535:
and processes. ISASecure certifications were expanded to include the
Industrial IOT component certification (ICSA) in December 2022. Certification Bodies in the ISASecure certification scheme are independently accredited by ISO 17011 Accreditation Bodies to the ISASecure technical readiness requirements and the ISO 17025 and ISO 17065 standards. Multilateral recognition agreements under the IAF ensure that the ISASecure certifications are mutually recognized by all global IAF signatories.
89:(ISA), a professional automation engineering society and ANSI-accredited standards development organization (SDO) established the Industrial Automation and Control System Security standards committee (ISA99). The ISA99 committee developed a multi-part series of standards and technical reports about Industrial Automation and Control System (IACS) cyber security. These work products were submitted by ISA for approval and then published as North American
526:
field of product certification, this procedure is used to reduce the complexity in the approval procedure for manufacturers of products tested and certified according to harmonized standards. A product that has been tested by a CBTL (certified testing laboratory) according to a harmonized standard such as the IEC 62443, can use the CB report as a basis for a later national certification and approval such as GS, PSE, CCC, NOM, GOST/R, BSMI.
333:
Part 4-2: This part defines technical requirements for products or components. Like the requirements for systems (Section -3-3), the requirements are divided into 12 subject areas and refer to them. In addition to the technical requirements, common component security constraints (CCSC) are defined,
534:
The ISA Security
Compliance Institute (ISCI), a wholly owned subsidiary of the ISA, created an industry consensus conformity assessment scheme that certifies to the ISA/IEC 62443 standards and operates under the ISASecure brand. This scheme is used to certify automation control systems, components
469:
IEC 62443 certification schemes have been established by several global testing, inspection, and certification (TIC) companies. The schemes are based on the referenced standards and define test methods, surveillance audit policies, public documentation policies, and other specific aspects of their
397:
Technical requirements for systems (IEC 62443-3-3) and products (IEC 62443-4-2) are evaluated in the standard by four so-called
Security Levels (SL). The different levels indicate the resistance against different classes of attackers. The standard emphasizes that the levels should be evaluated per
370:
Based on CMMI, IEC 62443 describes different maturity levels for processes through so-called "maturity levels". To fulfill a certain level of a maturity level, all process-related requirements must always be practiced during product development or integration, i.e. the selection of only individual
329:
Part 4-1: This part defines how a secure product development process should look like. It is divided into eight areas ("Practices"): management of development, definition of security requirements, design of security solutions, secure development, testing of security features, handling of security
525:
The origin of the CB Scheme comes from the CEE (former
European "Commission for Conformity Testing of Electrical Equipment") and was integrated into the IEC in 1985. Currently, 54 Member Bodies are in the IECEE, 88 NCBs (National Certification Bodies), and 534 CB Test Laboratories (CBTL). In the
559:
In 2023, ISASecure announced the development of a new certification for assessing and certifying automation and control systems in operation at asset owner sites. It is named the
Automation and Control System Security Assurance (ACSSA) certification. It is slated for completion at the end of
493:
A global infrastructure of national accreditation bodies (AB) ensures consistent evaluation of the IEC 62443. The ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting
381:
Maturity Level 2 - Managed: The product supplier is able to manage the development of a product according to written guidelines. It must be demonstrated that the personnel who carry out the process have the appropriate expertise, are trained and/or follow written procedures. The processes are
460:
Processes, systems and products used in industrial automation environments can be certified according to IEC 62443. Many testing, inspection, and certification (TIC) companies offer product and process certifications based on IEC 62443. By accrediting according to the ISO/IEC 17000 series of
119:
In 2021, the IEC approved the IEC 62443 family of standards as 'horizontal standards'. This means that when sector specific standards for operational technology are being developed by subject matter experts, the IEC 62443 standards must be used at the foundation for requirements addressing
120:
cybersecurity in those standards. This approach serves to avoid the proliferation of partial and/or conflicting requirements for addressing cybersecurity of operational technology across industry sectors where the same or similar technology or products are deployed at operating sites.
45:. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the
447:
Zones have boundaries that separate the elements inside the zone from those outside. Information moves within and between zones. Zones can be divided into sub-zones that define different security levels (Security Level) and thus enable defense-in-depth.
443:
Zones divide a system into homogeneous zones by grouping the (logical or physical) assets with common security requirements. The security requirements are defined by
Security Level (SL). The level required for a zone is determined by the risk analysis.
