{ "sRequirements": [ { "requirementStandard": "IEC 62443 2-4 (§4.1.5)", "requirementName": "IACS integration service providers", "requirementDescription": "An IACS integration service provider, often external and contracted, implements and deploys Automation Solutions according to the asset owner’s requirements, usually from design to handover.", "requirementSatisfaction": "IACS integration service provider activities typically include: • Analyzing the physical environment and processes to be controlled. • Designing the Automation Solution, including device configurations, control loops, and potential Safety Instrumented System (SIS) integration. • Defining external network connections for the Automation Solution. • Implementing, configuring, updating, backing up, and testing the solution for handover to the asset owner. • Securing approval from the asset owner for key decisions and outputs throughout the process." }, { "requirementStandard": "IEC 62443 2-4 (§4.1.6)", "requirementName": "IACS maintenance service providers", "requirementDescription": "An IACS maintenance service provider is an organization contracted by the asset owner to maintain and service Automation Solutions as per their requirements", "requirementSatisfaction": "Maintenance activities begin after the Automation Solution handover to the asset owner and may continue indefinitely. They often involve: • Patching and antivirus updates. • Equipment maintenance and upgrades, including minor engineering adjustments. • Component and system migration. • Change management. • Contingency plan management." }, { "requirementStandard": "IEC 62443 2-4 (§4.2.1)", "requirementName": "Maturity levels - Initial", "requirementDescription": "At this level, the models are fundamentally the same. 
Service providers often deliver these services in an ad-hoc and frequently undocumented manner.", "requirementSatisfaction": "Service requirements are often outlined in a contract’s statement of work with the asset owner, making consistency across projects challenging." }, { "requirementStandard": "IEC 62443 2-4 (§4.2.2)", "requirementName": "Maturity levels - Managed", "requirementDescription": "At this level, the models are fundamentally the same, but IEC 62443-2-4 acknowledges that there may be a significant delay between defining a service and executing (practicing) it. Consequently, the execution-related aspects of the Capability Maturity Model Integration (CMMI)-SVC Level 2 are deferred to Level 3.", "requirementSatisfaction": "At this level, the provider effectively manages service delivery in line with policies and objectives. Personnel show competence and follow documented procedures. This level ensures service practices are repeatable and executed according to plans." }, { "requirementStandard": "IEC 62443 2-4 (§4.2.3)", "requirementName": "Maturity levels - Defined (Practiced)", "requirementDescription": "At this level, the models are fundamentally the same, but the execution-related aspects of CMMI-SVC Level 2 are integrated here. Therefore, a service at Level 3 is essentially a Level 2 service that the service provider has successfully practiced for an asset owner at least once.", "requirementSatisfaction": "Level 3 service is consistently performed across the provider’s organization. It can be tailored for individual projects as per the contract and statement of work from the asset owner." }, { "requirementStandard": "IEC 62443 2-4 (§4.2.4)", "requirementName": "Maturity levels - Improving", "requirementDescription": "At this level, Part 2-4 combines CMMI-SVC levels 4 and 5.", "requirementSatisfaction": "Service providers use process metrics to continually monitor and improve service efficiency and performance. 
This can include adopting more efficient procedures or enhancing security through technology and management adjustments, as per IEC 62443-3-3 guidelines, resulting in an evolving security program." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Security requirements – IEC 62443-2-4", "requirementDescription": "The service provider must ensure that only personnel informed about and compliant with the responsibilities, policies, and procedures specified in this document are assigned to Automation Solution-related activities.", "requirementSatisfaction": "This Base Requirement (BR) and its Requirement Enhancements (REs) aim to protect the Automation Solution from potential threats originating from service provider, subcontractor, and consultant personnel who may not fully understand security best practices. Security breaches often result from actions taken inadvertently or negligence. This capability ensures that service provider personnel working on the Automation Solution are security-aware, typically through training and procedure reviews." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Security requirements – IEC 62443-2-4", "requirementDescription": "The service provider must be capable of assigning subcontractor or consultant personnel to Automation Solution-related activities only if they have been informed about and adhere to the responsibilities, policies, and procedures specified in this specification.", "requirementSatisfaction": "This capability ensures security-aware subcontractor personnel, consultants, and representatives can be engaged by the service provider for the Automation Solution. Refer to ISO/IEC 27036-3 for further supply chain organizational requirements." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Security requirements – asset owner", "requirementDescription": "The service provider shall have the capability to ensure that it assigns only service provider, subcontractor, or consultant personnel to Automation Solution-related activities who have been informed of and comply with the security-related responsibilities, policies, and procedures required by the asset owner.", "requirementSatisfaction": "This BR mitigates threats to the Automation Solution from service providers, subcontractors, and consultants who may not fully understand their security responsibilities. Security breaches often result from personnel unaware of asset owner-defined security requirements. This capability ensures that service provider personnel, including subcontractors and consultants, adhere to the asset owner’s security requirements through training and procedure reviews." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Security requirements – asset owner", "requirementDescription": "The service provider shall have the capability to ensure that it assigns only service provider, subcontractor, or consultant personnel to Automation Solution-related activities who have been informed about and comply with the asset owner’s Management of Change (MoC) and Permit To Work (PtW) processes. These processes pertain to changes involving devices, workstations, servers, and connections between them.", "requirementSatisfaction": "This RE minimizes unauthorized access and changes by service provider personnel to the Automation Solution. This capability ensures that personnel working on the Automation Solution understand and follow the asset owner’s MoC and PtW processes, critical for managing changes and ensuring proper device, workstation, and server management." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Sensitive data", "requirementDescription": "The service provider shall possess the capability to assign only its personnel to Automation Solution-related tasks who have been informed about and adhere to the policies, procedures, and contractual obligations necessary to safeguard the confidentiality of the asset owner’s data.", "requirementSatisfaction": "This BR and its REs aim to protect asset owner data from mishandling and unauthorized disclosure in the Automation Solution. This capability ensures that service provider personnel understand their responsibility to safeguard proprietary data. Typically, Non-Disclosure Agreements (NDAs) outline data protection terms, and the service provider must inform personnel about these terms. Asset owners may require evidence of personnel being informed (e.g., written acknowledgment)." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Training Sensitive data", "requirementDescription": "The service provider shall possess the capability to ensure that it assigns only subcontractors, consultants, and representatives to Automation Solution-related activities who have been informed of and comply with the policies and procedures necessary to safeguard the confidentiality of the asset owner’s data.", "requirementSatisfaction": "Holding this capability ensures subcontractors, consultants, and representatives working on Automation Solution-related tasks understand their duty to protect the asset owner’s confidential data. NDAs typically define data protection terms, and the service provider must inform personnel about these terms. Asset owners may require evidence (e.g., written confirmation) of personnel being informed." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Background checks Service provider", "requirementDescription": "The service provider shall possess the capability to ensure that it designates exclusively service provider personnel for Automation Solution-related tasks who have successfully undergone security-related background checks, to the extent feasible and within the bounds of applicable laws.", "requirementSatisfaction": "These REs aim to ensure personnel assigned to the Automation Solution are trustworthy. While background checks can’t guarantee trustworthiness, they help identify past issues. This capability involves a defined process for verifying personnel trustworthiness. It’s important to note that conducting background checks may be constrained by laws or lack of support. The service provider decides how and when to conduct checks, which can include identity verification and criminal record checks." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Background checks Subcontractor", "requirementDescription": "The service provider shall be capable of ensuring that only subcontractors, consultants, and representatives assigned to Automation Solution-related activities have successfully undergone security-related background checks where feasible and to the extent permitted by applicable law.", "requirementSatisfaction": "Holding this capability ensures the service provider has a process to verify the integrity of subcontractors, consultants, and representatives working on the Automation Solution. Background checks may not always be feasible due to laws or lack of support. The service provider decides how and when to conduct checks, which can include identity verification and criminal record checks." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Personnel assignments Security contact", "requirementDescription": "The service provider shall have the capability to designate a security contact within its organization for the Automation Solution, who is responsible and accountable for the following activities: Liaising with the asset owner regarding Part 2-4 requirements, communicating the service provider’s security perspective to the asset owner’s staff, ensuring tenders align with Part 2-4 and internal IACS security requirements, reporting deviations from the asset owner’s and internal requirements.", "requirementSatisfaction": "This BR improves security communication between the asset owner and service provider. It mandates the service provider to appoint a security contact to coordinate security matters, including deviations from requirements. This contact fosters collaboration to address and rectify deviations." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Personnel assignments Security lead", "requirementDescription": "The service provider must document minimum IACS cybersecurity qualifications for security lead positions and ensure that only personnel meeting these qualifications are assigned as security leads to Automation Solutions.", "requirementSatisfaction": "This BR focuses on enhancing security decision-making and implementation to minimize risks to the Automation Solution. The service provider must have qualified cybersecurity personnel with documented qualifications, which may involve IACS cybersecurity experience, training, and certifications. These qualifications should be agreed upon by the service provider and asset owner before staffing." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Solution staffing Personnel assignments Change", "requirementDescription": "The service provider must be capable of informing the asset owner about changes in personnel from the service provider, subcontractors, or consultants who have access to the Automation Solution.", "requirementSatisfaction": "This capability, as specified by this BR, aims to safeguard the Automation Solution from unnecessary access by service providers, subcontractors, and consultants. The service provider must establish a clear process to promptly inform the asset owner of staffing changes. The asset owner can then adjust access by revoking badges, deleting accounts, and modifying access control lists as required. Notification timing and details are typically agreed upon by the service provider and asset owner, with consideration for temporary accounts." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Solution components Verification", "requirementDescription": "The service provider must be able to furnish documentation confirming that Automation Solution components, as identified by the asset owner (e.g., through security assessments, threat analyses, or security testing), possess sufficient security measures commensurate with their associated risk levels.", "requirementSatisfaction": "This capability ensures that Automation Solution components match the associated risk level with their security measures. The service provider sets up a process to confirm compliance with the asset owner’s security standards, using methods like security assessments, testing, or certifications. Security testing identifies vulnerabilities and assesses system responses to attacks, although it doesn’t ensure complete vulnerability-free status. Common security tests include penetration tests, fuzz tests, robustness tests, and vulnerability scans." