Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels (IEC 62443-3-3:2013)

This part of the IEC 62443 series provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443‑1‑1 including defining the requirements for control system capability security levels, SL-C(control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T(control system), for a specific asset.
As defined in IEC 62443‑1‑1 there are a total of seven FRs:
a) Identification and authentication control (IAC),
b) Use control (UC),
c) System integrity (SI),
d) Data confidentiality (DC),
e) Restricted data flow (RDF),
f) Timely response to events (TRE), and
g) Resource availability (RA).
These seven requirements are the foundation for control system capability SLs, SL-C (control system). Defining security capability at the control system level is the goal and objective of this standard as opposed to target SLs, SL-T, or achieved SLs, SL-A, which are out of scope.
See IEC 62443‑2‑1 for an equivalent set of non-technical, program-related, capability SRs necessary for fully achieving a control system target SL.

Industrielle Kommunikationsnetze - IT-Sicherheit für Netze und Systeme - Teil 3-3: Systemanforderungen zur IT-Sicherheit und Security-Level (IEC 62443-3-3:2013)

Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes - Partie-3: Exigences relatives à la sécurité dans les systèmes et niveaux de sécurité (IEC 62443-3-3:2013)

IEC 62443-3-3:2013 fournit des exigences système (SR) de commande techniques détaillées associées aux sept exigences fondamentales (FR) décrites dans l’IEC 62443‑1‑1, y compris la définition des exigences des niveaux de sécurité de capacité du système de commande, SL C (système de commande). Ces exigences sont utilisées par plusieurs membres de la communauté des systèmes d’automatisation et de commande industrielles (IACS) ainsi que les zones et conduits définis pour le système à l'étude (SuC), tout en développant le SL cible du système de commande approprié, SL-T (système de commande) pour un actif spécifique. Le contenu du corrigendum d’avril 2014 est inclus dans la présente copie.

Industrijska komunikacijska omrežja - Zaščita omrežja in sistema - 3-3. del: Zahteve za zaščito in nivoje varnosti sistemov (IEC 62443-3-3:2013)

Ta del skupine standardov IEC 62443 podaja podrobne tehnične zahteve za nadzorne sisteme (SR), ki so povezane s sedmimi temeljnimi zahtevami (FR), opisanimi v standardu IEC 62443 1 1, vključno z določanjem zahtev za nivoje varnosti zmogljivosti nadzornega sistema, SL-C (nadzorni sistem). Te zahteve bodo uporabljali različni člani skupnosti industrijske avtomatizacije in nadzornih sistemov (IACS) poleg opredeljenih con in vodov za obravnavani sistem (SuC) pri razvijanju ustreznih ciljnih nivojev varnosti nadzornega sistema, SL-T (nadzorni sistem), za določeno dobrino.
Kot je opredeljeno v standardu IEC 62443 1 1, obstaja sedem temeljnih zahtev:
a) nadzor identifikacije in preverjanja pristnosti (IAC),
b) nadzor uporabe (UC),
c) celovitost sistema (SI),
d) zaupnost podatkov (DC),
e) omejen pretok podatkov (RDF),
f) pravočasen odziv na dogodke (TRE) in
g) razpoložljivost virov (RA).
Teh sedem zahtev so temelj za nivoje varnosti zmogljivosti nadzornega sistema, SL-C (nadzorni sistem). Opredelitev zmogljivosti zaščite na ravni nadzornega sistema je cilj tega standarda v nasprotju s ciljnimi nivoji varnosti, SL-T, ali doseženimi nivoji varnosti, SL-A, ki niso zajeti.
Glej standard IEC 62443 2 1 za enakovreden nabor netehničnih, s programom povezanih zahtev za sistem, ki so potrebne za v celoti dosežene ciljne nivoje varnosti nadzornega sistema.

