ISA/IEC 62443

Summary

The ISA/IEC 62443 standard defines the necessary elements to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. The version used in this section is IEC 62443-3-3 edition 1.0 2013-08.

Definitions

Definition	Requirements
IEC62443-IAC-1_1. Human user identification and authentication	237. Ascertain human interaction
IEC62443-IAC-1_2. Software process and device identification and authentication	143. Unique access credentials 176. Restrict system objects 264. Request authentication
IEC62443-IAC-1_3. Account management	034. Manage user accounts
IEC62443-IAC-1_5. Authenticator management	228. Authenticate using standard protocols 229. Request access credentials 319. Make authentication options equally secure
IEC62443-IAC-1_6. Wireless access management	253. Restrict network access
IEC62443-IAC-1_7. Strength of password-based authentication	129. Validate previous passwords 130. Limit password lifespan 133. Passwords with at least 20 characters 136. Force temporary password change 138. Define lifespan for temporary passwords 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
IEC62443-IAC-1_8. Public key infrastructure (PKI) certificates	090. Use valid certificates 093. Use consistent certificates
IEC62443-IAC-1_9. Strength of public key authentication	373. Use certificate pinning 088. Request client certificates
IEC62443-IAC-1_11. Unsuccessful login attempts	131. Deny multiple password changing attempts 227. Display access notification
IEC62443-IAC-1_12. System use notification	225. Proper authentication responses 227. Display access notification 301. Notify configuration changes 358. Notify upcoming expiration dates
IEC62443-IAC-1_13. Access via untrusted networks	160. Encode system outputs 321. Avoid deserializing untrusted data 340. Use octet stream downloads 348. Use consistent encoding
IEC62443-UC-2_1. Authorization enforcement	114. Deny access with inactive credentials 096. Set user's required privileges
IEC62443-UC-2_2. Wireless use control	248. SSID without dictionary words 250. Manage access points 253. Restrict network access 254. Change SSID name
IEC62443-UC-2_3. Use control for portable and mobile devices	205. Configure PIN 210. Delete information from mobile devices 214. Allow data destruction 373. Use certificate pinning
IEC62443-UC-2_4. Mobile code	205. Configure PIN 352. Enable trusted execution
IEC62443-UC-2_6. Remote session termination	023. Terminate inactive user sessions
IEC62443-UC-2_7. Concurrent session control	025. Manage concurrent sessions
IEC62443-UC-2_8. Auditable events	075. Record exceptional events in logs
IEC62443-UC-2_9. Audit storage capacity	322. Avoid excessive logging 377. Store logs based on valid regulation
IEC62443-UC-2_11. Timestamps	079. Record exact occurrence time of events
IEC62443-SI-3_1. Communication integrity	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 046. Manage the integrity of critical files
IEC62443-SI-3_2. Malicious code protection	115. Filter malicious emails 155. Application free of malicious code 340. Use octet stream downloads 041. Scan files for malicious code
IEC62443-SI-3_5. Input validation	173. Discard unsafe inputs
IEC62443-SI-3_7. Error handling	313. Inform inability to identify users
IEC62443-SI-3_8. Session integrity	357. Use stateless session tokens 024. Transfer information using session objects 029. Cookies with security attributes 030. Avoid object reutilization 031. Discard user session data
IEC62443-SI-3_9. Protection of audit information	377. Store logs based on valid regulation 080. Prevent log modification
IEC62443-DC-4_1. Information confidentiality	176. Restrict system objects 178. Use digital signatures 185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 365. Avoid exposing technical information
IEC62443-DC-4_3. Use of cryptography	145. Protect system cryptographic keys 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 370. Use OAEP padding with RSA 371. Use GCM Padding with AES
IEC62443-RDF-5_1. Network segmentation	259. Segment the organization network
IEC62443-RDF-5_2. Zone boundary protection	258. Filter website content 341. Use the principle of deny by default
IEC62443-RDF-5_3. User content filtering	116. Disable images of unknown origin 258. Filter website content 266. Disable insecure functionalities 340. Use octet stream downloads
IEC62443-TRE-6_1. Audit log accessibility	378. Use of log management system
IEC62443-RA-7_1. Denial of service protection	327. Set a rate limit 345. Establish protections against overflows 072. Set maximum response time
IEC62443-RA-7_6. Network and security configuration settings	062. Define standard configurations
IEC62443-RA-7_7. Least functionality	186. Use the principle of least privilege 255. Allow access only to the necessary ports 353. Schedule firmware updates
IEC62443-CR-1_1-RE_1. Unique identification and authentication	264. Request authentication 305. Prioritize token usage 319. Make authentication options equally secure 335. Define out of band token lifespan 357. Use stateless session tokens
IEC62443-CR-1_1-RE_2. Multifactor authentication for all interfaces	262. Verify third-party components 362. Assign MFA mechanisms to a single account
IEC62443-CR-1_7. Strength of password-based authentication	126. Set a password regeneration mechanism 127. Store hashed passwords 130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 135. Passwords with random salt 139. Set minimum OTP length 333. Store salt values separately 334. Avoid knowledge-based authentication
IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users	130. Limit password lifespan 138. Define lifespan for temporary passwords 140. Define OTP lifespan
IEC62443-CR-2_1-RE_3. Permission mapping to roles	034. Manage user accounts
IEC62443-CR-3_1-RE_1. Communication authentication	181. Transmit data using secure protocols 369. Set a maximum lifetime in sessions 024. Transfer information using session objects 030. Avoid object reutilization

Last updated

2023/09/18