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Security tools and software Technical description", "requirementDescription": "The service provider should be able to recommend security analysis tools (e.g., network scanning tools) for use with the Automation Solution. Additionally, they should provide instructions on tool usage, identify potential adverse effects on the Automation Solution’s performance, and offer recommendations to mitigate these effects.", "requirementSatisfaction": "These capabilities are crucial for evaluating the Automation Solution’s security using asset owner-approved tools. This includes identifying unauthorized devices or open ports. To meet this, the service provider must outline a process for recommending appropriate security analysis tools for the Automation Solution. They should also offer guidance on potential tool-related issues, instructions for avoiding these problems, and effective tool usage tips. This requirement means the service provider needs to be aware of tool-related issues, report them to the asset owner, and propose mitigation strategies, such as configuring tools to minimize network impact, strategic test scheduling, and other measures." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Security tools and software Approval", "requirementDescription": "The service provider must have the capability to obtain approval from the asset owner before deploying security analysis tools (e.g., network scans) at the asset owner’s site.", "requirementSatisfaction": "This capability requires the service provider to establish a defined process for collaborating with the asset owner on the use of security analysis tools within the Automation Solution and obtaining approval. It also mandates that the service provider must inform the asset owner about potential adverse impacts these tools may have on the Automation Solution." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Security tools and software Detection", "requirementDescription": "The service provider must have the capability to schedule and employ security analysis tools for the purpose of identifying undocumented or unauthorized systems or vulnerabilities within the Automation Solution. This capability should align with the asset owner’s standard operating procedures.", "requirementSatisfaction": "This capability requires the service provider to establish a defined process for using tools to detect unauthorized devices and vulnerabilities, like open ports, within the Automation Solution’s networks. It also involves coordinating and scheduling the use of security analysis tools to avoid disruptions to the Automation Solution’s operations. The service provider should communicate potential adverse effects of these tools to the asset owner. Integration service providers may schedule tool use beforehand, while maintenance service providers should follow asset owner-defined cycles." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Security tools and software Robustness", "requirementDescription": "The service provider must ensure that the control system components within the Automation Solution can maintain essential control system functions even when subjected to system and/or network scans during normal operation.", "requirementSatisfaction": "This capability ensures the service provider has a defined process to assess the robustness of the Automation Solution’s control system components accessible by network scanning tools, as detailed in IEC 62443-3-3. Robustness testing is typically employed to provide this assurance." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Hardening guidelines Technical description", "requirementDescription": "The service provider shall have the capability to furnish the asset owner with documentation outlining the process of hardening the Automation Solution.", "requirementSatisfaction": "The service provider must furnish a comprehensive hardening guide to the asset owner, comprising security mechanisms, configuration settings, and security-enhancement recommendations for the Automation Solution. This guide assists the asset owner in effective governance and a comprehensive understanding of Automation Solution security, including its integration with plant networks and systems. To meet this requirement, the service provider needs a well-defined process for delivering the hardening guide, addressing both architectural and configuration aspects. This encompasses guidance on firewall placement, firewall rules, and considerations for new component installations within the Automation Solution. Typically, the hardening process aligns with recommendations from a risk assessment on the Automation Solution." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Assurance Hardening guidelines Verification", "requirementDescription": "The service provider must be able to verify the adherence to its security hardening guidelines and procedures during Automation Solution-related activities. This capability ensures that the prescribed security measures are consistently implemented.", "requirementSatisfaction": "For this capability, the service provider needs a defined process to ensure that their personnel, subcontractors, consultants, and representatives follow the hardening procedures in SP.02.03 BR, often using checklists for verification." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Risk Assessment Perform", "requirementDescription": "The service provider shall have the capability to conduct a security risk assessment of the Automation Solution or contribute to (participate in) a security risk assessment conducted by the asset owner or its agent.", "requirementSatisfaction": "This BR and its REs specify capabilities to help the service provider identify and analyze risks for the Automation Solution’s security. Having this capability means the service provider has a process for participating in or conducting risk assessments. Depending on the situation, they may lead the assessment or actively contribute to one led by the asset owner or a third party. In the active role, the service provider may provide detailed knowledge of the Automation Solution, threat and vulnerability information, or other assistance. For guidance on conducting risk assessments, refer to IEC 62443-2-1 and IEC 62443-3-2." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Risk Assessment Reporting", "requirementDescription": "The service provider shall inform the asset owner of the results of security risk assessments it conducts on the Automation Solution, including details about risk mitigation mechanisms and procedures.", "requirementSatisfaction": "This capability involves the service provider having a clear process to review the results of risk assessments on the Automation Solution. They must inform the asset owner of identified security issues and offer recommendations for addressing them with security mechanisms and procedures." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Risk Assessment Verification", "requirementDescription": "The service provider shall have the capability to verify that security architecture reviews, security assessments, or threat analyses of the control system used in the Automation Solution have been conducted by a third party.", "requirementSatisfaction": "This capability means the service provider can verify that a third party has reviewed the security of the control system in the Automation Solution, usually under the direction of the control system supplier." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Network design Connectivity", "requirementDescription": "The service provider must possess the ability to ensure that the physical network segmentation architecture utilized in the Automation Solution, along with its deployment of network security devices or equivalent mechanisms, adheres to the approved Automation Solution design as provided by the asset owner.", "requirementSatisfaction": "The capabilities in this BR and its REs are vital for enforcing access controls, protecting network segments from unauthorized access, and securing external connections in the Automation Solution. Access controls regulate traffic based on source and destination addresses, content, and other factors, aligning with the asset owner’s approval. Segmentation and security device placement should be determined through a risk assessment (see IEC 62443-3-2) and this standard’s requirements (IEC 62443-2-4). As the implementation progresses, this capability ensures design documents accurately represent the Automation Solution architecture (refer to SP.06.01 BR)." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Network design Connectivity", "requirementDescription": "The service provider must be able to identify and document the network segments within the Automation Solution, along with their interfaces to other segments, including external networks, and clearly designate each interface as either trusted or untrusted.", "requirementSatisfaction": "This capability ensures the service provider can clearly identify all network segments in the Automation Solution, their connections, and external access points. They must label each connection as either trusted or untrusted, with untrusted interfaces allowing connections to untrusted devices in other segments/systems. Trust boundaries can be established through risk assessments, as outlined in IEC 62443-3-2." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Network design Connectivity", "requirementDescription": "The service provider must be capable of safeguarding identified untrusted interfaces within the Automation Solution by implementing network security devices or equivalent measures, complete with documented and regularly maintained security rules.", "requirementSatisfaction": "This capability ensures the service provider has processes to secure the Automation Solution against external access and manage access between Level 2 and Level 3, typically using firewalls and rules. It also involves safeguarding Basic Process Control System (BPCS) interfaces within the Automation Solution with network security measures and providing information for creating security rules for BPCS ports and applications. If the service provider handles network security devices, they should offer configuration support as needed. Risk assessments, per IEC 62443-3-2, help identify the interfaces that require protection." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Solution Components Vulnerabilities", "requirementDescription": "The service provider must possess capabilities to manage vulnerabilities within the Automation Solution and its associated policies and procedures. These capabilities cover: Handling newly discovered vulnerabilities in the Automation Solution and related policies and procedures under the service provider’s responsibility. Managing publicly disclosed vulnerabilities impacting the Automation Solution.", "requirementSatisfaction": "This capability requires the service provider to have a defined process for assessing, reporting, and addressing vulnerabilities in their Automation Solution components. It typically includes event analysis, risk assessment, network scans, automated methods, and assurance measures (see SP.08.01 BR, SP.03.01 BR, SP.02.02 BR, and SP.02.01 BR). Software patches for vulnerability fixes are classified as security patches." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Network design Vulnerabilities", "requirementDescription": "The service provider must be capable of supplying the asset owner with documentation outlining how to address known security vulnerabilities in the communication protocols used in the Automation Solution, both in design and implementation, before integration or maintenance activities.", "requirementSatisfaction": "This capability guarantees the application of compensating mechanisms to rectify communication vulnerabilities in the Automation Solution. It entails the service provider notifying the asset owner of known communication weaknesses and proposing mitigation measures. For example, if sensitive data is transmitted through unencrypted protocols, the service provider should recommend security measures like lockable switches and physical link security." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Network design Network time", "requirementDescription": "The service provider must ensure secure and accurate time distribution/synchronization for the Automation Solution using a protocol widely accepted by both the security and industrial automation communities.", "requirementSatisfaction": "This capability guarantees the use of accurate timestamps in the Automation Solution, vital for event log forensics. It means the service provider has a process to incorporate a network time source into the Automation Solution. The source’s provision is not specified here, but the service provider must handle its integration. A widely accepted time source protocol is IEEE 1588-2008/IEC 61588:2009." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – All Least functionality", "requirementDescription": "The service provider must ensure that only approved software and hardware features are enabled within the Automation Solution. This involves: Remove non-essential software, services, and communication access points, as well as unnecessary USB devices, Bluetooth, and wireless communications. Authorize active network addresses. Secure diagnostic and configuration ports both physically and logically. Configure unused network device ports to prevent unauthorized access. Ensure ongoing security during maintenance processes throughout the Automation Solution’s lifespan.", "requirementSatisfaction": "This capability bolsters Automation Solution security by minimizing attack surfaces, limiting access to authorized users, and maintaining security. It involves processes to remove unnecessary features and secure interfaces, including network devices and ports. Tools like those in SP.02.02 BR and its REs are employed. By restricting software, communication access, USB devices, and wireless functions to essential operations, security risks are reduced. 
