IEC 62443 Standards – a cornerstone of industrial cyber security


Cyber security is too often narrowly considered a purely information technology (IT) issue.

This may be partly true in certain service sectors such as finance or insurance; however, industrial systems depend on operational technology (OT), whose cyber risks must also be taken into account.

This is the primary purpose of the IEC 62443 series of Standards, prepared by IEC Technical Committee (TC) 65: Industrial-process measurement, control and automation, in collaboration with members of Committee 99 of the International Society of Automation (ISA99).

Securing industrial automation and control systems comprehensively

The IEC 62443 series was developed to secure industrial communication networks and industrial automation and control systems (IACS) through a systematic approach.

It currently includes nine Standards, Technical Reports (TR) and Technical Specifications (TS), with four parts still under development. IACS are found in an ever-expanding range of domains and industries; many, such as power and energy supply and distribution, transportation and manufacturing, are central to critical infrastructure. IACS also include Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used by organizations that operate in critical infrastructure industries such as electricity generation, transmission and distribution, and gas and water distribution networks. Ensuring risk mitigation and resilience is thus essential.

Prevention of illegal or inappropriate access

In IEC 62443 publications « the term ‘security’ is considered to mean the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in IACS. »

Security « includes computers, networks, operating systems, applications and other programmable configurable components of the system ».

IEC 62443 Standards cover all aspects of cyber security at all stages and are a cornerstone of a secure-by-design approach.

As such, a broad overview of IEC 62443 publications is necessary, as they are relevant to all industrial communication networks and IACS users, including asset owners, system integrators, « equipment manufacturers, suppliers, facility operators, maintenance practitioners and all private and government organizations involved with, or affected by, control system cyber security » (IEC/TS 62443-1-1 Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models).

The IEC 62443 series of Standards is organized into four parts covering the following:

  • General (IEC 62443-1.* – one part of four published)
  • Policies and procedures (IEC 62443-2.* – three parts of four published)
  • System (IEC 62443-3.* – all three parts published)
  • Components (IEC 62443-4.* – both parts published).

Distinctive and wide-ranging approach

Many businesses and industries using IT have had well-established cyber security management systems (CSMS) in place as defined in the ISO/IEC 27001 and ISO/IEC 27002 standards for information security, developed by the Joint Technical Committee for Information Technology (ISO/IEC JTC 1), established by IEC and ISO.

For its part, the IEC 62443 series includes security for both IT and OT. This IT-OT integration covers multiple aspects and provides a flexible framework to address and mitigate current and future security vulnerabilities in IACS.

The IEC 62443 general part, IEC/TS 62443-1-1:2009 « defines the terminology, concepts and models for IACS security. It establishes the basis for the remaining standards in the IEC 62443 series. » It lists the following seven foundational requirements:

  • identification and authentication control (IAC),
  • use control (UC),
  • system integrity (SI),
  • data confidentiality (DC),
  • restricted data flow (RDF),
  • timely response to events (TRE), and
  • resource availability (RA).

In policies and procedures, IEC 62443-2-1:2010 « defines the elements necessary to establish a CSMS for IACS and provides guidance on how to develop those elements. The CSMS elements described in this standard are mostly policy, procedure, practice and personnel-related, describing what shall or should be included in the final CSMS for the organization. »

IEC TR 62443-2-3:2015 deals with patch management in the IACS environment, and « describes requirements for asset owners and IACS product suppliers that have established and are now maintaining an IACS patch management programme.

This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers. It also provides a definition for some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners.

The exchange format and activities are defined for use in security-related patches; however, it may also be applicable for non-security related patches or updates. (…) It does not differentiate between the product suppliers that supply the infrastructure components or the IACS applications; it provides guidance for all patches applicable (…) »

IEC 62443-2-4:2017 specifies requirements for the security capabilities that IACS service providers can offer to the asset owner during integration and maintenance activities of an automation solution.

The system part, IEC TR 62443-3-1:2009, Industrial communication networks – Network and system security – Security technologies for IACS, « provides a current assessment of various cyber security tools, mitigation counter-measures and technologies that may effectively apply to the modern electronically-based IACSs regulating and monitoring numerous industries and critical infrastructures.

It describes several categories of control system-centric cyber security technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most importantly, the preliminary recommendations and guidance for using these cyber security technology products and/or countermeasures. »

IEC 62443-3-2:2020, Security for IACS, focuses on security risk assessment for system design. Among other things, it establishes requirements for:

  • defining a system under consideration (SUC) for an IACS,
  • partitioning the SUC into zones and conduits,
  • assessing risk for each zone and conduit,
  • establishing the target security level (SL-T) for each zone and conduit, and
  • documenting the security requirements.

As regards components, IEC 62443-4-1:2018 focuses on secure product development lifecycle requirements. « It specifies the process requirements for the secure development of products used in industrial automation and control systems (…).
It defines secure development life-cycle requirements related to cyber security for products intended for use in the IACS environment and provides guidance on how to meet the requirements described for each element. The life-cycle description includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.
These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware. »

These requirements only apply to the developer and maintainer of the product, and are not applicable to the integrator or the user of the product.

As for IEC 62443-4-2:2019, Technical security requirements for IACS components, it provides detailed technical control system component requirements associated with the seven foundational requirements listed above in IEC TS 62443-1-1, including defining the requirements for control system capability security levels and their components.

IEC 62443 set to be adopted in more systems and sectors

Ensuring cyber security is a growing concern for industries where cyber attacks can be directed at both IT and OT systems. For this reason, many rely increasingly on the IEC 62443 series for cyber protection, risk mitigation and resilience in addition to other standards.

In the energy sector, utility grids and systems depend on IEC 62443 standards, among others, to reduce cyber risks. This also applies to nuclear power plants and a range of energy storage systems. Hydropower facilities also rely on IEC 62443.

In transportation, railway networks, shipping and aviation also depend on IEC 62443 to prevent or mitigate cyber risks.

Likewise, IEC 62443 Standards are essential for industrial automation, particularly with the rapid introduction of Industrial Internet of Things devices.

International engineering companies and classification societies mention their compliance with IEC 62443 Standards as evidence of the quality of the products and services they provide.

The wider adoption of IEC 62443 Standards is thus set to advance apace.

By Morand Fachot. Original article published on the IEC website.