General Information

Status
Published
Public Enquiry End Date
30-Jan-2019
Publication Date
10-Oct-2019
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
09-May-2019
Due Date
14-Jul-2019
Completion Date
11-Oct-2019

Relations

Buy Standard

Standard
EN IEC 62443-3-3:2019 - BARVE
English language
83 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN IEC 62443-3-3:2019 - BARVE
English language
83 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN IEC 62443-3-3:2019
01-november-2019
Industrijska komunikacijska omrežja - Zaščita omrežja in sistema - 3-3. del:
Zahteve za zaščito in nivoje varnosti sistemov (IEC 62443-3-3:2013)
Industrial communication networks - Network and system security - Part 3-3: System
security requirements and security levels (IEC 62443-3-3:2013)
Industrielle Kommunikationsnetze - IT-Sicherheit für Netze und Systeme - Teil 3-3:
Systemanforderungen zur IT-Sicherheit und Security-Level (IEC 62443-3-3:2013)
Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes -
Partie-3: Exigences relatives à la sécurité dans les systèmes et niveaux de sécurité
(IEC 62443-3-3:2013)
Ta slovenski standard je istoveten z: EN IEC 62443-3-3:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
SIST EN IEC 62443-3-3:2019 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN IEC 62443-3-3:2019

---------------------- Page: 2 ----------------------
SIST EN IEC 62443-3-3:2019


EUROPEAN STANDARD EN IEC 62443-3-3

NORME EUROPÉENNE

EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.110

English Version
Industrial communication networks - Network and system
security - Part 3-3: System security requirements and security
levels
(IEC 62443-3-3:2013)
Réseaux industriels de communication - Sécurité dans les Industrielle Kommunikationsnetze - IT-Sicherheit für Netze
réseaux et les systèmes - Partie-3: Exigences relatives à la und Systeme - Teil 3-3: Systemanforderungen zur IT-
sécurité dans les systèmes et niveaux de sécurité Sicherheit und Security-Level
(IEC 62443-3-3:2013) (IEC 62443-3-3:2013)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN IEC 62443-3-3:2019 E

---------------------- Page: 3 ----------------------
SIST EN IEC 62443-3-3:2019
EN IEC 62443-3-3:2019 (E)
European foreword
This document (EN IEC 62443-3-3:2019) consists of the text of IEC 62443-3-3:2013 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62443-3-3:2013 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 62443-2-4 NOTE Harmonized as EN IEC 62443-2-4
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
IEC 62443-4-2 NOTE Harmonized as EN IEC 62443-4-2
ISO/IEC 27002 NOTE Harmonized as EN ISO/IEC 27002


2

---------------------- Page: 4 ----------------------
SIST EN IEC 62443-3-3:2019
EN IEC 62443-3-3:2019 (E)
Annex ZA
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 62443-2-1 -  Industrial communication networks - - -
Network and system security - Part 2-1:
Establishing an industrial automation and
control system security program
IEC/TS 62443-1-1 2009 Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models

3

---------------------- Page: 5 ----------------------
SIST EN IEC 62443-3-3:2019

---------------------- Page: 6 ----------------------
SIST EN IEC 62443-3-3:2019




IEC 62443-3-3

®


Edition 1.0 2013-08




INTERNATIONAL



STANDARD








colour

inside










Industrial communication networks – Network and system security –

Part 3-3: System security requirements and security levels



























INTERNATIONAL

ELECTROTECHNICAL

COMMISSION

PRICE CODE
XC


ICS 25.040.40; 35.110 ISBN 978-2-8322-1036-9



  Warning! Make sure that you obtained this publication from an authorized distributor.