Techniques like network scanning identify unnecessary software and unauthorized network addresses so they can be removed. Physical access to configuration ports is controlled to prevent unauthorized changes, and network device ports are secured to prevent unauthorized access. Re-enabling disabled functions requires asset owner approval, and maintenance processes must ensure security settings are maintained." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – All Least functionality", "requirementDescription": "The service provider’s hardening procedures must guarantee the installation of only essential, authorized, and documented digital certificates for Certification Authorities (CAs).", "requirementSatisfaction": "This capability ensures the service provider can identify and remove unused or unauthorized CA certificates. Operating system installations and upgrades often include unnecessary Certificate Authority certificates. By installing only necessary CA certificates, it prevents the authentication of unwanted or unnecessary applications." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Workstations Session lock", "requirementDescription": "The service provider must support session locking for Automation Solution workstations as specified by the asset owner. This applies exclusively to the workstations under the service provider’s responsibility. Session locking prevents unauthorized viewing of user displays and disables user input (e.g., keyboard and mouse) until unlocked by the user or an administrator.", "requirementSatisfaction": "This capability ensures the ability to lock workstations, protecting user display information and preventing input device use. The service provider has a process for enabling automatic screen locking as required by the asset owner. Automatic screen locking suspends display and input until the authorized user unlocks it, often through password reentry. 
The need for automatic screen locking depends on site security requirements, typically determined through risk assessments (refer to IEC 62443-3-2). For example, workstations managing network devices and wireless networks in unattended and accessible areas usually require automatic screen locking. This requirement applies only to workstations under the service provider’s responsibility." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Workstations Access control", "requirementDescription": "The service provider must ensure that wired and wireless workstations, including handheld devices, used for maintenance and engineering of control/instrumentation devices, comply with: Automation Solution’s access controls for these devices, Network security measures (e.g., network security devices) at the Automation Solution’s Level 3 boundary.", "requirementSatisfaction": "These capabilities ensure consistent access control, preventing unauthorized access from workstations/handhelds to field devices. The service provider must have a process to eliminate direct connections that could bypass access controls, particularly for non-integrated workstations or handhelds accessing control/instrumentation devices." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Workstations Access control", "requirementDescription": "The service provider must support multifactor authentication for Automation Solution workstations as mandated by the asset owner. This requirement is limited to the workstations under the service provider’s responsibility.", "requirementSatisfaction": "This capability mandates the service provider to apply multi-factor authentication on workstations, following the asset owner’s requirements. 
They must provide necessary hardware, configure workstations for multi-factor authentication, and adapt the authentication method based on site security requirements established through risk assessments. Typically, multi-factor authentication is used for workstations in unattended or uncontrolled spaces, and this requirement pertains to workstations under the service provider’s responsibility. Multi-factor authentication involves a combination of at least two factors, such as something known to the user (e.g., password), something possessed (e.g., smart card), something inherent (e.g., retinal scan), or the user’s location." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Network Least functionality", "requirementDescription": "The service provider must ensure the use of least privilege for administrating the network devices under their responsibility.", "requirementSatisfaction": "This BR and its REs emphasize the importance of protecting network devices in the Automation Solution, which are often targeted in attacks. This capability ensures the service provider has a defined process for applying the principle of least privilege in network device administration. Least privilege restricts access to only necessary resources (e.g., directories and files) and limits operating system privileges to the essentials." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Network Cryptography", "requirementDescription": "The service provider must ensure the use of encryption to protect sensitive data used in the administration of network devices, whether in transit or at rest. This data is identified as requiring safeguarding (refer to SP.03.10 BR and its REs).", "requirementSatisfaction": "This capability safeguards sensitive data, as defined in SP.03.10 BR and its REs, through encryption during network device administration. 
Encryption is applied within the device and during data transmission. It can occur at different levels (network, transport, or message) to protect data during transmission. Encryption within network devices also prevents configuration attacks by malicious software (e.g., hacking attempts). Consider encryption mechanisms with integrity protection, like AES_GCM, for enhanced security." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Devices – Network Access control", "requirementDescription": "The service provider must ensure that access controls for network device administration incorporate mutual authentication.", "requirementSatisfaction": "This capability ensures the service provider has a process for configuring network devices to enable mutual authentication. Mutual authentication verifies both the user’s and the network device’s identities, allowing the device to confirm user authorization and the user to verify the device’s legitimacy, preventing spoofing. Techniques like challenge/response, user password/device certificate, and Kerberos (Request for Comment (RFC) 1510) are employed for mutual authentication." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Data protection Communications", "requirementDescription": "The service provider must ensure the Automation Solution verifies that all control actions and data flows (e.g., between workstations and controllers), including configuration changes, meet the following criteria: 1) validity, 2) authorization by an authorized user, and 3) compliance with approved connections and directions", "requirementSatisfaction": "This capability establishes controls, manual and automated, to prevent invalid or unauthorized commands on Automation Solution devices like controllers. The service provider ensures that commands are valid, authorized, and transmitted through approved connections. 
It also verifies that only authorized users can request commands and that commands are validated for correctness. For example, manual control is needed before changing a setpoint. An identifiable process ensures authorized data flows in the correct direction over approved connections, preventing unauthorized adjustments if an unauthorized entity initiates a command change." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Data protection Sensitive data", "requirementDescription": "The service provider must document data storage points and data flows within the Automation Solution that need safeguarding, as defined or approved by the asset owner. This documentation should include security requirements such as confidentiality and integrity.", "requirementSatisfaction": "These capabilities ensure the documentation and appropriate security of data in the Automation Solution, whether stored or transmitted. Collaboration between the asset owner and service provider identifies the data in need of protection, including control system data like passwords, certificates, and keys, as well as other valuable data (e.g., recipes). This capability means the service provider has a process to identify and specify necessary data protection, whether data is at rest or in transit. The criteria for safeguarding data are usually site-specific and provided or approved by the asset owner. Data at rest can be in memory or storage devices, while data in transit involves data flow between entities. Examples of protected data include legal or regulatory information, asset owner confidential data (including proprietary information), configuration and operational data, system data (keys, certificates, access control lists, and passwords), audit logs, backup data, historical data, and data warehouses." 
}, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Data protection Sensitive data", "requirementDescription": "The service provider must protect data in the Automation Solution, as outlined in SP 03.10 BR, from unauthorized disclosure or modification, whether it’s at rest or in transit.", "requirementSatisfaction": "This capability ensures the service provider enhances the Automation Solution after identifying sensitive data and securing it as required. Early project risk assessments (refer to IEC 62443-3-2) can help identify data in need of protection. Protection mechanisms include safeguards against unauthorized memory dumps and network sniffing, as well as cryptographic measures like encryption keys, public key security infrastructure, digital signatures, data transport and message encryption, and database encryption." }, { "requirementStandard": "IEC 62443 2-4 (§Annex A)", "requirementName": "Architecture Data protection Data/event retention", "requirementDescription": "The service provider must provide documentation to the asset owner outlining the Automation Solution’s data retention capabilities, covering capacities, pruning, purging functions, and retention timeouts.", "requirementSatisfaction": "This capability means the service provider has a process to document how the Automation Solution manages sensitive data like historical data and events, whether it involves internal storage capacities or the export of such data to a history archive. 
Historical data and events are valuable for forensics, event analysis, and correlation" }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Architecture Data protection Cryptography", "requirementDescription": "The service provider must ensure that the cryptographic mechanisms, including algorithms and key management/distribution/protection, used in the Automation Solution are widely accepted by both the security and industrial automation communities.", "requirementSatisfaction": "This capability ensures that the service provider uses current encryption technology widely accepted for use in IACSs within the components they provide for the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Architecture Data protection Sanitizing", "requirementDescription": "The service provider must ensure that when removing a component from the Automation Solution, all data within the component requiring safeguarding (as defined in SP 03.10 BR) is permanently deleted.", "requirementSatisfaction": "This capability prevents sensitive data in a removed component/device from being accessed by unauthorized individuals. It means the service provider has a process to sanitize devices removed from active participation in the Automation Solution, ensuring confidential or sensitive data is removed. Typically, this involves destroying memory or performing multiple data-clearing passes, the number of which depends on the memory type." 
}, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network design Technical Description", "requirementDescription": "The service provider must ensure that its Automation Solution architecture documentation for wireless systems is up-to-date in describing various technical aspects such as data exchange, security mechanisms, and remote management.", "requirementSatisfaction": "This capability ensures protection against unauthorized access to the Automation Solution via wireless networks. It means the service provider has a process to maintain up-to-date wireless communication architecture documentation, covering data flows, security mechanisms, and the use of wireless bridges." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network design Access control", "requirementDescription": "The service provider must ensure that access to wireless devices is protected by authentication and access control mechanisms widely accepted in both the security and industrial automation communities.", "requirementSatisfaction": "These capabilities ensure the protection of wireless devices and their communications from unauthorized access. It means the service provider has a process for implementing widely accepted authentication mechanisms and access control lists to prevent unauthorized access to wireless devices." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network design Communications (Cryptography)", "requirementDescription": "The service provider must ensure that wireless communications are protected by widely accepted cryptographic mechanisms in both the security and industrial automation communities.", "requirementSatisfaction": "This capability means the service provider has a process to ensure that networks within the Automation Solution utilize widely accepted security mechanisms to protect data during transmission. 
This includes securing wireless communications between wireless devices and access points, as well as between different access points." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network design Communications (Standards Compliance)", "requirementDescription": "The service provider must ensure that wireless protocols in the Automation Solution comply with widely accepted industrial security standards and applicable regulations.", "requirementSatisfaction": "These capabilities instill confidence in the use of vetted wireless protocols for industrial applications. It means the service provider utilizes widely accepted standard wireless technology in the Automation Solution and ensures compliance with local regulations for the chosen wireless technology." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network Design Wireless network identifiers", "requirementDescription": "The service provider must ensure the use of unique, Automation Solution-specific identifiers for wireless networks, employing non-obvious, descriptive acronyms that are not directly linked to the asset owner’s site.", "requirementSatisfaction": "This capability ensures wireless networks are configured to avoid easy identification, preventing obvious network identifiers. It means the service provider has a process to assign unique identifiers (e.g., Service Set Identifiers (SSIDs)) to each wireless network. These identifiers must not reveal the physical network, its location, or its owner to external observers. If the asset owner defines the identifier values, the service provider may provide guidance on their definition or review the defined identifiers, as necessary." 
}, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "Wireless Network design Connectivity", "requirementDescription": "The service provider shall ensure that wireless devices in the Automation Solution with IP addresses use static addressing and have DHCP disabled.", "requirementSatisfaction": "This capability ensures wireless networks prevent: 1) unauthorized device address use, 2) DHCP exhaustion attacks (by disabling DHCP). It means the service provider has a process to prevent dynamic address assignment mechanisms from changing the IP addresses of wireless devices." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Risk Assessment Verification", "requirementDescription": "The service provider must verify that security architecture reviews and/or risk assessments for the SIS communications in the Automation Solution have been conducted and addressed.", "requirementSatisfaction": "This capability ensures that security risks associated with the SIS are addressed. It means the service provider can verify that security concerns related to SIS communications, identified through risk assessments and reviews, have been resolved. Typically, the control system supplier conducts these reviews in response to IEC 61511-1 Clause 8.2.4 and addresses the issues. In some cases, mitigation of risks falls to the service provider during Automation Solution installation/maintenance, requiring them to determine and implement the necessary mitigations." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Network design Communications (Interference Protection)", "requirementDescription": "The service provider must protect SIS safety communications and functions from interference by the BPCS or other Automation Solution communications. 
Note that this requirement doesn’t apply to non-critical communications, such as configuration downloads, status monitoring, and logging, between the SIS and the BPCS.", "requirementSatisfaction": "This requirement ensures that SIS communications vital for safety functions remain unaffected by other Automation Solution traffic. The service provider must be capable of isolating these critical SIS communications from other traffic, potentially through methods like firewalls and non-routable interfaces between the BPCS and SIS. It’s also essential to confirm that these isolation measures do not impact the performance or operation of safety-critical communications. Risk assessments, zones, and conduits, as defined in IEC 62443-3-2, can be useful for setting these requirements." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Network design Communications (External Communications)", "requirementDescription": "The service provider must ensure that external communications, including remote access, do not disrupt the SIS’s operation.", "requirementSatisfaction": "This requirement ensures that external communications, including remote access like Remote Desktop Protocol (RDP), do not affect the SIS’s operation. While SP.05.02 BR focuses on protecting SIS communications within the Automation Solution, this requirement is about safeguarding the SIS’s overall operation from external influences." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Devices – Workstations Communications (Protection from Compromise)", "requirementDescription": "The service provider must protect external SIS Engineering Workstations (EWSs) from potential compromise by Level 3 or higher communications.", "requirementSatisfaction": "The capability specified by this BR ensures that safeguards, like network security devices, permit only authorized communications from Level 3 applications to external SIS engineering workstations. 
Access from Level 3 applications to SIS engineering workstations within the SIS is prohibited by SP.05.03 BR. This capability involves an identifiable process to channel all communications between the SIS engineering workstation and Level 3 (and above) applications through a network security device or equivalent mechanism connecting Level 2 and Level 3 (or above)." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Devices – Workstations Communications (Remote Access Protection)", "requirementDescription": "The service provider must ensure that remote access, like RDP, cannot compromise the Automation Solution’s internal SIS EWS within the SIS.", "requirementSatisfaction": "This capability aims to safeguard internal SIS engineering workstations from remote access vulnerabilities. Refer to SP.05.05 BR for external SIS EWS access. It means the service provider must have a process to either prevent remote access on internal SIS engineering workstations or implement security measures to block such access." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Devices – Workstations Connectivity (Access Control)", "requirementDescription": "The service provider must ensure that all external access to the SIS is authorized and controlled at its interface.", "requirementSatisfaction": "This capability limits physical access routes to the SIS, reducing its vulnerability. It requires the service provider to implement access controls at the SIS interface, typically through a dedicated gateway, which can be provided by the BPCS or the SIS." 
}, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Devices – Workstations Connectivity (Least Functionality)", "requirementDescription": "The service provider must safeguard SIS functions on the Automation Solution’s SIS EWS from interference by other SIS EWS software.", "requirementSatisfaction": "This capability aims to prevent the inclusion of harmful T3 offline software in the SIS EWS. It means the service provider has a process to protect safety-related software in SIS EWS from compromise by other software in the same environment." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS Devices – Wireless Connectivity (Unauthorized Device Prevention)", "requirementDescription": "The service provider must verify that unauthorized wireless devices are not part of SIS safety functions.", "requirementSatisfaction": "This capability is essential to prevent SIS attacks from unauthorized wireless devices. Wireless devices, unrestricted by physical boundaries, can pose threats to SIS security. The service provider must have a process to confirm that wireless device communications are not integrated into SIS safety functions when prohibited by the asset owner. ‘Integral part’ refers to communications fully incorporated into SIS safety functions. Refer to SP.04.01 BR for broader requirements on wireless technology use in the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS User interface Configuration mode (Control)", "requirementDescription": "The service provider must enable the capability to control the SIS configuration mode, allowing it to be turned on and off. When disabled, this interface must prevent any configuration changes to the SIS.", "requirementSatisfaction": "These capabilities are intended to restrict configuration access to the SIS. The SIS is designed to be locked during normal operation, preventing configuration changes. 
