FprEN IEC 62443-2-1:2024

SLOVENSKI STANDARD
oSIST prEN IEC 62443-2-1:2019
01-november-2019
Zaščita industrijske avtomatizacije in kontrolnih sistemov - 2-1. del: Zahteve za
program varnosti zaščite za lastnike sredstev IACS
Security for industrial automation and control systems - Part 2-1: Security program
requirements for IACS asset owners
Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes -
Partie 2-1: Etablissement d'un programme de sécurité pour les systèmes
d'automatisation et de commande industrielles
Ta slovenski standard je istoveten z: prEN IEC 62443-2-1:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
oSIST prEN IEC 62443-2-1:2019 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN IEC 62443-2-1:2019
oSIST prEN IEC 62443-2-1:2019
65/756/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER:
IEC 62443-2-1 ED2
DATE OF CIRCULATION: CLOSING DATE FOR VOTING:
2019-08-23 2019-11-15
SUPERSEDES DOCUMENTS:
65/692A/RR
IEC TC 65 : INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION
SECRETARIAT: SECRETARY:
France Mr Rudy BELLIARDI
OF INTEREST TO THE FOLLOWING COMMITTEES: PROPOSED HORIZONTAL STANDARD:

TC 44, SC 45A, TC 57, SC 62A; ISO/IEC/JTC1/SC 27
Other TC/SCs are requested to indicate their interest, if any, in
this CDV to the secretary.
FUNCTIONS CONCERNED:
EMC ENVIRONMENT QUALITY ASSURANCE SAFETY
SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of
CENELEC, is drawn to the fact that this Committee Draft for Vote
(CDV) is submitted for parallel voting.
The CENELEC members are invited to vote through the
CENELEC online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

TITLE:
Security for industrial automation and control systems – Part 2-1: Security program requirements for IACS
asset owners
PROPOSED STABILITY DATE: 2024
NOTE FROM TC/SC OFFICERS:
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

oSIST prEN IEC 62443-2-1:2019
65/756/CDV – 2 – IEC CDV 62443-2-1 © IEC 2019
CONTENTS
FOREWORD . 9
INTRODUCTION . 11
1 Scope . 13
2 Normative references . 14
3 Terms, definitions, abbreviated terms, acronyms and conventions . 14
3.1 Terms and definitions . 14
3.3 Abbreviated terms and acronyms . 17
4 Concepts . 19
4.1 Use of IEC 62443‑2‑1 . 19
4.1.1 Applicable roles . 19
4.1.2 Use of IEC 62443‑2‑1 by asset owners. 20
4.1.3 Use of IEC 62443‑2‑1 by service providers and product suppliers . 22
4.2 Maturity model . 22
4.3 Security levels (SLs) . 24
4.4 Requirements definitions . 25
4.4.1 Requirements organization . 25
4.4.2 Requirements mappings . 25
4.4.3 Requirement conventions . 25
5 Conformity . 25
5.1 Overview . 25
5.2 Requirements selection . 26
6 SPE 1 – Organizational security measures . 28
6.1 Purpose . 28
6.2 ORG 1 – Security related organization and policies . 28
6.2.1 ORG 1.1: Information security management system (ISMS) . 28
6.2.2 ORG 1.2: Background checks. 29
6.2.3 ORG 1.3: Security roles and responsibilities . 29
6.2.4 ORG 1.4: Security awareness training . 30
6.2.5 ORG 1.5: Security responsibilities training . 30
6.2.6 ORG 1.6: Supply chain security . 31
6.3 ORG 2 – Security assessments and reviews . 32
6.3.1 ORG 2.1: Security risk mitigation . 32
6.3.2 ORG 2.2: Processes for discovery of security anomalies . 33
6.3.3 ORG 2.3: Secure development and support . 33
6.3.4 ORG 2.4: SP reviews . 34

oSIST prEN IEC 62443-2-1:2019
IEC CDV 62443-2-1 © IEC 2019 – 3 – 65/756/CDV

6.4 ORG 3 – Security of physical access . 35
6.4.1 ORG 3.1: Physical access control . 35
7 SPE 2 – Configuration management . 35
7.1 Purpose . 35
7.2 CM 1 – Inventory management of IACS hardware/software components and
network communications . 35
7.2.1 CM 1.1: Asset inventory baseline . 35
7.2.2 CM 1.2: Infrastructure drawings/documentation . 36
7.2.3 CM 1.3: Configuration settings . 37
7.2.4 CM 1.4: Change control . 37
8 SPE 3 – Network and communications security . 38
8.1 Purpose . 38
8.2 NET 1 – System segmentation . 38
8.2.1 NET 1.1: Segmentation from non-IACS networks . 38
8.2.2 NET 1.2: Documentation of network segment interconnections . 39
8.2.3 NET 1.3: Network segmentation from safety systems . 39
8.2.4 NET 1.4: Network autonomy . 40
8.2.5 NET 1.5: Network disconnection from external networks . 40
8.2.6 NET 1.6: Internal network access control . 41
8.2.7 NET 1.7: Device connections . 41
8.2.8 NET 1.8: Network accessible services . 42
8.2.9 NET 1.9: User messaging . 43
8.2.10 NET 1.10: Network time distribution . 43
8.3 NET 2 – Secure wireless access . 44
8.3.1 NET 2.1: Wireless protocols . 44
8.3.2 NET 2.2: Wireless network segmentation . 44
8.3.3 NET 2.3: Wireless properties and addresses . 45
8.4 NET 3 – Secure remote access . 45
8.4.1 NET 3.1: Remote access applications . 45
8.4.2 NET 3.2: Remote access connections . 46
8.4.3 NET 3.3: Remote access termination . 47
9 SPE 4 – Component security . 47
9.1 Purpose . 47
9.2 COMP 1 – Devices and media . 48
9.2.1 COMP 1.1: Device hardening . 48
9.2.2 COMP 1.2: Dedicated portable media . 48
9.3 COMP 2 – Malware protection . 49
9.3.1 COMP 2.1: Malware free . 49

oSIST prEN IEC 62443-2-1:2019
65/756/CDV – 4 – IEC CDV 62443-2-1 © IEC 2019
9.3.2 COMP 2.2: Malware protection . 50
9.3.3 COMP 2.3: Malware protection software validation and installation . 50
9.4 COMP 3 – Patch management. 51
9.4.1 COMP 3.1: Security patch authenticity/integrity . 51
9.4.2 COMP 3.2: Security patch validation and installation . 51
9.4.3 COMP 3.3: Security patch status . 52
9.4.4 COMP 3.4: Security patching retention of security . 52
9.4.5 COMP 3.5: Security patch mitigation . 53
10 SPE 5 – Protection of data . 53
10.1 Purpose . 53
10.2 DATA 1 – Protection of data . 54
10.2.1 DATA 1.1: Data classification . 54
10.2.2 DATA 1.2: Protection of data . 54
10.2.3 DATA 1.3: Safety system configuration mode. 55
10.2.4 DATA 1.4: Failure-state . 56
10.2.5 DATA 1.5: Data retention . 56
10.2.6 DATA 1.6: Data purging . 57
10.2.7 DATA 1.7: Cryptographic mechanisms . 57
10.2.8 DATA 1.8: Key management . 58
10.2.9 DATA 1.9: Public key infrastructure (PKI) .
...