Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA). These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope.

Industrielle Kommunikationsnetze - IT-Sicherheit für industrielle Automatisierungssysteme - Teil 4-2: Technische Sicherheitsanforderungen an Komponenten industrieller Automatisierungssysteme (IACS)

Sécurité des systèmes d’automatisation et de commande industrielles - Partie 4-2: Exigences de sécurité technique des composants IACS

IEC 62443-4-2:2019 indique les exigences relatives au composant (CR) d'un système de commande technique ainsi que les sept exigences fondamentales (FR) décrites dans l'IEC TS 62443-1-1, y compris la définition des exigences relatives aux niveaux de sécurité de capacité des systèmes de commande et à leurs composants, SL-C(composant). Comme l'indique l'IEC TS 62443-1-1, il existe en tout sept exigences fondamentales (FR): a) contrôle d'identification et d'authentification (IAC), b) contrôle d'utilisation (UC), c) intégrité du système (SI), d) confidentialité des données (DC), e) transfert de données limité (RDF), f) réponse appropriée aux événements (TRE), et g) disponibilité des ressources (RA). Ces sept exigences fondamentales sont à la base de la définition des niveaux de capacité de sécurité des systèmes de commande. Le présent document a pour objet de définir les niveaux de capacité de sécurité du composant du système de commande, par opposition au SL-T ou aux niveaux de sécurité atteints (SL-A), qui n'entrent pas dans le domaine d'application.

Zaščita za sisteme industrijske avtomatizacije in nadzornih sistemov - 4-2. del: Zahteve za tehnično varnost zaščito za IACS komponente (IEC 62443-4-2:2019)

Ta dokument podaja podrobne tehnične zahteve za komponente nadzornega sistema (CR), ki so povezane s sedmimi temeljnimi zahtevami (FR), opisanimi v standardu IEC TS 62443-1-1, vključno z določanjem zahtev za nivoje varnosti zmogljivosti nadzornega sistema in njegove komponente, SL-C (komponenta). Kot je opredeljeno v standardu IEC TS 62443-1-1, obstaja sedem temeljnih zahtev (FR): a) nadzor identifikacije in preverjanja pristnosti (IAC), b) nadzor uporabe (UC), c) celovitost sistema (SI), d) zaupnost podatkov (DC), e) omejen pretok podatkov (RDF), f) pravočasen odziv na dogodke (TRE) in g) razpoložljivost virov (RA). Teh sedem temeljnih zahtev so temelj za opredelitev nivojev varnosti zmogljivosti nadzornega sistema. Opredelitev nivojev zmogljivosti zaščite za komponento nadzornega sistema je cilj tega dokumenta v nasprotju s ciljnimi nivoji varnosti ali doseženimi nivoji varnosti (SL-A), ki niso zajeti.

General Information

Status
Published
Publication Date
11-Apr-2019
Technical Committee
Drafting Committee
Current Stage
6060 - Document made available
Due Date
12-Apr-2019
Completion Date
12-Apr-2019

Buy Standard

Standard
EN IEC 62443-4-2:2019 - BARVE na PDF-str 22
English language
97 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN IEC 62443-4-2:2019
01-november-2019
Zaščita za sisteme industrijske avtomatizacije in nadzornih sistemov - 4-2. del:
Zahteve za tehnično varnost zaščito za IACS komponente (IEC 62443-4-2:2019)

Security for industrial automation and control systems - Part 4-2: Technical security

requirements for IACS components (IEC 62443-4-2:2019)
Industrielle Kommunikationsnetze – IT-Sicherheit für industrielle
Automatisierungssysteme – Teil 4-2: Anforderungen an Komponenten industrieller
Automatisierungssysteme (IEC 62443-4-2:2019)

Sécurité des systèmes d’automatisation et de commande industrielles - Partie 4-2:

