EN IEC 62443-2-4:2024
(Main)Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
IEC 62443-2:2023 specifies a comprehensive set of requirements for security-related processes that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of "profiles" that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS. NOTE 1 The term "Automation Solution" is used as a proper noun (and therefore capitalized) in this document to prevent confusion with other uses of this term. Collectively, the security processes offered by an IACS service provider are referred to as its Security Program (SP) for IACS asset owners. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner. NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 1 illustrates the integration and maintenance security processes of the asset owner, service provider(s), and product supplier(s) of an IACS and their relationships to each other and to the Automation Solution. Some of the requirements of this document relating to the safety program are associated with security requirements described in IEC 62443-3-3 and IEC 62443-4-2. NOTE 3 The IACS is a combination of the Automation Solution and the organizational measures necessary for its design, deployment, operation, and maintenance. NOTE 4 Maintenance of legacy system with insufficient security technical capabilities, implementation of policies, processes and procedures can be addressed through risk mitigation.
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de service IACS
L’IEC 62453-2:2023 fournit des informations sur l’intégration de la technologie CIP™ dans la spécification des interfaces des outils des dispositifs de terrain (FDT) (IEC 62453-2). La Famille de profils de communication 2 (communément appelée CIP™ définit des profils de communication basés sur les normes IEC 61158‑2 Type 2, IEC 61158‑3‑2, IEC 61158‑4‑2, IEC 61158‑5‑2, IEC 61158‑6‑2 et IEC 62026‑3. Les profils de base CP 2/1 (ControlNet™), CP 2/2 (EtherNet/IP™) et CP 2/3 (DeviceNet™1) sont définis dans l’IEC 61784-1 et l’IEC 61784-2. Un Profil de communication supplémentaire (CompoNet™1), également basé sur CIP™, est défini dans l’IEC 62026-7. La présente partie de l’IEC 62453 spécifie les services de communication et autres services. La présente spécification ne contient pas la spécification des outils FDT et ne la modifie pas.CIP™ (Common Industrial Protocol), DeviceNet™ et CompoNet™ sont les appellations commerciales de Open DeviceNet Vendor Association, Inc (ODVA). Cette information est donnée à l’intention des utilisateurs du présent document et ne signifie nullement que l’IEC approuve ou recommande le détenteur de la marque ou de l’un quelconque de ses produits. La conformité à la présente norme n’exige pas l’emploi des appellations commerciales CIP™, DeviceNet™ ou CompoNet™. L’utilisation des appellations commerciales CIP™, DeviceNet™ ou CompoNet™ nécessite l’autorisation de Open DeviceNet Vendor Association, Inc. ControlNet™ est l’appellation commerciale de ControlNet International, Ltd. Cette information est donnée à l’intention des utilisateurs du présent document et ne signifie nullement que l’IEC approuve ou recommande le détenteur de la marque ou de l’un quelconque de ses produits. La conformité à ce profil n’exige pas l’emploi de l’appellation commerciale ControlNet™. L’utilisation de l’appellation commerciale ControlNet™ nécessite l’autorisation de ControlNet International, Ltd. EtherNet/IP™ est l’appellation commerciale de ControlNet International, Ltd et de Open DeviceNet Vendor Association, Inc. Cette information est donnée à l’intention des utilisateurs du présent document et ne signifie nullement que l’IEC approuve ou recommande le détenteur de la marque ou de l’un quelconque de ses produits. La conformité à ce profil n’exige pas l’emploi de l’appellation commerciale EtherNet/IP™. L’utilisation de l’appellation commerciale EtherNet/IP™ nécessite l’autorisation de ControlNet International, Ltd. ou de Open DeviceNet Vendor Association, Inc.
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za program zaščite za ponudnike storitev IACS (IEC 62443-2-4:2023)
Standard IEC 62443-2:2023 določa izčrpen sklop zahtev za procese v zvezi z zaščito, ki jih lahko ponudniki storitev IACS zagotavljajo lastniku sredstva med integracijo in vzdrževanjem rešitve avtomatizacije. Ker vse zahteve ne veljajo za vse industrijske skupine in organizacije, podtočka 4.1.4 zagotavlja razvoj »profilov«, ki omogočajo podnabor teh zahtev. Profili se uporabljajo za prilagoditev tega dokumenta posebnim okoljem, vključno z okolji, ki ne temeljijo na storitvah IACS.
