Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

IEC 62443-4:2018 specifies the process requirements for the secure development of products used in industrial automation and control systems. This specification is part of a series of standards that addresses the issue of security for industrial automation and control systems (IACS). IEC 62443-4 defines secure development life-cycle (SDL) requirements related to cyber security for products intended for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element. The life-cycle description includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware.
Note that these requirements only apply to the developer and maintainer of the product, and are not applicable to the integrator or the user of the product. A summary list of the requirements is provided in Annex B.

Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

IEC 62443-4:2018 specifies the requirements for the secure development process of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software and firmware for new or existing products. They apply to the developer and maintainer of the product, but not to the integrator or the user of the product. A summary list of the requirements in this document can be found in Annex B.

General Information

Status: Published
Publication Date: 14-Jan-2018
Current Stage: PPUB - Publication issued
Start Date: 02-Feb-2018
Completion Date: 15-Jan-2018
Ref Project

Buy Standard

Standard
IEC 62443-4-1:2018 - Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements
English language
54 pages
Standard
IEC 62443-4-1:2018 - Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements
English and French language
112 pages

Standards Content (Sample)


IEC 62443-4-1 ®
Edition 1.0 2018-01
INTERNATIONAL
STANDARD
Security for industrial automation and control systems –
Part 4-1: Secure product development lifecycle requirements

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ISBN 978-2-8322-5239-0
ICS 25.040.40; 35.030
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms and conventions
3.1 Terms and definitions
3.2 Abbreviated terms and acronyms
3.3 Conventions
4 General principles
4.1 Concepts
4.2 Maturity model
5 Practice 1 – Security management
5.1 Purpose
5.2 SM-1: Development process
5.2.1 Requirement
5.3 Rationale and supplemental guidance
5.4 SM-2: Identification of responsibilities
5.4.1 Requirement
5.4.2 Rationale and supplemental guidance
5.5 SM-3: Identification of applicability
5.5.1 Requirement
5.5.2 Rationale and supplemental guidance
5.6 SM-4: Security expertise
5.6.1 Requirement
5.6.2 Rationale and supplemental guidance
5.7 SM-5: Process scoping
5.7.1 Requirement
5.7.2 Rationale and supplemental guidance
5.8 SM-6: File integrity
5.8.1 Requirement
5.8.2 Rationale and supplemental guidance
5.9 SM-7: Development environment security
5.9.1 Requirement
5.9.2 Rationale and supplemental guidance
5.10 SM-8: Controls for private keys
5.10.1 Requirement
5.10.2 Rationale and supplemental guidance
5.11 SM-9: Security requirements for externally provided components
5.11.1 Requirement
5.11.2 Rationale and supplemental guidance
5.12 SM-10: Custom developed components from third-party suppliers
5.12.1 Requirement
5.12.2 Rationale and supplemental guidance
5.13 SM-11: Assessing and addressing security-related issues
5.13.1 Requirement
5.13.2 Rationale and supplemental guidance
5.14 SM-12: Process verification
5.14.1 Requirement
5.14.2 Rationale and supplemental guidance
5.15 SM-13: Continuous improvement
5.15.1 Requirement
5.15.2 Rationale and supplemental guidance
6 Practice 2 – Specification of security requirements
6.1 Purpose
6.2 SR-1: Product security context
6.2.1 Requirement
6.2.2 Rationale and supplemental guidance
6.3 SR-2: Threat model
6.3.1 Requirement
6.3.2 Rationale and supplemental guidance
6.4 SR-3: Product security requirements
6.4.1 Requirement
6.4.2 Rationale and supplemental guidance
6.5 SR-4: Product security requirements content
6.5.1 Requirement
6.5.2 Rationale and supplemental guidance
6.6 SR-5: Security requirements review
6.6.1 Requirement
6.6.2 Rationale and supplemental guidance
7 Practice 3 – Secure by design
7.1 Purpose
7.2 SD-1: Secure design principles
7.2.1 Requirement
7.2.2 Rationale and supplemental guidance
7.3 SD-2: Defense in depth design
7.3.1 Requirement
7.3.2 Rationale and supplemental guidance
7.4 SD-3: Security design review
7.4.1 Requirement
7.4.2 Rationale and supplemental guidance
7.5 SD-4: Secure design best practices
7.5.1 Requirement
7.5.2 Rationale and supplemental guidance
8 Practice 4 – Secure implementation
8.1 Purpose
8.2 Applicability
8.3 SI-1: Security implementation review
8.3.1 Requirement
8.3.2 Rationale and supplemental guidance
8.4 SI-2: Secure coding standards
8.4.1 Requirement
8.4.2 Rationale and supplemental guidance
9 Practice 5 – Security verification and validation testing
9.1 Purpose
9.2 SVV-1: Security requirements testing
...


ICS 25.040.40; 35.030 ISBN 978-2-8322-8693-7