Exigences de sécurité technique des composants IACS (IEC 62443-4-2:2019)
Ta slovenski standard je istoveten z: EN IEC 62443-4-2:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
SIST EN IEC 62443-4-2:2019 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN IEC 62443-4-2:2019
---------------------- Page: 2 ----------------------
SIST EN IEC 62443-4-2:2019
EUROPEAN STANDARD EN IEC 62443-4-2
NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.030
English Version
Security for industrial automation and control systems - Part 4-2:
Technical security requirements for IACS components
(IEC 62443-4-2:2019)

Industrielle Kommunikationsnetze – IT-Sicherheit für Sécurité des systèmes d'automatisation et de commande

industrielle Automatisierungssysteme – Teil 4-2: industrielles - Partie 4-2: Exigences de sécurité technique

Anforderungen an Komponenten industrieller des composants IACS
Automatisierungssysteme (IEC 62443-4-2:2019)
(IEC 62443-4-2:2019)

This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC

Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC

Management Centre or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation

under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the

same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,

Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,

Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,

Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. EN IEC 62443-4-2:2019 E
---------------------- Page: 3 ----------------------
SIST EN IEC 62443-4-2:2019
EN IEC 62443-4-2:2019 (E)
European foreword

The text of document 65/735/FDIS, future edition 1 of IEC 62443-4-2, prepared by IEC/TC 65

"Industrial-process measurement, control and automation" was submitted to the IEC-CENELEC

parallel vote and approved by CENELEC as EN IEC 62443-4-2:2019.
The following dates are fixed:

• latest date by which the document has to be implemented at national (dop) 2020-01-03

level by publication of an identical national standard or by endorsement

• latest date by which the national standards conflicting with the (dow) 2022-04-03

document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice

The text of the International Standard IEC 62443-4-2:2019 was approved by CENELEC as a

European Standard without any modification.

In the official version, for Bibliography, the following notes have to be added for the standards

indicated:
ISO/IEC 27002:2013 NOTE Harmonized as EN ISO/IEC 27002:2017 (not modified)
IEC 62264-1 NOTE Harmonized as EN 62264-1
IEC 62443-3-2 NOTE Harmonized as EN 62443-3-2
Under preparation. Stage at time of publication: prEN 62443-3-2:2018.
---------------------- Page: 4 ----------------------
SIST EN IEC 62443-4-2:2019
EN IEC 62443-4-2:2019 (E)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments)

applies.

NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant

EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:

www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62443-1-1 - Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-3-3 2013 Industrial communication networks - - -
Network and system security - Part 3-3:
System security requirements and security
levels
Security for industrial automation and
IEC 62443-4-1 - EN IEC 62443-4-1 -
control systems – Part 4-1: Secure product
development lifecycle requirements
---------------------- Page: 5 ----------------------
SIST EN IEC 62443-4-2:2019
---------------------- Page: 6 ----------------------
SIST EN IEC 62443-4-2:2019
IEC 62443-4-2
Edition 1.0 2019-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –
Part 4-2: Technical security requirements for IACS components
Sécurité des systèmes d’automatisation et de commande industrielles –
Partie 4-2: Exigences de sécurité technique des composants IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.030 ISBN 978-2-8322-6597-0

Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale
---------------------- Page: 7 ----------------------
SIST EN IEC 62443-4-2:2019
– 2 – IEC 62443-4-2:2019  IEC 2019
CONTENTS

FOREWORD ......................................................................................................................... 12

INTRODUCTION ................................................................................................................... 14

1 Scope ............................................................................................................................ 17

2 Normative references .................................................................................................... 17

3 Terms, definitions, abbreviated terms, acronyms, and conventions ................................ 18

3.1 Terms and definitions ............................................................................................ 18

3.2 Abbreviated terms and acronyms .......................................................................... 24

3.3 Conventions .......................................................................................................... 26

4 Common component security constraints ....................................................................... 27

4.1 Overview............................................................................................................... 27

