05/11/2019

Everything you need to know about the IEC 62443 standard

IEC 62443 is the security standard for operators, integrators and manufacturers in the industrial sector. It is a set of rules that is intended to provide adequate security for those who implement it. 

Why is the ISO/IEC standard 62443 so important?

Why, one might ask, is there so much fuss about the ISO/IEC standard? Quite simply: in most cases this is about industrial plants that – if they fail – will have an immediate impact on the population. These include, of course, energy suppliers, health care, water suppliers and the manufacturing industry.

IEC 62443 consists of four sub-areas

IEC 62443-1 contains general concepts, terminologies and methods.
To this end, the first standard part defines what constitutes an industrial system at all and deals with the two “general prerequisites” which must be taken into account at all times.

  • Support of the essential functions
    Security measures shall not interfere with the basic functions of the industrial system.
  • Compensation through countermeasures
    If necessary, compensatory countermeasures must be taken. These are particularly important if a system (e.g. an legacy component) cannot implement certain security mechanisms itself (e.g. authentication) and is therefore protected by the function of another component (e.g. a firewall).

In addition, other important security concepts are described in more detail:

  • Security goals
  • Defense in depth
  • Least privilege
  • Risk analysis
  • Supply chain security

IEC 62443-2 is aimed at plant operators and contains organizational measures and processes that are relevant as part of a defense in depth concept. The measures described are addressed to the operators themselves or to the organisation responsible for operation and maintenance. The standard parts 2-1 and 2-2 describe specifications and implementation recommendations for setting up an ISMS (Information Security Management System) for the OT (Operational Technology) area. The standard part 2-3 deals with topics in the area of patch management, the standard part 2-4 is intended as a vendor’s tray in which service providers find specifications for processes that can for example be demanded by an operator.

IEC 62443-3 addresses integrators. It deals with security-relevant requirements for the functional capabilities of automation systems. These can be found in the standard part 3-3 under the term “Foundational Requirements (FR)” and contain system requirements on the topics of identification and authentication, system integrity, restricted data flow or timely reaction to events.
Among other things, Part 3 also includes a technical report on current security techniques, in which topics such as authentication and authorization, encryption, remote access or monitoring and logging are addressed and placed in the context of industrial systems. Standard Part 3-2 describes a risk analysis and zoning process. The document describes procedures for dividing an industrial system into zones, assessing security risks, defining planned security levels and establishing security requirements.

Finally, IEC 62443-4 is aimed at manufacturers of hardware and software components for industrial plants. IT security is discussed as an integral part of the development process for these parts and the requirements and functional capabilities of the product are defined in the 4-1 standard part in order to prevent weak points. Ideally, this is already included in the development phase of a product, since the topic of a Secure Development Lifecycle with all related topics (called “Practices” in the standard) is dealt with extensively. In addition, standard part 4-2 contains an extension of the system requirements from IEC 62443-3-3, which deals with the particular features of the following component classes that are used in industrial solutions: Software applications, host devices, embedded devices and network components.
Within the standard, so-called security levels (SL 1-4) are presented, which describe an approach to specify the protection of a zone, a solution or a system.
Level 1 is the minimum requirement a system must meet to prevent accidental misuse. In Level 4, on the other hand, you are already in a high-security area, so to speak, which can only be achieved with considerable effort, but can then only be hacked with very high skills and motivation. From experience Limes Security can state that reaching level 3 is already an excellent security level.

Limes Security is a specialist in the field of ISO/IEC 62443 standards and is happy to support you in achieving your desired security level.
Read more about our #cooperation with TÜV.
We would be delighted to provide you with a comprehensive summary of the most important elements of the IEC 62443 standard in the form of an overview poster – simply send a short e-mail to office@limessecurity.com .