Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme

Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de service IACS

Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za program zaščite za ponudnike storitev IACS

General Information

Status: Not Published
Publication Date: 31-Mar-2024
Current Stage: 4060 - Enquiry results established and sent to TC, SR, BTTF - Enquiry
Start Date: 02-Dec-2022
Completion Date: 02-Dec-2022

Draft
prEN IEC 62443-2-4:2022 - BARVE
English language
93 pages

Standards Content (Sample)

SLOVENIAN STANDARD
oSIST prEN IEC 62443-2-4:2022
01-November-2022
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program varnosti zaščite za ponudnike storitev IACS
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS
This Slovenian standard is identical to: prEN IEC 62443-2-4:2022
ICS:
25.040.01 Sistemi za avtomatizacijo v industriji na splošno / Industrial automation systems in general
35.030 Informacijska varnost / IT Security
oSIST prEN IEC 62443-2-4:2022 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.

65/936/CDV

COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER: IEC 62443-2-4 ED2
DATE OF CIRCULATION: 2022-09-09
CLOSING DATE FOR VOTING: 2022-12-02
SUPERSEDES DOCUMENTS: 65/848/CD, 65/854A/CC

IEC TC 65: INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION
SECRETARIAT: France
SECRETARY: Mr Didier GIARRATANO
OF INTEREST TO THE FOLLOWING COMMITTEES: TC 44, SC 45A, TC 57, SC 62A, SC 121A, ISO/IEC JTC 1/SC 41
PROPOSED HORIZONTAL STANDARD:
Other TC/SCs are requested to indicate their interest, if any, in this CDV to the secretary.
FUNCTIONS CONCERNED:
EMC ENVIRONMENT QUALITY ASSURANCE SAFETY
SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of
CENELEC, is drawn to the fact that this Committee Draft
for Vote (CDV) is submitted for parallel voting.
The CENELEC members are invited to vote through the
CENELEC online voting system.

This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.

TITLE:
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers

PROPOSED STABILITY DATE: 2025

NOTE FROM TC/SC OFFICERS:


Copyright © 2022 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

IEC CDV 62443-2-4 © IEC 2022

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms and acronyms
3.1 Terms and definitions
3.2 Abbreviations
4 Concepts
4.1 Use of IEC 62443-2-4
4.1.1 Use of IEC 62443-2-4 by service providers
4.1.2 Use of IEC 62443-2-4 by asset owners
4.1.3 Use of IEC 62443-2-4 during negotiations between asset owners and IACS service providers
4.1.4 Profiles
4.1.5 Integration service providers
4.1.6 Maintenance service providers
4.2 Maturity model
5 Requirements overview
5.1 Contents
5.2 Sorting and filtering
5.3 IEC 62264-1 hierarchy model
5.4 Requirements table columns
5.5 Column definitions
5.5.1 Req ID column
5.5.2 BR/RE column
5.5.3 Functional area column
5.5.4 Topic column
5.5.5 Subtopic column
5.5.6 Documentation column
5.5.7 Requirement description column
5.5.8 Rationale column
Annex A (normative) Security requirements
Bibliography

Figure 1 – Scope of service provider capabilities

Table 1 – Maturity levels
Table 2 – Columns
Table 3 – Functional area column values
Table 4 – Topic column values
Table 5 – Subtopic column values
Table A.1 – Security program requirements

INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________

SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 2-4: Security program requirements for IACS service providers

Ed.2

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 62443-2-4 Ed. 2 has been prepared by IEC technical committee 65: Industrial-process measurement, control and automation in collaboration with the liaison International Instrumentation Users Association, referred to as the WIB from its original and now obsolete Dutch name.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 62443 series, published under the general title Security for industrial automation and control systems, can be found on the IEC website.

Edition 2 of IEC 62443-2-4 makes editorial corrections discovered since its release and provides clarifications that have been identified as necessary, primarily through the use of the document during conformity assessment and during the development of profiles. One area of clarification is that some requirements were interpreted as technical requirements, when the intention was for them to be the use/configuration of technical capabilities.

Future standards in this series will carry the new general title as cited above. Titles of existing standards in this series will be updated at the time of the next edition.

The committee has decided that the contents of the base publication and its amendment will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.

INTRODUCTION

This standard is the part of the IEC 62443 series that contains security requirements for providers of integration and maintenance services for Industrial Automation and Control Systems (IACS).

1 Scope

This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS.

NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of IEC 62443 to prevent confusion with other uses of this term.

