CLC IEC/TS 62443-1-5:2024

SLOVENSKI STANDARD
01-september-2024
Zaščita industrijske avtomatizacije in nadzornih sistemov - 1-5. del: Shema za IEC
62443 zaščitne profile (IEC/TS 62443-1-5:2023)
Security for industrial automation and control systems - Part 1-5: Scheme for IEC 62443
security profiles (IEC/TS 62443-1-5:2023)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 1-5: Schema für IEC 62443
IT-Sicherheitsprofile (IEC/TS 62443-1-5:2023)
Sécurité des automatismes industriels et des systèmes de commande - Partie 1-5:
Schéma pour les profils de sécurité IEC 62443 (IEC/TS 62443-1-5:2023)
Ta slovenski standard je istoveten z: CLC IEC/TS 62443-1-5:2024
ICS:
25.040.40 Merjenje in krmiljenje Industrial process
industrijskih postopkov measurement and control
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION CLC IEC/TS 62443-1-5

SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION June 2024
ICS 25.040.40
English Version
Security for industrial automation and control systems - Part 1-5:
Scheme for IEC 62443 security profiles
(IEC/TS 62443-1-5:2023)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 1-5: Schéma pour les profils de sécurité 1-5: Schema für IEC 62443 IT-Sicherheitsprofile
IEC 62443 (IEC/TS 62443-1-5:2023)
(IEC/TS 62443-1-5:2023)
This Technical Specification was approved by CENELEC on 2024-06-10.

CENELEC members are required to announce the existence of this TS in the same way as for an EN and to make the TS available promptly
at national level in an appropriate form. It is permissible to keep conflicting national standards in force.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TS 62443-1-5:2024 E

European foreword
This document (CLC IEC/TS 62443-1-5:2024) consists of the text of IEC/TS 62443-1-5:2023 prepared
by IEC/TC 65 "Industrial-process measurement, control and automation".
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Technical Specification IEC/TS 62443-1-5:2023 was approved by
CENELEC as a European Technical Specification without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 62443-2-4:2015 NOTE Approved as EN IEC 62443-2-4:2019 (not modified)
IEC 62443-3-2:2020 NOTE Approved as EN IEC 62443-3-2:2020 (not modified)
IEC 62443-3-3:2013 NOTE Approved as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1:2018 NOTE Approved as EN IEC 62443-4-1:2018 (not modified)
IEC 62443-4-2:2019 NOTE Approved as EN IEC 62443-4-2:2019 (not modified)
ISO/IEC 15408 (series) NOTE Approved as EN ISO/IEC 15408 (series)

IEC TS 62443-1-5 ®
Edition 1.0 2023-09
TECHNICAL
SPECIFICATION
Security for industrial automation and control systems –

Part 1-5: Scheme for IEC 62443 security profiles

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40  ISBN 978-2-8322-7499-6

– 2 – IEC TS 62443-1-5:2023 © IEC 2023
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, abbreviated terms, and acronyms . 7
3.1 Terms and definitions. 7
3.2 Abbreviated terms and acronyms . 9
4 Security profile . 9
5 Security profile requirements . 10
5.1 General . 10
5.2 PR.01: Security profile content . 11
5.2.1 Requirement . 11
5.2.2 Rationale and supplemental guidance . 11
5.3 PR.02: Selection . 11
5.3.1 Requirement . 11
5.3.2 Rationale and supplemental guidance . 11
5.4 PR.03: Contextual mapping . 11
5.4.1 Requirement . 11
5.4.2 Rationale and supplemental guidance . 12
5.5 PR.04: No new requirements . 12
5.5.1 Requirement . 12
5.5.2 Rationale and supplemental guidance . 12
5.6 PR.05: No modification of IEC 62443 requirements . 12
5.6.1 Requirement . 12
5.6.2 Rationale and supplemental guidance . 12
5.7 PR.06: Maturity level . 12
5.7.1 Requirement . 12
5.7.2 Rationale and supplemental guidance . 13
5.8 PR.07: Security level . 13
5.8.1 Requirement . 13
5.8.2 Rationale and supplemental guidance . 13
5.9 PR.08: Security risk evaluation of the security profile . 13
5.9.1 Requirement . 13
5.9.2 Rationale and supplemental guidance . 13
5.10 PR.09: Document type . 13
5.10.1 Requirement . 13
5.10.2 Rationale and supplemental guidance . 14
6 Process for the creation, validation, and application of IEC 62443 security profiles . 14
6.1 General . 14
6.2 Creation phase . 14
6.3 Validation phase . 14
6.4 Application phase . 14
Annex A (normative) IEC 62443 security profile content . 15
Bibliography . 16

IEC TS 62443-1-5:2023 © IEC 2023 – 3 –
Figure 1 – Relationship between standards and security profiles within the IEC 62443
series . 10
Figure 2 – Relations between security profile requirements . 10

Table A.1 – Minimum IEC 62443 security profile content . 15

– 4 – IEC TS 62443-1-5:2023 © IEC 2023
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 1-5: Scheme for IEC 62443 security profiles

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC TS 62443-1-5 has been prepared by IEC technical committee 65: Industrial-process
measurement, control and automation. It is a Technical Specification.
The text of this Technical Specification is based on the following documents:
Draft Report on voting
65/947/DTS 65/1009/RVDTS
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Specification is English.

IEC TS 62443-1-5:2023 © IEC 2023 – 5 –
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
A list of all parts in the IEC 62443 series, published under the general title Security for industrial
automation and control systems, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
– 6 – IEC TS 62443-1-5:2023 © IEC 2023
INTRODUCTION
This document specifies a scheme for defining security profiles for the IEC 62443 series.
The scheme is applicable to IEC 62443 security profiles intended to be published as part of the
upcoming IEC 62443 dedicated security profiles sub-series). The document can also be used
for the definition of security profiles outside of the IEC 62443 series.
IEC 62443 security profiles can be used by interested parties (e.g., organizations, interested
groups/ sectors) to contextually map a defined set of requirements specified in the IEC 62443
series. Examples for the necessity of security profiles include the industry sector specific (area
of application) contextual mapping of IEC 62443 terminology and requirements.
NOTE The ISO/IEC 15408 series also uses a concept of profiles (called "Protection Profiles"), but those profiles
are based on a different scheme, specific to ISO/IEC 15408.

IEC TS 62443-1-5:2023 © IEC 2023 – 7 –
SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS –
Part 1-5: Scheme for IEC 62443 security profiles

1 Scope
This part of IEC 62443 specifies a scheme for defining (selecting, writing, drafting, creating)
IEC 62443 security profiles.
This scheme and its specified requirements apply to IEC 62443 security profiles which are
planned to be published as part of the upcoming IEC 62443 dedicated security profiles sub-
series.
IEC 62443 security profiles can support interested parties (e.g. during conformity assessment
activities) to achieve comparability of assessed IEC 62443 requirements.
2 Normative references
There are no normative references in this document.
3 Terms, definitions, abbreviated terms, and acronyms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC TS 62443-1-1:2009
and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
contextual mapping
declaration and rationale of how a selected requirement is applied within a specific environment
Note 1 to entry: A contextual mapping is neither intended to undermine principles and concepts of the underlaying
IEC 62443 document(s) nor to alter / modify the definition / rationale of a selected requirement.
EXAMPLE 1:
Detailing requirements, e.g.
• the applicable framework for a security risk assessment methodology (e.g. IEC 62443-2-4, SP.03.01 BR)
• required security training courses for service provider staff, subcontractors, or consultants in a particular industry
sector (e.g. IEC 62443-2-4, SP.01.01, SP.01.02)
•
...