Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components (IEC 62443-4-2:2019)

IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component).
As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs):
a) identification and authentication control (IAC),
b) use control (UC),
c) system integrity (SI),
d) data confidentiality (DC),
e) restricted data flow (RDF),
f) timely response to events (TRE), and
g) resource availability (RA).
These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope.

Industrielle Kommunikationsnetze – IT-Sicherheit für industrielle Automatisierungssysteme – Teil 4-2: Anforderungen an Komponenten industrieller Automatisierungssysteme (IEC 62443-4-2:2019)

Sécurité des systèmes d’automatisation et de commande industrielles - Partie 4-2: Exigences de sécurité technique des composants IACS (IEC 62443-4-2:2019)

IEC 62443-4-2:2019 indique les exigences relatives au composant (CR) d'un système de commande technique ainsi que les sept exigences fondamentales (FR) décrites dans l'IEC TS 62443-1-1, y compris la définition des exigences relatives aux niveaux de sécurité de capacité des systèmes de commande et à leurs composants, SL-C(composant).
Comme l'indique l'IEC TS 62443-1-1, il existe en tout sept exigences fondamentales (FR):
a) contrôle d'identification et d'authentification (IAC),
b) contrôle d'utilisation (UC),
c) intégrité du système (SI),
d) confidentialité des données (DC),
e) transfert de données limité (RDF),
f) réponse appropriée aux événements (TRE), et
g) disponibilité des ressources (RA).
Ces sept exigences fondamentales sont à la base de la définition des niveaux de capacité de sécurité des systèmes de commande. Le présent document a pour objet de définir les niveaux de capacité de sécurité du composant du système de commande, par opposition au SL-T ou aux niveaux de sécurité atteints (SL-A), qui n'entrent pas dans le domaine d'application.

Zaščita za sisteme industrijske avtomatizacije in nadzornih sistemov - 4-2. del: Zahteve za tehnično varnost zaščito za IACS komponente (IEC 62443-4-2:2019)

Ta dokument podaja podrobne tehnične zahteve za komponente nadzornega sistema (CR), ki so povezane s sedmimi temeljnimi zahtevami (FR), opisanimi v standardu IEC TS 62443-1-1, vključno z določanjem zahtev za nivoje varnosti zmogljivosti nadzornega sistema in njegove komponente, SL-C (komponenta). Kot je opredeljeno v standardu IEC TS 62443-1-1, obstaja sedem temeljnih zahtev (FR): a) nadzor identifikacije in preverjanja pristnosti (IAC), b) nadzor uporabe (UC), c) celovitost sistema (SI), d) zaupnost podatkov (DC), e) omejen pretok podatkov (RDF), f) pravočasen odziv na dogodke (TRE) in g) razpoložljivost virov (RA). Teh sedem temeljnih zahtev so temelj za opredelitev nivojev varnosti zmogljivosti nadzornega sistema. Opredelitev nivojev zmogljivosti zaščite za komponento nadzornega sistema je cilj tega dokumenta v nasprotju s ciljnimi nivoji varnosti ali doseženimi nivoji varnosti (SL-A), ki niso zajeti.

General Information

Status
Published
Publication Date
08-Sep-2019
ICS
25.040.01 - Industrial automation systems in general
 
35.030 - IT Security
Technical Committee
MOV - Measuring equipment for electromagnetic quantities
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
26-Apr-2019
Due Date
01-Jul-2019
Completion Date
09-Sep-2019
Ref Project
EN IEC 62443-4-2:2019 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

Relations

Corrected By
SIST EN IEC 62443-4-2:2019/AC:2023 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components (IEC 62443-4-2:2019/COR1:2022)
Effective Date
13-Sep-2022

Overview

EN IEC 62443-4-2:2019 (IEC 62443-4-2) defines technical security requirements for IACS components - hardware, firmware and software elements used in Industrial Automation and Control Systems (IACS). Its primary objective is to specify component-level control requirements (CRs) that map to the seven Foundational Requirements (FRs) from IEC/TS 62443-1-1 and to define component security capability levels (SL‑C). This standard is focused on component capability (SL‑C); topics such as system-level target SL (SL‑T) or achieved SL (SL‑A) are out of scope.

