Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels (IEC 62443-3-3:2013)

This part of the IEC 62443 series provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443‑1‑1 including defining the requirements for control system capability security levels, SL-C(control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T(control system), for a specific asset.
As defined in IEC 62443‑1‑1 there are a total of seven FRs:
a) Identification and authentication control (IAC),
b) Use control (UC),
c) System integrity (SI),
d) Data confidentiality (DC),
e) Restricted data flow (RDF),
f) Timely response to events (TRE), and
g) Resource availability (RA).
These seven requirements are the foundation for control system capability SLs, SL-C (control system). Defining security capability at the control system level is the goal and objective of this standard as opposed to target SLs, SL-T, or achieved SLs, SL-A, which are out of scope.
See IEC 62443‑2‑1 for an equivalent set of non-technical, program-related, capability SRs necessary for fully achieving a control system target SL.

Industrielle Kommunikationsnetze - IT-Sicherheit für Netze und Systeme - Teil 3-3: Systemanforderungen zur IT-Sicherheit und Security-Level (IEC 62443-3-3:2013)

Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes - Partie-3: Exigences relatives à la sécurité dans les systèmes et niveaux de sécurité (IEC 62443-3-3:2013)

IEC 62443-3-3:2013 fournit des exigences système (SR) de commande techniques détaillées associées aux sept exigences fondamentales (FR) décrites dans l’IEC 62443‑1‑1, y compris la définition des exigences des niveaux de sécurité de capacité du système de commande, SL C (système de commande). Ces exigences sont utilisées par plusieurs membres de la communauté des systèmes d’automatisation et de commande industrielles (IACS) ainsi que les zones et conduits définis pour le système à l'étude (SuC), tout en développant le SL cible du système de commande approprié, SL-T (système de commande) pour un actif spécifique. Le contenu du corrigendum d’avril 2014 est inclus dans la présente copie.

Industrijska komunikacijska omrežja - Zaščita omrežja in sistema - 3-3. del: Zahteve za zaščito in nivoje varnosti sistemov (IEC 62443-3-3:2013)

Ta del skupine standardov IEC 62443 podaja podrobne tehnične zahteve za nadzorne sisteme (SR), ki so povezane s sedmimi temeljnimi zahtevami (FR), opisanimi v standardu IEC 62443 1 1, vključno z določanjem zahtev za nivoje varnosti zmogljivosti nadzornega sistema, SL-C (nadzorni sistem). Te zahteve bodo uporabljali različni člani skupnosti industrijske avtomatizacije in nadzornih sistemov (IACS) poleg opredeljenih con in vodov za obravnavani sistem (SuC) pri razvijanju ustreznih ciljnih nivojev varnosti nadzornega sistema, SL-T (nadzorni sistem), za določeno dobrino.
Kot je opredeljeno v standardu IEC 62443 1 1, obstaja sedem temeljnih zahtev:
a) nadzor identifikacije in preverjanja pristnosti (IAC),
b) nadzor uporabe (UC),
c) celovitost sistema (SI),
d) zaupnost podatkov (DC),
e) omejen pretok podatkov (RDF),
f) pravočasen odziv na dogodke (TRE) in
g) razpoložljivost virov (RA).
Teh sedem zahtev so temelj za nivoje varnosti zmogljivosti nadzornega sistema, SL-C (nadzorni sistem). Opredelitev zmogljivosti zaščite na ravni nadzornega sistema je cilj tega standarda v nasprotju s ciljnimi nivoji varnosti, SL-T, ali doseženimi nivoji varnosti, SL-A, ki niso zajeti.
Glej standard IEC 62443 2 1 za enakovreden nabor netehničnih, s programom povezanih zahtev za sistem, ki so potrebne za v celoti dosežene ciljne nivoje varnosti nadzornega sistema.

General Information

Status
Published
Public Enquiry End Date
30-Jan-2019
Publication Date
10-Oct-2019
ICS
25.040.01 - Industrial automation systems in general
 
35.030 - IT Security
 
35.110 - Networking
Technical Committee
MOV - Measuring equipment for electromagnetic quantities
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
09-May-2019
Due Date
14-Jul-2019
Completion Date
11-Oct-2019
Ref Project
EN IEC 62443-3-3:2019 - Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels

Relations

Corrected By
SIST EN IEC 62443-3-3:2019/AC:2020 - Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels (IEC 62443-3-3:2013/COR1:2014)
Effective Date
17-Sep-2019

Overview

EN IEC 62443-3-3:2019 (IEC 62443-3-3) is a technical part of the IEC 62443 industrial cybersecurity series that specifies detailed system security requirements (SRs) and defines control system capability security levels (SL‑C). Adopted by CENELEC as EN IEC 62443-3-3:2019, this standard focuses on specifying the technical controls for Industrial Automation and Control Systems (IACS) at the control-system level. It complements program-level guidance in IEC 62443‑2‑1 and is intended to be applied against defined zones and conduits of a System under Consideration (SuC). Note: defining target SLs (SL‑T) or achieved SLs (SL‑A) is out of scope.