Unlocking is required when configuration changes are needed. Locking mechanisms can be physical or software-based, serving to safeguard the SIS from unauthorized modifications." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS User interface Configuration mode (Hardware Interface)", "requirementDescription": "The service provider must offer a hardware configuration mode interface, as per SP.05.09 BR, that can be physically locked when configuration mode is disabled.", "requirementSatisfaction": "This capability ensures that intentional human intervention, like holding a physical key, is needed to enable SIS configuration changes. It adds confidence that inadvertent changes won’t occur. The service provider must have a hardware interface, like a key switch, that can be disabled (e.g., by removing the key) to prevent configuration changes." }, { "requirementStandard": "IEC 62443-2-4 (Annex A)", "requirementName": "SIS User interface Configuration mode (Third-party Verification)", "requirementDescription": "The service provider must allow an independent third party to verify that the SIS configuration cannot be changed when the hardware interface described in SP.05.09 RE(1) is locked in the ’disable’ mode.", "requirementSatisfaction": "The service provider must have an identifiable process for obtaining a third-party report that verifies the functionality of the SIS configuration locking mechanism. This report may be initiated by either the control system supplier or the service provider, and it can occur during product verification or after hardware interface delivery." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Network design Connectivity", "requirementDescription": "The service provider must supply accurate infrastructure documentation for the Automation Solution, covering logical and physical aspects, including network devices, internal and external interfaces. 
This documentation must be regularly updated to reflect the current state of the system.", "requirementSatisfaction": "These requirements ensure that accurate documentation of the Automation Solution’s network architecture is available for security purposes, such as risk assessments and forensics. The service provider must maintain up-to-date network architecture documentation, including network segments, devices, and interfaces, both internal and external. Various identification methods, such as MAC addresses and IP addresses, are used to distinguish network interfaces. The goal is to provide clear and unambiguous identification of these interfaces. Additionally, risk assessments, zones, and conduits as defined in IEC 62443-3-2 can be employed in developing the network architecture." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Network design Connectivity", "requirementDescription": "The service provider must maintain up-to-date as-built and equipment configuration documents", "requirementSatisfaction": "Having this capability means the service provider maintains a process for updating network segment documentation." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Devices - All Inventory registers", "requirementDescription": "The service provider must maintain an inventory register with device and software details in the Automation Solution.", "requirementSatisfaction": "This capability ensures an updated component inventory for tracking authorization and industry-specific vulnerabilities in the Automation Solution. It requires the service provider to maintain comprehensive documentation on all relevant components, including model numbers, version numbers, and serial numbers. This documentation serves as a reference for assessing vulnerabilities or authorizations." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Devices - Control and instrumentation Verification", "requirementDescription": "The capability specified by this requirement is used to confirm the correct configuration of wired and wireless control and instrumentation devices.", "requirementSatisfaction": "This capability verifies the integrity of device configurations, detecting unauthorized or erroneous changes. It means the service provider has a process to confirm that device configuration values are correctly written/downloaded." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Devices - All Inventory register", "requirementDescription": "The service provider must maintain an inventory register, including version and serial numbers, for all devices and software components it’s responsible for in the Automation Solution.", "requirementSatisfaction": "The capability specified here ensures that an inventory is maintained to determine component authorization and assess vulnerabilities. This includes documenting all components of the Automation Solution for which the service provider is responsible, including model numbers, version numbers, serial numbers, and relevant information. This documentation aids in identifying vulnerabilities and determining whether they apply to the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Configuration management Devices - Control and instrumentation Verification", "requirementDescription": "The service provider shall verify the correct configuration of control and instrumentation devices.", "requirementSatisfaction": "The service provider shall verify device configurations to detect unauthorized or erroneous changes." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Remote access Security tools and software Connectivity", "requirementDescription": "The service provider shall ensure that all remote access applications used in the Automation Solution are widely accepted in both security and industrial automation communities", "requirementSatisfaction": "The service provider ensures that remote access applications meet accepted security standards, maintaining an identifiable process to support commonly accepted mechanisms (e.g., RDP) for remote access. Clients for remote access may be provided by either the client or the service provider." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Remote access Security tools and software Technical description", "requirementDescription": "The service provider must offer comprehensive instructions for installing, configuring, operating, and terminating remote access applications in the Automation Solution.", "requirementSatisfaction": "The service provider must ensure remote access applications meet security standards. This involves providing installation, configuration, and operation documentation for recommended remote access apps in the Automation Solution. Additionally, the service provider must furnish instructions to the asset owner for terminating these connections. Remote access connections must be controllable by the asset owner." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Remote access Security tools and software Technical description", "requirementDescription": "The service provider must inform the asset owner of all planned remote access connections. 
This information should encompass the connection’s purpose, the chosen remote access application, the method of connection (e.g., via the Internet through VPNs), and details about the remote client’s identity and location.", "requirementSatisfaction": "The service provider ensures that remote access to the Automation Solution is well-documented and managed to prevent unauthorized access attempts. This capability involves defining and communicating the specifics of all planned remote access connections to the asset owner. Documentation should include the intended location of the remote access client, enabling the asset owner to review and approve or disapprove access from specific locations. It’s important to note that the Automation Solution may not automatically verify the physical location of remote clients, especially in cases of portable devices." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Remote access Security tools and software Approval", "requirementDescription": "The service provider must obtain approval from the asset owner before utilizing any remote access connection.", "requirementSatisfaction": "The service provider must ensure that all remote access connections to the Automation Solution are authorized by the asset owner. This entails having an identifiable process for using only approved connections. These connections can vary in type and origin (user-to-system, system-to-system, Internet-based, modem-based), and they may be provided and managed by either party. Specific management requirements and approval timelines are not covered by this requirement and should be determined separately. The asset owner may specify particular requirements, such as disallowing TCP/IP protocols over modem-based external connections. A risk assessment, as described in IEC 62443-3-2, can help define these requirements, including encryption, modem usage, disconnection practices, and routing capabilities." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Remote access Data protection Cryptography", "requirementDescription": "The service provider must authenticate and encrypt all remote access connections over the Internet or other publicly accessible media that they use to access the Automation Solution remotely (e.g., from a service provider facility).", "requirementSatisfaction": "The service provider must protect all connections used for remote access to the Automation Solution, whether over the Internet or other publicly accessible media. This protection involves ensuring that connections are authenticated and encrypted. Authentication verifies the identity of the remote party, while encryption secures the communication channel. These measures are crucial for preventing unauthorized access and maintaining data confidentiality and integrity. The service provider may utilize various cryptographic techniques, such as symmetric and asymmetric encryption, as appropriate to the security requirements of the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Security compromises Responding", "requirementDescription": "The service provider must have capabilities for managing cybersecurity incidents in the Automation Solution, including detection, reporting to the asset owner, and responding to incidents, which may involve supporting an incident response team.", "requirementSatisfaction": "The service provider must manage security incidents relevant to the Automation Solution, including detection, handling, and reporting, to maintain the security of the solution. This capability involves having processes for identifying and responding to security incidents for the components they are responsible for. The definition of incidents, what is considered significant, and when to report them to the asset owner are all part of the service provider’s incident-handling procedures. 
The specifics of incident identification and reporting may be outlined in agreements between the asset owner and service provider, such as non-disclosure agreements. Often, the process includes event analysis, correlation, and examination to identify incidents. Handling vulnerabilities and reporting incidents related to product development are covered in other standards, such as IEC 62443-4-1 and ISO/IEC 30111." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Security compromises Reporting", "requirementDescription": "The service provider must enable automatic security compromise detection to be reported via a communication interface accepted by both security and industrial automation communities and accessible to the asset owner.", "requirementSatisfaction": "This capability involves the service provider’s process for automatically reporting detected security compromises, regardless of whether they result in a loss or are classified as incidents. Compromises can be detected in real-time or during subsequent event analysis, such as using a Security Information and Event Management (SIEM) system." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Security-related Logging", "requirementDescription": "The service provider must configure the Automation Solution to log all security-related events, including user and account management activities, to an audit log retained for the duration specified by the asset owner.", "requirementSatisfaction": "The service provider must support security-related audit logs, which are crucial for forensics and event correlation to identify security incidents. These logs require higher integrity protection than regular event logs, as they safeguard against repudiation claims. 