Keywords: EN IEC 62443-4-2:2019, IEC 62443-4-2, IACS components, SL-C, industrial cybersecurity, technical security requirements.

Key Topics

EN IEC 62443-4-2 organizes technical controls around the seven FRs:

  • Identification & Authentication Control (IAC) - human, device and software identity; account and authenticator management; password and cryptographic requirements (e.g., CR 1.1–1.16).
  • Use Control (UC) - authorization enforcement, session lock/termination, mobile device controls.
  • System Integrity (SI) - protections against unauthorized code or configuration changes.
  • Data Confidentiality (DC) - encryption and key management for sensitive data.
  • Restricted Data Flow (RDF) - controls on network/data flows and network segmentation.
  • Timely Response to Events (TRE) - logging, event reporting and forensic support.
  • Resource Availability (RA) - robustness and protection against DoS/resource exhaustion.

Other technical features:

  • Common Component Security Constraints (CCSC) such as least privilege and secure software development process requirements.
  • Component Requirement (CR) structure: each CR includes requirement statement, rationale, supplemental guidance, enhancements and mapping to SL‑C descriptions.

Keywords: component requirement, CR, CCSC, foundational requirements, authentication, authorization, PKI, password strength.

Applications & Users

Who uses EN IEC 62443-4-2:

  • Product vendors and developers - to design IACS components that meet defined security capability levels (SL‑C).
  • System integrators and OEMs - to select and validate components that comply with component security requirements.
  • Asset owners/operators - to specify procurement requirements and evaluate component security during architecture design.
  • Certification bodies and test labs - to assess component conformance to IEC 62443 technical CRs.
  • Security engineers and auditors - for gap analysis and hardening of control-system components.

Practical benefits:

  • Consistent, measurable component security criteria for procurement and testing.
  • Clear mapping from technical controls to component capability levels (SL‑C).
  • Improved interoperability of secure components within industrial architectures.

Keywords: industrial automation security, control system security, component security levels, procurement, conformance testing.

Related Standards

  • IEC/TS 62443-1-1 - Terminology, concepts and models (foundation for FRs)
  • IEC 62443-3-3 - System security requirements and security levels
  • EN IEC 62443-4-1 - Secure product development lifecycle requirements

Using EN IEC 62443-4-2:2019 together with 62443-4-1 helps vendors embed security into product lifecycle and demonstrate conformance of IACS components to recognized industrial cybersecurity requirements.

SIST EN IEC 62443-4-2:2019 - BARVE - Page 1 previewSIST EN IEC 62443-4-2:2019 - BARVE - Page 2 previewSIST EN IEC 62443-4-2:2019 - BARVE - Page 3 previewSIST EN IEC 62443-4-2:2019 - BARVE - Page 4 preview
PreviousNext
Standard

SIST EN IEC 62443-4-2:2019 - BARVE

English language
97 pages
Preview
Preview
e-Library read for
1 day

Frequently Asked Questions

SIST EN IEC 62443-4-2:2019 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components (IEC 62443-4-2:2019)". This standard covers: IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA). These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope.

IEC 62443-4-2:2019 provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels and their components, SL-C(component). As defined in IEC TS 62443-1-1 there are a total of seven foundational requirements (FRs): a) identification and authentication control (IAC), b) use control (UC), c) system integrity (SI), d) data confidentiality (DC), e) restricted data flow (RDF), f) timely response to events (TRE), and g) resource availability (RA). These seven FRs are the foundation for defining control system security capability levels. Defining security capability levels for the control system component is the goal and objective of this document as opposed to SL-T or achieved SLs (SL-A), which are out of scope.

