IEC 62443 Background

The international series of standards IEC 62443 is being developed jointly by the International Electrotechnical Commission (IEC) and ISA99 to address the need to design cybersecurity robustness and resilience into industrial automation and control systems (IACS), covering both organizational and technical aspects of security over the life cycle of systems. Although initially focused on industrial automation, this set of cybersecurity standards has also been adopted by the energy sector, since it provides a methodology for applying security in operational and field environments for cyber-physical systems. It can be used in conjunction with the ISO/IEC 27000 series (in particular with ISO/IEC 27019 for the energy domain) and with IEC 62351, which provides security solutions.

IEC 62443 General organization

The different parts of the standard are grouped into four clusters covering:

  • General concepts, definitions and topics that are common to the series
  • Policies and procedures associated with IACS security including security program requirements for asset owners, and service and solution providers along with a methodology to evaluate the level of protection provided by an operational IACS
  • Technical requirements and risk assessment methodology for cybersecurity on system-wide level
  • Requirements on the secure development lifecycle of system components, and the security requirements of such components at a technical level.

IEC 62443 Series of Industrial Security Standard – Overview (ISA99.org)

In more detail

General parts

  • IEC/TS 62443-1-1 defines the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security, which are used throughout the series. In particular, seven foundation requirements (FRs) are defined: Identification and authentication control (FR1), Use control (FR2), System integrity (FR3), Data confidentiality (FR4), Restricted data flow (FR5), Timely response to events (FR6), and Resource availability (FR7).
  • IEC/TS 62443-1-2 includes the definition of terms and acronyms used in the IEC 62443 standards.

Policies and Procedures related parts

  • IEC 62443-2-1 specifies asset owner security program requirements for industrial automation and control systems (IACS) and provides guidance on how to develop and evolve the security program. The elements of an IACS security program described in this standard define required security capabilities that apply to the secure operation of an IACS, and are mostly policy, procedure, practice and personnel related.
  • IEC/IS 62443-2-2 Ed.2 specifies a framework and methodology for evaluating the protection of an IACS based on the notion of (technical) security level and the maturity of the connected processes. The concept of protection level is a security rating of the combination of technical and organizational measures and defines an indicator of the comprehensiveness of the security program.
  • IEC/TR 62443-2-3 addresses patch management in the IACS environment. Specifically, it provides a defined format for the exchange of information about security patches from asset owners to product suppliers, and a definition of some of the activities associated with the development of the patch information by product suppliers and the deployment of the patches by asset owners. The exchange format and activities are defined for use with security-related patches; however, they may also be applicable to non-security-related patches or updates.
  • IEC 62443-2-4 specifies requirements for security capabilities that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Some of these capabilities reference security measures defined in IEC 62443-3-3 that the service provider must ensure are supported in the Automation Solution.

System related parts

  • IEC/TR 62443-3-1 provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in automated IACS environments relative to the expected threats and known cyber vulnerabilities, and, most importantly, preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.
  • IEC 62443-3-2 establishes requirements for risk assessment in order to partition an IACS (as a system under consideration) into zones and conduits. A zone is a grouping of assets based on risk, while communication between zones takes place through so-called “conduits”. Conduits may then be mapped to the logical network protocol communication between two zones. This document also establishes requirements for detailed risk assessments of each zone and conduit, and for assigning Security Level targets (SL-Ts) based on threat and risk.
  • IEC 62443-3-3 provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs), including defining the requirements for control system capability security levels. These requirements are intended to be used, along with the defined zones and conduits for the system under consideration, for the definition of the appropriate security capabilities at the control system level. See below.

Component related parts

  • IEC 62443-4-1 specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle for the purpose of developing and maintaining secure products.
  • IEC 62443-4-2 specifies the cybersecurity technical requirements for components, such as embedded devices, network components, host components and software applications. The requirements are derived from the system level requirements defined in IEC 62443-3-3.

Roles involved in the application of the IEC 62443 series

Different types of roles are involved in the secure development, operation and support of an IACS. The figure below gives an overview of these roles and their interactions with the industrial automation and control systems.

Application of IEC 62443 parts by different roles (ISA99.org)

IEC 62443-3-3 System Security Requirements and Assurance Levels

Although each part of IEC 62443 is important, IEC 62443-3-3 has become one of the most visible and widely used parts. It defines four security levels (SL1, SL2, SL3, SL4) (see Figure 15). These security levels correlate the required set of countermeasures with the strength of a potential adversary, in order to counter different levels of risk. To meet a specific SL, the requirements defined for that level must be fulfilled. It is not sufficient to focus only on certain facets of security; the security requirements defined by IEC 62443-3-3 help to ensure that all relevant aspects are addressed.

IEC 62443 Defined Security Levels

IEC 62443-3-3 also covers security requirements and is aligned with the concept of seven foundational requirements (FRs) as defined in IEC 62443-1-1. The technical security requirements are grouped according to the FRs Identification and authentication control (FR1), Use control (FR2), System integrity (FR3), Data confidentiality (FR4), Restricted data flow (FR5), Timely response to events (FR6), and Resource availability (FR7). For each foundational requirement there exist several concrete technical security requirements (SRs) and requirement enhancements (REs), and these are assigned to the four security levels according to the level of threat mitigation they provide. In the context of communication security, these security levels are of particular interest for the “conduits” connecting different zones.

To reach a given security level, the requirements (SRs) and the requirement enhancements (REs) defined for that security level have to be fulfilled. The standard foresees that a security requirement can be addressed either directly or by a compensating countermeasure. The concept of compensating countermeasures allows a certain security level to be reached even if some requirements cannot be implemented directly; for example, some components, particularly legacy equipment, cannot support the required technical features. This approach is particularly important for existing systems, so-called “brown-field installations”, as existing equipment can continue to be used for many years.

The security level of a zone or a conduit (a conduit connects zones) is more precisely a security level vector with seven elements (see also Annex A of IEC 62443-3-3). The elements of the vector designate the security level for each foundational requirement, so the security level can be set separately for each FR. If, for example, confidentiality is not a security objective within a zone, the security level element corresponding to FR4 “Data confidentiality” can be defined to be SL1 or even none, although SL3 may be required for other foundational requirements (e.g., for FR1, FR2, and FR3). Hence, the resulting security level vector for a zone could be SL=(3,3,3,1,2,1,3) or SL=(2,2,2,0,1,1,0).
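The vector notation above is easy to turn into a small assessment aid. The following Python is an added example, not code from the page, from ISA99 or from the standard: it parses the page's SL=(…) notation into a seven-element tuple with one element per FR, compares a zone's target vector (the SL-T of IEC 62443-3-2) element-wise with the level the zone actually achieves, and models the compensating-countermeasure idea from the previous paragraph as an assessed per-FR credit that can raise, but never lower, an element. The vector values and the credit model are constructed assumptions for illustration, not something the standard prescribes.

```python
"""Security level (SL) vectors for zones and conduits, as an added example.

Each element is the level for one foundational requirement FR1..FR7:
0 means "none", 1..4 mean SL1..SL4. Comparison against a target is
element-wise, which is the point of having a vector rather than one number.
All concrete values below are constructed for illustration.
"""

FOUNDATIONAL_REQUIREMENTS = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)


def parse_sl_vector(text):
    """Parse the page's notation, e.g. 'SL=(3,3,3,1,2,1,3)', into a 7-tuple.

    Rejects a wrong element count or an element outside 0..4, so a malformed
    target fails loudly instead of silently lowering the target for one FR.
    """
    body = text.strip()
    if body.upper().startswith("SL"):
        body = body[2:].lstrip().lstrip("=")
    parts = [p.strip() for p in body.strip().strip("()").split(",")]
    if len(parts) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(f"expected 7 elements (FR1..FR7), got {len(parts)}")
    levels = []
    for fr, p in zip(FOUNDATIONAL_REQUIREMENTS, parts):
        if not p.isdigit() or not 0 <= int(p) <= 4:
            raise ValueError(f"{fr}: level must be 0 (none) or 1..4, got {p!r}")
        levels.append(int(p))
    return tuple(levels)


def format_sl_vector(levels):
    """Inverse of parse_sl_vector: (3, 3, 3, 1, 2, 1, 3) -> 'SL=(3,3,3,1,2,1,3)'."""
    return "SL=(" + ",".join(str(lv) for lv in levels) + ")"


def sl_gaps(target, achieved):
    """List (FR, target level, achieved level) for every FR below its target.

    Exceeding the target in one FR never offsets a shortfall in another;
    an empty list means the SL-T is met in all seven elements.
    """
    return [
        (fr, t, a)
        for fr, t, a in zip(FOUNDATIONAL_REQUIREMENTS, target, achieved)
        if a < t
    ]


def meets_target(target, achieved):
    return not sl_gaps(target, achieved)


def apply_compensating_measures(achieved, credits):
    """Model compensating countermeasures as per-FR level credit (an assumption).

    `credits` maps an FR number (1..7) to the level a compensating measure has
    been assessed to provide for that FR. The assessment itself is a human
    judgement; this only records its outcome. Credit can raise an element,
    never lower it, and never above SL4 because levels are validated to 0..4.
    """
    result = list(achieved)
    for fr_number, level in credits.items():
        if not 1 <= fr_number <= 7 or not 0 <= level <= 4:
            raise ValueError(f"bad credit FR{fr_number} -> {level}")
        result[fr_number - 1] = max(result[fr_number - 1], level)
    return tuple(result)


if __name__ == "__main__":
    # Constructed values: the page's example target, and a hypothetical
    # legacy-equipment result that falls short only on FR3 (system integrity).
    target = parse_sl_vector("SL=(3,3,3,1,2,1,3)")
    achieved = parse_sl_vector("SL=(3,3,2,1,2,1,3)")
    for fr, t, a in sl_gaps(target, achieved):
        print(f"gap: {fr}: target SL{t}, achieved SL{a}")
    # Suppose a compensating countermeasure is assessed to provide SL3 for FR3.
    compensated = apply_compensating_measures(achieved, {3: 3})
    print(format_sl_vector(compensated), "meets target:", meets_target(target, compensated))
```

Run stand-alone it reports the single FR3 gap and then shows the vector meeting its target once the assessed compensating credit is applied; the same functions work for any zone or conduit whose target and achieved levels are written in the page's notation.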

The recently approved IEC 62443-4-2 provides cybersecurity technical requirements for the component types embedded devices, network components, host components and software applications. The requirements are derived from the system level requirements in IEC 62443-3-3.

The IECEE offers a conformance assessment program intended to provide a framework for assessments in accordance with the IEC 62443 standards, resulting in IECEE Certificates of Conformity. The certificates provided by IECEE include capability certifications for IEC 62443-2-4 (processes, products and solutions) and IEC 62443-4-1 (organizational capabilities). The scheme also supports product certificates of conformity for control systems (IEC 62443-3-3) and components (IEC 62443-4-2); in each case, these certifications can optionally be provided in conjunction with IEC 62443-4-2, and also for products (see IEC 62443-4-1 and 62443-4-2).