Collectively, the security capabilities offered by an IACS service provider are referred to as its Security Program for IACS Asset Owners. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner.

NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related.

Figure 1 illustrates the integration and maintenance security capabilities of the asset owner, service provider(s) and product supplier(s) of an IACS and their relationships to each other and to the Automation Solution. Some of the IEC 62443-2-4 security program requirements are associated with security requirements described in IEC 62443-3-3 and IEC 62443-4-2.

NOTE 3 The IACS is a combination of the Automation Solution and the organizational measures necessary for its design, deployment, operation, and maintenance.

NOTE 4 Maintenance of legacy system with insufficient security functional capabilities, implementation of policies, processes and procedures are recommended as risk mitigations.

Figure 1 – Scope of service provider capabilities

In Figure 1, the Automation Solution is illustrated to contain the Essential Functions that include safety functions, commonly implemented by a Safety Instrumented System (SIS), and complementary and control functions, commonly implemented by supporting applications, such as batch management, advanced control, historian, and security related applications. The dashed boxes indicate that these components are “optional”.

NOTE 5 The term “process” in BPCS may apply to a variety of industrial processes, including continuous processes and manufacturing processes.

NOTE 6 Automation Solutions typically have a single control system (product), but they are not restricted to do so. In general, the Automation Solution is the set of hardware and software, independent of product packaging, that is used to control a physical process (e.g. continuous or manufacturing) as defined by the asset owner.

NOTE 7 Service providers often provide reference architectures.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

“None”

3 Terms, definitions, abbreviated terms and acronyms

3.1 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp

3.1.1
asset owner
role of an organization responsible for one or more IACSs
Note 1 to entry: Used in place of the generic word end user to provide differentiation.
Note 2 to entry: This definition includes the components that are part of the IACS.
Note 3 to entry: In the context of this standard, asset owner also includes the operator of the IACS.

3.1.2
attack surface
physical and functional interfaces of a system that can be accessed and through which the system can be potentially exploited
Note 1 to entry: The size of the attack surface for a software interface is proportional to the number of methods and parameters defined for the interface. Simple interfaces, therefore, have smaller attack surfaces than complex interfaces.
Note 2 to entry: The size of the attack surface and the number of vulnerabilities are not necessarily related to each other.

3.1.3
Automation Solution
collection of control system and any complementary components that have been installed and configured to operate in an IACS
Note 1 to entry: Automation Solution is used as a proper noun in this part of IEC 62443.
Note 2 to entry: The difference between the control system and the Automation Solution is that the control system is incorporated into the Automation Solution design (e.g. a specific number of workstations, controllers, and devices in a specific configuration), which is then implemented. The resulting configuration is referred to as the Automation Solution.
Note 3 to entry: The Automation Solution may be provided by multiple suppliers, including the product supplier of the control system and the product suppliers of complementary components.
Note 4 to entry: The Automation Solution does not include the processes and procedures used during integration, maintenance, and operation of the IACS.
Note 5 to entry: An Automation Solution, once integration into a given environment is complete, is ready for operation

3.1.4
basic process control system
system that responds to input signals from the process, its associated equipment, other programmable systems and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner but does not perform any safety integrated functions (SIF)
Note 1 to entry: Safety instrumented functions are specified in the IEC 61508 series.
Note 2 to entry: The term “process” in this definition may apply to a variety of industrial processes, including continuous processes and manufacturing processes.

3.1.5
component
entity belonging to an IACS that exhibits the characteristics of one or more of a host device, network device, software application, or embedded device

3.1.6
consultant
subcontractor that provides guidance, including expert advice, to the asset owner, integration or maintenance service provider, or product supplier
Note 1 to entry: A consultant can provide assistance for component or system countermeasures.

3.1.7
control system
hardware and software components used in the design and implementation of an IACS
Note 1 to entry: As shown in Figure 1, control systems are composed of field devices, embedded control devices, network devices, and host devices (including workstations and servers).
Note 2 to entry: As shown in Figure 1, control systems are represented in the Automation Solution by a BPCS and an optional SIS.

3.1.8
handover
act of turning an Automation Solution over to the asset owner
Note 1 to entry: Handover effectively transfers responsibility for operations and maintenance of an Automation Solution from the integration service provider to the asset owner and generally occurs after successful completion of system test, often referred to as Site Acceptance Test (SAT).

3.1.9
harden
process of improving the security of a system or component through a reduction of risk factors
Note 1 to entry: Hardening generally involves adapting and configuring the Automation Solution / components and related policies and procedures to meet the security needs of the asset owner’s site.