SIST EN IEC 62443-4-2:2019 is classified under the following ICS (International Classification for Standards) categories: 25.040.01 - Industrial automation systems in general; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN IEC 62443-4-2:2019 has the following relationships with other standards: It is inter standard links to SIST EN IEC 62443-4-2:2019/AC:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST EN IEC 62443-4-2:2019 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-november-2019
Zaščita za sisteme industrijske avtomatizacije in nadzornih sistemov - 4-2. del:
Zahteve za tehnično varnost zaščito za IACS komponente (IEC 62443-4-2:2019)
Security for industrial automation and control systems - Part 4-2: Technical security
requirements for IACS components (IEC 62443-4-2:2019)
Industrielle Kommunikationsnetze – IT-Sicherheit für industrielle
Automatisierungssysteme – Teil 4-2: Anforderungen an Komponenten industrieller
Automatisierungssysteme (IEC 62443-4-2:2019)
Sécurité des systèmes d’automatisation et de commande industrielles - Partie 4-2:
Exigences de sécurité technique des composants IACS (IEC 62443-4-2:2019)
Ta slovenski standard je istoveten z: EN IEC 62443-4-2:2019
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62443-4-2

NORME EUROPÉENNE
EUROPÄISCHE NORM
April 2019
ICS 25.040.40; 35.030
English Version
Security for industrial automation and control systems - Part 4-2:
Technical security requirements for IACS components
(IEC 62443-4-2:2019)
Industrielle Kommunikationsnetze – IT-Sicherheit für Sécurité des systèmes d'automatisation et de commande
industrielle Automatisierungssysteme – Teil 4-2: industrielles - Partie 4-2: Exigences de sécurité technique
Anforderungen an Komponenten industrieller des composants IACS
Automatisierungssysteme (IEC 62443-4-2:2019)
(IEC 62443-4-2:2019)
This European Standard was approved by CENELEC on 2019-04-03. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-4-2:2019 E

European foreword
The text of document 65/735/FDIS, future edition 1 of IEC 62443-4-2, prepared by IEC/TC 65
"Industrial-process measurement, control and automation" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62443-4-2:2019.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2020-01-03
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2022-04-03
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Standard IEC 62443-4-2:2019 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
ISO/IEC 27002:2013 NOTE Harmonized as EN ISO/IEC 27002:2017 (not modified)
IEC 62264-1 NOTE Harmonized as EN 62264-1
IEC 62443-3-2 NOTE Harmonized as EN 62443-3-2

Under preparation. Stage at time of publication: prEN 62443-3-2:2018.
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62443-1-1 -  Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-3-3 2013 Industrial communication networks - - -
Network and system security - Part 3-3:
System security requirements and security
levels
Security for industrial automation and
IEC 62443-4-1 -  EN IEC 62443-4-1 -
control systems – Part 4-1: Secure product
development lifecycle requirements

IEC 62443-4-2 ®
Edition 1.0 2019-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Security for industrial automation and control systems –

