BS EN IEC 62443-3-3:2019
$215.11
Industrial communication networks. Network and system security – System security requirements and security levels
Published By | Publication Date | Number of Pages |
---|---|---|
BSI | 2019 | 86 |
This part of the IEC 62443 series provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443-1-1, including defining the requirements for control system capability security levels, SL-C(control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T(control system), for a specific asset.
As defined in IEC 62443-1-1 there are a total of seven FRs:
- Identification and authentication control (IAC),
- Use control (UC),
- System integrity (SI),
- Data confidentiality (DC),
- Restricted data flow (RDF),
- Timely response to events (TRE), and
- Resource availability (RA).
These seven requirements are the foundation for control system capability SLs, SL-C (control system). Defining security capability at the control system level is the goal and objective of this standard as opposed to target SLs, SL-T, or achieved SLs, SL-A, which are out of scope.
See IEC 62443-2-1 for an equivalent set of non-technical, program-related, capability SRs necessary for fully achieving a control system target SL.
PDF Catalog
PDF Pages | PDF Title |
---|---|
5 | Annex ZA (normative) Normative references to international publications with their corresponding European publications |
7 | CONTENTS |
14 | FOREWORD |
16 | 0 Introduction 0.1 Overview |
17 | 0.2 Purpose and intended audience 0.3 Usage within other parts of the IEC 62443 series |
18 | Figures Figure 1 – Structure of the IEC 62443 series |
19 | 1 Scope 2 Normative references 3 Terms, definitions, abbreviated terms, acronyms, and conventions 3.1 Terms and definitions |
25 | 3.2 Abbreviated terms and acronyms |
27 | 3.3 Conventions 4 Common control system security constraints 4.1 Overview |
28 | 4.2 Support of essential functions 4.3 Compensating countermeasures |
29 | 4.4 Least privilege 5 FR 1 – Identification and authentication control 5.1 Purpose and SL-C(IAC) descriptions 5.2 Rationale 5.3 SR 1.1 – Human user identification and authentication 5.3.1 Requirement 5.3.2 Rationale and supplemental guidance |
30 | 5.3.3 Requirement enhancements 5.3.4 Security levels |
31 | 5.4 SR 1.2 – Software process and device identification and authentication 5.4.1 Requirement 5.4.2 Rationale and supplemental guidance 5.4.3 Requirement enhancements |
32 | 5.4.4 Security levels 5.5 SR 1.3 – Account management 5.5.1 Requirement 5.5.2 Rationale and supplemental guidance 5.5.3 Requirement enhancements 5.5.4 Security levels |
33 | 5.6 SR 1.4 – Identifier management 5.6.1 Requirement 5.6.2 Rationale and supplemental guidance 5.6.3 Requirement enhancements 5.6.4 Security levels 5.7 SR 1.5 – Authenticator management 5.7.1 Requirement 5.7.2 Rationale and supplemental guidance |
34 | 5.7.3 Requirement enhancements 5.7.4 Security levels |
35 | 5.8 SR 1.6 – Wireless access management 5.8.1 Requirement 5.8.2 Rationale and supplemental guidance 5.8.3 Requirement enhancements 5.8.4 Security levels 5.9 SR 1.7 – Strength of password-based authentication 5.9.1 Requirement 5.9.2 Rationale and supplemental guidance |
36 | 5.9.3 Requirement enhancements 5.9.4 Security levels 5.10 SR 1.8 – Public key infrastructure (PKI) certificates 5.10.1 Requirement 5.10.2 Rationale and supplemental guidance |
37 | 5.10.3 Requirement enhancements 5.10.4 Security levels 5.11 SR 1.9 – Strength of public key authentication 5.11.1 Requirement 5.11.2 Rationale and supplemental guidance |
38 | 5.11.3 Requirement enhancements 5.11.4 Security levels 5.12 SR 1.10 – Authenticator feedback 5.12.1 Requirement 5.12.2 Rationale and supplemental guidance 5.12.3 Requirement enhancements 5.12.4 Security levels |