4.2 CCSC 1: Support of essential functions ................................................................ 27

4.3 CCSC 2: Compensating countermeasures ............................................................ 27

4.4 CCSC 3: Least privilege ........................................................................................ 27

4.5 CCSC 4: Software development process ............................................................... 27

5 FR 1 – Identification and authentication control ............................................................. 27

5.1 Purpose and SL-C(IAC) descriptions ..................................................................... 27

5.2 Rationale .............................................................................................................. 28

5.3 CR 1.1 – Human user identification and authentication ......................................... 28

5.3.1 Requirement .................................................................................................. 28

5.3.2 Rationale and supplemental guidance............................................................ 28

5.3.3 Requirement enhancements .......................................................................... 28

5.3.4 Security levels ............................................................................................... 29

5.4 CR 1.2 – Software process and device identification and authentication ............... 29

5.4.1 Requirement .................................................................................................. 29

5.4.2 Rationale and supplemental guidance............................................................ 29

5.4.3 Requirement enhancements .......................................................................... 29

5.4.4 Security levels ............................................................................................... 30

5.5 CR 1.3 – Account management ............................................................................. 30

5.5.1 Requirement .................................................................................................. 30

5.5.2 Rationale and supplemental guidance............................................................ 30

5.5.3 Requirement enhancements .......................................................................... 30

5.5.4 Security levels ............................................................................................... 30

5.6 CR 1.4 – Identifier management ............................................................................ 30

5.6.1 Requirement .................................................................................................. 30

5.6.2 Rationale and supplemental guidance............................................................ 30

5.6.3 Requirement enhancements .......................................................................... 31

5.6.4 Security levels ............................................................................................... 31

5.7 CR 1.5 – Authenticator management ..................................................................... 31

5.7.1 Requirement .................................................................................................. 31

5.7.2 Rationale and supplemental guidance............................................................ 31

5.7.3 Requirement enhancements .......................................................................... 32

5.7.4 Security levels ............................................................................................... 32

5.8 CR 1.6 – Wireless access management ................................................................ 32

---------------------- Page: 8 ----------------------
SIST EN IEC 62443-4-2:2019
IEC 62443-4-2:2019  IEC 2019 – 3 –

5.9 CR 1.7 – Strength of password-based authentication ............................................ 32

5.9.1 Requirement .................................................................................................. 32

5.9.2 Rationale and supplemental guidance............................................................ 32

5.9.3 Requirement enhancements .......................................................................... 32

5.9.4 Security levels ............................................................................................... 33

5.10 CR 1.8 – Public key infrastructure certificates ....................................................... 33

5.10.1 Requirement .................................................................................................. 33

5.10.2 Rationale and supplemental guidance............................................................ 33

5.10.3 Requirement enhancements .......................................................................... 33

5.10.4 Security levels ............................................................................................... 33

5.11 CR 1.9 – Strength of public key-based authentication ........................................... 34

5.11.1 Requirement .................................................................................................. 34

5.11.2 Rationale and supplemental guidance............................................................ 34

5.11.3 Requirement enhancements .......................................................................... 35

5.11.4 Security levels ............................................................................................... 35

5.12 CR 1.10 – Authenticator feedback ......................................................................... 35

5.12.1 Requirement .................................................................................................. 35

5.12.2 Rationale and supplemental guidance............................................................ 35

5.12.3 Requirement enhancements .......................................................................... 35

5.12.4 Security levels ............................................................................................... 35

5.13 CR 1.11 – Unsuccessful login attempts ................................................................. 35

5.13.1 Requirement .................................................................................................. 35

5.13.2 Rationale and supplemental guidance............................................................ 36

5.13.3 Requirement enhancements .......................................................................... 36

5.13.4 Security levels ............................................................................................... 36

5.14 CR 1.12 – System use notification ........................................................................ 36

5.14.1 Requirement .................................................................................................. 36

5.14.2 Rationale and supplemental guidance............................................................ 36

5.14.3 Requirement enhancements .......................................................................... 36

5.14.4 Security levels ............................................................................................... 37