Part 4-2: Technical security requirements for IACS components

Sécurité des systèmes d’automatisation et de commande industrielles –

Partie 4-2: Exigences de sécurité technique des composants IACS

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.030 ISBN 978-2-8322-6597-0

– 2 – IEC 62443-4-2:2019  IEC 2019
CONTENTS
FOREWORD . 12
INTRODUCTION . 14
1 Scope . 17
2 Normative references . 17
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 18
3.1 Terms and definitions . 18
3.2 Abbreviated terms and acronyms . 24
3.3 Conventions . 26
4 Common component security constraints . 27
4.1 Overview. 27
4.2 CCSC 1: Support of essential functions . 27
4.3 CCSC 2: Compensating countermeasures . 27
4.4 CCSC 3: Least privilege . 27
4.5 CCSC 4: Software development process . 27
5 FR 1 – Identification and authentication control . 27
5.1 Purpose and SL-C(IAC) descriptions . 27
5.2 Rationale . 28
5.3 CR 1.1 – Human user identification and authentication . 28
5.3.1 Requirement . 28
5.3.2 Rationale and supplemental guidance. 28
5.3.3 Requirement enhancements . 28
5.3.4 Security levels . 29
5.4 CR 1.2 – Software process and device identification and authentication . 29
5.4.1 Requirement . 29
5.4.2 Rationale and supplemental guidance. 29
5.4.3 Requirement enhancements . 29
5.4.4 Security levels . 30
5.5 CR 1.3 – Account management . 30
5.5.1 Requirement . 30
5.5.2 Rationale and supplemental guidance. 30
5.5.3 Requirement enhancements . 30
5.5.4 Security levels . 30
5.6 CR 1.4 – Identifier management . 30
5.6.1 Requirement . 30
5.6.2 Rationale and supplemental guidance. 30
5.6.3 Requirement enhancements . 31
5.6.4 Security levels . 31
5.7 CR 1.5 – Authenticator management . 31
5.7.1 Requirement . 31
5.7.2 Rationale and supplemental guidance. 31
5.7.3 Requirement enhancements . 32
5.7.4 Security levels . 32
5.8 CR 1.6 – Wireless access management . 32

IEC 62443-4-2:2019  IEC 2019 – 3 –
5.9 CR 1.7 – Strength of password-based authentication . 32
5.9.1 Requirement . 32
5.9.2 Rationale and supplemental guidance. 32
5.9.3 Requirement enhancements . 32
5.9.4 Security levels . 33
5.10 CR 1.8 – Public key infrastructure certificates . 33
5.10.1 Requirement . 33
5.10.2 Rationale and supplemental guidance. 33
5.10.3 Requirement enhancements . 33
5.10.4 Security levels . 33
5.11 CR 1.9 – Strength of public key-based authentication . 34
5.11.1 Requirement . 34
5.11.2 Rationale and supplemental guidance. 34
5.11.3 Requirement enhancements . 35
5.11.4 Security levels . 35
5.12 CR 1.10 – Authenticator feedback . 35
5.12.1 Requirement . 35
5.12.2 Rationale and supplemental guidance. 35
5.12.3 Requirement enhancements . 35
5.12.4 Security levels . 35
5.13 CR 1.11 – Unsuccessful login attempts . 35
5.13.1 Requirement . 35
5.13.2 Rationale and supplemental guidance. 36
5.13.3 Requirement enhancements . 36
5.13.4 Security levels . 36
5.14 CR 1.12 – System use notification . 36
5.14.1 Requirement . 36
5.14.2 Rationale and supplemental guidance. 36
5.14.3 Requirement enhancements . 36
5.14.4 Security levels . 37
5.15 CR 1.13 – Access via untrusted networks . 37
5.16 CR 1.14 – Strength of symmetric key-based authentication . 37
5.16.1 Requirement . 37
5.16.2 Rationale and supplemental guidance. 37
5.16.3 Requirement enhancements . 37
5.16.4 Security levels . 38
6 FR 2 – Use control. 38
6.1 Purpose and SL-C(UC) descriptions . 38
6.2 Rationale . 38
6.3 CR 2.1 – Authorization enforcement . 38
6.3.1 Requirement . 38
6.3.2 Rationale and supplemental guidance. 38
6.3.3 Requirement enhancements . 39
6.3.4 Security levels . 39
6.4 CR 2.2 – Wireless use control . 40
6.4.1 Requirement . 40
6.4.2 Rationale and supplemental guidance. 40
6.4.3 Requirement enhancements . 40
6.4.4 Security levels . 40