548:
ICSA (IIOT Component
Security Assurance) certification of IIOT automation components according to IEC 62443-4-1 and IEC 62443-4-2 with four exceptions and seventeen extensions to the IEC 62443-4-2 standard to account for unique characteristics of IIOT
340:
CCSC 2 specifies that the technical requirements that the component cannot meet itself can be met by compensating countermeasures at system level (see IEC 62443-3-3). For this purpose, the countermeasures must be described in the documentation of the
82:(IEC) standards creation process where all national committees involved agree upon a common standard. Multiple organizations and committees submitted input to the IEC working groups and helped shape the IEC 62443 family of standard.
555:
EDSA (Embedded Device
Security Assurance) certification of components based on the IEC 62443-4-2. This certification was offered in 2010 and phased out when the IEC 62443-4-2 standard was formally approved and published in
505:
TIC companies are accredited by an AB to provide inspection according to the ISO/IEC 17020, testing laboratories according to ISO/IEC 17025 and certification of products, processes, and services according to ISO/IEC 17065.
434:
Defense in Depth is a concept in which several levels of security (defense) are distributed throughout the system. The goal is to provide redundancy in case a security measure fails or a vulnerability is exploited.
522:) is a multilateral agreement that facilitates market access for manufacturers of electrical and electronic products. Under the CB Scheme processes, products and systems can be certified according to IEC 62443.
451:
Conduits group the elements that allow communication between two zones. They provide security functions that enable secure communication and allow the coexistence of zones with different security levels.
311:
Part 2-1: This part of the standard is aimed at operators of automation solutions and defines requirements for how security during the operation of plants is to be considered (see ISO/IEC 27001).
388:
Maturity Level 4 - Improving: Product suppliers use appropriate process metrics to monitor the effectiveness and performance of the process and demonstrate continuous improvement in these areas.
461:
standards, the companies share a single, consistent set of certification requirements for IEC 62443 certifications which elevates the usefulness of the resulting certificates of conformance.
314:
Part 2-4: This part defines requirements ("capabilities") for integrators. These requirements are divided into 12 topics: Assurance, architecture, wireless, security engineering systems,
385:
Maturity Level 3 - Defined (practiced): The process is repeatable throughout the supplier's organization. The processes have been practiced and there is evidence that this has been done.
358:
IEC 62443 describes different levels of maturity for processes and technical requirements. The maturity levels for processes are based on the maturity levels from the
97:
or ISA99 standards were renumbered to be the ANSI/ISA-62443 series in 2010. The content of this series was submitted to and used by the IEC working groups.
470:
program. Cybersecurity certification programs for IEC 62443 standards are being offered globally by many recognized
Certification Bodies (CB), including
417:
Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.
414:
Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation.
499:
659:
Industrial communication networks – Network and system security – Part 3-1: Security technologies for industrial automation and control systems
378:
Maturity Level 1 - Initial: Product suppliers usually carry out product development ad hoc and often undocumented (or not fully documented).
552:
SDLA (Secure
Development Lifecycle Assurance) certification of automation systems development organizations according to the IEC 62443-4-1
502:
for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs.
583:
79:
791:
337:
CCSC 1 describes that components must take into account the general security characteristics of the system in which they are used.
411:
Security Level 2: Protection against intentional misuse by simple means with few resources, general skills and low motivation.
46:
645::2024, Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners
359:
90:
752:
Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
786:
738:
Security for industrial automation and control systems – Part 2-4: Security program requirements for IACS service providers
86:
149:
The following table lists the parts of the IEC 62443 series of standards published to date with their status and title.
721:
Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components
545:
CSA (Component Security Assurance) certification of automation components according to IEC 62443-4-1 and IEC 62443-4-2
676:
Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements
495:
101:
483:
70:
The different roles each follow a risk-based approach to prevent and manage security risks in their activities.
796:
347:
CCSC 4 requires that the component is developed and supported by IEC 62443-4-1 compliant development processes.
704:
Security for industrial automation and control systems – Part 3-2: Security risk assessment for system design
17:
628:
Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models
690:
Security for industrial automation and control systems – Part 2-3: Patch management in the IACS environment
398:
technical requirement (see IEC 62443-1-1) and are not suitable for the general classification of products.
426:
The standard explains various basic principles that should be considered for all roles in all activities.
735:
687:
673:
542:
SSA (System Security Assurance) certification of systems according to IEC 62443-3-3 and IEC 62443-4-1
319:
116:
in industrial automation environments and were also submitted to and used by the IEC working groups.