5.15 CR 1.13 – Access via untrusted networks ............................................................. 37

5.16 CR 1.14 – Strength of symmetric key-based authentication ................................... 37

5.16.1 Requirement .................................................................................................. 37

5.16.2 Rationale and supplemental guidance............................................................ 37

5.16.3 Requirement enhancements .......................................................................... 37

5.16.4 Security levels ............................................................................................... 38

6 FR 2 – Use control......................................................................................................... 38

6.1 Purpose and SL-C(UC) descriptions ...................................................................... 38

6.2 Rationale .............................................................................................................. 38

6.3 CR 2.1 – Authorization enforcement ...................................................................... 38

6.3.1 Requirement .................................................................................................. 38

6.3.2 Rationale and supplemental guidance............................................................ 38

6.3.3 Requirement enhancements .......................................................................... 39

6.3.4 Security levels ............................................................................................... 39

6.4 CR 2.2 – Wireless use control ............................................................................... 40

6.4.1 Requirement .................................................................................................. 40

6.4.2 Rationale and supplemental guidance............................................................ 40

6.4.3 Requirement enhancements .......................................................................... 40

6.4.4 Security levels ............................................................................................... 40

---------------------- Page: 9 ----------------------
SIST EN IEC 62443-4-2:2019
– 4 – IEC 62443-4-2:2019  IEC 2019

6.5 CR 2.3 – Use control for portable and mobile devices ........................................... 40

6.6 CR 2.4 – Mobile code............................................................................................ 40

6.7 CR 2.5 – Session lock ........................................................................................... 40

6.7.1 Requirement .................................................................................................. 40

6.7.2 Rationale and supplemental guidance............................................................ 41

6.7.3 Requirement enhancements .......................................................................... 41

6.7.4 Security levels ............................................................................................... 41

6.8 CR 2.6 – Remote session termination ................................................................... 41

6.8.1 Requirement .................................................................................................. 41

6.8.2 Rationale and supplemental guidance............................................................ 41

6.8.3 Requirement enhancements .......................................................................... 41

6.8.4 Security levels ............................................................................................... 41

6.9 CR 2.7 – Concurrent session control ..................................................................... 41

6.9.1 Requirement .................................................................................................. 41

6.9.2 Rationale and supplemental guidance............................................................ 42

6.9.3 Requirement enhancements .......................................................................... 42

6.9.4 Security levels ............................................................................................... 42

6.10 CR 2.8 – Auditable events .................................................................................... 42

6.10.1 Requirement .................................................................................................. 42

6.10.2 Rationale and supplemental guidance............................................................ 42

6.10.3 Requirement enhancements .......................................................................... 42

6.10.4 Security levels ............................................................................................... 43

6.11 CR 2.9 – Audit storage capacity ............................................................................ 43

6.11.1 Requirement .................................................................................................. 43

6.11.2 Rationale and supplemental guidance............................................................ 43

6.11.3 Requirement enhancements .......................................................................... 43

6.11.4 Security levels ............................................................................................... 43

6.12 CR 2.10 – Response to audit processing failures .................................................. 43

6.12.1 Requirement .................................................................................................. 43

6.12.2 Rationale and supplemental guidance............................................................ 44

6.12.3 Requirement enhancements .......................................................................... 44

6.12.4 Security levels ............................................................................................... 44

6.13 CR 2.11 – Timestamps .......................................................................................... 44

6.13.1 Requirement .................................................................................................. 44

6.13.2 Rationale and supplemental guidance............................................................ 44

6.13.3 Requirement enhancements .......................................................................... 44

6.13.4 Security levels ............................................................................................... 44

6.14 CR 2.12 – Non-repudiation .................................................................................... 45

6.14.1 Requirement .................................................................................................. 45

6.14.2 Rationale and supplemental guidance............................................................ 45

6.14.3 Requirement enhancements .......................................................................... 45

6.14.4 Security levels ............................................................................................... 45