® Registered trademark of the International Electrotechnical Commission

---------------------- Page: 7 ----------------------
SIST EN IEC 62443-3-3:2019
– 2 – 62443-3-3 © IEC:2013(E)
CONTENTS
FOREWORD . 9
0 Introduction . 11
0.1 Overview . 11
0.2 Purpose and intended audience . 12
0.3 Usage within other parts of the IEC 62443 series . 12
1 Scope . 14
2 Normative references . 14
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 14
3.1 Terms and definitions . 14
3.2 Abbreviated terms and acronyms . 20
3.3 Conventions . 22
4 Common control system security constraints . 22
4.1 Overview . 22
4.2 Support of essential functions . 23
4.3 Compensating countermeasures . 23
4.4 Least privilege . 24
5 FR 1 – Identification and authentication control . 24
5.1 Purpose and SL-C(IAC) descriptions . 24
5.2 Rationale . 24
5.3 SR 1.1 – Human user identification and authentication . 24
5.3.1 Requirement . 24
5.3.2 Rationale and supplemental guidance . 24
5.3.3 Requirement enhancements . 25
5.3.4 Security levels . 25
5.4 SR 1.2 – Software process and device identification and authentication . 26
5.4.1 Requirement . 26
5.4.2 Rationale and supplemental guidance . 26
5.4.3 Requirement enhancements . 26
5.4.4 Security levels . 27
5.5 SR 1.3 – Account management . 27
5.5.1 Requirement . 27
5.5.2 Rationale and supplemental guidance . 27
5.5.3 Requirement enhancements . 27
5.5.4 Security levels . 27
5.6 SR 1.4 – Identifier management . 28
5.6.1 Requirement . 28
5.6.2 Rationale and supplemental guidance . 28
5.6.3 Requirement enhancements . 28
5.6.4 Security levels . 28
5.7 SR 1.5 – Authenticator management . 28
5.7.1 Requirement . 28
5.7.2 Rationale and supplemental guidance . 28
5.7.3 Requirement enhancements . 29
5.7.4 Security levels . 29
5.8 SR 1.6 – Wireless access management . 30
5.8.1 Requirement . 30

---------------------- Page: 8 ----------------------
SIST EN IEC 62443-3-3:2019
62443-3-3 © IEC:2013(E) – 3 –
5.8.2 Rationale and supplemental guidance . 30
5.8.3 Requirement enhancements . 30
5.8.4 Security levels . 30
5.9 SR 1.7 – Strength of password-based authentication . 30
5.9.1 Requirement . 30
5.9.2 Rationale and supplemental guidance . 30
5.9.3 Requirement enhancements . 31
5.9.4 Security levels . 31
5.10 SR 1.8 – Public key infrastructure (PKI) certificates . 31
5.10.1 Requirement . 31
5.10.2 Rationale and supplemental guidance . 31
5.10.3 Requirement enhancements . 32
5.10.4 Security levels . 32
5.11 SR 1.9 – Strength of public key authentication . 32
5.11.1 Requirement . 32
5.11.2 Rationale and supplemental guidance . 32
5.11.3 Requirement enhancements . 33
5.11.4 Security levels . 33
5.12 SR 1.10 – Authenticator feedback . 33
5.12.1 Requirement . 33
5.12.2 Rationale and supplemental guidance . 33
5.12.3 Requirement enhancements . 33
5.12.4 Security levels . 33
5.13 SR 1.11 – Unsuccessful login attempts . 34
5.13.1 Requirement . 34
5.13.2 Rationale and supplemental guidance . 34
5.13.3 Requirement enhancements . 34
5.13.4 Security levels . 34
5.14 SR 1.12 – System use notification . 34
5.14.1 Requirement . 34
5.14.2 Rationale and supplemental guidance . 34
5.14.3 Requirement enhancements . 35
5.14.4 Security levels . 35
5.15 SR 1.13 – Access via untrusted networks . 35
5.15.1 Requirement . 35
5.15.2 Rationale and supplemental guidance . 35
5.15.3 Requirement enhancements . 35
5.15.4 Security levels . 35
6 FR 2 – Use control . 36
6.1 Purpose and SL-C(UC) descriptions . 36
6.2 Rationale . 36
6.3 SR 2.1 – Authorization enforcement . 36
6.3.1 Requirement . 36
6.3.2 Rationale and supplemental guidance . 36
6.3.3 Requirement enhancements . 37
6.3.4 Security levels . 37
6.4 SR 2.2 – Wireless use control . 37
6.4.1 Requirement . 37
6.4.2 Rationale and supplemental guidance . 38