This capability involves establishing a process for auditing security-related events such as logins, logouts, and user account changes, both successful and unsuccessful." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Security-related Reporting", "requirementDescription": "The service provider must enable access to security-related data and events through interfaces widely accepted by both security and industrial automation communities.", "requirementSatisfaction": "This capability ensures that the service provider has a defined process for enabling the asset owner to collect security data and events over the network. These interfaces support various methods, including polling (e.g., SNMP reads), asynchronous reporting (e.g., SNMP traps), and logging (e.g., Syslog, Syslog-ng, and Common Event Format (CEF)). The use of widely accepted interfaces facilitates the integration of off-the-shelf software packages for data collection and analysis. For example, network devices often maintain a SIEM package that contains security-related data accessible through SNMP." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Security-related Logging", "requirementDescription": "The capability specified by this requirement ensures that the service provider can validate the logging of security-related events using a pre-approved simulated event provided by the asset owner.", "requirementSatisfaction": "This capability ensures the service provider’s process for verifying the functioning of security-related event logging and reporting aligns with SP 08.02 BR and SP 08.02 RE(1). Audit logs offer enhanced integrity protection compared to regular event logs and help prevent disputes over accountability for actions." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Alarms & Events Logging", "requirementDescription": "The service provider must enable the Automation Solution to log and alert the operator about process-related events, including state changes, operating conditions, and configuration changes, as specified by the asset owner.", "requirementSatisfaction": "The service provider must support process-related event logs to aid in forensics and event correlation for security incident identification. This capability involves ensuring the Automation Solution logs and notifies operators of events as specified by the asset owner, including alarms, system events, and control system events. It may also involve safeguarding sensitive data based on risk assessment." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Alarms & Events Reporting", "requirementDescription": "The service provider must enable secure reporting of alarms, alerts, and events through a commonly accepted interface in both the security and industrial automation communities.", "requirementSatisfaction": "This capability ensures that the service provider has a defined process to enable the Automation Solution to report alarms and events to external applications, such as a centralized log, through a secure and commonly accepted interface that safeguards the transmitted events against tampering and unauthorized access. This interface may support event notifications or event polling." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Event management Events – Alarms & Events Robustness", "requirementDescription": "The service provider shall document the Automation Solution’s ability to handle large event storms.", "requirementSatisfaction": "The capability specified by this BR is used to document the Automation Solution’s resilience against denial of service during event storms. 
Event storm characteristics depend on the number of devices and the process nature. This capability involves providing documentation that outlines these limits, typically established through robustness and stress testing." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User and service accounts Administration", "requirementDescription": "The service provider must ensure the Automation Solution supports: 1) a unified, possibly distributed or redundant database for user and service account management, 2) restricted access for authorized users, 3) decentralized access for account management, and 4) decentralized enforcement of account settings (e.g., passwords, Operating System (OS) privileges, access control lists).", "requirementSatisfaction": "This capability simplifies user account management in multi-workstation and server Automation Solutions, preventing inconsistencies and security problems. It ensures that the Automation Solution has: 1) a unified, possibly distributed or redundant database, 2) account management limited to authorized users (including user, administrator/superuser, and service accounts), 3) account administration from specified workstations/servers within the Automation Solution (not confined to a single dedicated workstation), and 4) decentralized enforcement of access control lists and privileges." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User and service accounts Administration", "requirementDescription": "The service provider shall enable the creation and maintenance of unique user accounts.", "requirementSatisfaction": "This capability ensures each Automation Solution user has a unique account, preventing account sharing." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User and service account Technical description", "requirementDescription": "The service provider shall provide documentation to the asset owner that identifies default user and service accounts and describes password-setting/reset procedures for these accounts.", "requirementSatisfaction": "The capability specified by this RE ensures there are no hidden accounts or unchangeable passwords. This means the service provider has a process to list all user and service accounts and instruct the asset owner on changing their passwords. For service and server accounts (e.g., DCOM server), changing passwords may involve: 1) changing the account password, 2) updating the ’logon’ password in related services, and 3) modifying passwords used by other connecting software processes." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User and service accounts Administration", "requirementDescription": "The service provider must ensure unique, automatically generated account-password pairs for non-operator and non-service group users.", "requirementSatisfaction": "The service provider must prevent the generation of duplicate passwords for user accounts, ensuring uniqueness, except for operator and service groups. This process ensures that each generated user account is unique and has a unique identifier. Note that this requirement does not apply to Automation Solutions that don’t generate individual user accounts and passwords." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User and service accounts Expiration", "requirementDescription": "The service provider must configure service, auto-login, operator, and other essential function accounts, as needed by the asset owner, to ensure they never expire or become automatically disabled.", "requirementSatisfaction": "The service provider must ensure that permanent accounts, such as service, auto-login, operator, and other required accounts, are configured to prevent expiration or automatic disabling. This measure prevents denial of service incidents due to expired or disabled accounts. Operator accounts, in particular, are individual user accounts with specific privileges for monitoring and controlling the physical environment, such as the process. This requirement doesn’t restrict administrators from intentionally removing or disabling permanent accounts. A common practice on Unix-based systems is to configure the root account with a ’false’ or ’no-login’ shell to deny logins, and to create an alias with a different name for authorized administrative users." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – Administrator Least functionality", "requirementDescription": "The service provider must disable or, if necessary, rename or secure the built-in administrator account to prevent exploitation.", "requirementSatisfaction": "The service provider should take measures to thwart attackers from obtaining administrative privileges via the built-in administrator account, making it challenging to exploit. This involves disabling or renaming the built-in administrator account, or implementing measures to obscure and hinder its exploitation, as granting access to this account could facilitate malware infiltration and system control." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – Default Least functionality", "requirementDescription": "The service provider must remove or disable unused system default accounts.", "requirementSatisfaction": "This capability prevents attackers from accessing the Automation Solution through unused system default accounts. The service provider must have a process for removing unnecessary built-in accounts, whether they come with the operating system or control system software." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User Least functionality", "requirementDescription": "The service provider must be able to remove user accounts when they are no longer needed, including temporary accounts and accounts of service provider personnel no longer assigned to the Automation Solution.", "requirementSatisfaction": "The service provider must deactivate or remove unnecessary accounts, such as those belonging to personnel who are no longer involved with the Automation Solution, to enhance security." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User Least functionality", "requirementDescription": "The service provider must remove unnecessary user accounts, including temporary ones used for integration or maintenance, and accounts for service provider personnel no longer assigned to the Automation Solution. Refer to SP.01.07 BR for notifying the asset owner of personnel removal.", "requirementSatisfaction": "These capabilities prevent unauthorized access to the Automation Solution through unnecessary accounts, such as those of service provider personnel no longer assigned to the project. The service provider must have a process to remove or disable accounts once they are no longer required, ensuring the Automation Solution only retains necessary accounts." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Accounts – User Logging", "requirementDescription": "The service provider shall have the capability to generate an audit log report after the completion of integration/maintenance activities that shows that accounts used to support these activities have been removed from the Automation Solution if they are no longer needed.", "requirementSatisfaction": "This capability ensures the service provider follows a clear process to confirm the removal of accounts created for its activities, preventing unnecessary retention in the Automation Solution. Refer to SP.08.02 BR for security event logging requirements, including account removal." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Composition", "requirementDescription": "The service provider must enable password policies meeting industry-accepted complexity standards, such as a minimum of eight characters with a combination of at least three from: lowercase, uppercase, digits, and special characters (e.g., % and #).", "requirementSatisfaction": "This BR ensures the service provider can accommodate diverse asset owner password complexity policies, enhancing security. They must have a clear process for this support. Specific password complexity isn’t covered here. Refer to IEC 62443-3-3 for related security requirements, IEC 62443-3-2 for risk-based complexity, and IEC 62443-2-1 for asset owner policies." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Expiration", "requirementDescription": "The service provider must enable password expiration for local and system-wide (e.g., domain) user accounts as per the asset owner’s specified time frame.", "requirementSatisfaction": "These capabilities ensure periodic password changes to mitigate security risks. 
The service provider must establish a process for configuring passwords to automatically expire based on the asset owner’s specified timeframe. Verification of expiration is Automation Solution-specific, typically performed during handover and maintenance cycles. Asset owners should set expiration periods based on risk assessments, periodically reviewing them. Refer to IEC 62443-3-2 for risk assessment, IEC 62443-3-3 for control system requirements, and IEC 62443-2-1 for asset owner requirements." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Expiration", "requirementDescription": "The service provider must enable password policies to prompt users to change passwords N days before expiration, as specified by the asset owner. This requirement excludes non-expiring passwords.", "requirementSatisfaction": "This capability ensures the service provider has a process to notify users about expiring passwords, allowing them time for changes." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Change", "requirementDescription": "The service provider shall have the capability to ensure that default passwords are changed as required by the asset owner.", "requirementSatisfaction": "This capability prevents the use of well-known default passwords in any Automation Solution. The service provider must have a process for changing default passwords per asset owner requirements, usually during installation, reinstallation, or reset/recovery." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Reuse", "requirementDescription": "The service provider must enable password policies that prevent users from reusing their last N passwords, as specified by the asset owner.", "requirementSatisfaction": "These capabilities prevent users from quickly changing passwords back and forth, effectively bypassing password changes. 