Key topics and technical requirements

EN IEC 62443-3-3 organizes requirements around the seven foundational requirements (FRs) from IEC 62443‑1‑1. Major technical topics include:

  • Identification & authentication control (IAC): human, device and software identification, account and authenticator management, PKI and password strength, wireless access.
  • Use control (UC): authorization enforcement, session lock/termination, control for portable/mobile devices and mobile code.
  • System integrity (SI): measures to ensure firmware/software/process integrity.
  • Data confidentiality (DC) and Restricted data flow (RDF): encryption, segmentation, and permitted communication pathways.
  • Timely response to events (TRE): logging, alerting and incident response considerations.
  • Resource availability (RA): protections against denial of service and resilience measures.
  • Detailed SRs (e.g., SR 1.1–1.15, SR 2.1–2.8, etc.) provide requirement statements, rationale, enhancements and how each maps to security levels (SL‑C).

Applications

This standard is used to:

  • Define technical security requirements for control systems during design and procurement.
  • Specify capability expectations for control‑system vendors and integrators.
  • Guide implementation of zone-and-conduit architectures and network segmentation.
  • Support security assessments, audits and product evaluation against SL‑C criteria.
  • Inform secure configuration of authentication, authorization, encryption and device management.

Who uses this standard

  • Industrial asset owners and operators (OT/IACS).
  • System integrators and control‑system engineers.
  • Product vendors and OEMs delivering PLCs, RTUs, HMIs and industrial network devices.
  • Cybersecurity assessors, auditors and compliance teams.

Related standards

  • IEC 62443‑1‑1 (terminology, concepts, models)
  • IEC 62443‑2‑1 (security program and processes)
  • IEC 62443‑4‑1 and 62443‑4‑2 (product development and component requirements)
  • ISO/IEC 27002 (information security controls)

Keywords: EN IEC 62443-3-3:2019, IEC 62443-3-3, industrial cybersecurity, IACS security, control system security, security levels SL‑C, zones and conduits, system security requirements.

SIST EN IEC 62443-3-3:2019 - BARVE - Page 1 previewSIST EN IEC 62443-3-3:2019 - BARVE - Page 2 previewSIST EN IEC 62443-3-3:2019 - BARVE - Page 3 previewSIST EN IEC 62443-3-3:2019 - BARVE - Page 4 preview
PreviousNext
Standard

SIST EN IEC 62443-3-3:2019 - BARVE

English language
83 pages
Preview
Preview
e-Library read for
1 day

Frequently Asked Questions

SIST EN IEC 62443-3-3:2019 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels (IEC 62443-3-3:2013)". This standard covers: This part of the IEC 62443 series provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443‑1‑1 including defining the requirements for control system capability security levels, SL-C(control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T(control system), for a specific asset. As defined in IEC 62443‑1‑1 there are a total of seven FRs: a) Identification and authentication control (IAC), b) Use control (UC), c) System integrity (SI), d) Data confidentiality (DC), e) Restricted data flow (RDF), f) Timely response to events (TRE), and g) Resource availability (RA). These seven requirements are the foundation for control system capability SLs, SL-C (control system). Defining security capability at the control system level is the goal and objective of this standard as opposed to target SLs, SL-T, or achieved SLs, SL-A, which are out of scope. See IEC 62443‑2‑1 for an equivalent set of non-technical, program-related, capability SRs necessary for fully achieving a control system target SL.

This part of the IEC 62443 series provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443‑1‑1 including defining the requirements for control system capability security levels, SL-C(control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T(control system), for a specific asset. As defined in IEC 62443‑1‑1 there are a total of seven FRs: a) Identification and authentication control (IAC), b) Use control (UC), c) System integrity (SI), d) Data confidentiality (DC), e) Restricted data flow (RDF), f) Timely response to events (TRE), and g) Resource availability (RA). These seven requirements are the foundation for control system capability SLs, SL-C (control system). Defining security capability at the control system level is the goal and objective of this standard as opposed to target SLs, SL-T, or achieved SLs, SL-A, which are out of scope. See IEC 62443‑2‑1 for an equivalent set of non-technical, program-related, capability SRs necessary for fully achieving a control system target SL.

