EN IEC 62443-2-4:2019/A1:2019
(Amendment)Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities
for IACS service providers that they can offer to the asset owner during integration and
maintenance activities of an Automation Solution. Because not all requirements apply to all
industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles
that allow for the subsetting of these requirements. Profiles are used to adapt this document
to specific environments, including environments not based on an IACS.
NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of
IEC 62443 to prevent confusion with other uses of this term.
Collectively, the security capabilities offered by an IACS service provider are referred to as its
Security Program. In a related specification, IEC 62443-2-1 describes requirements for the
Security Management System of the asset owner.
NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related.
Figure 2 illustrates how the integration and maintenance capabilities relate to the IACS and
the control system product that is integrated into the Automation Solution. Some of these
capabilities reference security measures defined in IEC 62443-3-3 that the service provider
must ensure are supported in the Automation Solution (either included in the control system
product or separately added to the Automation Solution).
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de service IACS
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-4:2015/A1:2017)
Ta del standarda IEC 62443 določa izčrpen sklop zahtev za zmogljivosti zaščite
za ponudnike storitev IACS, ki jih lahko ponudijo lastniku dobrine med integracijo in
vzdrževanjem Rešitve avtomatizacije. Ker vse zahteve ne veljajo za vse
industrijske skupine in organizacije, podtočka 4.1.4 zagotavlja razvoj profilov, ki
omogočajo podnabor teh zahtev. Profili se uporabljajo za prilagoditev tega dokumenta
posebnim okoljem, vključno z okolji, ki ne temeljijo na skupnosti IACS.
OPOMBA 1: Izraz »Rešitev avtomatizacije« se v tem delu standarda IEC 62443 uporablja kot lastno ime (in je zato zapisan z veliko začetnico), da ga ni mogoče zamenjati z drugimi uporabami tega izraza.
Skupaj se zmogljivosti zaščite, ki jih ponuja ponudnik storitev IACS, imenujejo njegov
program varnosti zaščite. V povezani specifikaciji standard IEC 62443-2-1 opisuje zahteve za
sistem vodenja zaščite lastnika dobrine.
OPOMBA 2: Na splošno so te zmogljivosti zaščite povezane s politiko, postopki, prakso in osebjem.
Na sliki 2 je prikazano, kako so zmogljivosti integracije in vzdrževanja povezane s skupnostjo IACS in
izdelkom nadzornega sistema, ki je integriran v Rešitev avtomatizacije. Nekatere od teh
zmogljivosti se navezujejo na ukrepe za zaščito iz standarda IEC 62443-3-3, za katere mora ponudnik storitev
zagotoviti, da jih Rešitev avtomatizacije podpira (so vključeni v izdelku nadzornega
sistema ali pa so v Rešitev avtomatizacije dodani posebej).
General Information
- Status
- Published
- Publication Date
- 18-Apr-2019
- Withdrawal Date
- 02-Apr-2022
- Technical Committee
- CLC/TC 65X - Industrial-process measurement, control and automation
- Drafting Committee
- CLC/TC 65X - Industrial-process measurement, control and automation
- Current Stage
- 6060 - Document made available - Publishing
- Start Date
- 19-Apr-2019
- Due Date
- 08-Nov-2020
- Completion Date
- 19-Apr-2019
Relations
- Effective Date
- 26-Jul-2022
- Effective Date
- 17-Apr-2018
Overview
EN IEC 62443-2-4:2019/A1:2019 (IEC 62443-2-4 with Amendment A1) specifies security program requirements for IACS service providers - organizations that design, integrate, operate or maintain Industrial Automation and Control Systems (IACS). The amendment clarifies scope, introduces the use of Profiles to tailor requirements to specific sectors/environments, and refines the maturity model and requirement descriptions. The standard is intended for use during integration and maintenance activities of an Automation Solution and is aligned with other IEC 62443 parts and IEC 62264/IEC 62443 zoning models.
Key topics and requirements
- Security program capabilities for service providers: A comprehensive set of capabilities (Annex A) that service providers can offer to asset owners during lifecycle activities.
- Profiles (customization): Profiles are defined via IEC Technical Reports (TRs) so industry groups, asset owners or service providers can subset and adapt Annex A requirements to specific environments (including non-IACS contexts).
- Maturity model: Defines maturity levels for service-provider capabilities; Level 2 emphasizes documented policies and evidence that personnel are trained and capable of following procedures.