---------------------- Page: 9 ----------------------
SIST EN IEC 62443-3-3:2019
– 4 – 62443-3-3 © IEC:2013(E)
6.4.3 Requirement enhancements . 38
6.4.4 Security levels . 38
6.5 SR 2.3 – Use control for portable and mobile devices . 38
6.5.1 Requirement . 38
6.5.2 Rationale and supplemental guidance . 38
6.5.3 Requirement enhancements . 39
6.5.4 Security levels . 39
6.6 SR 2.4 – Mobile code . 39
6.6.1 Requirement . 39
6.6.2 Rationale and supplemental guidance . 39
6.6.3 Requirement enhancements . 39
6.6.4 Security levels . 39
6.7 SR 2.5 – Session lock . 40
6.7.1 Requirement . 40
6.7.2 Rationale and supplemental guidance . 40
6.7.3 Requirement enhancements . 40
6.7.4 Security levels . 40
6.8 SR 2.6 – Remote session termination . 40
6.8.1 Requirement . 40
6.8.2 Rationale and supplemental guidance . 40
6.8.3 Requirement enhancements . 40
6.8.4 Security levels . 41
6.9 SR 2.7 – Concurrent session control . 41
6.9.1 Requirement . 41
6.9.2 Rationale and supplemental guidance . 41
6.9.3 Requirement enhancements . 41
6.9.4 Security levels . 41
6.10 SR 2.8 – Auditable events . 41
6.10.1 Requirement . 41
6.10.2 Rationale and supplemental guidance . 41
6.10.3 Requirement enhancements . 42
6.10.4 Security levels . 42
6.11 SR 2.9 – Audit storage capacity. 42
6.11.1 Requirement . 42
6.11.2 Rationale and supplemental guidance . 42
6.11.3 Requirement enhancements . 42
6.11.4 Security levels . 43
6.12 SR 2.10 – Response to audit processing failures . 43
6.12.1 Requirement . 43
6.12.2 Rationale and supplemental guidance . 43
6.12.3 Requirement enhancements . 43
6.12.4 Security levels . 43
6.13 SR 2.11 – Timestamps . 43
6.13.1 Requirement . 43
6.13.2 Rationale and supplemental guidance . 43
6.13.3 Requirement enhancements . 44
6.13.4 Security levels . 44
6.14 SR 2.12 – Non-repudiation . 44
6.14.1 Requirement . 44