SIST EN IEC 62443-3-3:2019 is classified under the following ICS (International Classification for Standards) categories: 25.040.01 - Industrial automation systems in general; 35.030 - IT Security; 35.110 - Networking. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN IEC 62443-3-3:2019 has the following relationships with other standards: It is inter standard links to SIST EN IEC 62443-3-3:2019/AC:2020. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST EN IEC 62443-3-3:2019 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-november-2019
Industrijska komunikacijska omrežja - Zaščita omrežja in sistema - 3-3. del:
Zahteve za zaščito in nivoje varnosti sistemov (IEC 62443-3-3:2013)
Industrial communication networks - Network and system security - Part 3-3: System
security requirements and security levels (IEC 62443-3-3:2013)
Industrielle Kommunikationsnetze - IT-Sicherheit für Netze und Systeme - Teil 3-3:
Systemanforderungen zur IT-Sicherheit und Security-Level (IEC 62443-3-3:2013)
Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes -
Partie-3: Exigences relatives à la sécurité dans les systèmes et niveaux de sécurité
(IEC 62443-3-3:2013)
Ta slovenski standard je istoveten z: EN IEC 62443-3-3:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62443-3-3

NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.110
English Version
Industrial communication networks - Network and system
security - Part 3-3: System security requirements and security
levels
(IEC 62443-3-3:2013)
Réseaux industriels de communication - Sécurité dans les Industrielle Kommunikationsnetze - IT-Sicherheit für Netze
réseaux et les systèmes - Partie-3: Exigences relatives à la und Systeme - Teil 3-3: Systemanforderungen zur IT-
sécurité dans les systèmes et niveaux de sécurité Sicherheit und Security-Level
(IEC 62443-3-3:2013) (IEC 62443-3-3:2013)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-3-3:2019 E

European foreword
This document (EN IEC 62443-3-3:2019) consists of the text of IEC 62443-3-3:2013 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-04-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62443-3-3:2013 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 62443-2-4 NOTE Harmonized as EN IEC 62443-2-4
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
IEC 62443-4-2 NOTE Harmonized as EN IEC 62443-4-2
ISO/IEC 27002 NOTE Harmonized as EN ISO/IEC 27002

Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 62443-2-1 -  Industrial communication networks - - -
Network and system security - Part 2-1:
Establishing an industrial automation and
control system security program
IEC/TS 62443-1-1 2009 Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models

IEC 62443-3-3 ®
Edition 1.0 2013-08
INTERNATIONAL
STANDARD
colour
inside
Industrial communication networks – Network and system security –

Part 3-3: System security requirements and security levels

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XC
ICS 25.040.40; 35.110 ISBN 978-2-8322-1036-9

– 2 – 62443-3-3 © IEC:2013(E)
CONTENTS
FOREWORD . 9
0 Introduction . 11
0.1 Overview . 11
0.2 Purpose and intended audience . 12
0.3 Usage within other parts of the IEC 62443 series . 12
1 Scope . 14
2 Normative references . 14
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 14
3.1 Terms and definitions . 14
3.2 Abbreviated terms and acronyms . 20
3.3 Conventions . 22
4 Common control system security constraints . 22
4.1 Overview . 22
4.2 Support of essential functions . 23
4.3 Compensating countermeasures . 23
4.4 Least privilege . 24
5 FR 1 – Identification and authentication control . 24
5.1 Purpose and SL-C(IAC) descriptions . 24
5.2 Rationale . 24
5.3 SR 1.1 – Human user identification and authentication . 24
5.3.1 Requirement . 24
5.3.2 Rationale and supplemental guidance . 24
5.3.3 Requirement enhancements . 25
5.3.4 Security levels . 25
5.4 SR 1.2 – Software process and device identification and authentication . 26
5.4.1 Requirement . 26
5.4.2 Rationale and supplemental guidance . 26
5.4.3 Requirement enhancements . 26
5.4.4 Security levels . 27
5.5 SR 1.3 – Account management . 27
5.5.1 Requirement . 27
5.5.2 Rationale and supplemental guidance . 27
5.5.3 Requirement enhancements . 27
5.5.4 Security levels . 27
5.6 SR 1.4 – Identifier management . 28
5.6.1 Requirement . 28
5.6.2 Rationale and supplemental guidance . 28
5.6.3 Requirement enhancements . 28
5.6.4 Security levels . 28
5.7 SR 1.5 – Authenticator management . 28
5.7.1 Requirement . 28
5.7.2 Rationale and supplemental guidance . 28
5.7.3 Requirement enhancements . 29
5.7.4 Security levels . 29
5.8 SR 1.6 – Wireless access management . 30
5.8.1 Requirement . 30