- Requirement semantics: Terms like “ensure” are defined to mean providing a high level of confidence (via demonstration, verification or process). Technologies must be “commonly accepted by both the security and industrial automation communities.”
- Domain models referenced:
- IEC 62264-1 Hierarchy Model (Levels) - used to reference network/application positions.
- IEC 62443-3-2 zones and conduits model - used for trust boundaries and partitioning the Automation Solution.
- Personnel and supply-chain controls: Example requirement SP.01.04 requires service providers to ensure assigned personnel (and subcontractors) are subject to security-related background checks where feasible and permitted by law.
Applications - who uses this standard
- IACS service providers (integrators, contractors, maintenance teams) - to build compliant security programs and demonstrate capability to asset owners.
- Asset owners / operators - to define procurement requirements, evaluate and contract service providers, and select Profiles appropriate to their risk tolerance.
- Industry groups / regulators - to create Profiles (TRs) tailored to sector-specific needs.
- Security assessors and auditors - to assess conformance against Annex A requirements and maturity levels.
Related standards
- IEC 62443 family (other parts addressing product development, system integration and technical controls)
- IEC 62264-1 (enterprise-control system integration / hierarchy model)
- IEC 62443-3-2 (zones and conduits guidance)
EN IEC 62443-2-4:2019/A1:2019 is essential reading for organizations managing industrial cybersecurity programs, vendor assessment, and secure service delivery in industrial environments. Keywords: IEC 62443, EN IEC 62443-2-4, IACS security, industrial automation cybersecurity, service provider security program, profiles, maturity model.
Frequently Asked Questions
EN IEC 62443-2-4:2019/A1:2019 is a amendment published by CLC. Its full title is "Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers". This standard covers: This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS. NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of IEC 62443 to prevent confusion with other uses of this term. Collectively, the security capabilities offered by an IACS service provider are referred to as its Security Program. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner. NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 2 illustrates how the integration and maintenance capabilities relate to the IACS and the control system product that is integrated into the Automation Solution. Some of these capabilities reference security measures defined in IEC 62443-3-3 that the service provider must ensure are supported in the Automation Solution (either included in the control system product or separately added to the Automation Solution).
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS. NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of IEC 62443 to prevent confusion with other uses of this term. Collectively, the security capabilities offered by an IACS service provider are referred to as its Security Program. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner. NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 2 illustrates how the integration and maintenance capabilities relate to the IACS and the control system product that is integrated into the Automation Solution. Some of these capabilities reference security measures defined in IEC 62443-3-3 that the service provider must ensure are supported in the Automation Solution (either included in the control system product or separately added to the Automation Solution).
EN IEC 62443-2-4:2019/A1:2019 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control; 35.110 - Networking. The ICS classification helps identify the subject area and facilitates finding related standards.
EN IEC 62443-2-4:2019/A1:2019 has the following relationships with other standards: It is inter standard links to EN IEC 62443-2-4:2024, EN IEC 62443-2-4:2019. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase EN IEC 62443-2-4:2019/A1:2019 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CLC standards.
Standards Content (Sample)
SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-
4:2015/A1:2017)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015/A1:2017)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS
(IEC 62443-2-4:2015/A1:2017)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019/A1:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4:2019/A1
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 35.110; 25.040.40
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017) (IEC 62443-2-4:2015/A1:2017)
This amendment A1 modifies the European Standard EN IEC 62443-2-4:2019; it was approved by CENELEC on 2019-04-03. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019/A1:2019 E
European foreword
This document (EN IEC 62443-2-4:2019/A1:2019) consists of the text of IEC 62443-2-4:2015/A1:2017
prepared by IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2015/A1:2017 was approved by CENELEC as a
European Standard without any modification.
SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-
4:2015/A1:2017)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015/A1:2017)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme (IEC
62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS
(IEC 62443-2-4:2015/A1:2017)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019/A1:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-4:2019/A1
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 35.110; 25.040.40
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017) (IEC 62443-2-4:2015/A1:2017)
This amendment A1 modifies the European Standard EN IEC 62443-2-4:2019; it was approved by CENELEC on 2019-04-03. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019/A1:2019 E
European foreword
This document (EN IEC 62443-2-4:2019/A1:2019) consists of the text of IEC 62443-2-4:2015/A1:2017
prepared by IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62443-2-4:2015/A1:2017 was approved by CENELEC as a
European Standard without any modification.
