ISA/IEC 62443

Summary

ISA/IEC 62443 is a series of standards on the security of industrial automation and control systems (IACS). Part 2-1 defines the elements needed to establish a cyber security management system (CSMS) for an IACS and gives guidance on how to develop them; Part 3-3 defines the system security requirements (SRs) and their requirement enhancements (REs), grouped under seven foundational requirements, and the security levels they support. The version used in this section is IEC 62443-3-3 edition 1.0 2013-08. Each definition below is keyed by its foundational requirement, IAC (identification and authentication control), UC (use control), SI (system integrity), DC (data confidentiality), RDF (restricted data flow), TRE (timely response to events) or RA (resource availability), followed by the requirement number; RE_n marks a requirement enhancement. Under each definition are the Fluid Attacks requirements that cover it.

Definitions

Definition, followed by the mapped requirements:

IAC-1_1. Human user identification and authentication
  237. Ascertain human interaction
IAC-1_2. Software process and device identification and authentication
  143. Unique access credentials
  176. Restrict system objects
  264. Request authentication
IAC-1_3. Account management
  034. Manage user accounts
IAC-1_5. Authenticator management
  228. Authenticate using standard protocols
  229. Request access credentials
  319. Make authentication options equally secure
IAC-1_6. Wireless access management
  253. Restrict network access
IAC-1_7. Strength of password-based authentication
  129. Validate previous passwords
  130. Limit password lifespan
  133. Passwords with at least 20 characters
  136. Force temporary password change
  138. Define lifespan for temporary passwords
  332. Prevent the use of breached passwords
  334. Avoid knowledge-based authentication
IAC-1_8. Public key infrastructure (PKI) certificates
  090. Use valid certificates
  093. Use consistent certificates
IAC-1_9. Strength of public key authentication
  088. Request client certificates
  373. Use certificate pinning
IAC-1_11. Unsuccessful login attempts
  131. Deny multiple password changing attempts
  227. Display access notification
IAC-1_12. System use notification
  225. Proper authentication responses
  227. Display access notification
  301. Notify configuration changes
  358. Notify upcoming expiration dates
IAC-1_13. Access via untrusted networks
  160. Encode system outputs
  321. Avoid deserializing untrusted data
  340. Use octet stream downloads
  348. Use consistent encoding
UC-2_1. Authorization enforcement
  096. Set user's required privileges
  114. Deny access with inactive credentials
UC-2_2. Wireless use control
  248. SSID without dictionary words
  250. Manage access points
  253. Restrict network access
  254. Change SSID name
UC-2_3. Use control for portable and mobile devices
  205. Configure PIN
  210. Delete information from mobile devices
  214. Allow data destruction
  373. Use certificate pinning
UC-2_4. Mobile code
  205. Configure PIN
  352. Enable trusted execution
UC-2_6. Remote session termination
  023. Terminate inactive user sessions
UC-2_7. Concurrent session control
  025. Manage concurrent sessions
UC-2_8. Auditable events
  075. Record exceptional events in logs
UC-2_9. Audit storage capacity
  322. Avoid excessive logging
  377. Store logs based on valid regulation
UC-2_11. Timestamps
  079. Record exact occurrence time of events
SI-3_1. Communication integrity
  046. Manage the integrity of critical files
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms
SI-3_2. Malicious code protection
  041. Scan files for malicious code
  115. Filter malicious emails
  155. Application free of malicious code
  340. Use octet stream downloads
SI-3_5. Input validation
  173. Discard unsafe inputs
SI-3_7. Error handling
  313. Inform inability to identify users
SI-3_8. Session integrity
  024. Transfer information using session objects
  029. Cookies with security attributes
  030. Avoid object reutilization
  031. Discard user session data
  357. Use stateless session tokens
SI-3_9. Protection of audit information
  080. Prevent log modification
  377. Store logs based on valid regulation
DC-4_1. Information confidentiality
  176. Restrict system objects
  178. Use digital signatures
  185. Encrypt sensitive information
  329. Keep client-side storage without sensitive data
  365. Avoid exposing technical information
DC-4_3. Use of cryptography
  145. Protect system cryptographic keys
  148. Set minimum size of asymmetric encryption
  149. Set minimum size of symmetric encryption
  150. Set minimum size for hash functions
  370. Use OAEP padding with RSA
  371. Use GCM Padding with AES
RDF-5_1. Network segmentation
  259. Segment the organization network
RDF-5_2. Zone boundary protection
  258. Filter website content
  341. Use the principle of deny by default
RDF-5_3. User content filtering
  116. Disable images of unknown origin
  258. Filter website content
  266. Disable insecure functionalities
  340. Use octet stream downloads
TRE-6_1. Audit log accessibility
  378. Use of log management system
RA-7_1. Denial of service protection
  072. Set maximum response time
  327. Set a rate limit
  345. Establish protections against overflows
RA-7_6. Network and security configuration settings
  062. Define standard configurations
RA-7_7. Least functionality
  186. Use the principle of least privilege
  255. Allow access only to the necessary ports
  353. Schedule firmware updates
CR-1_1-RE_1. Unique identification and authentication
  264. Request authentication
  305. Prioritize token usage
  319. Make authentication options equally secure
  335. Define out of band token lifespan
  357. Use stateless session tokens
CR-1_1-RE_2. Multifactor authentication for all interfaces
  262. Verify third-party components
  362. Assign MFA mechanisms to a single account
CR-1_7. Strength of password-based authentication
  126. Set a password regeneration mechanism
  127. Store hashed passwords
  130. Limit password lifespan
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  135. Passwords with random salt
  139. Set minimum OTP length
  333. Store salt values separately
  334. Avoid knowledge-based authentication
CR-1_7-RE_2. Password lifetime restrictions for all users
  130. Limit password lifespan
  138. Define lifespan for temporary passwords
  140. Define OTP lifespan
CR-2_1-RE_3. Permission mapping to roles
  034. Manage user accounts
CR-3_1-RE_1. Communication authentication
  024. Transfer information using session objects
  030. Avoid object reutilization
  181. Transmit data using secure protocols
  369. Set a maximum lifetime in sessions