---------------------- Page: 10 ----------------------
SIST EN IEC 62443-3-3:2019
62443-3-3 © IEC:2013(E) – 5 –
6.14.2 Rationale and supplemental guidance . 44
6.14.3 Requirement enhancements . 44
6.14.4 Security levels . 44
7 FR 3 – System integrity . 45
7.1 Purpose and SL-C(SI) descriptions . 45
7.2 Rationale . 45
7.3 SR 3.1 – Communication integrity. 45
7.3.1 Requirement . 45
7.3.2 Rationale and supplemental guidance . 45
7.3.3 Requirement enhancements . 46
7.3.4 Security levels . 46
7.4 SR 3.2 – Malicious code protection . 46
7.4.1 Requirement . 46
7.4.2 Rationale and supplemental guidance . 46
7.4.3 Requirement enhancements . 47
7.4.4 Security levels . 47
7.5 SR 3.3 – Security functionality verification . 47
7.5.1 Requirement . 47
7.5.2 Rationale and supplemental guidance . 47
7.5.3 Requirement enhancements . 48
7.5.4 Security levels . 48
7.6 SR 3.4 – Software and information integrity . 48
7.6.1 Requirement . 48
7.6.2 Rationale and supplemental guidance . 48
7.6.3 Requirement enhancements . 49
7.6.4 Security levels . 49
7.7 SR 3.5 – Input validation . 49
7.7.1 Requirement . 49
7.7.2 Rationale and supplemental guidance . 49
7.7.3 Requirement enhancements . 49
7.7.4 Security levels . 49
7.8 SR 3.6 – Deterministic output . 50
7.8.1 Requirement . 50
7.8.2 Rationale and supplemental guidance . 50
7.8.3 Requirement enhancements . 50
7.8.4 Security levels . 50
7.9 SR 3.7 – Error handling . 50
7.9.1 Requirement . 50
7.9.2 Rationale and supplemental guidance . 50
7.9.3 Requirement enhancements . 50
7.9.4 Security levels . 51
7.10 SR 3.8 – Session integrity . 51
7.10.1 Requirement . 51
7.10.2 Rationale and supplemental guidance . 51
7.10.3 Requirement enhancements . 51
7.10.4 Security levels . 51
7.11 SR 3.9 – Protection of audit information . 52
7.11.1 Requirement . 52
7.11.2 Rationale and supplemental guidance . 52

---------------------- Page: 11 ----------------------
SIST EN IEC 62443-3-3:2019
– 6 – 62443-3-3 © IEC:2013(E)
7.11.3 Requirement enhancements . 52
7.11.4 Security levels . 52
8 FR 4 – Data confidentiality . 52
8.1 Purpose and SL-C(DC) descriptions . 52
8.2 Rationale . 52
8.3 SR 4.1 – Information confidentiality . 53
8.3.1 Requirement . 53
8.3.2 Rationale and
...

SLOVENSKI STANDARD
oSIST prEN IEC 62443-3-3:2019
01-januar-2019
Industrijska komunikacijska omrežja - Varnost omrežja in sistema - 3-3. del:
Varnostne zahteve sistema in varnostne stopnje
Industrial communication networks - Network and system security - Part 3-3: System
security requirements and security levels
Industrielle Kommunikationsnetze - IT-Sicherheit für Netze und Systeme - Teil 3-3:
Systemanforderungen zur IT-Sicherheit und Security-Level
Ta slovenski standard je istoveten z: prEN IEC 62443-3-3:2018
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.110 Omreževanje Networking
oSIST prEN IEC 62443-3-3:2019 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN IEC 62443-3-3:2019

---------------------- Page: 2 ----------------------
oSIST prEN IEC 62443-3-3:2019


EUROPEAN STANDARD DRAFT
prEN IEC 62443-3-3
NORME EUROPÉENNE

EUROPÄISCHE NORM

November 2018
ICS

English Version
Industrial communication networks - Network and system
security - Part 3-3: System security requirements and security
levels
(IEC 62443-3-3:2013)
To be completed Industrielle Kommunikationsnetze - IT-Sicherheit für Netze
(IEC 62443-3-3:2013) und Systeme - Teil 3-3: Systemanforderungen zur IT-
Sicherheit und Security-Level
(IEC 62443-3-3:2013)
This draft European Standard is submitted to CENELEC members for enquiry.
Deadline for CENELEC: 2019-02-15.

The text of this draft consists of the text of IEC 62443-3-3:2013.