– 4 – IEC 62443-4-2:2019  IEC 2019
6.5 CR 2.3 – Use control for portable and mobile devices . 40
6.6 CR 2.4 – Mobile code. 40
6.7 CR 2.5 – Session lock . 40
6.7.1 Requirement . 40
6.7.2 Rationale and supplemental guidance. 41
6.7.3 Requirement enhancements . 41
6.7.4 Security levels . 41
6.8 CR 2.6 – Remote session termination . 41
6.8.1 Requirement . 41
6.8.2 Rationale and supplemental guidance. 41
6.8.3 Requirement enhancements . 41
6.8.4 Security levels . 41
6.9 CR 2.7 – Concurrent session control . 41
6.9.1 Requirement . 41
6.9.2 Rationale and supplemental guidance. 42
6.9.3 Requirement enhancements . 42
6.9.4 Security levels . 42
6.10 CR 2.8 – Auditable events . 42
6.10.1 Requirement . 42
6.10.2 Rationale and supplemental guidance. 42
6.10.3 Requirement enhancements . 42
6.10.4 Security levels . 43
6.11 CR 2.9 – Audit storage capacity . 43
6.11.1 Requirement . 43
6.11.2 Rationale and supplemental guidance. 43
6.11.3 Requirement enhancements . 43
6.11.4 Security levels . 43
6.12 CR 2.10 – Response to audit processing failures . 43
6.12.1 Requirement . 43
6.12.2 Rationale and supplemental guidance. 44
6.12.3 Requirement enhancements . 44
6.12.4 Security levels . 44
6.13 CR 2.11 – Timestamps . 44
6.13.1 Requirement . 44
6.13.2 Rationale and supplemental guidance. 44
6.13.3 Requirement enhancements . 44
6.13.4 Security levels . 44
6.14 CR 2.12 – Non-repudiation . 45
6.14.1 Requirement . 45
6.14.2 Rationale and supplemental guidance. 45
6.14.3 Requirement enhancements . 45
6.14.4 Security levels . 45
6.15 CR 2.13 – Use of physical diagnostic and test interfaces . 45
7 FR 3 – System integrity . 45
7.1 Purpose and SL-C(SI) descriptions . 45
7.2 Rationale . 46

IEC 62443-4-2:2019  IEC 2019 – 5 –
7.3 CR 3.1 – Communication integrity . 46
7.3.1 Requirement . 46
7.3.2 Rationale and supplemental guidance. 46
7.3.3 Requirement enhancements . 47
7.3.4 Security levels . 47
7.4 CR 3.2 – Protection from malicious code . 47
7.5 CR 3.3 – Security functionality verification . 47
7.5.1 Requirement . 47
7.5.2 Rationale and supplemental guidance. 47
7.5.3 Requirement enhancements . 47
7.5.4 Security levels . 48
7.6 CR 3.4 – Software and information integrity . 48
7.6.1 Requirement . 48
7.6.2 Rationale and supplemental guidance. 48
7.6.3 Requirement enhancements . 48
7.6.4 Security levels . 48
7.7 CR 3.5 – Input validation . 48
7.7.1 Requirement . 48
7.7.2 Rationale and supplemental guidance. 49
7.7.3 Requirement enhancements . 49
7.7.4 Security levels . 49
7.8 CR 3.6 – Deterministic output . 49
7.8.1 Requirement . 49
7.8.2 Rationale and supplemental guidance. 49
7.8.3 Requirement enhancements . 49
7.8.4 Security levels . 50
7.9 CR 3.7 – Error handling . 50
7.9.1 Requirement . 50
7.9.2 Rationale and supplemental guidance. 50
7.9.3 Requirement enhancements . 50
7.9.4 Security levels . 50
7.10 CR 3.8 – Session integrity. 50
7.10.1 Requirement . 50
7.10.2 Rationale and supplemental guidance. 51
7.10.3 Requirement enhancements . 51
7.10.4 Security levels . 51
7.11 CR 3.9 – Protection of audit information . 51
7.11.1 Requirement . 51
7.11.2 Rationale and supplemental guidance. 51
7.11.3 Requirement enhancements . 51
7.11.4 Security levels . 51
7.12 CR 3.10 – Support for updates . 52
7.13 CR 3.11 – Physical tamper resistance and detection . 52
7.14 CR 3.12 – Provisioning product supplier roots of trust . 52
7.15 CR 3.13 – Provisioning asset owner roots of trust . 52
7.16 CR 3.14 – Integrity of the boot process . 52
8 FR 4 – Data confidentiality. 52
8.1 Purpose and SL-C(DC) descriptions . 52
8.2 Rationale . 52