62443-3-3 © IEC:2013(E) – 3 –
5.8.2 Rationale and supplemental guidance . 30
5.8.3 Requirement enhancements . 30
5.8.4 Security levels . 30
5.9 SR 1.7 – Strength of password-based authentication . 30
5.9.1 Requirement . 30
5.9.2 Rationale and supplemental guidance . 30
5.9.3 Requirement enhancements . 31
5.9.4 Security levels . 31
5.10 SR 1.8 – Public key infrastructure (PKI) certificates . 31
5.10.1 Requirement . 31
5.10.2 Rationale and supplemental guidance . 31
5.10.3 Requirement enhancements . 32
5.10.4 Security levels . 32
5.11 SR 1.9 – Strength of public key authentication . 32
5.11.1 Requirement . 32
5.11.2 Rationale and supplemental guidance . 32
5.11.3 Requirement enhancements . 33
5.11.4 Security levels . 33
5.12 SR 1.10 – Authenticator feedback . 33
5.12.1 Requirement . 33
5.12.2 Rationale and supplemental guidance . 33
5.12.3 Requirement enhancements . 33
5.12.4 Security levels . 33
5.13 SR 1.11 – Unsuccessful login attempts . 34
5.13.1 Requirement . 34
5.13.2 Rationale and supplemental guidance . 34
5.13.3 Requirement enhancements . 34
5.13.4 Security levels . 34
5.14 SR 1.12 – System use notification . 34
5.14.1 Requirement . 34
5.14.2 Rationale and supplemental guidance . 34
5.14.3 Requirement enhancements . 35
5.14.4 Security levels . 35
5.15 SR 1.13 – Access via untrusted networks . 35
5.15.1 Requirement . 35
5.15.2 Rationale and supplemental guidance . 35
5.15.3 Requirement enhancements . 35
5.15.4 Security levels . 35
6 FR 2 – Use control . 36
6.1 Purpose and SL-C(UC) descriptions . 36
6.2 Rationale . 36
6.3 SR 2.1 – Authorization enforcement . 36
6.3.1 Requirement . 36
6.3.2 Rationale and supplemental guidance . 36
6.3.3 Requirement enhancements . 37
6.3.4 Security levels . 37
6.4 SR 2.2 – Wireless use control . 37
6.4.1 Requirement . 37
6.4.2 Rationale and supplemental guidance . 38

– 4 – 62443-3-3 © IEC:2013(E)
6.4.3 Requirement enhancements . 38
6.4.4 Security levels . 38
6.5 SR 2.3 – Use control for portable and mobile devices . 38
6.5.1 Requirement . 38
6.5.2 Rationale and supplemental guidance . 38
6.5.3 Requirement enhancements . 39
6.5.4 Security levels . 39
6.6 SR 2.4 – Mobile code . 39
6.6.1 Requirement . 39
6.6.2 Rationale and supplemental guidance . 39
6.6.3 Requirement enhancements . 39
6.6.4 Security levels . 39
6.7 SR 2.5 – Session lock . 40
6.7.1 Requirement . 40
6.7.2 Rationale and supplemental guidance . 40
6.7.3 Requirement enhancements . 40
6.7.4 Security levels . 40
6.8 SR 2.6 – Remote session termination . 40
6.8.1 Requirement . 40
6.8.2 Rationale and supplemental guidance . 40
6.8.3 Requirement enhancements . 40
6.8.4 Security levels . 41
6.9 SR 2.7 – Concurrent session control . 41
6.9.1 Requirement . 41
6.9.2 Rationale and supplemental guidance . 41
6.9.3 Requirement enhancements . 41
6.9.4 Security levels . 41
6.10 SR 2.8 – Auditable events . 41
6.10.1 Requirement . 41
6.10.2 Rationale and supplemental guidance . 41
6.10.3 Requirement enhancements . 42
6.10.4 Security levels . 42
6.11 SR 2.9 – Audit storage capacity. 42
6.11.1 Requirement . 42
6.11.2 Rationale and supplemental guidance . 42
6.11.3 Requirement enhancements . 42
6.11.4 Security levels . 43
6.12 SR 2.10 – Response to audit processing failures . 43
6.12.1 Requirement . 43
6.12.2 Rationale and supplemental guidance . 43
6.12.3 Requirement enhancements . 43
6.12.4 Security levels . 43
6.13 SR 2.11 – Timestamps . 43
6.13.1 Requirement . 43
6.13.2 Rationale and supplemental guidance . 43
6.13.3 Requirement enhancements . 44
6.13.4 Security levels . 44
6.14 SR 2.12 – Non-repudiation . 44
6.14.1 Requirement . 44

