Security for industrial process measurement and control - Network and system security

It establishes a framework for securing information and communication technology aspects of industrial process measurement and control systems including its networks and devices on those networks, during the operational phase of the plant's life cycle. It provides guidance on a plant's operational security requirements and is primarily intended for automation system owners/operators (responsible for ICS operation).

General Information

Status: Withdrawn
Publication Date: 21-Jan-2008
Withdrawal Date: 09-Jul-2018
Current Stage: WPUB - Publication withdrawn
Start Date: 09-Jul-2018
Completion Date: 10-Jul-2018

Technical specification
IEC PAS 62443-3:2008 - Security for industrial process measurement and control - Network and system security
Released: 1/22/2008
ISBN: 283189543X
English language
53 pages

Standards Content (Sample)


IEC/PAS 62443-3
Edition 1.0 2008-01
PUBLICLY AVAILABLE SPECIFICATION
PRE-STANDARD
Security for industrial process measurement and control – Network and system security
IEC/PAS 62443-3:2008(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.

If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch

About the IEC

The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications

The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.

• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.

• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.

• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00

INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XA
ICS 25.040.40; 35.110
ISBN 2-8318-9543-X

PAS 62443-3 © IEC:2008(E) – 2 –

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
3.2 Symbols and abbreviated terms
4 Introduction and compliance
5 Principles and reference models
5.1 General
5.2 Threat-risk model
5.3 Security life cycle
5.4 Policy
5.5 Generic reference configurations
5.6 Protection models
6 ICS security policy – Overview
7 ICS security policy – Principles and assumptions
7.1 ICS security policy – Principles
7.2 ICS security policy – Assumptions and exclusions
7.3 ICS security policy – Organization and management
8 ICS security policy – Measures
8.1 Availability management
8.2 Integrity management
8.3 Logical access management
8.4 Physical access management
8.5 Partition management
8.6 External access management
Annex A Projected new edition of IEC 62443
Bibliography

Figure 1 – Threat-risk relationship
Figure 2 – Security life cycle
Figure 3 – Policy levels
Figure 4 – Industrial control system (ICS)
Figure 5 – GPH reference configuration: Generic ICS host with external devices
Figure 6 – Device protection: Hardening and access management
Figure 7 – Defense-in-depth through partitioning
Figure 8 – Example: ICS partitioning
Figure 9 – Generic external connectivity

INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
SECURITY FOR INDUSTRIAL PROCESS MEASUREMENT AND CONTROL – NETWORK AND SYSTEM SECURITY

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and
non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
A PAS is a technical specification not fulfilling the requirements for a standard but made
available to the public.
IEC-PAS 62443-3 has been processed by IEC technical committee 65: Industrial-process
measurement, control and automation.
The text of this PAS is based on the following document:
Draft PAS: 65/402/NP
This PAS was approved for publication by the P-members of the committee concerned as indicated in the following document:
Report on voting: 65/412/RVN
Following publication of this PAS, which is a pre-standard publication, the technical committee
or subcommittee concerned will transform it into an International Standard.
This publication seeks the status of a basic security publication according to IEC Guide 104.
This PAS shall remain valid for an initial maximum period of three years starting from
2008-01. The validity may be extended for a single three-year period, following which it shall
be revised to become another type of normative document or shall be withdrawn.

INTRODUCTION

The increasing degree of public networking of formerly isolated automation systems increases
the exposure of such systems to attack. Standard IT security protection mechanisms have
protection goals and strategies that may be inappropriate for automation systems. This PAS
addresses the topic of securing access to and within industrial systems while assuring timely
response which may be critical to plant operation.

For safety applications and applications in the pharmaceutical or other highly specialized
industries, additional standards, guidelines, definitions and stipulations may apply, for
example, IEC 61508, GAMP (ISPE), for GMP Compliance 21 CFR (FDA) and the Standard
Operating Procedure of the European Medicines Agency (SOP/INSP/2003).

SECURITY FOR INDUSTRIAL PROCESS MEASUREMENT AND CONTROL – NETWORK AND SYSTEM SECURITY

1 Scope

This PAS establishes a framework for securing information and communication technology
aspects of industrial process measurement and control systems including its networks and
devices on those networks, during the operational phase of the plant’s life cycle.

This PAS provides guidance on a plant’s operational security requirements and is primarily
intended for automation system owners/operators (responsible for ICS operation).
Furthermore, the operational requirements of this PAS may interest ICS stakeholders such as:
a) automation system designers;
b) manufacturers (vendors) of devices, subsystems, and systems;
c) integrators of subsystems and systems.
The PAS allows for the following concerns:
• graceful migration/evolution of existing systems;
• meeting security objectives with existing COTS technologies and products;
• assurance of reliability/availability of the secured communications services;
• applicability to systems of any size and risk (scalability);
• coexistence of safety, legal and regulatory and automation functionality requirements with
security requirements.
NOTE 1 Plants and systems may contain safety critical components and devices. Any safety-related security
components may be subject to certification based on IEC 61508 and according to the SILs therein. This PAS does
not guarantee that its specifications are all or in part appropriate or sufficient for the security of such safety critical
components and devices.
NOTE 2 This PAS does not include requirements for security assurance evaluation and testing.
NOTE 3 The measures provided by this PAS are rather process-based and general in nature than technically
specific or prescriptive in terms of technical countermeasures and configurations.
NOTE 4 The procedures of this PAS are written with the plant owner/operator's mind set.
NOTE 5  This PAS does not cover
...
