Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component).
As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs):
a) identification and authentication control (IAC),
b) use control (UC),
c) system integrity (SI),
d) data confidentiality (DC),
e) restricted data flow (RDF),
f) timely response to events (TRE), and
g) resource availability (RA).
These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope.
The contents of the corrigendum of August 2022 have been included in this copy.

General Information

Status: Published
Publication Date: 26-Feb-2019
Drafting Committee: WG 10 - TC 65/WG 10
Current Stage: PPUB - Publication issued
Start Date: 27-Feb-2019
Completion Date: 22-Mar-2019

Relations

Effective Date: 05-Sep-2023

Overview

IEC 62443-4-2:2019 is an international standard published by the International Electrotechnical Commission (IEC) that specifies the technical security requirements for Industrial Automation and Control System (IACS) components. This standard is a critical part of the IEC 62443 series, focusing on detailed security measures for the components that comprise industrial control systems, enabling manufacturers and integrators to design products that meet robust cybersecurity capabilities.

The document defines requirements aligned with the seven foundational requirements (FRs) introduced in IEC TS 62443-1-1, which are essential for developing secure control systems. The standard aims to establish Security Levels for Control System Components (SL-C) that represent the inherent security features built into these products, distinct from achieved or target security levels.

Key aspects covered include detailed control requirements for identification and authentication, use control, system integrity, data confidentiality, restricted data flows, timely response to security events, and resource availability. IEC 62443-4-2:2019 incorporates updates from the August 2022 corrigendum to ensure compliance with the latest industry security practices.

Key Topics

  • Seven Foundational Requirements (FRs):

    • Identification and Authentication Control (IAC): Ensures robust user and device authentication mechanisms.
    • Use Control (UC): Manages authorization and restricts resource access to legitimate users.
    • System Integrity (SI): Protects system components from unauthorized modification.
    • Data Confidentiality (DC): Guarantees data privacy and protection against unauthorized disclosure.
    • Restricted Data Flow (RDF): Controls data paths to prevent unauthorized data leakage.
    • Timely Response to Events (TRE): Enables swift detection and response to security incidents.
    • Resource Availability (RA): Maintains system operation despite security threats, ensuring uptime.
  • Component Security Constraints: Defines essential constraints such as support for core functions, least privilege enforcement, compensating countermeasures, and adherence to secure software development processes.

  • Detailed Control Requirements: The standard breaks down each foundational requirement into specific technical control requirements (CRs) covering identification, authentication, authorization, session management, auditing, and more, with corresponding security levels to guide implementation rigor.

  • Security Levels for Components (SL-C): Defines capability-based levels that reflect the degree of security inherently built into control system components, facilitating objective assessment for suppliers and users.

Applications

IEC 62443-4-2:2019 plays a pivotal role in enhancing cybersecurity across a wide range of industrial automation and control systems (IACS), including sectors such as:

  • Manufacturing: Securing programmable logic controllers (PLCs), human-machine interfaces (HMIs), and SCADA systems against cyber threats.
  • Energy and Utilities: Protecting critical infrastructure components like energy management systems and distributed control systems.
  • Oil and Gas: Implementing robust security in pipeline control and refinery automation equipment.
  • Transportation: Ensuring safety and integrity of signaling and control components.
  • Building Automation: Enhancing security for HVAC, lighting, and access control devices.

This standard assists product developers and system integrators in embedding security by design, meeting regulatory and customer requirements for cybersecurity, reducing risks of cyberattacks, and supporting compliance with industrial security frameworks.

Related Standards

  • IEC TS 62443-1-1: Provides foundational concepts and models that underpin SL-C definitions and security concepts referenced in IEC 62443-4-2.
  • IEC 62443-2-x series: Focuses on policies and procedures at the organizational and system levels that complement component-level security.
  • IEC 62443-3-x series: Addresses system-level security requirements and security lifecycle guidance for control systems.
  • ISO/IEC 27001: Although broader in scope, this information security management standard complements IEC 62443 series in establishing comprehensive cybersecurity frameworks.
  • NIST SP 800-82: Provides guidelines on industrial control system security aligned with IEC 62443 principles.

By adhering to IEC 62443-4-2:2019, industrial automation suppliers and users can ensure consistent and rigorous technical security measures are implemented within IACS components. This standard contributes significantly to the resilience and reliability of critical infrastructure by fostering secure design, development, and operation of control system components.

Standard

IEC 62443-4-2:2019 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

English and French language
192 pages

Frequently Asked Questions

IEC 62443-4-2:2019 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components". This standard covers: IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA). These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope. The contents of the corrigendum of August 2022 have been included in this copy.

IEC 62443-4-2:2019 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

IEC 62443-4-2:2019 has the following relationships with other standards: it has an inter-standard link to IEC 62443-4-2:2019/COR1:2022. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


IEC 62443-4-2 ®
Edition 1.0 2019-02
INTERNATIONAL STANDARD
Security for industrial automation and control systems –
Part 4-2: Technical security requirements for IACS components

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch

ICS 25.040.40; 35.030 ISBN 978-2-8322-6597-0

CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms, and conventions
3.1 Terms and definitions
3.2 Abbreviated terms and acronyms
3.3 Conventions
4 Common component security constraints
4.1 Overview
4.2 CCSC 1: Support of essential functions
4.3 CCSC 2: Compensating countermeasures
4.4 CCSC 3: Least privilege
4.5 CCSC 4: Software development process
5 FR 1 – Identification and authentication control
5.1 Purpose and SL-C(IAC) descriptions
5.2 Rationale
5.3 CR 1.1 – Human user identification and authentication
5.3.1 Requirement
5.3.2 Rationale and supplemental guidance
5.3.3 Requirement enhancements
5.3.4 Security levels
5.4 CR 1.2 – Software process and device identification and authentication
5.4.1 Requirement
5.4.2 Rationale and supplemental guidance
5.4.3 Requirement enhancements
5.4.4 Security levels
5.5 CR 1.3 – Account management
5.5.1 Requirement
5.5.2 Rationale and supplemental guidance
5.5.3 Requirement enhancements
5.5.4 Security levels
5.6 CR 1.4 – Identifier management
5.6.1 Requirement
5.6.2 Rationale and supplemental guidance
5.6.3 Requirement enhancements
5.6.4 Security levels
5.7 CR 1.5 – Authenticator management
5.7.1 Requirement
5.7.2 Rationale and supplemental guidance
5.7.3 Requirement enhancements
5.7.4 Security levels
5.8 CR 1.6 – Wireless access management
5.9 CR 1.7 – Strength of password-based authentication
5.9.1 Requirement
5.9.2 Rationale and supplemental guidance
5.9.3 Requirement enhancements
5.9.4 Security levels
5.10 CR 1.8 – Public key infrastructure certificates
5.10.1 Requirement
5.10.2 Rationale and supplemental guidance
5.10.3 Requirement enhancements
5.10.4 Security levels
5.11 CR 1.9 – Strength of public key-based authentication
5.11.1 Requirement
5.11.2 Rationale and supplemental guidance
5.11.3 Requirement enhancements
5.11.4 Security levels
5.12 CR 1.10 – Authenticator feedback
5.12.1 Requirement
5.12.2 Rationale and supplemental guidance
5.12.3 Requirement enhancements
5.12.4 Security levels
5.13 CR 1.11 – Unsuccessful login attempts
5.13.1 Requirement
5.13.2 Rationale and supplemental guidance
5.13.3 Requirement enhancements
5.13.4 Security levels
5.14 CR 1.12 – System use notification
5.14.1 Requirement
5.14.2 Rationale and supplemental guidance
5.14.3 Requirement enhancements
5.14.4 Security levels
5.15 CR 1.13 – Access via untrusted networks
5.16 CR 1.14 – Strength of symmetric key-based authentication
5.16.1 Requirement
5.16.2 Rationale and supplemental guidance
5.16.3 Requirement enhancements
5.16.4 Security levels
6 FR 2 – Use control
6.1 Purpose and SL-C(UC) descriptions
6.2 Rationale
6.3 CR 2.1 – Authorization enforcement
6.3.1 Requirement
6.3.2 Rationale and supplemental guidance
6.3.3 Requirement enhancements
6.3.4 Security levels
6.4 CR 2.2 – Wireless use control
6.4.1 Requirement
6.4.2 Rationale and supplemental guidance
6.4.3 Requirement enhancements
6.4.4 Security levels
6.5 CR 2.3 – Use control for portable and mobile devices
6.6 CR 2.4 – Mobile code
6.7 CR 2.5 – Session lock
6.7.1 Requirement
6.7.2 Rationale and supplemental guidance
6.7.3 Requirement enhancements
6.7.4 Security levels
6.8 CR 2.6 – Remote session termination
6.8.1 Requirement
6.8.2 Rationale and supplemental guidance
6.8.3 Requirement enhancements
6.8.4 Security levels
6.9 CR 2.7 – Concurrent session control
6.9.1 Requirement
6.9.2 Rationale and supplemental guidance
6.9.3 Requirement enhancements
6.9.4 Security levels
6.10 CR 2.8 – Auditable events
6.10.1 Requirement
6.10.2 Rationale and supplemental guidance
6.10.3 Requirement enhancements
6.10.4 Security levels
6.11 CR 2.9 – Audit storage capacity
6.11.1 Requirement
6.11.2 Rationale and supplemental guidance
6.11.3 Requirement enhancements
6.11.4 Security levels
6.12 CR 2.10 – Response to audit processing failures
6.12.1 Requirement
6.12.2 Rationale and supplemental guidance
6.12.3 Requirement enhancements
6.12.4 Security levels
6.13 CR 2.11 – Timestamps
6.13.1 Requirement
6.13.2 Rationale and supplemental guidance
6.13.3 Requirement enhancements
6.13.4 Security levels
6.14 CR 2.12 – Non-repudiation
6.14.1 Requirement
6.14.2 Rationale and supplemental guidance
6.14.3 Requirement enhancements
6.14.4 Security levels
6.15 CR 2.13 – Use of physical diagnostic and test interfaces
7 FR 3 – System integrity
7.1 Purpose and SL-C(SI) descriptions
7.2 Rationale
7.3 CR 3.1 – Communication integrity
7.3.1 Requirement
7.3.2 Rationale and supplemental guidance
7.3.3 Requirement enhancements
7.3.4 Security levels
7.4 CR 3.2 – Protection from malicious code
7.5 CR 3.3 – Security functionality verification
7.5.1 Requirement
7.5.2 Rationale and supplemental guidance
7.5.3 Requirement enhancements
7.5.4 Security levels
7.6 CR 3.4 – Software and information integrity
7.6.1 Requirement
7.6.2 Rationale and supplemental guidance
7.6.3 Requirement enhancements
7.6.4 Security levels
7.7 CR 3.5 – Input validation
7.7.1 Requirement
7.7.2 Rationale and supplemental guidance
7.7.3 Requirement enhancements
7.7.4 Security levels
7.8 CR 3.6 – Deterministic output
7.8.1 Requirement
7.8.2 Rationale and supplemental guidance
7.8.3 Requirement enhancements
7.8.4 Security levels
7.9 CR 3.7 – Error handling
7.9.1 Requirement
7.9.2 Rationale and supplemental guidance
7.9.3 Requirement enhancements
7.9.4 Security levels
7.10 CR 3.8 – Session integrity
7.10.1 Requirement
7.10.2 Rationale and supplemental guidance
7.10.3 Requirement enhancements
7.10.4 Security levels
7.11 CR 3.9 – Protection of audit information
7.11.1 Requirement
7.11.2 Rationale and supplemental guidance
7.11.3 Requirement enhancements
7.11.4 Security levels
7.12 CR 3.10 – Support for updates
7.13 CR 3.11 – Physical tamper resistance and detection
7.14 CR 3.12 – Provisioning product supplier roots of trust
7.15 CR 3.13 – Provisioning asset owner roots of trust
7.16 CR 3.14 – Integrity of the boot process
8 FR 4 – Data confidentiality
8.1 Purpose and SL-C(DC) descriptions
8.2 Rationale
8.3 CR 4.1 – Information confidentiality
8.3.1 Requirement
8.3.2 Rationale and supplemental guidance
8.3.3 Requirement enhancements
8.3.4 Security levels
8.4 CR 4.2 – Information persistence
8.4.1 Requirement
8.4.2 Rationale and supplemental guidance
8.4.3 Requirement enhancements
8.4.4 Security levels
8.5 CR 4.3 – Use of cryptography
8.5.1 Requirement
8.5.2 Rationale and supplemental guidance
8.5.3 Requirement enhancements
8.5.4 Security levels
9 FR 5 – Restricted data flow
9.1 Purpose and SL-C(RDF) descriptions
9.2 Rationale
9.3 CR 5.1 – Network segmentation
9.3.1 Requirement
9.3.2 Rationale and supplemental guidance
9.3.3 Requirement enhancements
9.3.4 Security levels
9.4 CR 5.2 – Zone boundary protection
9.5 CR 5.3 – General-purpose person-to-person communication restrictions
9.6 CR 5.4 – Application partitioning
10 FR 6 – Timely response to events
10.1 Purpose and SL-C(TRE) descriptions
10.2 Rationale
10.3 CR 6.1 – Audit log accessibility
10.3.1 Requirement
10.3.2 Rationale and supplemental guidance
10.3.3 Requirement enhancements
10.3.4 Security levels
10.4 CR 6.2 – Continuous monitoring
10.4.1 Requirement
10.4.2 Rationale and supplemental guidance
10.4.3 Requirement enhancements
10.4.4 Security levels
11 FR 7 – Resource availability
11.1 Purpose and SL-C(RA) descriptions
11.2 Rationale
11.3 CR 7.1 – Denial of service protection
11.3.1 Requirement
11.3.2 Rationale and supplemental guidance
11.3.3 Requirement enhancements
11.3.4 Security levels
11.4 CR 7.2 – Resource management
11.4.1 Requirement
11.4.2 Rationale and supplemental guidance
11.4.3 Requirement enhancements
11.4.4 Security levels
11.5 CR 7.3 – Control system backup
11.5.1 Requirement
11.5.2 Rationale and supplemental guidance
11.5.3 Requirement enhancements
11.5.4 Security levels
11.6 CR 7.4 – Control system recovery and reconstitution
11.6.1 Requirement
11.6.2 Rationale and supplemental guidance
11.6.3 Requirement enhancements
11.6.4 Security levels
11.7 CR 7.5 – Emergency power
11.8 CR 7.6 – Network and security configuration settings
11.8.1 Requirement
11.8.2 Rationale and supplemental guidance
11.8.3 Requirement enhancements
11.8.4 Security levels
11.9 CR 7.7 – Least functionality
11.9.1 Requirement
11.9.2 Rationale and supplemental guidance
11.9.3 Requirement enhancements
11.9.4 Security levels
11.10 CR 7.8 – Control system component inventory
11.10.1 Requirement
11.10.2 Rationale and supplemental guidance
11.10.3 Requirement enhancements
11.10.4 Security levels
12 Software application requirements
12.1 Purpose
12.2 SAR 2.4 – Mobile code
12.2.1 Requirement
12.2.2 Rationale and supplemental guidance
12.2.3 Requirement enhancements
12.2.4 Security levels
12.3 SAR 3.2 – Protection from malicious code
12.3.1 Requirement
12.3.2 Rationale and supplemental guidance
12.3.3 Requirement enhancements
12.3.4 Security levels
13 Embedded device requirements
13.1 Purpose
13.2 EDR 2.4 – Mobile code
13.2.1 Requirement
13.2.2 Rationale and supplemental guidance
13.2.3 Requirement enhancements
13.2.4 Security levels
13.3 EDR 2.13 – Use of physical diagnostic and test interfaces
13.3.1 Requirement
13.3.2 Rationale and supplemental guidance
13.3.3 Requirement enhancements
13.3.4 Security levels
13.4 EDR 3.2 – Protection from malicious code
13.4.1 Requirement
13.4.2 Rationale and supplemental guidance
13.4.3 Requirement enhancements
13.4.4 Security levels
13.5 EDR 3.10 – Support for updates
13.5.1 Requirement
13.5.2 Rationale and supplemental guidance
13.5.3 Requirement enhancements
13.5.4 Security levels
13.6 EDR 3.11 – Physical tamper resistance and detection
13.6.1 Requirement
13.6.2 Rationale and supplemental guidance
13.6.3 Requirement enhancements
13.6.4 Security levels
13.7 EDR 3.12 – Provisioning product supplier roots of trust
13.7.1 Requirement
13.7.2 Rationale and supplemental guidance
13.7.3 Requirement enhancements
13.7.4 Security levels
13.8 EDR 3.13 – Provisioning asset owner roots of trust
13.8.1 Requirement
13.8.2 Rationale and supplemental guidance
13.8.3 Requirement enhancements
13.8.4 Security levels
13.9 EDR 3.14 – Integrity of the boot process
13.9.1 Requirement
13.9.2 Rationale and supplemental guidance
13.9.3 Requirement enhancements
13.9.4 Security levels
14 Host device requirements
14.1 Purpose
14.2 HDR 2.4 – Mobile code
14.2.1 Requirement
14.2.2 Rationale and supplemental guidance
14.2.3 Requirement enhancements
14.2.4 Security levels
14.3 HDR 2.13 – Use of physical diagnostic and test interfaces
14.3.1 Requirement
14.3.2 Rationale and supplemental guidance.
...

The IEC 62443-4-2:2019 standard plays a crucial role in enhancing security for industrial automation and control systems by providing a comprehensive set of technical security requirements specific to IACS components. This document is pivotal as it delineates detailed control system component requirements (CRs) correlating with the seven foundational requirements (FRs) established in IEC TS 62443-1-1. One of the primary strengths of IEC 62443-4-2:2019 is its structured approach to defining control system security capability levels and their components, categorized as SL-C(component). By focusing on the foundational requirements such as identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA), this standard ensures a holistic view of security measures necessary for safeguarding IACS. The standard not only emphasizes the importance of these seven foundational requirements but also provides clear guidelines for assessing and achieving various security capability levels across control system components. This ability to define and evaluate security capability levels is essential for organizations aiming to bolster their cybersecurity posture in the industrial landscape. Additionally, the inclusion of the August 2022 corrigendum enhances the current relevance and applicability of IEC 62443-4-2:2019, ensuring stakeholders have access to the most up-to-date information regarding security requirements. The clear focus on component-level security within the framework of IACS positions this standard as a fundamental resource for industries looking to mitigate security risks effectively. 
Overall, the IEC 62443-4-2:2019 standard stands out due to its thorough integration of foundational security requirements and its practical guidance for the evaluation of control system security capability levels, making it an essential document for organizations committed to achieving robust security in their industrial automation environments.

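IEC 62443-4-2:2019 is a standard that defines technical security requirements for industrial automation and control systems. It is based on the seven foundational requirements (FRs) described in IEC TS 62443-1-1 and, in particular, provides detailed technical control requirements (CRs) relating to control system components. This strengthens security in industrial automation. First, the scope of this standard is to clearly define the requirements for control system capability security levels (SL-C(component)) and their components, and it contains intricate detail. Its strength is that users can have concrete criteria for ensuring security. In addition, the seven foundational requirements (FRs) consist of identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA), and they serve as the foundation for defining control system security capability levels. The purpose of IEC 62443-4-2:2019 is to define security capability levels for control system components; SL-T and achieved SLs (SL-A) are outside the scope of this standard. This clear distinction makes the scope of application clear and the standard easy to use for engineers and regulators. Furthermore, the contents of the August 2022 corrigendum are included, so the latest information is reflected. This makes it more reliable than earlier documents, and the fact that engineers can take the latest requirements into account is another major advantage of this standard. Overall, IEC 62443-4-2:2019 is a very important document that clearly defines technical security requirements for industrial automation and control systems, and its scope and strengths make it a valuable standard applicable across various industries at home and abroad.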

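The IEC 62443-4-2:2019 standard is an important document focused on technical security requirements for industrial automation and control systems. It provides detailed technical control system component requirements (CRs) for the seven foundational requirements (FRs) described in IEC TS 62443-1-1. In particular, the document focuses on defining the requirements for control system security capability levels and their components. The scope of the standard can be summarized as follows. From the first foundational requirement, identification and authentication control (IAC), through use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA), these seven foundational requirements form the basis for defining control system security capability levels. The goal of the document is to define, on the basis of these foundational requirements, the security capability levels of control system components. This is a different goal from SL-T or achieved SLs (SL-A). The strength of IEC 62443-4-2:2019 is that it specifies control system security requirements in detail, helping manufacturers and operators raise their security level and protect systems from potential threats. The standard is an internationally recognized benchmark in the field of industrial automation, and it presents security requirements in a systematic and structured way so that users can understand them clearly. Finally, the August 2022 corrigendum is included in the document, providing systematic guidance that reflects the latest information. IEC 62443-4-2:2019 is therefore regarded as an essential document for strengthening the security of industrial automation and control systems and is of great significance to stakeholders in all related fields.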