If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which
stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CENELEC in three official versions (English, French, German).
A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to
the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a European Standard.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Project: 66556 Ref. No. prEN IEC 62443-3-3 E

---------------------- Page: 3 ----------------------
oSIST prEN IEC 62443-3-3:2019
prEN IEC 62443-3-3:2018 (E)

European foreword
This document (prEN IEC 62443-3-3:2018) consists of the text of IEC 62443-3-3:2015 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
This document is currently submitted to the Enquiry.
The following dates are proposed:
• latest date by which the existence of (doa) dor + 6 months
this document has to be announced at national
level
latest date by which this document has to be (dop) dor + 12 months

implemented at national level by publication of an
identical national standard or by endorsement
• latest date by which the national standards (dow) dor + 36 months
conflicting with this document have to be (to be confirmed or
withdrawn modified when voting)
Bibliography
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
1
IEC 62443-2-4 NOTE  Harmonized as EN 62443-2-4 (not modified).
2
IEC 62443-3-2 NOTE  Harmonized as EN 62443-3-2 (not modified).
IEC 62443-4-1 NOTE  Harmonized as EN 62443-4-1 (not modified).
3
IEC 62443-4- NOTE  Harmonized as EN 62443-4-2 (not modified).
IEC 27002 NOTE  Harmonized as EN ISO/IEC 27002 (not modified)


1
Under preparation
2
Under preparation
3
Under preparation
2

---------------------- Page: 4 ----------------------
oSIST prEN IEC 62443-3-3:2019
prEN IEC 62443-3-3:2018 (E)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant

EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 62443-1-1 2009 Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-2-1 -  Industrial communication networks - - -
Network and system security - Part 2-1:
Establishing an industrial automation and
control system security program


3

---------------------- Page: 5 ----------------------
oSIST prEN IEC 62443-3-3:2019

---------------------- Page: 6 ----------------------
oSIST prEN IEC 62443-3-3:2019




IEC 62443-3-3

®


Edition 1.0 2013-08




INTERNATIONAL



STANDARD








colour

inside










Industrial communication networks – Network and system security –

Part 3-3: System security requirements and security levels



























INTERNATIONAL

ELECTROTECHNICAL

COMMISSION

PRICE CODE
XC


ICS 25.040.40; 35.110 ISBN 978-2-8322-1036-9



  Warning! Make sure that you obtained this publication from an authorized distributor.


® Registered trademark of the International Electrotechnical Commission

---------------------- Page: 7 ----------------------
oSIST prEN IEC 62443-3-3:2019
– 2 – 62443-3-3 © IEC:2013(E)
CONTENTS
FOREWORD . 9
0 Introduction . 11
0.1 Overview . 11
0.2 Purpose and intended audience . 12
0.3 Usage within other parts of the IEC 62443 series . 12
1 Scope . 14
2 Normative references . 14
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 14
3.1 Terms and definitions . 14
3.2 Abbreviated terms and acronyms . 20
3.3 Conventions . 22
4 Common control system security constraints . 22
4.1 Overview . 22
4.2 Support of essential functions . 23
4.3 Compensating countermeasures . 23
4.4 Least privilege . 24
5 FR 1 – Identification and authentication control . 24
5.1 Purpose and SL-C(IAC) descriptions . 24
5.2 Rationale . 24
5.3 SR 1.1 – Human user identification and authentication . 24
5.3.1 Requirement . 24
5.3.2 Rationale and supplemental guidance . 24
5.3.3 Requirement enhancements . 25
5.3.4 Security levels . 25
5.4 SR 1.2 – Software process and device identification and authentication . 26
5.4.1 Requirement . 26
5.4.2 Rationale and supplemental guidance . 26
5.4.3 Requirement enhancements . 26
5.4.4 Security levels . 27
5.5 SR 1.3 – Account management . 27
5.5.1 Requirement . 27
5.5.2 Rationale and supplemental guidance . 27
5.5.3 Requirement enhancements . 27
5.5.4 Security levels . 27
5.6 SR 1.4 – Identifier management . 28
5.6.1 Requirement . 28
5.6.2 Rationale and supplemental guidance . 28
5.6.3 Requirement enhancements . 28
5.6.4 Security levels . 28
5.7 SR 1.5 – Authenticator management . 28
5.7.1 Requirement . 28
5.7.2 Rationale and supplemental guidance . 28
5.7.3 Requirement enhancements . 29
5.7.4 Security levels . 29
5.8 SR 1.6 – Wireless access management . 30
5.8.1 Requirement . 30

