Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities
for IACS service providers that they can offer to the asset owner during integration and
maintenance activities of an Automation Solution. Because not all requirements apply to all
industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles
that allow for the subsetting of these requirements. Profiles are used to adapt this document
to specific environments, including environments not based on an IACS.
NOTE 1 The term “Automation Solution” is used as a proper noun (and therefore capitalized) in this part of
IEC 62443 to prevent confusion with other uses of this term.
Collectively, the security capabilities offered by an IACS service provider are referred to as its
Security Program. In a related specification, IEC 62443-2-1 describes requirements for the
Security Management System of the asset owner.
NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related.
Figure 2 illustrates how the integration and maintenance capabilities relate to the IACS and
the control system product that is integrated into the Automation Solution. Some of these
capabilities reference security measures defined in IEC 62443-3-3 that the service provider
must ensure are supported in the Automation Solution (either included in the control system
product or separately added to the Automation Solution).

IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme

Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de service IACS

Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-4:2015/A1:2017)

Ta del standarda IEC 62443 določa izčrpen sklop zahtev za zmogljivosti zaščite
za ponudnike storitev IACS, ki jih lahko ponudijo lastniku dobrine med integracijo in
vzdrževanjem Rešitve avtomatizacije. Ker vse zahteve ne veljajo za vse
industrijske skupine in organizacije, podtočka 4.1.4 zagotavlja razvoj profilov, ki
omogočajo podnabor teh zahtev. Profili se uporabljajo za prilagoditev tega dokumenta
posebnim okoljem, vključno z okolji, ki ne temeljijo na skupnosti IACS.
OPOMBA 1: Izraz »Rešitev avtomatizacije« se v tem delu standarda IEC 62443 uporablja kot lastno ime (in je zato zapisan z veliko začetnico), da ga ni mogoče zamenjati z drugimi uporabami tega izraza.
Skupaj se zmogljivosti zaščite, ki jih ponuja ponudnik storitev IACS, imenujejo njegov
program varnosti zaščite. V povezani specifikaciji standard IEC 62443-2-1 opisuje zahteve za
sistem vodenja zaščite lastnika dobrine.
OPOMBA 2: Na splošno so te zmogljivosti zaščite povezane s politiko, postopki, prakso in osebjem.
Na sliki 2 je prikazano, kako so zmogljivosti integracije in vzdrževanja povezane s skupnostjo IACS in
izdelkom nadzornega sistema, ki je integriran v Rešitev avtomatizacije. Nekatere od teh
zmogljivosti se navezujejo na ukrepe za zaščito iz standarda IEC 62443-3-3, za katere mora ponudnik storitev
zagotoviti, da jih Rešitev avtomatizacije podpira (so vključeni v izdelku nadzornega
sistema ali pa so v Rešitev avtomatizacije dodani posebej).

General Information

Status
Published
Publication Date
18-Apr-2019
Withdrawal Date
02-Apr-2022
Current Stage
6060 - Document made available - Publishing
Start Date
19-Apr-2019
Due Date
08-Nov-2020
Completion Date
19-Apr-2019

Relations

Buy Standard

Amendment
EN IEC 62443-2-4:2019/A1:2019
English language
25 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-
4:2015/A1:2017)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015/A1:2017)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS
(IEC 62443-2-4:2015/A1:2017)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019/A1:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62443-2-4:2019/A1

NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 35.110; 25.040.40
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017) (IEC 62443-2-4:2015/A1:2017)
This amendment A1 modifies the European Standard EN IEC 62443-2-4:2019; it was approved by CENELEC on 2019-04-03. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019/A1:2019 E

European foreword
This document (EN IEC 62443-2-4:2019/A1:2019) consists of the text of IEC 62443-2-4:2015/A1:2017
prepared by IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62443-2-4:2015/A1:2017 was approved by CENELEC as a
European Standard without any modification.