39 | 5.13 SR 1.11 – Unsuccessful login attempts 5.13.1 Requirement 5.13.2 Rationale and supplemental guidance 5.13.3 Requirement enhancements 5.13.4 Security levels 5.14 SR 1.12 – System use notification 5.14.1 Requirement 5.14.2 Rationale and supplemental guidance |
40 | 5.14.3 Requirement enhancements 5.14.4 Security levels 5.15 SR 1.13 – Access via untrusted networks 5.15.1 Requirement 5.15.2 Rationale and supplemental guidance 5.15.3 Requirement enhancements 5.15.4 Security levels |
41 | 6 FR 2 – Use control 6.1 Purpose and SL-C(UC) descriptions 6.2 Rationale 6.3 SR 2.1 – Authorization enforcement 6.3.1 Requirement 6.3.2 Rationale and supplemental guidance |
42 | 6.3.3 Requirement enhancements 6.3.4 Security levels 6.4 SR 2.2 – Wireless use control 6.4.1 Requirement |
43 | 6.4.2 Rationale and supplemental guidance 6.4.3 Requirement enhancements 6.4.4 Security levels 6.5 SR 2.3 – Use control for portable and mobile devices 6.5.1 Requirement 6.5.2 Rationale and supplemental guidance |
44 | 6.5.3 Requirement enhancements 6.5.4 Security levels 6.6 SR 2.4 – Mobile code 6.6.1 Requirement 6.6.2 Rationale and supplemental guidance 6.6.3 Requirement enhancements 6.6.4 Security levels |
45 | 6.7 SR 2.5 – Session lock 6.7.1 Requirement 6.7.2 Rationale and supplemental guidance 6.7.3 Requirement enhancements 6.7.4 Security levels 6.8 SR 2.6 – Remote session termination 6.8.1 Requirement 6.8.2 Rationale and supplemental guidance 6.8.3 Requirement enhancements |
46 | 6.8.4 Security levels 6.9 SR 2.7 – Concurrent session control 6.9.1 Requirement 6.9.2 Rationale and supplemental guidance 6.9.3 Requirement enhancements 6.9.4 Security levels 6.10 SR 2.8 – Auditable events 6.10.1 Requirement 6.10.2 Rationale and supplemental guidance |
47 | 6.10.3 Requirement enhancements 6.10.4 Security levels 6.11 SR 2.9 – Audit storage capacity 6.11.1 Requirement 6.11.2 Rationale and supplemental guidance 6.11.3 Requirement enhancements |
48 | 6.11.4 Security levels 6.12 SR 2.10 – Response to audit processing failures 6.12.1 Requirement 6.12.2 Rationale and supplemental guidance 6.12.3 Requirement enhancements 6.12.4 Security levels 6.13 SR 2.11 – Timestamps 6.13.1 Requirement 6.13.2 Rationale and supplemental guidance |
49 | 6.13.3 Requirement enhancements 6.13.4 Security levels 6.14 SR 2.12 – Non-repudiation 6.14.1 Requirement 6.14.2 Rationale and supplemental guidance 6.14.3 Requirement enhancements 6.14.4 Security levels |
50 | 7 FR 3 – System integrity 7.1 Purpose and SL-C(SI) descriptions 7.2 Rationale 7.3 SR 3.1 – Communication integrity 7.3.1 Requirement 7.3.2 Rationale and supplemental guidance |
51 | 7.3.3 Requirement enhancements 7.3.4 Security levels 7.4 SR 3.2 – Malicious code protection 7.4.1 Requirement 7.4.2 Rationale and supplemental guidance |
52 | 7.4.3 Requirement enhancements 7.4.4 Security levels 7.5 SR 3.3 – Security functionality verification 7.5.1 Requirement 7.5.2 Rationale and supplemental guidance |
53 | 7.5.3 Requirement enhancements 7.5.4 Security levels 7.6 SR 3.4 – Software and information integrity 7.6.1 Requirement 7.6.2 Rationale and supplemental guidance |
54 | 7.6.3 Requirement enhancements 7.6.4 Security levels 7.7 SR 3.5 – Input validation 7.7.1 Requirement 7.7.2 Rationale and supplemental guidance 7.7.3 Requirement enhancements 7.7.4 Security levels |
55 | 7.8 SR 3.6 – Deterministic output 7.8.1 Requirement 7.8.2 Rationale and supplemental guidance 7.8.3 Requirement enhancements 7.8.4 Security levels 7.9 SR 3.7 – Error handling 7.9.1 Requirement 7.9.2 Rationale and supplemental guidance 7.9.3 Requirement enhancements |
56 | 7.9.4 Security levels 7.10 SR 3.8 – Session integrity 7.10.1 Requirement 7.10.2 Rationale and supplemental guidance 7.10.3 Requirement enhancements 7.10.4 Security levels |
