IEC 62443


IEC 62443 is a series of standards that address security for operational technology in automation and control systems. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems security.

History

In 2002, the International Society of Automation, a professional automation engineering society and ANSI-accredited standards development organization established a standards committee. This committee developed a multi-part series of standards and technical reports addressing the cybersecurity of Automation and Control Systems. These standards were initially published as ANSI/ISA-99 or ISA99 standards.
Around 2010, ISA99 strengthened its relationship with the International Electrotechnical Commission, leading to the renaming of the standards to ANSI/ISA-62443. The available content was submitted to and used by IEC working groups. Since then, the series has been commonly referred to as IEC 62443.
Meanwhile, the German engineering associations VDI and VDE released the VDI/VDE 2182 guidelines in 2011. The guidelines describe how to handle information security in industrial automation environments and were also submitted to and used by the IEC working groups.

Current Situation

The IEC 62443 series of standards is maintained by the International Electrotechnical Commission Technical Committee 65 Working Group 10. The IEC working group and ISA99 committee continue to collaborate, creating joint leadership and project teams to develop the standards in the IEC 62443 series. Their collaboration integrates the processes and procedures of both ISA and IEC Directives, ensuring alignment in the development process.
The resulting standards are published by ISA as ANSI/ISA 62443 in the United States and by IEC as IEC 62443 internationally. For any given part of the series, the technical content of the ISA and IEC editions is identical where both organizations have accepted the content.

Relationship between IEC and ISA

The relationship between IEC and ISA in the development of the IEC 62443 series is characterized by complementary roles. IEC serves as the global standardization body responsible for publishing and maintaining the IEC 62443 series, while ISA contributes significant technical expertise, industry insight, and foundational drafts through its ISA99 committee.
ISA primarily focuses on the U.S. market and publishes standards under the ANSI/ISA 62443 designation. IEC, on the other hand, ensures global adoption and harmonization of the standards as IEC 62443.
While both organizations collaborate on the majority of standards, they retain the independence to develop and publish standards separately when consensus cannot be reached. For example, IEC developed and published IEC 62443-6-1 independently without ISA involvement.

Industry Application

The IEC has approved the IEC 62443 family of standards as 'horizontal standards'. This means that when sector specific standards for operational technology are being developed by subject matter experts, the IEC 62443 standards must be used at the foundation for requirements addressing security in those standards. This approach serves to avoid the proliferation of partial and/or conflicting requirements for addressing security of automation and control systems across industry sectors where the same or similar technology or products are deployed at operating sites.

Structure

IEC 62443 Industrial communication networks - Network and system security series of standards consists of several parts, which are divided into six areas:
  1. General: Parts in this category describe the basic terms, concepts and models.
  2. Policies and Procedures: This primarily describes a system for managing industrial IT security.
  3. System: Various specifications for security functions of control and automation systems are described here.
  4. Components and Requirements: The requirements for product development processes for components of an automation solution are described here.
  5. Profiles:This section is intended to define industry-specific cybersecurity requirements and provide a structured approach to implementing measures based on the cybersecurity profiles described in IEC 62443-1-5.
  6. Evaluation: This section describes assessment methodologies that ensure that assessment results are consistent and reproducible with regard to the requirements of the individual parts.
The following table lists the parts of the IEC 62443 series of standards published to date with their status and title.
StandardTitleStatusDescription
IEC 62443-1-1Concepts and modelsTechnical Specification, Edition 1.0, July 2009This standard introduces the set of main cybersecurity elements that apply across the series and notably those that appear in two or more parts of the series.
IEC 62443-1-5Scheme for IEC 62443 security profilesTechnical Specification, Edition 1.0, September 2023
IEC 62443-2-1Security program requirements for IACS asset ownersEdition 2.0, 2024This part of the standard is aimed at operators of automation solutions and defines requirements for how security during the operation of plants is to be considered.
IEC 62443-2-3Patch management in the IACS environmentTechnical Report, Edition 1.0, June 2015
IEC 62443-2-4Requirements for IACS service providersEdition 2.0, December 2023This part defines requirements for integrators. These requirements are divided into 12 topics: Assurance, architecture, wireless, security engineering systems, configuration management, remote access, event management and logging, user management, malware protection, patch management, backup & recovery, and project staffing.
IEC 62443-3-1Security technologies for industrial automation and control systemsTechnical Report, Edition 1.0, July 2009
IEC 62443-3-2Security risk assessment and system designEdition 1.0, June 2020
IEC 62443-3-3System security requirements and security levelsEdition 1.0, August 2013
IEC 62443-4-1Secure product development lifecycle requirementsEdition 1.0, January 2018This part defines how a secure product development process should look like. It is divided into eight areas : management of development, definition of security requirements, design of security solutions, secure development, testing of security features, handling of security vulnerabilities, creation and publication of updates and documentation of security features.
IEC 62443-4-2Technical security requirements for IACS componentsEdition 1.0, February 2019This part defines technical requirements for products or components. Like the requirements for systems, the requirements are divided into 12 subject areas and refer to them. In addition to the technical requirements, common component security constraints are defined, which must be met by components to be compliant with IEC 62443-4-2:
  • CCSC 1 describes that components must take into account the general security characteristics of the system in which they are used.
  • CCSC 2 specifies that the technical requirements that the component cannot meet itself can be met by compensating countermeasures at system level. For this purpose, the countermeasures must be described in the documentation of the component.
  • CCSC 3 requires that the "Least Privilege" principle is applied in the component.
  • CCSC 4 requires that the component is developed and supported by IEC 62443-4-1 compliant development processes.
IEC 62443-6-1Security evaluation methodology for IEC 62443-2-4Technical Specification, Edition 1.0, March 2024-

Developments and Activities

The standards in the IEC 62443 series of standards evolve constantly. According to IEC guidelines, all published standards will be periodically reviewed and either be confirmed to be current, updated, or withdrawn.In addition, several parts of the series are under development, including new editions of:
  • IEC 62443-1-6: Applying the 62443 series to the industrial internet of things
  • IEC 62443-2-2: IACS Security Protection
  • IEC 62443-6-2: Evaluation Methodology for IEC 62443-4-2

    Foundational Concepts

There are several concepts that form the foundation of the IEC 62443 series.

Principal Roles

Standards in the series addresses the implications for several principal roles, including:
  • the Asset Owner,
  • the Product Supplier, and
  • the Service Providers
The different roles each follow a risk-based approach to prevent and manage security risks in their activities.

Maturity Level

The standards describe different maturity levels for processes through so-called "maturity levels". To fulfill a certain level of a maturity level, all process-related requirements must always be practiced during product development or integration, i.e. the selection of only individual criteria is not standard-compliant.
The maturity levels are described as follows:
  • Maturity Level 1 - Initial: Product suppliers usually carry out product development ad hoc and often undocumented.
  • Maturity Level 2 - Managed: The product supplier is able to manage the development of a product according to written guidelines. It must be demonstrated that the personnel who carry out the process have the appropriate expertise, are trained and/or follow written procedures. The processes are repeatable.
  • Maturity Level 3 - Defined : The process is repeatable throughout the supplier's organization. The processes have been practiced and there is evidence that this has been done.
  • Maturity Level 4 - Improving: Product suppliers use appropriate process metrics to monitor the effectiveness and performance of the process and demonstrate continuous improvement in these areas.