62443-3-3 © IEC:2013(E) – 5 –
6.14.2 Rationale and supplemental guidance . 44
6.14.3 Requirement enhancements . 44
6.14.4 Security levels . 44
7 FR 3 – System integrity . 45
7.1 Purpose and SL-C(SI) descriptions . 45
7.2 Rationale . 45
7.3 SR 3.1 – Communication integrity. 45
7.3.1 Requirement . 45
7.3.2 Rationale and supplemental guidance . 45
7.3.3 Requirement enhancements . 46
7.3.4 Security levels . 46
7.4 SR 3.2 – Malicious code protection . 46
7.4.1 Requirement . 46
7.4.2 Rationale and supplemental guidance . 46
7.4.3 Requirement enhancements . 47
7.4.4 Security levels . 47
7.5 SR 3.3 – Security functionality verification . 47
7.5.1 Requirement . 47
7.5.2 Rationale and supplemental guidance . 47
7.5.3 Requirement enhancements . 48
7.5.4 Security levels . 48
7.6 SR 3.4 – Software and information integrity . 48
7.6.1 Requirement . 48
7.6.2 Rationale and supplemental guidance . 48
7.6.3 Requirement enhancements . 49
7.6.4 Security levels . 49
7.7 SR 3.5 – Input validation . 49
7.7.1 Requirement . 49
7.7.2 Rationale and supplemental guidance . 49
7.7.3 Requirement enhancements . 49
7.7.4 Security levels . 49
7.8 SR 3.6 – Deterministic output . 50
7.8.1 Requirement . 50
7.8.2 Rationale and supplemental guidance . 50
7.8.3 Requirement enhancements . 50
7.8.4 Security levels . 50
7.9 SR 3.7 – Error handling . 50
7.9.1 Requirement . 50
7.9.2 Rationale and supplemental guidance . 50
7.9.3 Requirement enhancements . 50
7.9.4 Security levels . 51
7.10 SR 3.8 – Session integrity . 51
7.10.1 Requirement . 51
7.10.2 Rationale and supplemental guidance . 51
7.10.3 Requirement enhancements . 51
7.10.4 Security levels . 51
7.11 SR 3.9 – Protection of audit information . 52
7.11.1 Requirement . 52
7.11.2 Rationale and supplemental guidance . 52

– 6 – 62443-3-3 © IEC:2013(E)
7.11.3 Requirement enhancements . 52
7.11.4 Security levels . 52
8 FR 4 – Data confidentiality . 52
8.1 Purpose and SL-C(DC) descriptions . 52
8.2 Rationale . 52
8.3 SR 4.1 – Information confidentiality . 53
8.3.1 Requirement . 53
8.3.2 Rationale and supplemental guidance . 53
8.3.3 Requirement enhancements . 53
8.3.4 Security levels . 53
8.4 SR 4.2 – Information persistence . 54
8.4.1 Requirement . 54
8.4.2 Rationale and supplemental guidance . 54
8.4.3 Requirement enhancements . 54
8.4.4 Security levels . 54
8.5 SR 4.3 – Use of cryptography . 54
8.5.1 Requirement . 54
8.5.2 Rationale and supplemental guidance . 55
8.5.3 Requirement enhancements . 55
8.5.4 Security levels . 55
9 FR 5 – Restricted data flow . 55
9.1 Purpose and SL-C(RDF) descriptions . 55
9.2 Rationale . 55
9.3 SR 5.1 – Network segmentation . 56
9.3.1 Requirement . 56
9.3.2 Rationale and supplemental guidance . 56
9.3.3 Requirement enhancements . 56
9.3.4 Security levels . 57
9.4 SR 5.2 – Zone boundary protection . 57
9.4.1 Requirement . 57
9.4.2 Rationale and supplemental guidance . 57
9.4.3 Requirement enhancements . 57
9.4.4 Security levels . 58
9.5 SR 5.3 – General purpose person-to-person communication restrictions . 58
9.5.1 Requirement . 58
9.5.2 Rationale and supplemental guidance . 58
9.5.3 Requirement enhancements . 58
9.5.4 Security levels . 59
9.6 SR 5.4 – Application partitioning. 59
9.6.1 Requirement . 59
9.6.2 Rationale and supplemental guidance . 59
9.6.3 Requirement enhancements . 59
9.6.4 Security levels . 59
10 FR 6 – Timely response to events . 59
10.1 Purpose and SL-C(TRE) descriptions . 59
10.2 Rationale . 60
10.3 SR 6.1 – Audit log accessibility . 60
10.3.1 Requirement . 60
10.3.2 Rationale and supplemental guidance . 60