– 6 – IEC 62443-4-2:2019  IEC 2019
8.3 CR 4.1 – Information confidentiality . 52
8.3.1 Requirement . 52
8.3.2 Rationale and supplemental guidance. 53
8.3.3 Requirement enhancements . 53
8.3.4 Security levels . 53
8.4 CR 4.2 – Information persistence . 53
8.4.1 Requirement . 53
8.4.2 Rationale and supplemental guidance. 53
8.4.3 Requirement enhancements . 53
8.4.4 Security levels . 54
8.5 CR 4.3 – Use of cryptography . 54
8.5.1 Requirement . 54
8.5.2 Rationale and supplemental guidance. 54
8.5.3 Requirement enhancements . 54
8.5.4 Security levels . 54
9 FR 5 – Restricted data flow . 55
9.1 Purpose and SL-C(RDF) descriptions . 55
9.2 Rationale . 55
9.3 CR 5.1 – Network segmentation . 55
9.3.1 Requirement . 55
9.3.2 Rationale and supplemental guidance. 55
9.3.3 Requirement enhancements . 56
9.3.4 Security levels . 56
9.4 CR 5.2 – Zone boundary protection . 56
9.5 CR 5.3 – General-purpose person-to-person communication restrictions . 56
9.6 CR 5.4 – Application partitioning . 56
10 FR 6 – Timely response to events. 56
10.1 Purpose and SL-C(TRE) descriptions . 56
10.2 Rationale . 57
10.3 CR 6.1 – Audit log accessibility . 57
10.3.1 Requirement . 57
10.3.2 Rationale and supplemental guidance. 57
10.3.3 Requirement enhancements . 57
10.3.4 Security levels . 57
10.4 CR 6.2 – Continuous monitoring . 57
10.4.1 Requirement . 57
10.4.2 Rationale and supplemental guidance. 57
10.4.3 Requirement enhancements . 58
10.4.4 Security levels . 58
11 FR 7 – Resource availability . 58
11.1 Purpose and SL-C(RA) descriptions . 58
11.2 Rationale . 58
11.3 CR 7.1 – Denial of service protection . 59
11.3.1 Requirement . 59
11.3.2 Rationale and supplemental guidance. 59
11.3.3 Requirement enhancements . 59
11.3.4 Security levels . 59

IEC 62443-4-2:2019  IEC 2019 – 7 –
11.4 CR 7.2 – Resource management . 59
11.4.1 Requirement . 59
11.4.2 Rationale and supplemental guidance. 59
11.4.3 Requirement enhancements . 59
11.4.4 Security levels . 59
11.5 CR 7.3 – Control system backup . 60
11.5.1 Requirement . 60
11.5.2 Rationale and supplemental guidance. 60
11.5.3 Requirement enhancements . 60
11.5.4 Security levels . 60
11.6 CR 7.4 – Control system recovery and reconstitution . 60
11.6.1 Requirement . 60
11.6.2 Rationale and supplemental guidance. 60
11.6.3 Requirement enhancements . 60
11.6.4 Security levels . 61
11.7 CR 7.5 – Emergency power . 61
11.8 CR 7.6 – Network and security configuration settings . 61
11.8.1 Requirement . 61
11.8.2 Rationale and supplemental guidance. 61
11.8.3 Requirement enhancements . 61
11.8.4 Security levels . 61
11.9 CR 7.7 – Least functionality . 61
11.9.1 Requirement . 61
11.9.2 Rationale and supplemental guidance. 61
11.9.3 Requirement enhancements . 62
11.9.4 Security levels . 62
11.10 CR 7.8 – Control system component inventory . 62
11.10.1 Requirement . 62
11.10.2 Rationale and supplemental guidance. 62
11.10.3 Requirement enhancements . 62
11.10.4 Security levels . 62
12 Software application requirements . 62
12.1 Purpose . 62
12.2 SAR 2.4 – Mobile code . 62
12.2.1 Requirement . 62
12.2.2 Rationale and supplemental guidance. 63
12.2.3 Requirement enhancements . 63
12.2.4 Security levels . 63
12.3 SAR 3.2 – Protection from malicious code . 63
12.3.1 Requirement . 63
12.3.2 Rationale and supplemental guidance. 63
12.3.3 Requirement enhancements . 63
12.3.4 Security levels . 63
13 Embedded device requirements . 64
13.1 Purpose . 64
13.2 EDR 2.4 – Mobile code . 64
13.2.1 Requirement . 64
13.2.2 Rationale and supplemental guidance. 64
13.2.3 Requirement enhancements . 64