---------------------- Page: 8 ----------------------
oSIST prEN IEC 62443-3-3:2019
62443-3-3 © IEC:2013(E) – 3 –
5.8.2 Rationale and supplemental guidance . 30
5.8.3 Requirement enhancements . 30
5.8.4 Security levels . 30
5.9 SR 1.7 – Strength of password-based authentication . 30
5.9.1 Requirement . 30
5.9.2 Rationale and supplemental guidance . 30
5.9.3 Requirement enhancements . 31
5.9.4 Security levels . 31
5.10 SR 1.8 – Public key infrastructure (PKI) certificates . 31
5.10.1 Requirement . 31
5.10.2 Rationale and supplemental guidance . 31
5.10.3 Requirement enhancements . 32
5.10.4 Security levels . 32
5.11 SR 1.9 – Strength of public key authentication . 32
5.11.1 Requirement . 32
5.11.2 Rationale and supplemental guidance . 32
5.11.3 Requirement enhancements . 33
5.11.4 Security levels . 33
5.12 SR 1.10 – Authenticator feedback . 33
5.12.1 Requirement . 33
5.12.2 Rationale and supplemental guidance . 33
5.12.3 Requirement enhancements . 33
5.12.4 Security levels . 33
5.13 SR 1.11 – Unsuccessful login attempts . 34
5.13.1 Requirement . 34
5.13.2 Rationale and supplemental guidance . 34
5.13.3 Requirement enhancements . 34
5.13.4 Security levels . 34
5.14 SR 1.12 – System use notification . 34
5.14.1 Requirement . 34
5.14.2 Rationale and supplemental guidance . 34
5.14.3 Requirement enhancements . 35
5.14.4 Security levels . 35
5.15 SR 1.13 – Access via untrusted networks . 35
5.15.1 Requirement . 35
5.15.2 Rationale and supplemental guidance . 35
5.15.3 Requirement enhancements . 35
5.15.4 Security levels . 35
6 FR 2 – Use control . 36
6.1 Purpose and SL-C(UC) descriptions . 36
6.2 Rationale . 36
6.3 SR 2.1 – Authorization enforcement . 36
6.3.1 Requirement . 36
6.3.2 Rationale and supplemental guidance . 36
6.3.3 Requirement enhancements . 37
6.3.4 Security levels . 37
6.4 SR 2.2 – Wireless use control . 37
6.4.1 Requirement . 37
6.4.2 Rationale and supplemental guidance . 38

---------------------- Page: 9 ----------------------
oSIST prEN IEC 62443-3-3:2019
– 4 – 62443-3-3 © IEC:2013(E)
6.4.3 Requirement enhancements . 38
6.4.4 Security levels . 38
6.5 SR 2.3 – Use control for portable and mobile devices . 38
6.5.1 Requirement . 38
6.5.2 Rationale and supplemental guidance . 38
6.5.3 Requirement enhancements . 39
6.5.4 Security levels . 39
6.6 SR 2.4 – Mobile code . 39
6.6.1 Requirement . 39
6.6.2 Rationale and supplemental guidance . 39
6.6.3 Requirement enhancements . 39
6.6.4 Security levels . 39
6.7 SR 2.5 – Session lock . 40
6.7.1 Requirement . 40
6.7.2 Rationale and supplemental guidance . 40
6.7.3 Requirement enhancements . 40
6.7.4 Security levels . 40
6.8 SR 2.6 – Remote session termination . 40
6.8.1 Requirement . 40
6.8.2 Rationale and supplemental guidance . 40
6.8.3 Requirement enhancements . 40
6.8.4 Security levels . 41
6.9 SR 2.7 – Concurrent session control . 41
6.9.1 Requirement . 41
6.9.2 Rationale and supplemental guidance . 41
6.9.3 Requirement enhancements . 41
6.9.4 Security levels . 41
6.10 SR 2.8 – Auditable events . 41
6.10.1 Requirement . 41
6.10.2 Rationale and supplemental guidance . 41
6.10.3 Requirement enhancements . 42
6.10.4 Security levels . 42
6.11 SR 2.9 – Audit storage capacity. 42
6.11.1 Requirement . 42
6.11.2 Rationale and supplemental guidance . 42
6.11.3 Requirement enhancements . 42
6.11.4 Security levels . 43
6.12 SR 2.10 – Response to audit processing failures . 43
6.12.1 Requirement . 43
6.12.2 Rationale and supplemental guidance . 43
6.12.3 Requirement enhancements . 43
6.12.4 Security levels . 43
6.13 SR 2.11 – Timestamps . 43
6.13.1 Requirement . 43
6.13.2 Rationale and supplemental guidance . 43
6.13.3 Requirement enhancements . 44
6.13.4 Security levels . 44
6.14 SR 2.12 – Non-repudiation . 44
6.14.1 Requirement . 44