IEC 62443-2-4 ®
Edition 1.0 2017-08
INTERNATIONAL
STANDARD
colour
inside
AMENDMENT 1
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40; 35.110 ISBN 978-2-8322-4366-4
– 2 – IEC 62443-2-4:2015/AMD 1:2017
© 2017
FOREWORD
This amendment has been prepared by IEC technical committee 65: Industrial-process
measurement, control and automation.
The text of this amendment is based on the following documents:
CDV Report on voting
65/637A/CDV 65/661/RVC
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
_____________
1 Scope
Replace the first paragraph by the following new text:
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities
for IACS service providers that they can offer to the asset owner during integration and
maintenance activities of an Automation Solution. Because not all requirements apply to all
industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles
that allow for the subsetting of these requirements. Profiles are used to adapt this document
to specific environments, including environments not based on an IACS.
Delete Note 4 and renumber Note 5 to "Note 4".
3.1.14
safety instrumented system
Add the following Note 2 to entry:
Note 2 to entry: Not all industry sectors use this term. This term is not restricted to any specific industry sector,
and it is used generically to refer to systems that enforce functional safety. Other equivalent terms include safety
systems and safety related systems.
4.1.4 Profiles
Replace the existing text with the following:
This document recognizes that not all of the requirements in Annex A apply to all industry
sectors/environments. To allow subsetting and adaptation of these requirements, this
document provides for the use of “Profiles”.
IEC 62443-2-4:2015/AMD 1:2017 – 3 –
© 2017
Profiles are written as IEC Technical Reports (TRs) by industry groups/sectors or other
organizations, including asset owners and service providers, to select/adapt Annex A
requirements that are most appropriate to their specific needs.
Each TR may define one or more profiles, and each profile identifies a subset of the
requirements defined in Annex A and specifies, where necessary, how specific requirements
are to be applied in the environment where they are to be used.
It is anticipated that asset owners will select these profiles to specify the requirements that
apply to their Automation Solutions.
4.2 Maturity model
Table 1 – Maturity levels
Replace, in the fourth column, row for Level 2, the second paragraph that begins with “At this
level, the service provider has…” by the following:
At this level, the service provider has the capability to manage the delivery and performance of the service
according to written policies (including objectives). The service provider also has evidence to show that personnel
who will perform the service have the expertise, are trained, and/or are capable of following written procedures to
perform the service.
5.1 Contents
Insert the following new paragraph between the first paragraph and the note:
Not all requirements apply to all service providers, and asset owners may request service
providers to perform only a subset of the required capabilities specified in Annex A. In
addition, industry sectors, service providers, and asset owners may define their own profiles
that contain a subset of these requirements (see 4.1.4).
5.3 IEC 62264-1 hierarchy model
Replace the first paragraph with the following:
Many of the requirements in Annex A refer to network or application levels in phrases such as
“a wireless handheld device is used in Level 2”. When capitalized, “Level” in this context
refers to the position in the IEC 62264-1 Hierarchy Model. The Level of a referenced object
(e.g. wireless handheld device) is represented by the lowest Level function that it executes.
The zones and conduits model described by IEC 62443-3-2 is referenced by requirements in
Annex A that address, independent of the IEC 62264-1 Hierarchy Model Level, trust
boundaries that subdivide the Automation Solution into partitions referred to as “zones” by
IEC 62443-3-2.
5.5.3 Functional area column
Replace the first paragraph with the following:
This column provides the top level technical organization of the requirements. Table 3
provides a list of the functional areas. The functional areas in this column can be used to
provide a high level summary of the areas in which service providers claim conformance.
However, because the “Architecture” functional area is so broad, its use as a summary level is
– 4 – IEC 62443-2-4:2015/AMD 1:2017
© 2017
limited. Therefore, it is subdivided into three summary levels based on the Topic column (see
5.5.4) values for Architecture as shown below:
Summary Level Topic column
Network Security Devices – Network
Network design
Solution Hardening Devices – All
Devices – Workstations
Risk assessment,
Solution components
Data Protection Data Protection
5.5.7 Requirement description
Add “column” to the title as follows:
Requirement description column
Replace the existing text with the following:
This column contains the textual description of the requirement. It may also contain notes that
are examples provided to help in understanding the requirement.
Each requirement defines a capability required of the service provider. Whether an asset
owner requires the service provider to perform the capability is beyond the scope of this
document.