The service provider must have a process to verify compliance with the asset owner’s specified password reuse policy." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Change", "requirementDescription": "The service provider must enable password policies that restrict users from changing their passwords more often than once every N days, as specified by the asset owner.", "requirementSatisfaction": "This capability ensures the service provider has a process to prevent users from frequently changing passwords to reuse a favorite one. Users cannot change their passwords again within N days after the initial change." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Shared", "requirementDescription": "The service provider must securely document and maintain accounts approved by the asset owner for sharing passwords.", "requirementSatisfaction": "These capabilities manage shared passwords to prevent unauthorized access and maintain accountability. The service provider must document accounts shared by the asset owner, protect the list, and maintain a log of password recipients, including subcontractors, consultants, and representatives." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Shared", "requirementDescription": "The service provider must report shared passwords that are no longer required, knowingly disclosed, or compromised to the asset owner, and assist in password changes when necessary.", "requirementSatisfaction": "This capability involves the service provider maintaining and reporting on shared or compromised passwords, including those for auto-login accounts. For instance, when passwords are no longer needed within the service provider organization, they are reported to the asset owner for potential changes, with the possibility of requiring the service provider’s assistance. 
Password sharing typically occurs during testing, commissioning, troubleshooting, and maintenance. In case of suspected compromise, the service provider promptly notifies the account owner to facilitate password changes." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Account management Passwords Shared", "requirementDescription": "The service provider must report shared, disclosed, or compromised passwords to the asset owner and assist with necessary password changes.", "requirementSatisfaction": "This capability ensures the service provider tracks and reports shared, compromised, or disclosed passwords, including auto-login accounts, to the asset owner for password changes. For instance, passwords shared within the service provider organization are reported when no longer needed. The asset owner may require the service provider’s assistance for these changes. Similarly, if service provider personnel share passwords, they report these to the asset owner when no longer necessary. Password sharing typically occurs during testing, commissioning, troubleshooting, and maintenance. Additionally, the service provider promptly notifies the account owner and requests password changes when a compromise is suspected." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Manual process Malware protection mechanism", "requirementDescription": "The service provider must supply the asset owner with documented instructions for the correct installation, configuration, and updates of tested and verified malware protection mechanisms in the Automation Solution.", "requirementSatisfaction": "This capability ensures the asset owner has the required documentation for using compatible anti-malware mechanisms with the Automation Solution. 
The service provider must have a process to provide documentation for widely accepted malware protection software (e.g., antivirus, whitelisting) that works effectively on Automation Solution hardware platforms (e.g., workstations) under their responsibility. If the control system supplier doesn’t recommend a specific anti-malware product, the service provider must be capable of fulfilling this role." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Security tools and software Installation", "requirementDescription": "The service provider must ensure that: 1) malware protection mechanisms are correctly installed, updated, and configured per approved procedures, 2) malware definition files are installed within the agreed-upon timeframe, and 3) malware configurations are consistently maintained and updated.", "requirementSatisfaction": "These capabilities protect the Automation Solution from malware. The service provider must have a process for applying and managing anti-malware software on their responsible Automation Solution platforms, including installation, updates, definition file maintenance, and operational settings. The goal is to ensure up-to-date anti-malware software with current definitions, configurations, and updates on relevant hardware platforms within the Automation Solution. Additionally, the service provider must establish an agreement with the asset owner regarding the timeframe for installing malware definition file updates." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Security tools and software Installation", "requirementDescription": "The service provider must create and maintain documentation for the use of malware protection mechanisms in their responsible Automation Solution. 
This documentation includes, for each component: 1) the malware protection installation status or a note if installation is not feasible, 2) the current configuration settings, 3) the approved malware definition files status, and 4) the use of additional features to reduce infection risk and mitigate its effects (e.g., isolation, infection reporting).", "requirementSatisfaction": "This capability involves the service provider documenting the anti-malware status for each hardware platform in the Automation Solution, whether or not anti-malware software is installed. All platforms should have anti-malware software installed, except when it’s technically infeasible (e.g., no suitable software available)." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Security tools and software Detection", "requirementDescription": "The service provider shall have the capability to verify that malware, other than zero-day malware, can be detected and properly handled by the installed malware protection mechanisms.", "requirementSatisfaction": "The capability specified by this BR is used to verify that anti-malware mechanisms work as intended. Having this capability means that the service provider has an identifiable process for verifying that an infected file can be detected and subsequently quarantined/deleted by the anti-malware product. The only exception is a zero-day infection, which is an infection for which no malware definition file is available. This is generally the case when the malware has not been previously seen or detected." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Manual process Malware definition files", "requirementDescription": "The service provider must provide the asset owner with documentation on: 1) the evaluation and approval process for malware definition files in the Automation Solution, and 2) reporting the status of these files to the asset owner within an agreed-upon timeframe (N days after manufacturer release). This status includes file applicability (e.g., component and version) and approval state (e.g., approved, installed, disapproved, etc.) for each malware definition file.", "requirementSatisfaction": "These capabilities help the asset owner ensure that malware definition files are up to date and evaluated by the service provider. The service provider must establish a process to evaluate and approve malware definition files from anti-malware software providers for application to Automation Solution hardware platforms, ensuring they function correctly. The process must include file applicability, evaluating their functional impact, and documenting the evaluation results (e.g., approved, rejected). If malware definition files are disapproved, the service provider must take steps to inform the asset owner within the specified timeframe. After approval, the service provider verifies that the updated files are installed within the agreed-upon timeframe." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Manual process Malware protection mechanisms", "requirementDescription": "The service provider must supply the asset owner with documented instructions for the correct installation, configuration, and updates of tested and verified malware protection mechanisms in the Automation Solution.", "requirementSatisfaction": "This capability ensures the asset owner has the required documentation for using compatible anti-malware mechanisms with the Automation Solution. 
The service provider must have a process to provide documentation for widely accepted malware protection software (e.g., antivirus, whitelisting) that works effectively on Automation Solution hardware platforms (e.g., workstations) under their responsibility. If the control system supplier doesn’t recommend a specific anti-malware product, the service provider must be capable of fulfilling this role." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Devices – All Sanitizing", "requirementDescription": "The service provider must ensure that all devices, including workstations, supplied to the Automation Solution are free of known malware before use.", "requirementSatisfaction": "This capability prevents infected devices from being installed in the Automation Solution. “Known malware” refers to previously discovered malware with available definition files. The service provider must have a process to verify and ensure malware absence in provided equipment, which can involve equipment checks, malware-free software installation on-site (refer to SP.10.05 RE(2)), and ensuring the supply chain provides malware-free equipment (e.g., control system vendor conducts malware scans before delivery). For more on supply chain security, see ISO 27036." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Portable media Usage", "requirementDescription": "The service provider must ensure that portable media used for system testing, commissioning, and maintenance serves this purpose exclusively.", "requirementSatisfaction": "This capability prevents portable media used within the Automation Solution from being used elsewhere, reducing the risk of malware infection. The service provider must have a process to ensure that portable media, which could potentially infect the Automation Solution with malware, is not used in other environments. 
For instance, if a USB memory device contains diagnostics tools or data, it should not be connected to workstations or servers outside the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Malware protection Portable media Sanitizing", "requirementDescription": "The service provider must ensure that all portable media used in or connected to the Automation Solution is free of known malware before use.", "requirementSatisfaction": "This capability prevents infected portable media from entering the Automation Solution. “Known malware” refers to previously discovered malware with available definition files. The service provider must have a process to prevent infected portable devices from compromising the Automation Solution. Portable media types include, but aren’t limited to, installation media, CDs/DVDs/Blu-rays, USB drives, smartphones, flash memory, Solid State Drive (SSD), hard drives, and portable computers. Refer to SP.07.XX for remote connection requirements related to the Automation Solution." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Manual process Patch qualification", "requirementDescription": "The service provider must provide documentation to the asset owner outlining the process for evaluating and approving security patches for the software within their responsibility in the Automation Solution.", "requirementSatisfaction": "This capability ensures the service provider has a documented process, which the asset owner can review, for verifying compatibility of new software security patches with the Automation Solution (refer to SP.10.04 BR). Often, the service provider adapts documentation from the control system product supplier to fit the Automation Solution’s needs. This involves providing a document to the asset owner, outlining the policies for selecting, testing, and approving security patches. 
These patches cover control system, component, operating system software, and third-party applications integrated into or with the Automation Solution. IEC TR 62443-2-3 defines patch management and related responsibilities for control system suppliers and asset owners. SP 11.XX outlines service provider patch management capabilities in support of asset owner responsibilities per IEC TR 62443-2-3." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Manual process Patch qualification", "requirementDescription": "The service provider must be able to reevaluate its process for evaluating and approving security patches for the software within their responsibility in the Automation Solution in response to changing security risks.", "requirementSatisfaction": "This capability ensures the service provider can adapt its patch evaluation process in response to evolving cybersecurity threats, potentially requiring faster responses. This is typically demonstrated within incident handling capabilities or as a separate periodic review process. It involves the service provider having an identifiable process for reviewing and updating the security patch evaluation process, and responding to changes in the risk landscape. These reviews occur periodically and especially in response to significant risk environment changes, such as new threats, vulnerabilities, and security technology developments." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Patch list Patch qualification", "requirementDescription": "The service provider must provide the asset owner with documentation on security patches/updates. This documentation should be available within an agreed timeframe after the patch release by the manufacturer. 