57 | 7.11 SR 3.9 – Protection of audit information 7.11.1 Requirement 7.11.2 Rationale and supplemental guidance 7.11.3 Requirement enhancements 7.11.4 Security levels 8 FR 4 – Data confidentiality 8.1 Purpose and SL-C(DC) descriptions 8.2 Rationale |
58 | 8.3 SR 4.1 – Information confidentiality 8.3.1 Requirement 8.3.2 Rationale and supplemental guidance 8.3.3 Requirement enhancements 8.3.4 Security levels |
59 | 8.4 SR 4.2 – Information persistence 8.4.1 Requirement 8.4.2 Rationale and supplemental guidance 8.4.3 Requirement enhancements 8.4.4 Security levels 8.5 SR 4.3 – Use of cryptography 8.5.1 Requirement |
60 | 8.5.2 Rationale and supplemental guidance 8.5.3 Requirement enhancements 8.5.4 Security levels 9 FR 5 – Restricted data flow 9.1 Purpose and SL-C(RDF) descriptions 9.2 Rationale |
61 | 9.3 SR 5.1 – Network segmentation 9.3.1 Requirement 9.3.2 Rationale and supplemental guidance 9.3.3 Requirement enhancements |
62 | 9.3.4 Security levels 9.4 SR 5.2 – Zone boundary protection 9.4.1 Requirement 9.4.2 Rationale and supplemental guidance 9.4.3 Requirement enhancements |
63 | 9.4.4 Security levels 9.5 SR 5.3 – General purpose person-to-person communication restrictions 9.5.1 Requirement 9.5.2 Rationale and supplemental guidance 9.5.3 Requirement enhancements |
64 | 9.5.4 Security levels 9.6 SR 5.4 – Application partitioning 9.6.1 Requirement 9.6.2 Rationale and supplemental guidance 9.6.3 Requirement enhancements 9.6.4 Security levels 10 FR 6 – Timely response to events 10.1 Purpose and SL-C(TRE) descriptions |
65 | 10.2 Rationale 10.3 SR 6.1 – Audit log accessibility 10.3.1 Requirement 10.3.2 Rationale and supplemental guidance 10.3.3 Requirement enhancements 10.3.4 Security levels 10.4 SR 6.2 – Continuous monitoring 10.4.1 Requirement 10.4.2 Rationale and supplemental guidance |
66 | 10.4.3 Requirement enhancements 10.4.4 Security levels 11 FR 7 – Resource availability 11.1 Purpose and SL-C(RA) descriptions 11.2 Rationale |
67 | 11.3 SR 7.1 – Denial of service protection 11.3.1 Requirement 11.3.2 Rationale and supplemental guidance 11.3.3 Requirement enhancements 11.3.4 Security levels 11.4 SR 7.2 – Resource management 11.4.1 Requirement 11.4.2 Rationale and supplemental guidance 11.4.3 Requirement enhancements |
68 | 11.4.4 Security levels 11.5 SR 7.3 – Control system backup 11.5.1 Requirement 11.5.2 Rationale and supplemental guidance 11.5.3 Requirement enhancements 11.5.4 Security levels 11.6 SR 7.4 – Control system recovery and reconstitution 11.6.1 Requirement 11.6.2 Rationale and supplemental guidance |
69 | 11.6.3 Requirement enhancements 11.6.4 Security levels 11.7 SR 7.5 – Emergency power 11.7.1 Requirement 11.7.2 Rationale and supplemental guidance 11.7.3 Requirement enhancements 11.7.4 Security levels 11.8 SR 7.6 – Network and security configuration settings 11.8.1 Requirement 11.8.2 Rationale and supplemental guidance |
70 | 11.8.3 Requirement enhancements 11.8.4 Security levels 11.9 SR 7.7 – Least functionality 11.9.1 Requirement 11.9.2 Rationale and supplemental guidance 11.9.3 Requirement enhancements 11.9.4 Security levels |
71 | 11.10 SR 7.8 – Control system component inventory 11.10.1 Requirement 11.10.2 Rationale and supplemental guidance 11.10.3 Requirement enhancements 11.10.4 Security levels |
72 | Annex A (informative) Discussion of the SL vector |
74 | Figure A.1 – High-level process-industry example showing zones and conduits |
75 | Figure A.2 – High-level manufacturing example showing zones and conduits |
76 | Figure A.3 – Schematic of correlation of the use of different SL types |
80 | Annex B (informative) Mapping of SRs and REs to FR SL levels 1-4 Table B.1 – Mapping of SRs and REs to FR SL levels 1-4 (1 of 4) |
84 | Bibliography |