Preview - ANSI+ISA+62443 4 2 2018
ANSI/ISA-62443-4-2-2018
NOTICE OF COPYRIGHT
This is a copyrighted document and may not be copied or
distributed in any form or manner without the permission of
ISA. This copy of the document was made for the sole use of
the person to whom ISA provided it and is subject to the
restrictions stated in ISA’s license to that person.
It may not be provided to any other person in print,
electronic, or any other form. Violations of ISA’s copyright
will be prosecuted to the fullest extent of the law and may
result in substantial civil and criminal penalties.
This is a preview of "ANSI/ISA 62443-4-2-2...". Click here to purchase the full version from the ANSI store.
ISBN: 978-1-64331-025-1
Copyright © 2018 by ISA. All rights reserved. Not for resale. Printed in the United States of
America.
PREFACE
This preface, as well as all footnotes and annexes, is included for information purposes and is not
part of ANSI/ISA‑62443‑4‑2-2018.
3.3 Conventions
Replace, in the first sentence of the last paragraph,
“The SL-C(component), used throughout this document, signifies a capability required to meet a
given SL rating for a given CR.”
by
“The SL-C(component), used throughout this document, signifies a capability required to meet a
given SL rating for a given FR.”
This document has been prepared as part of the service of ISA, the International Society of
Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this
document should not be static but should be subject to periodic review. Toward this end, the
Society welcomes all comments and criticisms and asks that they be addressed to the Secretary,
Standards and Practices Board; ISA; 67 T.W. Alexander Drive; P. O. Box 12277; Research Triangle
Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected].
The ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general and the International System of Units (SI) in particular, in the
preparation of instrumentation standards. The Department is further aware of the benefits to USA
users of ISA standards of incorporating suitable references to the SI (and the metric system) in
their business and professional dealings with other countries. Toward this end, this Department
will endeavor to introduce SI-acceptable metric units in all new and revised standards,
recommended practices and technical reports to the greatest extent possible. Standard for Use of
the International System of Units (SI): The Modern Metric System, published by the American
Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the
reference guide for definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and
interests in the development of ISA standards, recommended practices and technical reports.
Participation in the ISA standards-making process by an individual in no way constitutes
endorsement by the employer of that individual, of ISA or of any of the standards, recommended
practices and technical reports that ISA develops.
CAUTION – ISA adheres to the policy of the American National Standards Institute with
regard to patents. If ISA is informed of an existing patent that is required for use of the
standard, it will require the owner of the patent to either grant a royalty-free license for use
of the patent by users complying with the standard or a license on reasonable terms and
conditions that are free from unfair discrimination.
Even if ISA is unaware of any patent covering this Standard, the user is cautioned that
implementation of the standard may require use of techniques, processes or materials
covered by patent rights. ISA takes no position on the existence or validity of any patent
rights that may be involved in implementing the standard. ISA is not responsible for
identifying all patents that may require a license before implementation of the standard or
for investigating the validity or scope of any patents brought to its attention. The user
should carefully investigate relevant patents before using the standard for the user’s
intended application.
However, ISA asks that anyone reviewing this standard who is aware of any patents that
may impact implementation of the standard notify the ISA Standards and Practices
Department of the patent and its owner.
Additionally, the use of this standard may involve hazardous materials, operations or
equipment. The standard cannot anticipate all possible applications or address all possible
safety issues associated with use in hazardous conditions. The user of this standard must
exercise sound professional judgment concerning its use and applicability under the user’s
particular circumstances. The user must also consider the applicability of any governmental
regulatory limitations and established safety and health practices before implementing this
standard.
ISA (www.isa.org) is a nonprofit professional association that sets the standard for those who apply
engineering and technology to improve the management, safety, and cybersecurity of modern
automation and control systems used across industry and critical infrastructure. Founded in 1945,
ISA develops widely used global standards; certifies industry professionals; provides education
and training; publishes books and technical articles; hosts conferences and exhibits; and provides
networking and career development programs for its 40,000 members and 400,000 customers
around the world.
ISA owns Automation.com, a leading online publisher of automation-related content, and is the
founding sponsor of The Automation Federation (www.automationfederation.org), an association of
nonprofit organizations serving as “The Voice of Automation.” Through a wholly owned subsidiary,
ISA bridges the gap between standards and their implementation with the ISA Security Compliance
Institute (www.isasecure.org) and the ISA Wireless Compliance Institute (www.isa100wci.org).
The following people served as active members of ISA99 Working Group 04, Task Group 4 in the
preparation of this document:
This standard was approved for publication by the ISA Standards and Practices Board on 12 July
2018.
CONTENTS
0 Introduction .................................................................................................................... 13
0.1 Overview .............................................................................................................. 13
0.2 Purpose and intended audience ........................................................................... 13
1 Scope ............................................................................................................................ 17
2 Normative references ..................................................................................................... 17
3 Terms, definitions, abbreviated terms, acronyms, and conventions ................................ 17
3.1 Terms and definitions ............................................................................................ 17
3.2 Abbreviated terms and acronyms .......................................................................... 23
3.3 Conventions .......................................................................................................... 25
4 Common Component Security Constraints ..................................................................... 26
4.1 Overview ............................................................................................................... 26
4.2 CCSC 1 Support of essential functions .................................................................. 26
4.3 CCSC 2 Compensating countermeasures.............................................................. 26
4.4 CCSC 3 Least privilege ......................................................................................... 27
4.5 CCSC 4 Software development process ................................................................ 27
5 FR 1 – Identification and authentication control .............................................................. 27
5.1 Purpose and SL-C(IAC) descriptions ..................................................................... 27
5.2 Rationale .............................................................................................................. 27
5.3 CR 1.1 – Human user identification and authentication ......................................... 27
5.4 CR 1.2 – Software process and device identification and authentication................ 28
5.5 CR 1.3 – Account management ............................................................................. 29
5.6 CR 1.4 – Identifier management ............................................................................ 30
5.7 CR 1.5 – Authenticator management ..................................................................... 30
5.8 CR 1.6 – Wireless access management ................................................................ 32
5.9 CR 1.7 – Strength of password-based authentication ............................................ 32
5.10 CR 1.8 – Public key infrastructure certificates ....................................................... 33
5.11 CR 1.9 – Strength of public key-based authentication ........................................... 33
5.12 CR 1.10 – Authenticator feedback ......................................................................... 34
5.13 CR 1.11 – Unsuccessful login attempts ................................................................. 35
5.14 CR 1.12 – System use notification ........................................................................ 36
5.15 CR 1.13 – Access via untrusted networks ............................................................. 36
5.16 CR 1.14 – Strength of symmetric key-based authentication ................................... 36
6 FR 2 – Use control ......................................................................................................... 37
6.1 Purpose and SL-C(UC) descriptions ...................................................................... 37
6.2 Rationale .............................................................................................................. 38
6.3 CR 2.1 – Authorization enforcement ...................................................................... 38
6.4 CR 2.2 – Wireless use control ............................................................................... 39
6.5 CR 2.3 – Use control for portable and mobile devices ........................................... 40
6.6 CR 2.4 – Mobile code ............................................................................................ 40
6.7 CR 2.5 – Session lock ........................................................................................... 40
6.8 CR 2.6 – Remote session termination ................................................................... 40
6.9 CR 2.7 – Concurrent session control ..................................................................... 41
FOREWORD
This document is part of a multipart standard that addresses the issue of security for the components which are contained
in industrial automation and control systems (IACS). It has been developed by working group 04, task group 4 of the
ISA99 committee in cooperation with IEC TC65/WG10.
This document prescribes the security requirements for the components that are used to build control systems. These
security requirements are derived from the system requirements for IACS defined in ISA‑62443‑3‑3:2013 [1]¹ and as
such, assigns component security levels (SLs) which are based on the system security levels.
—————————
¹ Numbers in brackets indicate references in the Bibliography.
0 Introduction
NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2 [13].
These directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The
requirements specified in normative clauses use the conventions discussed in Appendix H of the Directives document.
0.1 Overview
Industrial automation and control system (IACS) organizations increasingly use commercial-off-
the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. Control
systems are also increasingly interconnected with non-IACS networks for valid business reasons.
These devices, open networking technologies and increased connectivity provide an increased
opportunity for cyber-attack against control system hardware and software. That weakness may
lead to health, safety and environmental (HSE), financial and/or reputational consequences in
deployed control systems.
Organizations choosing to deploy business information technology (IT) cyber security solutions to
address IACS security may not fully comprehend the results of their decision. While many business
IT applications and security solutions can be applied to IACS, they need to be applied in an
appropriate way to eliminate inadvertent consequences. For this reason, the approach used to
define system requirements needs to be based on a combination of functional requirements and
risk assessment, often including an awareness of operational issues as well.
IACS security countermeasures should not have the potential to cause loss of essential services
and functions, including emergency procedures. (IT security countermeasures, as often deployed,
do have this potential.) IACS security goals focus on control system availability, plant protection,
plant operations (even in a degraded mode) and time-critical system response. IT security goals
often do not place the same emphasis on these factors; they may be more concerned with
protecting information rather than physical assets. These different goals need to be clearly stated
as security objectives regardless of the degree of plant integration achieved. A key step in the risk
assessment, as required by ISA‑62443‑2‑1² [5], should be the identification of which services and
functions are truly essential for operations. (For example, in some facilities engineering support
may be determined to be a non-essential service or function.) In some cases, it may be acceptable
for a security action to cause temporary loss of a non-essential service or function, unlike an
essential service or function that should not be adversely affected.
This document provides the cyber security technical requirements for the components that make
up an IACS, specifically the embedded devices, network components, host components and
software applications. This document derives its requirements from the IACS System security
requirements described in ISA‑62443‑3‑3 [11]. The intent of this document is to specify security
capabilities that enable a component to mitigate threats for a given security level (SL) without the
assistance of compensating countermeasures.
The primary goal of the ISA‑62443 series is to provide a flexible framework that facilitates
addressing current and future vulnerabilities in IACS and applying necessary mitigations in a
systematic, defensible manner. It is important to understand that the intention of the ISA‑62443
series is to build extensions to enterprise security that adapt the requirements for business IT
systems and combines them with the unique requirements for strong integrity and availability
needed by IACS.
—————————
² Many documents in the ISA‑62443 series are currently under review or in development.
authorities include government agencies and regulators with the legal authority to perform audits
to verify compliance with governing laws and regulations.
System integrators will use this document to assist them in procuring control system components
that make up an IACS solution. The assistance will be in the form of helping system integrators
specify the appropriate security capability level of the individual components they require. The
primary standards for system integrators are ISA‑62443‑2‑1 [5], ISA‑62443‑2‑4 [8],
ISA‑62443‑3‑2 [10] and ISA‑62443‑3‑3 [11] that provide organizational and operational
requirements for a security management system and guide them through the process of defining
security zones for a system and the target security capability levels (SL-T) for those zones. Once
the SL-T for each zone has been defined, components that provide the necessary security
capabilities can be used to achieve the SL-T for each zone.
Product suppliers will use this document to understand the requirements placed on control system
components for specific security capability levels (SL-Cs) of those components. A component may
not provide a required capability itself but may be designed to integrate with a higher level entity
and thus benefit from that entity’s capability; for example, an embedded device may not
maintain a user directory itself, but may integrate with a system-wide authentication and
authorization service and thus still meet the requirements to provide individual user authentication,
authorization and management capabilities. This document will guide product suppliers as to
which requirements can be allocated and which requirements need to be native in the components.
As defined in Practice 8 of ISA‑62443‑4‑1 [12], the product supplier will provide documentation
of how to properly integrate the component into a system to meet a specific SL-T.
The component requirements (CRs) in this document are derived from the system requirements
(SRs) in ISA‑62443‑3‑3 [11]. The requirements in ISA‑62443‑3‑3 [11] are referred to as SRs,
which are derived from the overall foundational requirements (FRs) defined in ISA‑62443‑1‑1 [1].
CRs may also include a set of requirement enhancements (REs). The combination of CRs and REs
is what will determine the target security level that a component is capable of.
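The SL-T/SL-C comparison described above, including the case of a capability allocated to a higher-level entity, as an added example that is not part of ISA-62443-4-2 or any ISA tool. The FR abbreviations follow ISA-62443-1-1; the sample zone, device and the "allocated" modelling choice are constructed for this illustration.

```python
"""Added example (not ISA's own code): compare a component's SL-C vector with
a zone's SL-T across the seven FRs, allowing for allocated capabilities."""
from dataclasses import dataclass, field

# The seven foundational requirements (FR 1 .. FR 7) defined in ISA-62443-1-1.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")
MAX_SL = 4

@dataclass
class Component:
    name: str
    sl_c: dict                                   # native SL-C per FR
    # FRs the component is designed to obtain from a higher-level entity
    # (hypothetical modelling choice, e.g. a system-wide authentication service)
    allocated: set = field(default_factory=set)

def _check_vector(vec, label):
    """Reject vectors that do not assign an SL in 0..4 to every FR."""
    for fr in FRS:
        if fr not in vec:
            raise ValueError(f"{label}: missing FR {fr}")
        if not 0 <= vec[fr] <= MAX_SL:
            raise ValueError(f"{label}: SL for {fr} out of range: {vec[fr]}")

def effective_sl_c(component, system_services=None):
    """SL-C vector the component actually offers once integrated.
    An allocated FR takes the higher-level entity's level only if the
    integrator provides that entity (system_services); otherwise the
    component is credited with its native level alone."""
    system_services = system_services or {}
    _check_vector(component.sl_c, f"{component.name} SL-C")
    eff = {}
    for fr in FRS:
        level = component.sl_c[fr]
        if fr in component.allocated and fr in system_services:
            level = max(level, system_services[fr])
        eff[fr] = level
    return eff

def sl_gaps(component, sl_t, system_services=None):
    """FRs where effective SL-C is below the zone SL-T, as {FR: (sl_c, sl_t)}.
    An empty result means the component can be used to achieve the SL-T."""
    _check_vector(sl_t, "zone SL-T")
    eff = effective_sl_c(component, system_services)
    return {fr: (eff[fr], sl_t[fr]) for fr in FRS if eff[fr] < sl_t[fr]}

# Constructed sample data: a zone whose SL-T is 2 for IAC, UC, RDF and RA and
# 1 elsewhere, and an embedded device that relies on a central directory for IAC.
ZONE_SL_T = {"IAC": 2, "UC": 2, "SI": 1, "DC": 1, "RDF": 2, "TRE": 1, "RA": 2}
DEVICE = Component(
    name="embedded-device (constructed)",
    sl_c={"IAC": 1, "UC": 2, "SI": 2, "DC": 1, "RDF": 2, "TRE": 1, "RA": 1},
    allocated={"IAC"},
)
CENTRAL_AUTH = {"IAC": 3}   # capability the system-wide auth service provides

if __name__ == "__main__":
    print("stand-alone gaps:", sl_gaps(DEVICE, ZONE_SL_T))
    print("with central auth:", sl_gaps(DEVICE, ZONE_SL_T, CENTRAL_AUTH))
```

Run stand-alone, the device falls short on IAC and RA; once the integrator supplies the central authentication service the allocated IAC capability is met and only the RA gap remains, which would need a different component or a compensating countermeasure.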
This document provides component requirements for four types of components: software
application, embedded device, host device and network device. Thus the CRs for each type of
component will be designated as follows:
Figure 1 shows a graphical depiction of the ISA‑62443 series when this document was written.
1 Scope
This document in the ISA‑62443 series provides detailed technical control system component
requirements (CRs) associated with the seven foundational requirements (FRs) described in
ISA‑62443‑1‑1 [1] including defining the requirements for control system capability security levels
and their components, SL-C(component).
NOTE Refer to ISA‑62443‑2‑1 [5] for an equivalent set of non-technical, program-related, capability requirements
necessary for fully achieving an SL-T(control system).
2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
ISA‑62443‑1‑1 – Security for industrial automation and control systems, Part 1-1: Concepts and
models [1]
ISA‑TR62443‑1‑2 – Security for industrial automation and control systems, Part 1-2: Master
glossary of terms and abbreviations [2]
ISA‑62443‑3‑3:2013 – Security for industrial automation and control systems, Part 3-3: System
security requirements and security levels [11]