– 8 – IEC 62443-4-2:2019  IEC 2019
13.2.4 Security levels . 64
13.3 EDR 2.13 – Use of physical diagnostic and test interfaces . 64
13.3.1 Requirement . 64
13.3.2 Rationale and supplemental guidance. 65
13.3.3 Requirement enhancements . 65
13.3.4 Security levels . 65
13.4 EDR 3.2 – Protection from malicious code . 65
13.4.1 Requirement . 65
13.4.2 Rationale and supplemental guidance. 65
13.4.3 Requirement enhancements . 66
13.4.4 Security levels . 66
13.5 EDR 3.10 – Support for updates . 66
13.5.1 Requirement . 66
13.5.2 Rationale and supplemental guidance. 66
13.5.3 Requirement enhancements . 66
13.5.4 Security levels . 66
13.6 EDR 3.11 – Physical tamper resistance and detection . 66
13.6.1 Requirement . 66
13.6.2 Rationale and supplemental guidance. 66
13.6.3 Requirement enhancements . 67
13.6.4 Security levels . 67
13.7 EDR 3.12 – Provisioning product supplier roots of trust. 67
13.7.1 Requirement . 67
13.7.2 Rationale and supplemental guidance. 67
13.7.3 Requirement enhancements . 67
13.7.4 Security levels . 68
13.8 EDR 3.13 – Provisioning asset owner roots of trust . 68
13.8.1 Requirement . 68
13.8.2 Rationale and supplemental guidance. 68
13.8.3 Requirement enhancements . 68
13.8.4 Security levels . 68
13.9 EDR 3.14 – Integrity of the boot process . 69
13.9.1 Requirement . 69
13.9.2 Rationale and supplemental guidance. 69
13.9.3 Requirement enhancements .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

SIST EN IEC 62443-4-2:2019は、産業自動化および制御システムのセキュリティに関する文書であり、IACSコンポーネントに対する技術的なセキュリティ要件を詳細に定義しています。この標準は、IEC TS 62443-1-1に示される七つの基盤要件(FRs)によって、その枠組みを形成しています。 この標準の強みは、コントロールシステムの能力セキュリティレベル(SL-C)およびそのコンポーネントに関連する具体的な要件(CRs)を明確に規定している点です。具体的には、識別・認証制御(IAC)、使用制御(UC)、システムの完全性(SI)、データの機密性(DC)、制限されたデータフロー(RDF)、イベントへのタイムリーな応答(TRE)、リソースの可用性(RA)という七つの基盤要件に基づいています。これにより、各コンポーネントがどのようにセキュリティ機能を提供するかを評価する際の明確な基準が設けられています。 また、SIST EN IEC 62443-4-2:2019は、コントロールシステムコンポーネントのセキュリティ能力レベルを定義するための手引きとなるため、セキュリティを重視した製品開発に対して大いに関係があります。このことは、産業界においても求められるセキュリティの強化につながります。 この文書が注目される理由は、工業自動化と制御システムにおけるセキュリティを強化するための具体的なフレームワークを提供することで、使用者や開発者が共通の理解を持ち、効果的なセキュリティ対策を講じるための基盤となるからです。特に、これからのデジタル化が進む中で、IACSコンポーネントにおけるセキュリティ要件は不可欠であり、産業界全体の信頼性を高めるために強力なツールとなるでしょう。