The term “ensure” is used in many requirements to mean “provide a high level of confidence”.
It is used when the service provider needs to have some means, such as a demonstration,
verification, or process, of providing this level of confidence.
The phrase “commonly accepted by both the security and industrial automation communities”
is used in these requirement descriptions in place of specific security technologies, such as
specific encryption algorithms. This phrase is used to allow evolution of more secure
technologies as a replacement for technologies whose weaknesses have been exposed.
To be compliant to these requirements, service providers will have to use technologies (e.g.
encryption) that are commonly accepted and used by the security and industrial automation
communities at the time compliance is claimed. Technologies that are no longer considered
secure, such as the Digital Encryption Standard (DES) and the Wireless Equivalent Privacy
(WEP) security algorithms, would be non-conformant.
5.5.8 Rationale
Add “column” to the title as follows:
Rationale column
IEC 62443-2-4:2015/AMD 1:2017 – 5 –
© 2017
Annex A – Security requirements
Table A.1 – Security program requirements
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/R Functional Topic Subtopic Doc Requirement description Rationale
E area ?
SP.01.04 BR Solution staffing Background Service provider No The service provider shall have the The capabilities specified by this BR and its REs are
checks capability to ensure that it assigns used to protect the Automation Solution from being
only service provider personnel to staffed with personnel whose trustworthiness may be
Automation Solution related questionable. While the background check cannot
activities who have successfully guarantee trustworthiness, it can identify personnel
passed security-related background who have had trouble with their trustworthiness.
checks, where feasible, and to the
Having this capability means that the service provider
extent allowed by applicable law.
has an identifiable process for verifying the integrity of
the service provider personnel it will assign to work on
the Automation Solution. This requirement also
recognizes that the ability to perform background
checks is not always possible because of applicable
laws or because of lack of support by local authorities
and/or service organizations. For example, there may
be countries that do not prohibit background checks,
but that provide no support for conducting a
background check, making it infeasible or impractical
for the service provider to perform such a check.
How and how often background checks are performed
are left to the service provider. Examples of
background checks include identity verification and
criminal record checks.
– 6 – IEC 62443-2-4:2015/AMD 1:2017
© 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.01.04 RE(1) Solution Background Subcontractor No The service provider shall have the Having this capability means that the service provider
staffing checks capability to ensure that it assigns has an identifiable process for verifying the integrity of
only subcontractors, consultants, the subcontractors, consultants, and representatives of
and representatives to the service provider who will be assigned to work on
Automation Solution related activities the Automation Solution. This requirement also
who have successfully passed recognizes that the ability to perform background
security-related background checks, checks is not always possible because of applicable
where feasible, and to the extent laws or because of lack of support by local authorities
allowed by applicable law. and/or service organizations. For example, there may
be countries that do not prohibit background checks,
but that provide no support for conducting a
background check, making it infeasible or impractical
for the service provider to perform such a check.
How and how often background checks are performed
are left to the service provider. Examples of
background checks include identity verification and
criminal record checks.
See ISO/IEC 27036-3 for additional supply chain
organizational requirements.
IEC 62443-2-4:2015/AMD 1:2017 – 7 –
© 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.01.06 BR Solution Personnel Security lead No The service provider shall have The capability specified by this BR is used to reduce
staffing assignments documented minimum IACS cyber- errors in security decision making and implementation.
security qualifications for security Making poor choices or lacking the ability to properly
lead positions and the capability to implement security can unnecessarily expose the
assign security leads to Automation Solution to security threats and/or
Automation Solutions who meet compromises.
these qualifications.
Having this capability means that the service provider
has documented the qualifications
(expertise/competencies) that it requires of personnel
who lead cyber-security related activities and has an
identifiable process for staffing each
Automation Solution with personnel who have this
expertise. Expertise may include IACS cyber-security
experience, training and certifications, and in general,
the service provider and asset owner will typically
come to agreement on the cyber-security qualifications
for personnel before staffing begins. The phrase "meet
these qualifications" is used to indicate that the
security leads assigned to the Automation Solution
have relevant experiences that confirm their
compliance with these qualifications.
– 8 – IEC 62443-2-4:2015/AMD 1:2017
© 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.03.02 RE(2) Architecture Network design Connectivity No The service provider shall have the Having this capability means that the service provider
capability to ensure that interfaces of has an identifiable process for protecting the
the Automation Solution that have been Automation Solution from external access and for
identified as untrusted are protected by controlling access between Level 2 and Level 3 (e.g.
network security devices or equivalent through the use of firewalls/firewall rules).
mechanisms, with documented and
Within the Automation Solution, having this capability
maintained se
...