---------------------- Page: 10 ----------------------
oSIST prEN IEC 62443-3-3:2019
62443-3-3 © IEC:2013(E) – 5 –
6.14.2 Rationale and supplemental guidance . 44
6.14.3 Requirement enhancements . 44
6.14.4 Security levels . 44
7 FR 3 – System integrity . 45
7.1 Purpose and SL-C(SI) descriptions . 45
7.2 Rationale . 45
7.3 SR 3.1 – Communication integrity. 45
7.3.1 Requirement . 45
7.3.2 Rationale and supplemental guidance . 45
7.3.3 Requirement enhancements . 46
7.3.4 Security levels . 46
7.4 SR 3.2 – Malicious code protection . 46
7.4.1 Requirement . 46
7.4.2 Rationale and supplemental guidance . 46
7.4.3 Requirement enhancements . 47
7.4.4 Security levels . 47
7.5 SR 3.3 – Security functionality verification . 47
7.5.1 Requirement . 47
7.5.2 Rationale and supplemental guidance . 47
7.5.3 Requirement enhancements . 48
7.5.4 Security levels . 48
7.6 SR 3.4 – Software and information integrity . 48
7.6.1 Requirement . 48
7.6.2 Rationale and supplemental guidance . 48
7.6.3 Requirement enhancements . 49
7.6.4 Security levels . 49
7.7 SR 3.5 – Input validation . 49
7.7.1 Requirement . 49
7.7.2 Rationale and supplemental guidance . 49
7.7.3 Requirement enhancements . 49
7.7.4 Security levels . 49
7.8 SR 3.6 – Deterministic output . 50
7.8.1 Requirement . 50
7.8.2 Rationale and supplemental guidance . 50
7.8.3 Requirement enhancements . 50
7.8.4 Security levels . 50
7.9 SR 3.7 – Error handling . 50
7.9.1 Requirement . 50
7.9.2 Rationale and supplemental guidance . 50
7.9.3 Requirement enhancements . 50
7.9.4 Security levels . 51
7.10 SR 3.8 – Session integrity . 51
7.10.1 Requirement . 51
7.10.2 Rationale and supplemental guidance . 51
7.10.3 Requirement enhancements . 51
7.10.4 Security levels . 51
7.11 SR 3.9 – Protection of audit information . 52
7.11.1 Requirement . 52
7.11.2 Rationale and supplemental guidance . 52

---------------------- Page: 11 ----------------------
oSIST prEN IEC 62443-3-3:2019
– 6 – 62443-3-3 © IEC:2013(E)
7.11.3 Requirement enhancements . 52
7.11.4 Security levels . 52
8 FR 4 – Data confidentiality . 52
8.1 Purpose and SL-C(DC) descriptions . 52
8.2 Rationale . 52
8.3 SR 4.1 – Information confidentiality . 53
8.3.1 Requ
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.