SLOVENSKI STANDARD
01-november-2019
Zaščita industrijske avtomatizacije in nadzornih sistemov - 2-4. del: Zahteve za
program zaščite za ponudnike storitev IACS - Dopolnilo A1 (IEC 62443-2-
4:2015/A1:2017)
Security for industrial automation and control systems - Part 2-4: Security program
requirements for IACS service providers (IEC 62443-2-4:2015/A1:2017)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-4: Anforderungen an das
IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme (IEC
62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de commande - Partie 2-4:
Exigences de programme de sécurité pour les fournisseurs de service IACS
(IEC 62443-2-4:2015/A1:2017)
Ta slovenski standard je istoveten z: EN IEC 62443-2-4:2019/A1:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62443-2-4:2019/A1

NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 35.110; 25.040.40
English Version
Security for industrial automation and control systems - Part 2-4:
Security program requirements for IACS service providers
(IEC 62443-2-4:2015/A1:2017)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 2-4: Exigences de programme de 2-4: Anforderungen an das IT-Sicherheitsprogramm von
sécurité pour les fournisseurs de service IACS Dienstleistern für industrielle Automatisierungssysteme
(IEC 62443-2-4:2015/A1:2017) (IEC 62443-2-4:2015/A1:2017)
This amendment A1 modifies the European Standard EN IEC 62443-2-4:2019; it was approved by CENELEC on 2019-04-03. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-4:2019/A1:2019 E

European foreword
This document (EN IEC 62443-2-4:2019/A1:2019) consists of the text of IEC 62443-2-4:2015/A1:2017
prepared by IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62443-2-4:2015/A1:2017 was approved by CENELEC as a
European Standard without any modification.

IEC 62443-2-4 ®
Edition 1.0 2017-08
INTERNATIONAL
STANDARD
colour
inside
AMENDMENT 1
Security for industrial automation and control systems –

Part 2-4: Security program requirements for IACS service providers

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40; 35.110 ISBN 978-2-8322-4366-4

– 2 – IEC 62443-2-4:2015/AMD 1:2017
© 2017
FOREWORD
This amendment has been prepared by IEC technical committee 65: Industrial-process
measurement, control and automation.
The text of this amendment is based on the following documents:
CDV Report on voting
65/637A/CDV 65/661/RVC
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
_____________
1 Scope
Replace the first paragraph by the following new text:
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities
for IACS service providers that they can offer to the asset owner during integration and
maintenance activities of an Automation Solution. Because not all requirements apply to all
industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles
that allow for the subsetting of these requirements. Profiles are used to adapt this document
to specific environments, including environments not based on an IACS.
Delete Note 4 and renumber Note 5 to "Note 4".

3.1.14
safety instrumented system
Add the following Note 2 to entry:
Note 2 to entry: Not all industry sectors use this term. This term is not restricted to any specific industry sector,
and it is used generically to refer to systems that enforce functional safety. Other equivalent terms include safety
systems and safety related systems.

4.1.4 Profiles
Replace the existing text with the following:
This document recognizes that not all of the requirements in Annex A apply to all industry
sectors/environments. To allow subsetting and adaptation of these requirements, this
document provides for the use of “Profiles”.

IEC 62443-2-4:2015/AMD 1:2017 – 3 –
© 2017
Profiles are written as IEC Technical Reports (TRs) by industry groups/sectors or other
organizations, including asset owners and service providers, to select/adapt Annex A
requirements that are most appropriate to their specific needs.
Each TR may define one or more profiles, and each profile identifies a subset of the
requirements defined in Annex A and specifies, where necessary, how specific requirements
are to be applied in the environment where they are to be used.
It is anticipated that asset owners will select these profiles to specify the requirements that
apply to their Automation Solutions.

4.2 Maturity model
Table 1 – Maturity levels
Replace, in the fourth column, row for Level 2, the second paragraph that begins with “At this
level, the service provider has…” by the following:
At this level, the service provider has the capability to manage the delivery and performance of the service
according to written policies (including objectives). The service provider also has evidence to show that personnel
who will perform the service have the expertise, are trained, and/or are capable of following written procedures to
perform the service.
5.1 Contents
Insert the following new paragraph between the first paragraph and the note:
Not all requirements apply to all service providers, and asset owners may request service
providers to perform only a subset of the required capabilities specified in Annex A. In
addition, industry sectors, service providers, and asset owners may define their own profiles
that contain a subset of these requirements (see 4.1.4).

5.3 IEC 62264-1 hierarchy model
Replace the first paragraph with the following:
Many of the requirements in Annex A refer to network or application levels in phrases such as
“a wireless handheld device is used in Level 2”. When capitalized, “Level” in this context
refers to the position in the IEC 62264-1 Hierarchy Model. The Level of a referenced object
(e.g. wireless handheld device) is represented by the lowest Level function that it executes.
The zones and conduits model described by IEC 62443-3-2 is referenced by requirements in
Annex A that address, independent of the IEC 62264-1 Hierarchy Model Level, trust
boundaries that subdivide the Automation Solution into partitions referred to as “zones” by
IEC 62443-3-2.
5.5.3 Functional area column
Replace the first paragraph with the following:
This column provi
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.