Scribd
Upload
266 views4 pages

Articles Related To ISA 62443

The standards consist of 13 parts totaling almost 1000 pages and address general concepts, policies and procedures, system-level topics, and requirements for component suppliers. A key concept is the use of "zones" containing nodes with similar security requirements and "conduits" between zones. The standards define four Security Levels (SL) akin to safety integrity levels, and seven foundational requirements for achieving a given SL, such as identification and authentication. IEC 62443-4 provides process requirements for developing secure components and certification schemes are now available.

Uploaded by

Andreas M
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
266 views4 pages

Articles Related To ISA 62443

The standards consist of 13 parts totaling almost 1000 pages and address general concepts, policies and procedures, system-level topics, and requirements for component suppliers. A key concept is the use of "zones" containing nodes with similar security requirements and "conduits" between zones. The standards define four Security Levels (SL) akin to safety integrity levels, and seven foundational requirements for achieving a given SL, such as identification and authentication. IEC 62443-4 provides process requirements for developing secure components and certification schemes are now available.

Uploaded by

Andreas M
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

IEC 62443 Series of Cyber

Security Standards: An Overview


(22/05/2018)
https://ez.analog.com/b/engineerzone-spotlight/posts/iec-62443-series-of-cyber-security-
standards-an-overview

In my last post I discussed cyber security and functional safety and


said if you are not secure, then you are not safe.The main non-sector
specific functional safety standard is IEC 61508. Within IEC 61508 it
references IEC 62443 for security. IEC 62443 is entitled “Security for
industrial Automation and Control systems” or “Industrial
communication networks – Network and system security” depending
on where you look. At last count it consisted of 13 parts and almost
1000 pages. The standards are being developed and published via the
ISA (international society of automation engineers) committee ISA99
and the IEC (international electro-technical committees) IEC TC 65. IEC
TC 65/SC 65A also publishes the functional safety standards IEC 61511
and IEC 61508 which is our first clue that the two areas might be
related.

The four parts of IEC 62443-1-X deal with general concepts including
concepts and models and a glossary of terms and conditions. The four
parts in IEC 62443-2-X deal with policies and procedures including
patch management while IEC 62443-3-X has three parts dealing with
system level topics including the choosing of the correct SL (security
level). The two parts of IEC 62443-4-X are probably the most
interesting to companies like Analog Devices and our customers as
these relate to component suppliers, with one part covering the life
cycle requirements and the other the technical requirements. 

A key concept within the IEC 62443 series is that of zones and
conduits. Put in simple language a zone contains nodes with similar
security requirements and a conduit is a link between zones.
A similarity with functional safety is that IEC 62443 nominates four SL
(security levels) which sound very similar to the four SIL from IEC
61508 (another clue to the links).  However, there is no one to one
correspondence between SL and SIL. The definitions of the SL are
contained in IEC 62443-1-1 and are shown below.

The definitions concentrate more on what is required to hack the


system than the likelihood or probability of the system being hacked.
There are alternate definitions given in various articles such as one
which states that SL 4 is designed to prevent a nation state level
attack. The tables in part 3-2 of the standard expand somewhat on the
above using a combination of impact and likelihood to determine the
required SL.

IEC 62443-1-1 defines seven foundational requirements (FR) to achieve


a given SL. These are

 Identification and authentication control(IAC)


 Use control(UC)
 System integrity(SI)
 Data confidentiality (DC)
 Restricted data flow(RDF)
 Timely response to events(TRE)
 Resource availability(RA)

These seven FR can be expressed as a vector so that [1,1,1,1,1,1,1]


represents each of the above seven FR implemented to a SL 1 level of
rigour. From a purely functional safety point of view you can then argue
that by confidentiality, restricted data flow and resource availability
are not so important and a SL 1 implementation is sufficient. Therefore,
the required security vector for a safety system becomes
[X,X,X,1,1,X,1] where X represents a SL of at least one.

If developing an IC or a piece of equipment once you have determined


the required SL, you then proceed to IEC 62443-4-1- and IEC 62443-4-2.
IEC 62443-4-1 tells you the process steps necessary under eight
headings including security management and having an in depth
defense strategy. The requirements are given independent of the SL.
IEC 62443-4-2 gives you requirements under the heading of the seven
FR and with additional requirements depending on whether it is an
application, an embedded device a host device or a networked device.
According to IEC 62443-4-2 the necessary requirements depend on the
SL.
Part 4-2 provides requirements for 4 types of components with 47
requirements in total depending on the SL.

There is now a certification scheme in place for IEC 62443, see


ISAsecure and the various TUV and Exida also offer certification.

Video of the Day: This video from Siemens highlights some of the


issues and has dramatic music which I like in a video
- https://www.youtube.com/watch?
v=dlczMRRFdtQ&stc=nls_152_trackingID_en

For next time, the topic will be functional safety: recommended reads.

You might also like