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements

[6] IEC 62443-2-3, Security for industrial automation and control systems – Part 2-3: Patch management in the IACS environment

[7] IEC 62443-3-2, Security for industrial automation and control systems – Part 3-2: Security risk assessment for system design

[:2-8] 1 2 IEC 62443-4-2, Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components

[:3-9] 1 2 IEC 62443-2-4, Security for industrial automation and control systems – Part 2-4: Security program requirements for IACS service providers

[10] IEC 62443-3-3, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]