EN IEC 62443-2-4:2019
(Main)Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS. NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of IEC 62443 to prevent confusion with other uses of this term. Collectively, the security capabilities offered by an IACS service provider are referred to as its Security Program. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner. NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 2 illustrates how the integration and maintenance capabilities relate to the IACS and the control system product that is integrated into the Automation Solution. Some of these capabilities reference security measures defined in IEC 62443-3-3 that the service provider must ensure are supported in the Automation Solution (either included in the control system product or separately added to the Automation Solution).
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de service IACS
L'IEC 62443-2-4:2015 spécifie les exigences de capacités de sécurité pour les fournisseurs de service IACS qu'ils peuvent proposer au propriétaire d'actif pendant les activités d'intégration et de maintenance d'une Solution d'Automatisation. Le contenu du corrigendum d'août 2015 a été pris en considération dans cet exemplaire.
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za program varnosti zaščite za ponudnike storitev IACS (IEC 62443-2-4:2015)
Ta del standarda IEC 62443 določa izčrpen sklop zahtev za zmogljivosti zaščite
za ponudnike storitev IACS, ki jih lahko ponudijo lastniku dobrine med integracijo in
vzdrževanjem Rešitve avtomatizacije. Ker vse zahteve ne veljajo za vse
industrijske skupine in organizacije, podtočka 4.1.4 zagotavlja razvoj profilov, ki
omogočajo podnabor teh zahtev. Profili se uporabljajo za prilagoditev tega dokumenta
posebnim okoljem, vključno z okolji, ki ne temeljijo na skupnosti IACS.
OPOMBA 1: Izraz »Rešitev avtomatizacije« se v tem delu standarda IEC 62443 uporablja kot lastno ime (in je zato zapisan z veliko začetnico), da ga ni mogoče zamenjati z drugimi uporabami tega izraza.
Skupaj se zmogljivosti zaščite, ki jih ponuja ponudnik storitev IACS, imenujejo njegov
program varnosti zaščite. V povezani specifikaciji standard IEC 62443-2-1 opisuje zahteve za
sistem vodenja zaščite lastnika dobrine.
OPOMBA 2: Na splošno so te zmogljivosti zaščite povezane s politiko, postopki, prakso in osebjem.
Na sliki 2 je prikazano, kako so zmogljivosti integracije in vzdrževanja povezane s skupnostjo IACS in
izdelkom nadzornega sistema, ki je integriran v Rešitev avtomatizacije. Nekatere od teh
zmogljivosti se navezujejo na ukrepe za zaščito iz standarda IEC 62443-3-3, za katere mora ponudnik storitev
zagotoviti, da jih Rešitev avtomatizacije podpira (so vključeni v izdelku nadzornega
sistema ali pa so v Rešitev avtomatizacije dodani posebej).