62443-3-3 © IEC:2013(E) – 7 –
10.3.3 Requirement enhancements . 60
10.3.4 Security levels . 60
10.4 SR 6.2 – Continuous monitoring . 60
10.4.1 Requirement . 60
10.4.2 Rationale and supplemental guidance . 60
10.4.3 Requirement enhancements . 61
10.4.4 Security levels . 61
11 FR 7 – Resource availability . 61
11.1 Purpose and SL-C(RA) descriptions . 61
11.2 Rationale . 61
11.3 SR 7.1 – Denial of service protection . 62
11.3.1 Requirement . 62
11.3.2 Rationale and supplemental guidance . 62
11.3.3 Requirement enhancements . 62
11.3.4 Security levels . 62
11.4 SR 7.2 – Resource management . 62
11.4.1 Requirement . 62
11.4.2 Rationale and supplemental guidance . 62
11.4.3 Requirement enhancements . 62
11.4.4 Security levels . 63
11.5 SR 7.3 – Control system backup . 63
11.5.1 Requirement . 63
11.5.2 Rationale and supplemental guidance . 63
11.5.3 Requirement enhancements . 63
11.5.4 Security levels . 63
11.6 SR 7.4 – Control system recovery and reconstitution . 63
11.6.1 Requirement . 63
11.6.2 Rationale and supplemental guidance . 63
11.6.3 Requirement enhancements . 64
11.6.4 Security levels . 64
11.7 SR 7.5 – Emergency power . 64
11.7.1 Requirement . 64
11.7.2 Rationale and supplemental guidance . 64
11.7.3 Requirement enhancements . 64
11.7.4 Security levels . 64
11.8 SR 7.6 – Network and security configuration settings . 64
11.8.1 Requirement . 64
11.8.2 Rationale and supplemental guidance . 64
11.8.3 Requirement enhancements . 65
11.8.4 Security levels . 65
11.9 SR 7.7 – Least functionality . 65
11.9.1 Requirement . 65
11.9.2 Rationale and supplemental guidance . 65
11.9.3 Requirement enhancements . 65
11.9.4 Security levels . 65
11.10 SR 7.8 – Control system component inventory . 66
11.10.1 Requirement . 66
11.10.2 Rationale and supplemental guidance . 66
11.10.3 Requirement enhancements . 66

– 8 – 62443-3-3 © IEC:2013(E)
11.10.4 Security levels . 66
Annex A (informative) Discussion of the SL vector . 67
Annex B (informative) Mapping of SRs and REs to FR SL levels 1-4 . 75
Bibliography . 79

Figure 1 – Structure of the IEC 62443 series . 13
Figure A.1 – High-level process-industry example showing zones and conduits . 69
Figure A.2 – High-level manufacturing example showing zones and conduits . 70
Figure A.3 – Schematic of correlation of the use of different SL types . 71

Table B.1 – Mapping of SRs and REs to FR SL levels 1-4 (1 of 4) . 75

62443-3-3 © IEC:2013(E) – 9 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
NETWORK AND SYSTEM SECURITY –
Part 3-3: System security requirements and security levels