749:
718:
701:
656:
625:
487:
315:
139:
Policies and Procedures: This part focuses on methods and processes associated with IACS security.
573:
514:
The IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components (
801:
34:
330:
vulnerabilities, creation and publication of updates and documentation of security features.
113:
8:
145:
Components and Requirements: This part provides detailed requirements for IACS products.
498:
for work in management systems, products, services, and personnel accreditation or the
578:
78:
As an international standard, the IEC 62443 family of standards is the result of the
323:
602:
344:
CCSC 3 requires that the "Least Privilege" principle is applied in the component.
56:
It divides the cybersecurity topics by stakeholder category / roles including:
642:
471:
42:
780:
63:
the service providers (service providers for integration and for maintenance)
408:
Security Level 1: Protection against unintentional or accidental misuse.
519:
38:
136:
General: This part covers topics that are common to the entire series.
766:
334:
which must be met by components to be compliant with IEC 62443-4-2:
195:
Security technologies for industrial automation and control systems
538:
The ISCI offers multiple certifications under the ISASecure brand:
479:
475:
105:
93:
standards. The ISA standards documents originally referred to as
405:
Security Level 0: No special requirement or protection required.
130:
Industrial communication networks - Network and system security
515:
142:
System: This part is about requirements at the system level.
112:
guidelines in 2011. The guidelines describe how to handle
771:
33:
is a series of standards that address cybersecurity for
371:
criteria ("cherry picking") is not standard-compliant.
50:
494:
conformity assessment bodies. ABs are members of the
283:
Technical Specification, Edition 1.0, September 2023
243:
Technical security requirements for IACS components
186:
Security program requirements for IACS asset owners
464:
208:Secure product development lifecycle requirements
132:series of standards is organized into four parts:
269:System security requirements and security levels
100:In parallel, the German engineering associations
778:
174:Technical Specification, Edition 1.0, July 2009
374:The maturity levels are described as follows:
353:
326:, backup & recovery, and project staffing.
455:
234:Security risk assessment and system design
584:International Electrotechnical Commission
225:Patch management in the IACS environment
222:Technical Report, Edition 1.0, June 2015
192:Technical Report, Edition 1.0, July 2009
80:International Electrotechnical Commission
260:Requirements for IACS service providers
322:, user management, malware protection,
286:Scheme for IEC 62443 security profiles
14:
779:
438:
360:Capability Maturity Model Integration
731:
729:
714:
712:
669:
667:
638:
636:
51:International Society for Automation
27:International cybersecurity standard
429:
87:International Society of Automation
66:the component/system manufacturers.
24:
509:
25:
813:
760:
726:
709:
664:
633:
529:
392:
365:
484:TÜV Nord, TÜV Rheinland, TÜV SÜD
465:Accredited certification schemes
792:Information assurance standards
743:
695:
681:
650:
619:
595:
13:
1:
589:
518:) Certification Body Scheme (
320:event management and logging
166:Components and Requirements
123:
7:
787:Computer security standards
567:
421:
354:Maturity and Security Level
257:Edition 2.0, December 2023
240:Edition 1.0, February 2019
10:
818:
456:Certification to standards
205:Edition 1.0, January 2018
73:
603:"Understanding IEC 62443"
266:Edition 1.0, August 2013
183:Edition 2.0, August 2010
165:
162:
159:
156:
316:configuration management
160:Policies and Procedures
574:Cybersecurity standards
231:Edition 1.0, June 2020
85:Starting in 2002, the
35:operational technology
797:Industrial automation
736:IEC 62443-2-4:2023,
177:Concepts and models
114:information security
153:
439:Zones and conduits
362:(CMMI) framework.