3.1.10
industrial automation and control system
collection of personnel, hardware, software, procedures and policies involved in the operation of the industrial process and that can affect or influence its safe, secure and reliable operation
Note 1 to entry: The IACS may include components that are not installed at the asset owner’s site.
Note 2 to entry: The definition of IACS was taken from IEC-62443-3-3 and is illustrated in Figure 1. Examples of IACSs include Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) systems. IEC 62443-2-4 also defines the proper noun “Automation Solution” to mean the specific instance of the control system product and possibly additional components that are designed into the IACS. The Automation Solution, therefore, differs from the control system since it represents a specific implementation (design and configuration) of the control system hardware and software components for a specific asset owner.

3.1.11
integration service provider
service provider that provides integration activities for an Automation Solution including design, installation, configuration, testing, commissioning, and handover
Note 1 to entry: Integration service providers are often referred to as integrators or Main Automation Contractors (MAC).

3.1.12
maintenance service provider
service provider that provides support activities for an Automation Solution after handover
Note 1 to entry: Maintenance is often considered to be distinguished from operation (e.g. in common colloquial language it is often assumed that an Automation Solution is either in operation or under maintenance). Maintenance service providers can perform support activities during operations, e.g. managing user accounts, security monitoring, and security assessments.

3.1.13
portable media
portable devices that contain data storage capabilities that can be used to physically copy data from one piece of equipment and transfer it to another
Note 1 to entry: Types of portable media include but are not limited to: CD / DVD / Blu-ray Media, USB memory devices, smart phones, flash memory, solid state disks, hard drives, handhelds, and portable computers.

3.1.14
product
system, subsystem or component that is manufactured, developed or refined for use by other products
Note 1 to entry: The processes required by the practices defined in this document apply iteratively to all levels of product design (for example, from the system level to the component level).

3.1.15
product supplier
manufacturer of hardware and/or software product
Note 1 to entry: Used in place of the generic word vendor to provide differentiation.

3.1.16
profile
named combination of options, chosen according to a specified framework, that are necessary to accomplish a particular function
Note 1 to entry: The options can be chosen from one or several documents or subdivisions of documents.

3.1.17
remote access
access to a control system through an external interface of the control system
Note 1 to entry: Examples of applications that support remote access include RDP, OPC, and Syslog.
Note 2 to entry: In general, remote access applications and the Automation Solution will reside in different security zones as determined by the asset owner. See IEC 62443-3-2 for the application of zones and conduits to the Automation Solution by the asset owner.

3.1.18
safety instrumented system
system used to implement functional safety
Note 1 to entry: See IEC 61508 and IEC 61511 for more information on functional safety.
Note 2 to entry: Not all industry sectors use this term. This term is not restricted to any specific industry sector, and it is used generically to refer to systems that enforce functional safety. Other equivalent terms include safety systems and safety related systems.

3.1.19
security compromise
violation of the security of a system such that an unauthorized (1) disclosure or modification of information or (2) denial of service may have occurred
Note 1 to entry: A security compromise represents a breach of the security of a system or an infraction of its security policies. It is independent of impact or potential impact to the system.

3.1.20
security incident
security compromise that is of some significance to the asset owner or failed attempt to compromise the system whose result could have been of some significance to the asset owner

Note 1 to entry: The term “of some significance” is relative to the environment in which the security compromise is detected. For example, the same compromise may be declared as a security incident in one environment and not in another. Triage activities are often used by asset owners to evaluate security compromises and identify those that are significant enough to be considered incidents.
Note 2 to entry: In some environments, failed attempts to compromise the system, such as failed login attempts, are considered significant enough to be classified as security incidents.

3.1.21
security patch
software patch that is relevant to the security of a software component
Note 1 to entry: For the purpose of this definition, firmware is considered software.
Note 2 to entry: Software patches may address known or potential vulnerabilities, or simply improve the security of the software component, including its reliable operation.

3.1.22
security program
portfolio of security services, including integration services and maintenance services, and their associated policies, procedures, and products that are applicable to the IACS
Note 1 to entry: The security program for IACS service providers refers to the policies and procedures defined by them to address security concerns of the IACS.

3.1.23
service provider
role of an organization (internal or external organization, manufacturer, etc.) that provides a specific support service and associated supplies in accordance with an agreement with the asset owner
Note 1 to entry: This term is used in place of the generic word “vendor” to provide differentiation.

3.1.24
...
