IEC 62443: Security for Industrial Automation and Control Systems (IACS)

IEC 62443 is a series of standards that provides a framework for cybersecurity in industrial automation and control systems (IACS). It addresses the entire supply chain, from product development to system integration and operation. The standard is divided into four main parts, with a focus on policies, procedures, systems, and components.

This overview focuses on three key parts of the standard:

  • IEC 62443-3-2: Security Risk Assessment for System Design: This part focuses on the process of assessing and managing cybersecurity risks during the design of an IACS. It introduces the concept of zones and conduits for segmenting the system and defines a systematic approach to risk assessment.
  • IEC 62443-4-1: Secure Product Development Lifecycle Requirements: This part specifies the process requirements for the secure development of products used in IACS environments. It ensures that security is integrated into products from the beginning of their lifecycle.
  • IEC 62443-4-2: Technical Security Requirements for IACS Components: This part details the technical security requirements for the individual components that make up an IACS, such as software applications, embedded devices, host devices, and network devices.

Foundational Requirements

IEC 62443 is based on seven Foundational Requirements (FRs) that define the high-level security objectives for an IACS:

| FR | Name | Description |
|------|------|-------------|
| FR 1 | Identification and Authentication Control (IAC) | Control access to the IACS by identifying and authenticating all users (humans, processes, and devices). |
| FR 2 | Use Control (UC) | Enforce the privileges of authenticated users to perform actions on the IACS. |
| FR 3 | System Integrity (SI) | Ensure the integrity of the IACS to prevent unauthorized manipulation. |
| FR 4 | Data Confidentiality (DC) | Ensure the confidentiality of data on communication channels and in storage to prevent unauthorized disclosure. |
| FR 5 | Restricted Data Flow (RDF) | Segment the IACS into zones and conduits to limit data flow to what is necessary. |
| FR 6 | Timely Response to Events (TRE) | Respond to security violations by notifying the proper authorities, reporting needed evidence of the violation, and taking timely corrective action. |
| FR 7 | Resource Availability (RA) | Ensure the availability of the IACS against denial-of-service attacks. |
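
The zone and conduit segmentation behind FR 5 can be checked against observed traffic. The following is an added example, not text from the standard or code from this page: it flags flows that cross zones without a defined conduit. The zone names, subnets, directional conduit tuples and sample flows are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone model: names and subnets are illustrative assumptions.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
    "safety": ip_network("10.40.0.0/24"),
}

# Conduits: the only permitted inter-zone paths, modelled here (an assumption)
# as directional (source zone, destination zone, destination port) tuples.
CONDUITS = {
    ("enterprise", "dmz", 443),   # HTTPS to a DMZ service
    ("dmz", "control", 4840),     # OPC UA from DMZ into the control zone
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def zone_of(addr):
    """Map an IP address to its zone name, or None if it is in no zone."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(flow):
    """Return None if the flow is permitted, otherwise a reason string."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "endpoint outside any defined zone"
    if src == dst:
        return None  # intra-zone traffic does not traverse a conduit
    if (src, dst, flow.port) in CONDUITS:
        return None
    return f"no conduit {src} -> {dst} on port {flow.port}"

def violations(flows):
    """Return (flow, reason) pairs for every flow that breaks the model."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

# Constructed sample flows (for example, parsed from firewall or NetFlow logs).
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.8", 443),    # enterprise -> dmz, allowed
    Flow("10.20.0.8", "10.30.0.15", 4840),   # dmz -> control, allowed
    Flow("10.10.5.20", "10.30.0.15", 502),   # enterprise -> control, no conduit
    Flow("10.30.0.15", "10.30.0.16", 502),   # intra-zone, allowed
    Flow("192.168.1.9", "10.40.0.3", 22),    # source is in no defined zone
]
```

Running violations(SAMPLE_FLOWS) returns the two flows that bypass the conduit model, each with the reason it was flagged.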

Quality Attributes

The IEC 62443 standard addresses a broad range of security-related quality attributes, which are essential for the protection of industrial control systems. These attributes are closely related to the seven Foundational Requirements and can be summarized as follows:

  • Security: The core of the standard, encompassing all aspects of protecting the IACS from threats.
  • Integrity: Ensuring that data and system components are not altered in an unauthorized manner.
  • Availability: Ensuring that the IACS is available for use when needed.
  • Confidentiality: Preventing the unauthorized disclosure of information.
  • Access Control: Restricting access to the IACS to authorized users and devices.
  • Auditability: The ability to log and audit security-relevant events.
  • Robustness: The ability of the system to withstand and recover from security threats.
