IEC 62443: The International Series of Standards for Cybersecurity in Industrial Automation - Part 2/2

The IEC 62443 series of standards is organized into five parts (1, 2, 3, 4 and 6). Many documents in the series have already been published; others are still scheduled. In the following, we look at them in detail.

Current processing status of the individual standard parts

IEC 62443-1: General principles

IEC/TS 62443-1-1

  • IEC title: Concepts and models
  • IEC processing status: published

Part 1-1 of the series of standards defines the terminology as well as the concepts and models for the cybersecurity of industrial automation and control systems (IACS for short). Part 1 forms the basis for the other parts of the series of standards.

IEC 62443-1-2

  • IEC title: Master glossary of terms and abbreviations
  • IEC processing status: scheduled

IEC 62443-1-3

  • IEC title: System security conformance metrics
  • IEC processing status: scheduled

IEC 62443-1-4

  • IEC title: IACS security lifecycle and use-cases
  • IEC processing status: scheduled

IEC/TS 62443-1-5

  • IEC title: Rules for IEC 62443 Profiles
  • IEC processing status: scheduled

IEC 62443-2: Security requirements for operators and service providers

IEC 62443-2-1

  • IEC title: Security program requirements for IACS asset owners
  • IEC processing status: published

Part 2-1 of the series of standards defines the elements required in order to build an information security management system (ISMS) for industrial automation and control systems (IACS) and provides guidance for developing these elements. This document uses the broad definition and scope for an IACS as defined in IEC 62443-1-1.

The elements of an ISMS according to this standard primarily relate to the associated policies, procedures, functions and personnel. In addition, the standard describes what should or must be included in the final ISMS of the organization.

IEC 62443-2-2

  • IEC title: Security Protection Rating
  • IEC processing status: scheduled

Part 2-2 of the series of standards specifies a framework for evaluating the protection of an IACS. It includes a procedure for combining the evaluation of both organizational and technical security measures into a numerical value, the so-called "protection level".

The framework provides the structure for evaluating the defense-in-depth strategy of the IACS in operation based on the technical and organizational requirements specified in other documents in the IEC 62443 series of standards.

IEC/TR 62443-2-3

  • IEC title: Patch management in the IACS environment
  • IEC processing status: published

Part 2-3 of the series of standards describes requirements for IACS operators and manufacturers who have established and maintain an IACS patch management program.

It recommends a defined format for the dissemination of security patch information from operators to manufacturers, defines certain activities related to the development of patch information by manufacturers, and covers the deployment and installation of patches by operators.

IEC 62443-2-4

  • IEC title: Requirements for IACS service providers
  • IEC processing status: published
  • German title: Anforderungen an das IT-Sicherheitsprogramm von Dienstleistern für industrielle Automatisierungssysteme (Requirements for the IT Security Program of Service Providers for Industrial Automation Systems)
  • German processing status: published as DIN EN IEC 62443-2-4 (VDE 0802-2-4)

Part 2-4 of IEC 62443 specifies a comprehensive set of security capability requirements that IACS service providers can offer to the operator during the integration and maintenance activities of an automation solution. Since not all requirements apply to all industries and organizations, Part 2-4 provides for the development of profiles that allow subsets of these requirements to be formed. Profiles are used to adapt this document to specific environments, including environments that are not based on an IACS.

IEC 62443-2-5

  • IEC title: Implementation guidance for IACS asset owners
  • IEC processing status: scheduled

IEC 62443-3: Security requirements for automation systems

IEC/TR 62443-3-1

  • IEC title: Security technologies for IAC
  • IEC processing status: published

Part 3-1 of the series of standards provides an assessment of various cybersecurity tools, countermeasures and technologies that can be effectively applied to modern IACSs across numerous industries and critical infrastructures.

It describes categories of cybersecurity technologies, the types of products available in these categories, and the advantages and disadvantages of using these products in IACS environments relative to anticipated threats and known vulnerabilities. It also gives preliminary recommendations and guidance for the use of these cybersecurity technology products and/or countermeasures.

IEC 62443-3-2

  • IEC title: Security risk assessment and system design
  • IEC processing status: published

Part 3-2 of the series of standards specifies how the definition of the system under consideration and its division into zones and conduits can be derived by means of risk analysis. It also describes how the security level target (SL-T) to be achieved can be assigned to the zones and conduits.

In detail, the standard requires the following steps at system level for establishing the zones and conduits:

  • Determination of the system under consideration
  • Performance of an overarching risk assessment for IT security
  • Division of the system under consideration into zones and conduits
  • Documentation of requirements, assumptions and boundary conditions

IEC 62443-3-3

  • IEC title: System security requirements and security levels
  • IEC processing status: published
  • German title: Systemanforderungen zur IT-Sicherheit und Security-Level (System requirements for IT security and security levels)
  • German processing status: published as DIN EN IEC 62443-3-3 (VDE 0802-3-3)

Part 3-3 of the series of standards specifies detailed technical system requirements (SR) for IACS, including requirements for the achievable security level capability, SL-C (system), based on the seven foundational requirements (FR) of IEC 62443-1-1.

Integrators and manufacturers in the field of industrial automation technology apply these requirements to develop an appropriate and achievable security level target, SL-T (system), for a protected object based on the defined zones and conduits of a system under consideration.

IEC 62443-4: Security requirements for automation components

IEC 62443-4-1

  • IEC title: Secure product development lifecycle requirements
  • IEC processing status: published
  • German title: Anforderungen an den Lebenszyklus für eine sichere Produktentwicklung (Lifecycle requirements for secure product development)
  • German processing status: published as DIN EN IEC 62443-4-1 (VDE 0802-4-1)

Part 4-1 of the series of standards specifies requirements for a secure development process for products used in IACS. It defines a secure development lifecycle (SDL) for the development and maintenance of secure products.

The lifecycle includes the definition of IT security requirements, secure design ("Security-by-Design"), secure implementation (including programming guidelines), verification and validation, vulnerability handling, patch management and the end of the product lifecycle.

The requirements can be applied to new or existing processes for the development, maintenance, servicing and retirement of hardware, software or firmware for new or existing products.

IEC 62443-4-2

  • IEC title: Technical security requirements for IACS components
  • IEC processing status: published
  • German title: Technische Sicherheitsanforderungen an Komponenten industrieller Automatisierungssysteme (IACS) (Technical security requirements for components of industrial automation systems)
  • German processing status: published as DIN EN IEC 62443-4-2 (VDE 0802-4-2)

Part 4-2 of the series of standards specifies detailed component requirements (CR) for components in IACS based on the seven foundational requirements (FR) of IEC 62443-1-1, including requirements for the achievable security level capability, SL-C (component).

Manufacturers in the field of industrial automation technology apply these requirements to develop an appropriate security level target, SL-T (component), to be achieved for a protected object based on the defined zones and conduits of the system under consideration.
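To make the SL-T versus SL-C relationship described for Parts 3-3 and 4-2 concrete, here is an added Python example (not from the DKE article or the standard itself) that models a security level as a vector over the seven foundational requirements of IEC 62443-1-1 and reports, per FR, where a component's SL-C falls short of the SL-T assigned to its zone. The FR abbreviations, the zone, the components and all level values are assumptions or constructed sample data.

```python
# Added example: IEC 62443 security levels as a vector over the seven
# foundational requirements (FR); compare a zone's SL-T with component SL-C.
from dataclasses import dataclass, field

# The seven FRs of IEC 62443-1-1 (abbreviations assumed for this example).
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


def sl_vector(**levels):
    """Build an SL vector (one level 0..4 per FR); unspecified FRs default to 0."""
    unknown = set(levels) - set(FRS)
    if unknown:
        raise ValueError(f"unknown FR(s): {sorted(unknown)}")
    vec = {fr: int(levels.get(fr, 0)) for fr in FRS}
    for fr, lvl in vec.items():
        if not 0 <= lvl <= 4:
            raise ValueError(f"{fr}: security level must be 0..4, got {lvl}")
    return vec


@dataclass
class Component:
    name: str
    sl_c: dict  # SL-C (component), as claimed under IEC 62443-4-2


@dataclass
class Zone:
    name: str
    sl_t: dict  # SL-T assigned to the zone by the 3-2 risk assessment
    components: list = field(default_factory=list)


def zone_gaps(zone):
    """Return {component: {FR: (sl_c, sl_t)}} for every FR where SL-C < SL-T."""
    gaps = {}
    for comp in zone.components:
        short = {fr: (comp.sl_c[fr], zone.sl_t[fr])
                 for fr in FRS if comp.sl_c[fr] < zone.sl_t[fr]}
        if short:
            gaps[comp.name] = short
    return gaps


def zone_meets_target(zone):
    """True only if every component reaches the zone's SL-T on all seven FRs."""
    return not zone_gaps(zone)


# Constructed sample: a control zone targeted at SL 2, with SL 3 for use control,
# holding one PLC and one HMI whose capability vectors are likewise made up.
CONTROL_ZONE = Zone(
    "Control zone A",
    sl_t=sl_vector(IAC=2, UC=3, SI=2, DC=2, RDF=2, TRE=2, RA=2),
    components=[
        Component("PLC-1", sl_vector(IAC=2, UC=3, SI=2, DC=2, RDF=2, TRE=2, RA=2)),
        Component("HMI-1", sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=2, RA=2)),
    ],
)
```

Calling `zone_gaps(CONTROL_ZONE)` lists the HMI's shortfalls on UC and DC, which is exactly the kind of gap that has to be closed by compensating countermeasures or a different component choice before the zone can claim its SL-T.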

IEC 62443-6: Evaluation methodology

IEC/TS 62443-6-1

  • IEC title: Security evaluation methodology for IEC 62443 - Part 2-4: Security program requirements for IACS service providers
  • IEC processing status: scheduled

IEC/TS 62443-6-2

  • IEC title: Security evaluation methodology for IEC 62443 - Part 4-2: Technical security requirements for IACS components
  • IEC processing status: scheduled


More information in the context of our theme week on IEC 62443

More articles by DKE (German Commission for Electrical, Electronic & Information Technologies)