General Information
Relations
Buy Standard
Standards Content (Sample)
SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program varnosti zaščite za ponudnike storitev IACS (IEC 62443-2-4:2015)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme (IEC
62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de commande Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS (IEC 62443-
2-4:2015)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.100.05
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015) (IEC 62443-2-4:2015)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019 E
European foreword
This document (EN IEC 62443-2-4:2019) consists of the text of IEC 62443-2-4:2015 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2015 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61508 (series) NOTE Harmonized as EN 61508 (series)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62264-1:2013 NOTE Harmonized as EN 62264-1:2013 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
IEC 62443-4-2 NOTE Harmonized as EN IEC 62443-4-2
IEC 62443-2-4 ®
Edition 1.0 2015-06
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers
Sécurité des automatismes industriels et des systèmes de commande –
Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de
service IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.040; 35.100 ISBN 978-2-8322-2767-1
– 2 – IEC 62443-2-4:2015 © IEC 2015
CONTENTS
FOREWORD. 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 7
3 Terms, definitions, abbreviated terms and acronyms . 7
3.1 Terms and definitions . 7
3.2 Abbreviations . 10
4 Concepts . 11
4.1 Use of IEC 62443-2-4 . 11
4.1.1 Use of IEC 62443-2-4 by IACS service providers . 11
4.1.2 Use of IEC 62443-2-4 by IACS asset owners . 12
4.1.3 Use of IEC 62443-2-4 during negotiations between IACS asset owners
and IACS service providers . 12
4.1.4 Profiles . 12
4.1.5 IACS integration service providers . 13
4.1.6 IACS maintenance service providers . 13
4.2 Maturity model . 14
5 Requirements overview . 15
5.1 Contents . 15
5.2 Sorting and filtering . 15
5.3 IEC 62264-1 hierarchy model . 16
5.4 Requirements table columns . 16
5.5 Column definitions . 16
5.5.1 Req ID column . 16
5.5.2 BR/RE column . 16
5.5.3 Functional area column . 17
5.5.4 Topic column . 18
5.5.5 Subtopic column . 19
5.5.6 Documentation column . 21
5.5.7 Requirement description. 21
5.5.8 Rationale . 21
Annex A (normative) Security requirements . 22
Bibliography . 85
Figure 1 – Parts of the IEC 62443 Series . 5
Figure 2 – Scope of service provider capabilities . 6
Table 1 – Maturity levels . 15
Table 2 – Columns . 16
Table 3 – Functional area column values . 18
Table 4 – Topic column values . 19
Table 5 – Subtopic column values . 20
Table A.1 – Security program requirements . 22
IEC 62443-2-4:2015 © IEC 2015 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 2-4: Security program requirements
for IACS service providers
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62443-2-4 has been prepared by IEC technical committee 65:
Industrial-process measurement, control and automation.
This publication contains an attached file in the form of an Excel 97-2003 spreadsheet version
of Table A.1. This file is intended to be used as a complement and does not form an integral
part of the publication.
The text of this standard is based on the following documents:
CDV Report on voting
65/545/CDV 65/561A/RVC
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
...
SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program varnosti zaščite za ponudnike storitev IACS (IEC 62443-2-4:2015)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme (IEC
62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de commande Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS (IEC 62443-
2-4:2015)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.100.05
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015) (IEC 62443-2-4:2015)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019 E
European foreword
This document (EN IEC 62443-2-4:2019) consists of the text of IEC 62443-2-4:2015 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2015 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61508 (series) NOTE Harmonized as EN 61508 (series)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62264-1:2013 NOTE Harmonized as EN 62264-1:2013 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
IEC 62443-4-2 NOTE Harmonized as EN IEC 62443-4-2
IEC 62443-2-4 ®
Edition 1.0 2015-06
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers
Sécurité des automatismes industriels et des systèmes de commande –
Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de
service IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.040; 35.100 ISBN 978-2-8322-2767-1
– 2 – IEC 62443-2-4:2015 © IEC 2015
CONTENTS
FOREWORD. 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 7
3 Terms, definitions, abbreviated terms and acronyms . 7
3.1 Terms and definitions . 7
3.2 Abbreviations . 10
4 Concepts . 11
4.1 Use of IEC 62443-2-4 . 11
4.1.1 Use of IEC 62443-2-4 by IACS service providers . 11
4.1.2 Use of IEC 62443-2-4 by IACS asset owners . 12
4.1.3 Use of IEC 62443-2-4 during negotiations between IACS asset owners
and IACS service providers . 12
4.1.4 Profiles . 12
4.1.5 IACS integration service providers . 13
4.1.6 IACS maintenance service providers . 13
4.2 Maturity model . 14
5 Requirements overview . 15
5.1 Contents . 15
5.2 Sorting and filtering . 15
5.3 IEC 62264-1 hierarchy model . 16
5.4 Requirements table columns . 16
5.5 Column definitions . 16
5.5.1 Req ID column . 16
5.5.2 BR/RE column . 16
5.5.3 Functional area column . 17
5.5.4 Topic column . 18
5.5.5 Subtopic column . 19
5.5.6 Documentation column . 21
5.5.7 Requirement description. 21
5.5.8 Rationale . 21
Annex A (normative) Security requirements . 22
Bibliography . 85
Figure 1 – Parts of the IEC 62443 Series . 5
Figure 2 – Scope of service provider capabilities . 6
Table 1 – Maturity levels . 15
Table 2 – Columns . 16
Table 3 – Functional area column values . 18
Table 4 – Topic column values . 19
Table 5 – Subtopic column values . 20
Table A.1 – Security program requirements . 22
IEC 62443-2-4:2015 © IEC 2015 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 2-4: Security program requirements
for IACS service providers
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62443-2-4 has been prepared by IEC technical committee 65:
Industrial-process measurement, control and automation.