152:
579:Functional safety
318:, remote access,
308:
307:
16:(Redirected from
809:
755:
747:
741:
733:
724:
716:
707:
699:
693:
685:
679:
671:
662:
654:
648:
640:
631:
623:
617:
616:
614:
613:
599:
430:Defense in depth
401:The levels are:
324:patch management
154:
151:
21:
817:
816:
812:
811:
810:
808:
807:
806:
777:
776:
763:
758:
750:IEC 62443-3-3,
748:
744:
734:
727:
719:IEC 62443-4-2,
717:
710:
702:IEC 62443-3-2,
700:
696:
688:IEC 62443-2-3,
686:
682:
674:IEC 62443-4-1,
672:
665:
657:IEC 62443-3-1,
655:
651:
641:
634:
626:IEC 62443-1-1,
624:
620:
611:
609:
601:
600:
596:
592:
570:
564:
532:
512:
510:IECEE CB Scheme
467:
458:
441:
432:
424:
395:
368:
356:
126:
76:
47:ISA99 committee
43:control systems
28:
23:
22:
15:
12:
11:
5:
815:
805:
804:
799:
794:
789:
775:
774:
769:
762:
761:External links
759:
757:
756:
742:
725:
708:
694:
680:
663:
649:
632:
618:
593:
591:
588:
587:
586:
581:
576:
569:
566:
562:
561:
557:
553:
550:
546:
543:
531:
530:ISCI ISASecure
528:
511:
508:
472:Bureau Veritas
466:
463:
457:
454:
440:
437:
431:
428:
423:
420:
419:
418:
415:
412:
409:
406:
394:
393:Security Level
391:
390:
389:
386:
383:
379:
367:
366:Maturity Level
364:
355:
352:
351:
350:
349:
348:
345:
342:
338:
331:
327:
312:
306:
305:
303:
301:
299:
297:
295:
293:
291:
289:
287:
284:
281:
277:
276:
274:
272:
270:
267:
264:
261:
258:
255:
252:
250:
248:
245:
244:
241:
238:
235:
232:
229:
226:
223:
220:
217:
215:
213:
210:
209:
206:
203:
200:
193:
190:
187:
184:
181:
178:
175:
172:
168:
167:
164:
161:
158:
147:
146:
143:
140:
137:
125:
122:
75:
72:
68:
67:
64:
61:
26:
9:
6:
4:
3:
2:
814:
803:
802:IEC standards
800:
798:
795:
793:
790:
788:
785:
784:
782:
773:
772:IECEE website
770:
768:
765:
764:
754:
753:
746:
740:
739:
732:
730:
723:
722:
715:
713:
706:
705:
698:
692:
691:
684:
678:
677:
670:
668:
661:
660:
653:
647:
646:
643:IEC 62443-2-1
639:
637:
630:
629:
622:
608:
604:
598:
594:
585:
582:
580:
577:
575:
572:
571:
565:
558:
554:
551:
547:
544:
541:
540:
539:
536:
527:
523:
521:
517:
507:
503:
501:
497:
491:
489:
485:
481:
477:
473:
462:
453:
449:
445:
436:
427:
416:
413:
410:
407:
404:
403:
402:
399:
387:
384:
380:
377:
376:
375:
372:
363:
361:
346:
343:
339:
336:
335:
332:
328:
325:
321:
317:
313:
310:
309:
304:
302:
300:
298:
296:
294:
292:
290:
288:
285:
282:
279:
278:
275:
273:
271:
268:
265:
262:
259:
256:
253:
251:
249:
247:
246:
242:
239:
236:
233:
230:
227:
224:
221:
218:
216:
214:
212:
211:
207:
204:
201:
198:
194:
191:
188:
185:
182:
179:
176:
173:
170:
169:
155:
150:
144:
141:
138:
135:
134:
133:
131:
121:
117:
115:
111:
108:released the
107:
103:
98:
96:
92:
88:
83:
81:
71:
65:
62:
60:the operator,
59:
58:
57:
54:
52:
48:
44:
40:
36:
32:
19:
18:IEC/ISA 62443
751:
745:
737:
720:
703:
697:
689:
683:
675:
658:
652:
644:
627:
621:
610:. Retrieved
606:
597:
563:
537:
533:
524:
513:
504:
492:
480:SGS-TÜV Saar
468:
459:
450:
446:
442:
433:
425:
400:
396:
373:
369:
357:
196:
148:
129:
127:
118:
110:VDI/VDE 2182
109:
99:
94:
84:
77:
69:
55:
30:
29:
767:IEC website
382:repeatable.
95:ANSI/ISA-99
781:Categories
612:2022-09-02
607:www.iec.ch
590:References
549:components
341:component.
128:IEC 62443
39:automation
520:CB Scheme
124:Structure
31:IEC 62443
568:See also
476:Intertek
422:Concepts
157:General
163:System
74:History
49:of the
560:2024.
556:2018.
516:IECEE
199:IAC)
500:ILAC
486:and
280:1-5
263:3-3
254:2-4
237:4-2
228:3-2
219:2-3
202:4-1
189:3-1
180:2-1
171:1-1
104:and
91:ANSI
41:and
496:IAF
106:VDE
102:VDI
37:in
783::
728:^
711:^
666:^
635:^
605:.
490:.
488:UL
482:,
478:,
474:,
53:.
615:.
197:(
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.