記事のタイトル: EN IEC 62443-2-4:2019/A1:2019 - 工業用自動化および制御システムのセキュリティ - 第2-4部: IACSサービスプロバイダーのセキュリティプログラム要件 記事の内容: このIEC 62443の一部は、IACSサービスプロバイダーが自動化ソリューションの統合およびメンテナンス活動中に資産所有者に提供できる包括的なセキュリティ能力の要件を指定しています。すべての要件がすべての業界グループや組織に適用されないため、4.1.4節では、これらの要件を部分化するためのプロファイルの開発が提供されています。プロファイルは、IACSに基づかない環境を含む特定の環境にこのドキュメントを適応させるために使用されます。 注1: "自動化ソリューション"という用語は、他の用途との混同を防ぐため、このIEC 62443の一部では固有名詞として使用されています。 IACSサービスプロバイダーが提供するセキュリティ能力はセキュリティプログラムとして総称されます。関連する仕様であるIEC 62443-2-1では、資産所有者のセキュリティ管理システムの要件が説明されています。 注2: 一般的に、これらのセキュリティ能力はポリシー、手順、実践、人員に関連しています。 図2は、統合およびメンテナンスの能力がIACSおよび自動化ソリューションに統合される制御システム製品との関連を示しています。これらの能力の一部は、サービスプロバイダーが自動化ソリューションでサポートされていることを確認しなければならないIEC 62443-3-3で定義されたセキュリティ対策を参照します(制御システム製品に含まれているか、自動化ソリューションに別途追加されている)。
The article discusses the EN IEC 62443-2-4:2019/A1:2019 standard, which specifies security requirements for Industrial Automation and Control Systems (IACS) service providers. These requirements are meant to ensure that the service providers can offer comprehensive security capabilities during integration and maintenance activities of an Automation Solution. The article also mentions the use of Profiles to customize the requirements based on specific industry groups or organizations. The security capabilities offered by an IACS service provider are collectively referred to as its Security Program. The article also references another specification, IEC 62443-2-1, which describes requirements for the Security Management System of the asset owner. Additionally, the article mentions that some of the integration and maintenance capabilities mentioned in the standard reference security measures defined in IEC 62443-3-3, which the service provider must ensure are supported in the Automation Solution.
기사 제목: EN IEC 62443-2-4:2019/A1:2019 - 산업용 자동화 및 제어 시스템의 보안 - 제2-4부: IACS 서비스 제공자를 위한 보안 프로그램 요구 사항 기사 내용: 이 IEC 62443의 일부는 IACS 서비스 제공자가 자동화 솔루션의 통합 및 유지 보수 활동 중 자산 소유자에게 제공할 수 있는 보안 역량의 포괄적인 요구 사항을 명시합니다. 모든 요구 사항이 모든 산업군과 조직에 적용되지 않기 때문에 부속서 4.1.4는 이러한 요구 사항을 하위집합화 할 수 있는 프로파일의 개발을 제공합니다. 프로파일은 IACS를 기반으로하지 않는 환경을 포함하여이 문서를 특정 환경에 맞게 조정하는 데 사용됩니다. 비고 1: "자동화 솔루션"이라는 용어는이 IEC 62443의 이 부분에서 일반명사로 사용되어 혼돈을 방지하기 위해 대문자로 작성됩니다. IACS 서비스 제공자가 제공하는 보안 역량은 보안 프로그램이라고 합니다. 관련된 명세인 IEC 62443-2-1에서는 자산 소유자의 보안 관리 시스템에 대한 요구 사항을 설명합니다. 비고 2: 일반적으로 이러한 보안 역량은 정책, 절차, 실천 및 인적 요소와 관련이 있습니다. 그림 2는 통합 및 유지 보수 기능이 IACS와 자동화 솔루션에 통합된 제어 시스템 제품과 어떻게 관련되는지 보여줍니다. 이러한 기능 중 일부는 서비스 제공자가 자동화 솔루션에서 지원해야 할 IEC 62443-3-3에서 정의된 보안 조치를 참조합니다(제어 시스템 제품에 포함되거나 자동화 솔루션에 별도로 추가됩니다).
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.
Loading comments...