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifyi
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Die SIST EN IEC 62443-3-3:2019 ist ein wesentlicher Bestandteil der IEC 62443-Serie, die sich mit der Netzwerksicherheit und dem Schutz industrieller Kommunikationsnetzwerke befasst. Der spezifische Fokus auf die Systemanforderungen und Sicherheitsstufen bietet einen detaillierten Rahmen für die Anforderungen an Sicherheitskontrollen (SRs), die an die sieben grundlegenden Anforderungen (FRs) angeknüpft sind. Diese grundlegenden Anforderungen sind entscheidend, um ein solides Fundament für die Sicherheit von Automatisierungs- und Steuerungssystemen (IACS) zu schaffen. Ein besonders starker Aspekt dieser Norm liegt in ihrer umfassenden Abdeckung der Sicherheitsanforderungen, die es verschiedenen Stakeholdern in der IACS-Community ermöglichen, die Sicherheitsfähigkeit ihrer Kontrollsysteme gezielt zu bewerten und zu verbessern. Die normativen sieben FRs - Identifikation und Authentifizierung (IAC), Nutzungskontrolle (UC), Systemintegrität (SI), Datenschutz (DC), eingeschränkter Datenfluss (RDF), zeitgerechte Reaktion auf Ereignisse (TRE) und Ressourcenverfügbarkeit (RA) - bieten eine robuste Basis, auf der Sicherheitsstufen (SL-C) definiert werden. Diese Anforderungen sind nicht nur theoretisch, sondern praktisch anwendbar bei der Entwicklung spezifischer Sicherheitsstrategien für verschiedene Anlagen. Ein weiteres Plus der Norm ist die klare Unterscheidung zwischen Sicherheitsfähigkeitsanforderungen und erreichtem Sicherheitsniveau, was eine präzise Zuordnung und Messung der Sicherheitsstufen (SL-T und SL-A) ermöglicht. Dies hilft Organisationen, die tatsächlichen Sicherheitsressourcen effektiv zu steuern und die erforderlichen Sicherheitsmaßnahmen zu implementieren, um das angestrebte Sicherheitsniveau zu erreichen. Insgesamt ist die SIST EN IEC 62443-3-3:2019 von großer Relevanz für alle Akteure, die in den Bereichen industrielle Automatisierung, Steuerungssysteme und Netzwerksicherheit tätig sind. Ihre detaillierten Anforderungen und die strukturierte Herangehensweise an die Sicherheitsstufen bieten wertvolle Unterstützung für Unternehmen, die sich mit der Sicherstellung der Integrität und Sicherheit ihrer Systeme befassen. Die Norm stellt somit einen unverzichtbaren Leitfaden für die effektive Absicherung industrieller Netzwerke dar.

SIST EN IEC 62443-3-3:2019は、産業通信ネットワークとシステムセキュリティに関する重要な標準であり、制御システムの安全性に必要な詳細な技術的制御システム要件(SRs)を提供します。この標準は、IEC 62443-1-1で述べられている七つの基本要件(FRs)に基づいており、特に制御システムの能力セキュリティレベル(SL-C)を定義することに焦点を当てています。これにより、産業オートメーションおよび制御システム(IACS)コミュニティのさまざまなメンバーが特定の資産に対して適切な制御システムターゲットSL(SL-T)を開発する際に非常に有用です。 この標準の強みは、具体的で技術的な要件が明確に定義されている点にあります。特に、七つの基本要件は各々、識別と認証制御(IAC)、使用制御(UC)、システムの完全性(SI)、データの機密性(DC)、制限されたデータフロー(RDF)、イベントに対する迅速な応答(TRE)、そしてリソースの可用性(RA)と、システムセキュリティの基盤を構成しています。これにより、制御システムの能力セキュリティレベルを明確に確認し、適切な対策を講じる際の指針を提供します。 さらに、この標準は制御システムのセキュリティ能力を強化することを目的としており、ターゲットセキュリティレベル(SL-T)や達成済みセキュリティレベル(SL-A)に関しては範囲外であることを明確にしているため、使用者は必要なセキュリティ要件に集中することができます。また、IEC 62443-2-1では、制御システムターゲットSLを完全に達成するために必要な非技術的かつプログラム関連の能力SRsが提供されているため、全体的なセキュリティ戦略を構築する際の参考にもなります。 要約すると、SIST EN IEC 62443-3-3:2019は、制御システムにおけるセキュリティの要件を明確に定義し、産業界のさまざまなニーズに応じた適用性の高い基準を提供するため、非常に重要であると言えます。

SIST EN IEC 62443-3-3:2019 표준은 산업 통신 네트워크와 시스템 보안에 대한 신뢰할 수 있는 지침을 제공합니다. 이 표준은 IEC 62443 시리즈 중 제3-3 파트로, 체계적인 보안 요구사항(SR)과 보안 수준(SL)에 대한 상세 기술 요구사항을 다루고 있습니다. 표준의 범위는 IEC 62443-1-1에서 규명된 일곱 가지 기초 요구사항(FR)과 관련된 보안 요구사항을 명확히 정의함으로써 산업 자동화 및 제어 시스템(IACS) 커뮤니티의 다양한 구성원들이 활용할 수 있도록 돕습니다. 이 표준의 가장 큰 장점 중 하나는 보안 능력의 정의에 있습니다. 내부의 보안 요구사항은 실제 자산에 적합한 시스템 보안 수준(SL-T)을 개발하는 데 필수적인 역할을 하며, 각 기초 요구사항은 구체적인 보안 목표를 설정하는 데 필요한 프레임워크를 제공합니다. 특히, 일곱 가지 요구사항은 다음과 같습니다: 식별 및 인증 제어(IAC), 사용 제어(UC), 시스템 무결성(SI), 데이터 기밀성(DC), 제한된 데이터 흐름(RDF), 사건에 대한 적시 대응(TRE), 및 자원 가용성(RA). 이러한 요구사항은 제어 시스템의 보안 능력을 효과적으로 개발하기 위한 기초로 작용합니다. SIST EN IEC 62443-3-3:2019는 또한 사용자가 시스템 보안 목표를 달성하기 위해 전문 지식을 바탕으로 요구사항을 구현할 수 있도록 구체적인 지침을 제공합니다. 표준은 보안 목표(SL-T) 및 달성된 보안 수준(SL-A)과 같은 범위 외의 항목보다는 제어 시스템 능력에 집중하고 있습니다. 이를 통해 사용자는 각 자산의 특정 요구를 만족하는 보안 조치를 효과적으로 수립할 수 있습니다. 결론적으로, SIST EN IEC 62443-3-3:2019 표준은 산업 통신 네트워크 및 시스템 보안을 위한 필수적인 기준으로, 제어 시스템 보안 요구사항을 체계적으로 정의하고 있습니다. 이 표준은 IACS에서 보고된 보안 위험을 효과적으로 관리하기 위한 기초를 제공하여 안전한 시스템 운영을 지원합니다.