OPOMBA 1: Izraz »rešitev avtomatizacije« se v tem dokumentu uporablja kot lastno ime (in je zato zapisan z veliko začetnico), da ga ni mogoče zamenjati z drugimi uporabami tega izraza. Skupaj se procesi zaščite, ki jih zagotavlja ponudnik storitev IACS, imenujejo njegov program zaščite (SP) za lastnike sredstev IACS. V povezani specifikaciji standard IEC 62443-2-1 opisuje zahteve za sistem upravljanja zaščite lastnika sredstva.
OPOMBA 2: Na splošno so te zmogljivosti zaščite povezane s politiko, postopki, prakso in osebjem. Slika 1 prikazuje procese zaščite, ki jih v okviru integracije in vzdrževanja izvajajo lastnik sredstva, ponudnik(-i) storitve in dobavitelj(-i) storitve IACS, ter njihova razmerja med seboj in do rešitve avtomatizacije. Nekatere zahteve v tem dokumentu, ki se navezujejo na program zaščite, so povezane z zahtevami glede zaščite iz standardov IEC 62443-3-3 in IEC 62443-4-2.
OPOMBA 3: IACS je kombinacija rešitve avtomatizacije in organizacijskih ukrepov, potrebnih za njeno načrtovanje, uvedbo, delovanje in vzdrževanje.
OPOMBA 4: K vzdrževanju starejšega sistema z nezadostno tehnično zmogljivostjo na področju zaščite ter izvajanju pravilnikov, procesov in postopkov je mogoče pristopiti z zmanjšanjem tveganja.
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-september-2024
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program zaščite za ponudnike storitev IACS (IEC 62443-2-4:2023)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2023)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2023)
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS (IEC 62443-
2-4:2023)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2024
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4
NORME EUROPÉENNE
EUROPÄISCHE NORM January 2024
ICS 25.040.40; 35.100.05 Supersedes EN IEC 62443-2-4:2019;
EN IEC 62443-2-4:2019/A1:2019
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2023)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2023) (IEC 62443-2-4:2023)
This European Standard was approved by CENELEC on 2024-01-19. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2024 E
European foreword
The text of document 65/1021/FDIS, future edition 2 of IEC 62443-2-4, prepared by IEC/TC 65
"Industrial-process measurement, control and automation" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62443-2-4:2024.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2024-10-19
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2027-01-19
document have to be withdrawn
This document supersedes EN IEC 62443-2-4:2019 and all of its amendments and corrigenda (if any).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2023 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 62682:2022 NOTE Approved as EN IEC 62682:2023 (not modified)
ISO/IEC 30111 NOTE Approved as EN ISO/IEC 30111
ISO 15189:2022 NOTE Approved as EN ISO 15189:2022 (not modified)
IEC 62443-2-4 ®
Edition 2.0 2023-12
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers
Sécurité des automatismes industriels et des systèmes de commande –
Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de
service IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40, 35.100.05 ISBN 978-2-8322-7779-9
– 2 – IEC 62443-2-4:2023 © IEC 2023
CONTENTS
FOREWORD . 3
1 Scope . 5
2 Normative references . 6
3 Terms, definitions and abbreviated terms . 7
3.1 Terms and definitions . 7
3.2 Abbreviated terms . 11
4 Concepts . 13
4.1 Use of this document . 13
4.1.1 Use of this document by service providers . 13
4.1.2 Use of this document by asset owners . 14
4.1.3 Use of this document during negotiations between asset owners and
IACS service providers . 15
4.1.4 Profiles . 15
4.1.5 Integration service providers . 15
4.1.6 Maintenance service providers . 16
4.2 Maturity model . 17
5 Requirements overview . 18
5.1 Contents . 18
5.2 Sorting and filtering . 19
5.3 IEC 62264-1 hierarchy model . 19
5.4 Requirements table columns . 19
5.5 Column definitions . 19
5.5.1 Req ID column . 19
5.5.2 BR/RE column . 20
5.5.3 Functional area column . 20
5.5.4 Topic column . 21
5.5.5 Subtopic column . 22
5.5.6 Documentation column . 24
5.5.7 Requirement description column . 24
5.5.8 Rationale column . 25
Annex A (normative) Security requirements . 26
Bibliography . 91
Figure 1 – Scope of service provider processes . 6
Table 1 – Maturity levels . 18
Table 2 – Columns . 19
Table 3 – Functional area column values . 21
Table 4 – Architecture Functional Area Summary Levels . 21
Table 5 – Topic column values . 22
Table 6 – Subtopic column values . 23
Table A.1 – Security program requirements . 26
IEC 62443-2-4:2023 © IEC 2023 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 2-4: Security program requirements
for IACS service providers
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, wh
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.