This publication contains an attached file in the form of an Excel 97-2003 spreadsheet version
of Table A.1. This file is intended to be used as a complement and does not form an integral
part of the publication.
The text of this standard is based on the followi
...
SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program varnosti zaščite za ponudnike storitev IACS (IEC 62443-2-4:2015)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de commande Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS (IEC 62443-
2-4:2015)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.100.05
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015) (IEC 62443-2-4:2015)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019 E
European foreword
This document (EN IEC 62443-2-4:2019) consists of the text of IEC 62443-2-4:2015 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2015 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61508 (series) NOTE Harmonized as EN 61508 (series)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62264-1:2013 NOTE Harmonized as EN 62264-1:2013 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
IEC 62443-4-2 NOTE Harmonized as EN IEC 62443-4-2
IEC 62443-2-4 ®
Edition 1.0 2015-06
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers
Sécurité des automatismes industriels et des systèmes de commande –
Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de
service IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.040; 35.100 ISBN 978-2-8322-2767-1
– 2 – IEC 62443-2-4:2015 © IEC 2015
CONTENTS
FOREWORD. 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 7
3 Terms, definitions, abbreviated terms and acronyms . 7
3.1 Terms and definitions . 7
3.2 Abbreviations . 10
4 Concepts . 11
4.1 Use of IEC 62443-2-4 . 11
4.1.1 Use of IEC 62443-2-4 by IACS service providers . 11
4.1.2 Use of IEC 62443-2-4 by IACS asset owners . 12
4.1.3 Use of IEC 62443-2-4 during negotiations between IACS asset owners
and IACS service providers . 12
4.1.4 Profiles . 12
4.1.5 IACS integration service providers . 13
4.1.6 IACS maintenance service providers . 13
4.2 Maturity model . 14
5 Requirements overview . 15
5.1 Contents . 15
5.2 Sorting and filtering . 15
5.3 IEC 62264-1 hierarchy model . 16
5.4 Requirements table columns . 16
5.5 Column definitions . 16
5.5.1 Req ID column . 16
5.5.2 BR/RE column . 16
5.5.3 Functional area column . 17
5.5.4 Topic column . 18
5.5.5 Subtopic column . 19
5.5.6 Documentation column . 21
5.5.7 Requirement description. 21
5.5.8 Rationale . 21
Annex A (normative) Security requirements . 22
Bibliography . 85
Figure 1 – Parts of the IEC 62443 Series . 5
Figure 2 – Scope of service provider capabilities . 6
Table 1 – Maturity levels . 15
Table 2 – Columns . 16
Table 3 – Functional area column values . 18
Table 4 – Topic column values . 19
Table 5 – Subtopic column values . 20
Table A.1 – Security program requirements . 22
IEC 62443-2-4:2015 © IEC 2015 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 2-4: Security program requirements
for IACS service providers
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62443-2-4 has been prepared by IEC technical committee 65:
Industrial-process measurement, control and automation.
This publication contains an attached file in the form of an Excel 97-2003 spreadsheet version
of Table A.1. This file is intended to be used as a complement and does not form an integral
part of the publication.
The text of this standard is based on the followi
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.