The SIST EN IEC 62443-3-3:2019 standard focuses on the crucial aspect of industrial communication networks, specifically addressing network and system security within the framework of the IEC 62443 series. Its scope encompasses detailed technical control system requirements (SRs) aligned with the seven foundational requirements (FRs) stipulated in IEC 62443‑1‑1. This systematic approach to defining control system capability security levels (SL-C) is vital for stakeholders in the industrial automation and control system (IACS) sector, ensuring they can assess and implement essential security measures effectively. One of the key strengths of this standard lies in its comprehensive integration of the seven foundational requirements. By emphasizing identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA), the standard provides a robust foundation upon which organizations can build their security protocols. This structured methodology not only aids in clarifying the necessary security capabilities at the control system level but also ensures that these requirements resonate with the varied complexities of IACS assets. Moreover, the standard’s focus on defining security capability at the control system level enhances its relevance in today's industrial landscape, where cyber threats continue to evolve. By providing clarity on control system target security levels (SL-T) and establishing achievable security levels (SL-A) as out of scope, the document strategically concentrates on empowering organizations to develop customized and protective control system security strategies tailored to specific assets and operational environments. The SIST EN IEC 62443-3-3:2019 standard proves to be instrumental for various members of the IACS community, guiding them in the development of tailored security approaches based on the unique requirements of their systems under consideration (SuC). Its alignment with the broader IEC 62443 framework signifies its importance in cultivating a safer industrial ecosystem through enhanced security practices and standardized methodologies.

La norme SIST EN IEC 62443-3-3:2019 joue un rôle essentiel dans le domaine des réseaux de communication industriels et de la sécurité des systèmes. Elle offre une approche structurée en définissant des exigences de sécurité du système (SRs) qui sont cruciales pour l'automatisation industrielle et les systèmes de contrôle (IACS). En se basant sur les sept exigences fondamentales (FRs) énoncées dans IEC 62443‑1‑1, cette norme approfondit les capacités de sécurité des systèmes de contrôle en établissant des niveaux de sécurité associés, SL-C (système de contrôle). Le principal point fort de cette norme réside dans sa capacité à fournir des exigences techniques détaillées qui orientent les différents acteurs de la communauté IACS dans le développement de solutions de sécurité adaptées. En définissant des niveaux de sécurité de capacité pour les systèmes de contrôle, la norme permet aux entreprises de concevoir des systèmes robustes qui répondent efficacement aux exigences de sécurité spécifiques à leurs actifs. Une autre force de la norme est son approche méthodique pour identifier et authentifier les contrôles, ainsi que pour intégrer des mesures de confidentialité des données et d'intégrité du système. Les sept exigences fondamentales, y compris le contrôle d'utilisation, le flux de données restreint et la disponibilité des ressources, forment une base solide qui assure une couverture exhaustive des aspects de sécurité critiques. La pertinence de cette norme est indéniable dans un environnement où les cybermenaces évoluent constamment. En fournissant un cadre clair pour établir des niveaux de sécurité de capacité (SL-C), la norme SIST EN IEC 62443-3-3:2019 non seulement contribue à améliorer la sécurité des systèmes industriels, mais aussi protège les actifs critiques contre diverses vulnérabilités. En s'assurant que les exigences de sécurité sont intégrées dès la conception, cette norme sert de référence précieuse pour les professionnels engagés dans la mise en œuvre de systèmes de contrôle sécurisés.