SIST EN IEC 62443-4-2:2019 표준은 산업 자동화 및 제어 시스템에 대한 보안 요구사항을 규명하며, 특히 제어 시스템 구성 요소에 대한 기술적 보안 요구사항을 포함하고 있습니다. 이 문서는 IEC TS 62443-1-1에서 설명하는 일곱 가지 기초 요구사항(FRs)에 대한 심도 있는 기술 통제 시스템 구성 요소 요구사항(CRs)을 제공하여 매우 폭넓은 적용 범위를 가지고 있습니다. 이 표준의 가장 큰 강점은 기초 요구사항에 기반하여 제어 시스템의 보안 기능 수준을 정의하는 데 중점을 두고 있다는 점입니다. 일곱 가지 기초 요구사항에는 식별 및 인증 통제(IAC), 사용 통제(UC), 시스템 무결성(SI), 데이터 기밀성(DC), 제한된 데이터 흐름(RDF), 사건에 대한 시기적절한 반응(TRE), 자원 가용성(RA)이 포함됩니다. 이러한 요구사항들은 IACS 구성 요소의 보안 기능 수준을 정의하는 데 필요한 기초를 마련합니다. SIST EN IEC 62443-4-2:2019는 제어 시스템 구성 요소의 보안 능력 수준을 정의하는 것을 주요 목표로 하고 있으며, 그로 인해 이 표준은 기존의 SL-T나 도달한 SL(SL-A)의 범위를 넘어서 확실하게 목적을 두고 있습니다. 또한, 이 표준은 보안 관련 요구사항을 체계적으로 정리하여 산업 영역에서의 안전성과 신뢰성을 높이는 데 필수적인 기초 자료로 작용합니다. 따라서 SIST EN IEC 62443-4-2:2019는 산업 자동화 및 제어 시스템의 보안 요구사항을 효과적으로 충족시키기 위한 필수적인 표준으로, 현재와 미래의 산업 환경에서 높은 관련성과 중요성을 지니고 있습니다. 이로 인해 산업계에서 표준을 채택하고 준수하는 것이 더욱 중요해지고 있습니다.

The SIST EN IEC 62443-4-2:2019 standard presents a comprehensive framework for addressing the security of industrial automation and control systems (IACS) through its technical security requirements for control system components. The scope of this standard focuses explicitly on the definition and establishment of control system capability security levels and their associated components, which is pivotal for organizations looking to bolster their security posture in industrial environments. One of the key strengths of this standard lies in its clear delineation of the seven foundational requirements (FRs): identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA). These FRs form a robust foundation upon which the security capability levels are built, providing a structured approach to achieve security objectives tailored to specific components of control systems. The document effectively emphasizes the importance of understanding the interdependencies of these foundational requirements and how they collectively contribute to a comprehensive security strategy. By focusing on the components' security capability levels (SL-C), the standard ensures that organizations can implement precise, actionable, and measurable security measures that align with their operational needs without delving into out-of-scope aspects such as achieved security levels (SL-A) or technical security requirements for the overall system (SL-T). Moreover, the relevance of SIST EN IEC 62443-4-2:2019 is pronounced in the context of the evolving threat landscape faced by industrial sectors. As cyber threats become more sophisticated, adhering to this standard allows organizations to systematically enhance their security frameworks, ensuring that each component within the industrial control systems is fortified against potential vulnerabilities. This proactive approach not only helps in compliance with international norms but also fosters a culture of security awareness and resilience within organizations. In summary, the SIST EN IEC 62443-4-2:2019 standard stands out as a vital resource for organizations involved in industrial automation and control systems. Its focus on defining technical security requirements and capability levels provides a clear pathway for enhancing the security foundations of control systems, making it an indispensable reference in the pursuit of robust industrial cybersecurity.