6.15 CR 2.13 – Use of physical diagnostic and test interfaces ...................................... 45

7 FR 3 – System integrity ................................................................................................. 45

7.1 Purpose and SL-C(SI) descriptions ....................................................................... 45

7.2 Rationale .............................................................................................................. 46

---------------------- Page: 10 ----------------------
SIST EN IEC 62443-4-2:2019
IEC 62443-4-2:2019  IEC 2019 – 5 –

7.3 CR 3.1 – Communication integrity ......................................................................... 46

7.3.1 Requirement .................................................................................................. 46

7.3.2 Rationale and supplemental guidance............................................................ 46

7.3.3 Requirement enhancements .......................................................................... 47

7.3.4 Security levels ............................................................................................... 47

7.4 CR 3.2 – Protection from malicious code ............................................................... 47

7.5 CR 3.3 – Security functionality verification ............................................................ 47

7.5.1 Requirement .................................................................................................. 47

7.5.2 Rationale and supplemental guidance............................................................ 47

7.5.3 Requirement enhancements .......................................................................... 47

7.5.4 Security levels ............................................................................................... 48

7.6 CR 3.4 – Software and information integrity .......................................................... 48

7.6.1 Requirement .................................................................................................. 48

7.6.2 Rationale and supplemental guidance............................................................ 48

7.6.3 Requirement enhancements .......................................................................... 48

7.6.4 Security levels ............................................................................................... 48

7.7 CR 3.5 – Input validation ....................................................................................... 48

7.7.1 Requirement .................................................................................................. 48

7.7.2 Rationale and supplemental guidance............................................................ 49

7.7.3 Requirement enhancements .......................................................................... 49

7.7.4 Security levels ............................................................................................... 49

7.8 CR 3.6 – Deterministic output ............................................................................... 49

7.8.1 Requirement .................................................................................................. 49

7.8.2 Rationale and supplemental guidance............................................................ 49

7.8.3 Requirement enhancements .......................................................................... 49

7.8.4 Security levels ............................................................................................... 50

7.9 CR 3.7 – Error handling ........................................................................................ 50

7.9.1 Requirement .................................................................................................. 50

7.9.2 Rationale and supplemental guidance............................................................ 50

7.9.3 Requirement enhancements .......................................................................... 50

7.9.4 Security levels ............................................................................................... 50

7.10 CR 3.8 – Session integrity..................................................................................... 50

7.10.1 Requirement .................................................................................................. 50

7.10.2 Rationale and supplemental guidance............................................................ 51

7.10.3 Requirement enhancements .......................................................................... 51

7.10.4 Security levels ............................................................................................... 51

7.11 CR 3.9 – Protection of audit information ................................................................ 51

7.11.1 Requirement .................................................................................................. 51

7.11.2 Rationale and supplemental guidance............................................................ 51

7.11.3 Requirement enhancements .......................................................................... 51

7.11.4 Security levels ............................................................................................... 51

7.12 CR 3.10 – Support for updates .............................................................................. 52

7.13 CR 3.11 – Physical tamper resistance and detection ............................................. 52

7.14 CR 3.12 – Provisioning product supplier roots of trust ........................................... 52

7.15 CR 3.13 – Provisioning asset owner roots of trust ................................................. 52

7.16 CR 3.14 – Integrity of the boot process ................................................................. 52

8 FR 4 – Data confidentiality............................................................................................. 52

8.1 Purpose and SL-C(DC) descriptions ...................................................................... 52

8.2 Rationale .............................................................................................................. 52

---------------------- Page: 11 ----------------------
SIST EN IEC 62443-4-2:2019
– 6 – IEC 62443-4-2:2019  IEC 2019

8.3 CR 4.1 – Information confidentiality ...................................................................... 52

8.3.1 Requirement .................................................................................................. 52

8.3.2 Rationale and supplemental guidance............................................................ 53

8.3.3 Requirement enhancements ................
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.