IEC 62443 Background
The international series of standards IEC 62443 is being developed jointly by the International Electrotechnical Commission (IEC) and the ISA99 committee to address the need to design cybersecurity robustness and resilience into industrial automation and control systems (IACS). It covers both organizational and technical aspects of security over the life cycle of such systems. Although initially focused on industrial automation, this set of cyber security standards has also been adopted by the energy sector, since it provides a methodology for applying security in operational and field environments for cyber-physical systems. It can be used in conjunction with the ISO/IEC 27000 series (in particular ISO/IEC 27019 for the energy domain) and with IEC 62351, which provides concrete security solutions for power system communication protocols.
IEC 62443 General organization
The different parts of the standard are grouped into four clusters covering:
General parts (terminology, concepts and models)
Policies and Procedures related parts
System related parts
Component related parts
Roles involved in the application of the IEC 62443 series
Different types of roles are involved in the secure development, operation and support of an IACS. The figure below gives an overview of these roles and their interactions with the industrial automation and control system.
IEC 62443-3-3 System Security Requirements and Assurance Levels
Although each part of IEC 62443 is important, IEC 62443-3-3 has become one of the most visible and widely used parts. It defines four security levels (SL1, SL2, SL3, SL4) (see Figure 15). These security levels correlate the required set of countermeasures with the strength of a potential adversary, in order to counter different levels of risk. To meet a specific SL, the requirements defined for that level must be fulfilled. It is not sufficient to focus only on certain facets of security; the security requirements defined by IEC 62443-3-3 help to ensure that all relevant aspects are addressed.
The security requirements in IEC 62443-3-3 are organized according to the seven foundational requirements (FR) defined in IEC 62443-1-1: Identification and authentication control (FR1), Use control (FR2), System integrity (FR3), Data confidentiality (FR4), Restricted data flow (FR5), Timely response to events (FR6), and Resource availability (FR7). For each foundational requirement there are several concrete system requirements (SR) and requirement enhancements (RE), and these are assigned to the four security levels according to the level of threat mitigation they provide. In the context of communication security, these security levels are of particular interest for the "conduits" connecting different zones.
To reach a given security level, the requirements (SR) and the requirement enhancements (RE) defined for that level have to be fulfilled. The standard foresees that a security requirement can be addressed either directly or by a compensating countermeasure. The concept of compensating countermeasures allows a certain security level to be reached even if some requirements cannot be implemented directly, for example because some components, particularly legacy equipment, cannot support the required technical features. This approach is especially important for existing systems, so-called "brown-field installations", where existing equipment can continue to be used for many years. A compensating countermeasure must be justified in the risk assessment; it does not waive the requirement, it meets it by other means.
The security level of a zone or a conduit (a conduit connects zones) is more precisely a security level vector with seven elements (see also annex A of IEC 62443-3-3). Each element of the vector designates the security level for one foundational requirement, which allows the security level to be defined separately per foundational requirement. If, for example, confidentiality is not a security objective within a zone, the element corresponding to FR4 "Data confidentiality" can be set to SL1 or even SL0, although SL3 may be required for other foundational requirements (e.g., FR1, FR2 and FR3). Hence the resulting security level vector for a zone could be SL=(3,3,3,1,2,1,3) or SL=(2,2,2,0,1,1,0). Comparisons between vectors are made element by element: a zone meets its target only if every element of the achieved vector is at least the corresponding element of the target vector.
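The element-wise comparison of security level vectors, together with the compensating countermeasures discussed above, is easy to get wrong when done by hand across many zones. The following is an added example, written for this page and not code from IEC, ISA or any product, that parses vectors in the page's SL=(...) notation, derives a zone's capability vector from its components, and reports per-FR gaps and which of them remain unmet after crediting compensating countermeasures. It assumes that a zone's capability for an FR is the weakest component in the zone (a conservative choice the standard itself does not prescribe) and that a credited compensating countermeasure closes the gap for that FR entirely; all vectors are constructed sample data.

```python
"""
Added example: per-FR comparison of IEC 62443-3-3 security level vectors.

Assumptions (not from the page or the standard):
  * Vectors use the page's notation SL=(a,b,c,d,e,f,g), one element per
    FR1..FR7, each in 0..4.
  * A zone's capability for an FR is the weakest component in the zone.
  * A compensating countermeasure, where credited, fully closes the gap
    for that FR; in practice that is a risk-assessment decision.
"""

import re

# Foundational requirements in vector order (IEC 62443-1-1 / -3-3).
FR_NAMES = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)

_VECTOR_RE = re.compile(
    r"\s*(?:SL\s*=\s*)?\(\s*([0-4](?:\s*,\s*[0-4]){6})\s*\)\s*"
)


def parse_sl_vector(text):
    """Parse 'SL=(3,3,3,1,2,1,3)' or '(3,3,3,1,2,1,3)' into a 7-tuple of ints.

    Anything that is not exactly seven elements in 0..4 is rejected, so a
    truncated or mistyped vector fails loudly instead of being compared.
    """
    m = _VECTOR_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a 7-element SL vector: {text!r}")
    return tuple(int(x) for x in m.group(1).split(","))


def _as_vector(v):
    return parse_sl_vector(v) if isinstance(v, str) else tuple(v)


def zone_capability(component_vectors):
    """Assumed aggregation: element-wise minimum over the zone's components."""
    vectors = [_as_vector(v) for v in component_vectors]
    if not vectors:
        raise ValueError("zone has no components")
    return tuple(min(col) for col in zip(*vectors))


def sl_gaps(target, achieved):
    """Map 'FRn' -> (target, achieved) for every FR where achieved < target."""
    return {
        f"FR{i + 1}": (t, a)
        for i, (t, a) in enumerate(zip(_as_vector(target), _as_vector(achieved)))
        if a < t
    }


def assess_zone(target, component_vectors, compensated=frozenset()):
    """Return (capability, gaps, unmet).

    `compensated` names FRs ('FR1', ...) for which a compensating
    countermeasure is credited; those gaps are dropped from `unmet`.
    """
    cap = zone_capability(component_vectors)
    gaps = sl_gaps(target, cap)
    unmet = {fr: g for fr, g in gaps.items() if fr not in compensated}
    return cap, gaps, unmet


def report(target, component_vectors, compensated=frozenset()):
    """Human-readable summary of assess_zone()."""
    cap, gaps, unmet = assess_zone(target, component_vectors, compensated)
    lines = [f"zone capability: SL={cap}"]
    for fr, (t, a) in gaps.items():
        name = FR_NAMES[int(fr[2:]) - 1]
        status = "compensated" if fr not in unmet else "UNMET"
        lines.append(f"  {name}: target SL{t}, achieved SL{a} -> {status}")
    lines.append("result: " + ("target met" if not unmet else "target NOT met"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a modern HMI plus a legacy PLC in one zone.
    target = "SL=(3,3,3,1,2,1,3)"
    components = ["SL=(3,3,3,2,2,1,3)", "(1,2,2,0,1,1,3)"]
    # Hypothetical compensating countermeasures: network-level authentication
    # and segmentation in front of the legacy PLC cover FR1, FR4 and FR5.
    print(report(target, components, compensated={"FR1", "FR4", "FR5"}))
```

For the constructed sample the zone capability is SL=(1,2,2,0,1,1,3); FR1, FR4 and FR5 are covered by the credited countermeasures, while FR2 and FR3 remain unmet at SL2 against a target of SL3, so the zone does not reach its target until those two are addressed directly or compensated as well.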
The recently approved IEC 62443-4-2 provides cyber security technical requirements for four component types: embedded devices, network components, host components and software applications. Its component requirements (CR) are derived from the system-level requirements in IEC 62443-3-3, so a component's capability security level can be traced back to the system requirements it supports.
The IECEE offers a conformance assessment program that provides a framework for assessments in accordance with the IEC 62443 standards, resulting in IECEE Certificates of Conformity. The scheme includes capability certifications for service providers (IEC 62443-2-4, covering integration and maintenance processes, products and solutions) and for product development processes (IEC 62443-4-1). It also supports product certificates of conformity for control systems (IEC 62443-3-3) and components (IEC 62443-4-2); in each case the product certification can optionally be issued in conjunction with the IEC 62443-4-1 development process certification.