It includes: 1) security patches relevant to the Automation Solution components under the service provider’s responsibility, 2) their approval status/lifecycle state (refer to IEC TR 62443-2-3) – approved, not approved, not applicable, in test, 3) notification if applying an approved patch requires a system restart, 4) reasons for disapproval or inapplicability, and 5) a plan for addressing applicable but unapproved patches.", "requirementSatisfaction": "These capabilities enable the asset owner to access relevant security patch descriptions from the service provider and receive mitigation recommendations for patches they choose not to install. The service provider must have a process for evaluating and approving security patches, as defined in SP.11.01 BR. They must inform the asset owner of the results within an agreed-upon timeframe (N days after patch release). If the service provider uses customized software libraries, they may need to modify patch packages, which should be addressed in this requirement." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Patch list Patch qualification", "requirementDescription": "The service provider must provide the asset owner with an accessible patch list, following an interface accepted by industrial and security communities. This list should include: 1) approved security patches for the Automation Solution software under their responsibility (e.g., control system and component software, operating system software, 3rd party applications), 2) which of these patches are approved for Automation Solution use, and 3) the corresponding software version numbers. The list should be accessible to the asset owner within an agreed timeframe after the patch release by the manufacturer.", "requirementSatisfaction": "This capability involves the service provider outlining to the asset owner how to electronically access an approved security patch list applicable to their components (refer to SP.11.02 BR). The list, accessible through a commonly accepted interface, informs the asset owner about patches they should download from the manufacturer or obtain elsewhere. The list can be obtained through this interface from the control system product supplier, the service provider, or an agent designated by the service provider." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Patch list Approval", "requirementDescription": "The service provider must: 1) provide a mitigation plan upon request by the asset owner for security patches that were applicable and approved by the service provider but not approved by the asset owner, potentially due to operational or performance concerns (refer to SP.11.05 BR), and 2) implement the approved mitigation plan.", "requirementSatisfaction": "This capability involves the service provider developing and implementing an approach to mitigate the impact on the Automation Solution of not installing a security patch. This approach may include compensating mechanisms or other means to reduce the vulnerabilities addressed by the patch, with asset owner approval for alternative approaches." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Security patch Delivery", "requirementDescription": "The service provider’s patch management must allow for: 1) direct patch acquisition by the asset owner from the manufacturer, and/or 2) patch redistribution by the service provider, subject to approval by the asset owner and compliance with the patch manufacturer’s policies.", "requirementSatisfaction": "This capability ensures patches are acquired through authorized channels to minimize the risk of invalid or infected patches. The service provider’s patch delivery policy supports two options: 1) the asset owner obtains the patch directly from the manufacturer, or 2) the service provider delivers the patch at the asset owner’s request, subject to licensing agreements with the patch manufacturer. If the service provider is to deliver patches, a joint decision between the service provider and the asset owner determines the method (e.g., DVD, secure connection)." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Security patch Installation", "requirementDescription": "The service provider must provide the asset owner with documentation on patching methods, including manual and patch management server procedures. This documentation should include: 1) instructions for using a patch management server to install patches, and 2) guidance for manual patch installation from portable media.", "requirementSatisfaction": "This capability ensures the asset owner is informed about installing security patches for the Automation Solution. The service provider can provide instructions for patch installation from portable media (e.g., CDs, DVDs, USB drives) and from a patch management server." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Patch management Security patch Installation", "requirementDescription": "The service provider must use the same patch methods as documented for the asset owner when patching the Automation Solution, ensuring consistency.", "requirementSatisfaction": "This capability ensures consistent application of security patches within the Automation Solution, by following the same procedures outlined in the documentation provided to the asset owner. The service provider must follow its documented methods, including those for installing patches from a patch management server or portable media." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Manual process Technical Description", "requirementDescription": "The provider must offer backup documentation for the Automation Solution, covering:\n• Instructions for full and partial backups, using: Proprietary backup architecture on removable media, Single system backup on removable media, Distributed backup, with each system backing up part of the solution at the owner’s site, Centralized backup using one system for all solutions at the owner’s site.\n• Backup provisions for: OS files and cryptographic data, Applications, including middleware, Configuration data and databases, Log files and electronic log books, Unconventional file types, e.g., network settings, control system parameters, Field instrumentation settings, Directory information, Other files the provider deems necessary for a complete backup.\n• Recommendations for offsite storage.\n• Measures to prevent changes affecting backup integrity during backup.", "requirementSatisfaction": "This ensures the asset owner’s comprehension of the service provider’s backup capabilities for the Automation Solution. It mandates the creation of a specific document covering full and partial backups, off-site storage, security, recovery requirements, and the owner’s backup strategy. Key considerations include:\n• Data sensitivity (see SP.03.10 BR for safeguarding sensitive data).\n• The significance of backups for incident recovery.\n• Tailoring the owner’s backup strategy to business needs, including frequency, partial backups, timing, and infection recovery.\n• Ensuring uninterrupted backups during changes, such as engineering or patch installations." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Restore Technical description", "requirementDescription": "The provider must be able to provide documented instructions to the owner for restoring the Automation Solution to normal operation.", "requirementSatisfaction": "This ensures the owner understands the use of the provider’s restore capabilities for the Automation Solution. The provider must provide documented instructions for restoring from backups, covering normal and abnormal scenarios, even if the architecture has changed. This applies to both operational solutions and simulations." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Portable media Technical description", "requirementDescription": "The provider must offer documentation to the owner on controlling and securely managing removable backup media.", "requirementSatisfaction": "This ensures the owner knows how to securely handle the Automation Solution’s backup media. The provider must create a document specific to the Solution, detailing how to protect backup data in line with owner policies. Backup data can be a target for compromise, either to hinder restoration or to gain access to confidential data." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Backup Verification", "requirementDescription": "The provider must give the owner documentation on verifying a successful system backup.", "requirementSatisfaction": "This ensures the owner can verify the Automation Solution backup. The provider must offer a document outlining how to do this effectively." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Restore Verification", "requirementDescription": "The provider must verify that:\n• Complete backup of the Automation Solution is possible.\n• Full restoration of a functioning Automation Solution is achievable from this backup.", "requirementSatisfaction": "This ensures the backup and restore for the Automation Solution work correctly. The provider must verify successful backup and restoration, offering flexibility for partial backups. For databases, it involves stopping automatic rollback to avoid data inconsistencies during backup." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Backup Perform", "requirementDescription": "The provider must back up the Automation Solution as per the owner’s schedule and data recovery goals.", "requirementSatisfaction": "This ensures the provider follows the owner’s guidance when backing up the Automation Solution. It requires the provider to have a process for aligning with the owner’s backup and restore strategies, including schedules and disaster recovery plans (refer to SP.12.09 BR). The goal is to integrate provider activities with the owner’s backup needs." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Backup Robustness", "requirementDescription": "The provider must ensure that the Automation Solution operates normally during a backup.", "requirementSatisfaction": "This guarantees that the Automation Solution’s operation, like process control, remains unaffected during backup. The provider must have a process to prevent backup operations from disrupting the Automation Solution’s normal operation. Refer to IEC 62443-3-3 for related system capability requirements." 
}, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Manual process Logging", "requirementDescription": "The provider must offer the owner documentation on creating and managing audit logs for backup and restore activities.", "requirementSatisfaction": "This ensures the owner can handle audit logs for backup and restore operations, offering evidence of these activities, including timing, personnel involved, and status. The provider must have a process for documentation on configuring the Automation Solution to record backup and restore actions in an audit log." }, { "requirementStandard": "IEC 62443-2-4 (§Annex A)", "requirementName": "Backup/Restore Manual process Disaster recovery", "requirementDescription": "The provider must document a recommended disaster recovery plan, which includes:\n• Descriptions of disaster scenarios and their impact on the Automation Solution.\n• Step-by-step instructions for restoring and integrating failed components.\n• Minimum architecture requirements for restoring the entire Automation Solution.", "requirementSatisfaction": "This ensures not only a disaster recovery plan but also an understanding of how a disaster, including cybersecurity threats, can happen and how to recover from it. The provider must create a Solution-specific document detailing crisis management based on a cybersecurity scenario, ensuring backup and restoration remain uncompromised even if components or the entire Solution are lost. Restoration methods may involve equipment like test benches or offline development tools." } ] }