If you are dealing with cyber security in industrial automation and control systems (IACS), there is one topic you cannot avoid: IEC 62443. In recent years, this standard has become a central building block for securing Industry 4.0 systems and offers a detailed structure for protecting industrial infrastructures against cyber attacks. But what exactly is behind this standard? And how can you ensure that your systems meet the right security levels (SL)? This is exactly what we will clarify here by taking a detailed look at all aspects of IEC 62443 and the security levels in particular.
What is IEC 62443? An introduction to the standard
IEC 62443 is a series of standards developed specifically for cyber security in industry. It was published by the International Electrotechnical Commission (IEC) and is aimed at securing industrial automation and control systems (IACS). The standard is designed to help companies manage risks and protect their systems from potential cyber threats that exist in critical infrastructures such as energy supply, transportation or manufacturing.
An important aspect of IEC 62443 is its horizontal applicability, which means that it has been developed not just for a specific industry or technology, but has broad application across different industries. It is designed to enable organizations to continuously improve their security strategies and processes to adapt to an ever-changing threat landscape.
The structure of IEC 62443 - A look at the series of standards
IEC 62443 consists of several parts that together form a complete framework for cybersecurity in IACS. These parts are divided into four main categories:
IEC 62443-1: General principles, terms and concepts
- This section provides the basic definitions, concepts and a model for cyber security. It helps to develop a common understanding of the security requirements.
- It also introduces the concept of “Zones & Conduits”, which provides a structured approach to protecting systems at different levels.
IEC 62443-2: Guidelines and procedures for security management
- This part deals with the organizational and procedural requirements that are necessary for the successful implementation of cyber security.
- It includes aspects such as security management systems, training, emergency plans and regular reviews of security controls.
IEC 62443-3: Security requirements at system level
- This is where the security requirements for IACS are defined at system level, e.g. in relation to networks, communication and physical security.
- A central concept is zoning, in which the system is divided into different zones that are assigned different security levels depending on the risk and protection requirements.
IEC 62443-4: Requirements for components and safe development
- This section deals with the development and life cycle of IACS components. Requirements are placed on the development of safe products and their integration into an overall system.
- Special requirements apply here for host devices, network devices, software applications and embedded devices.
Together, these four parts form the basis for cyber security in industrial automation and control systems and provide companies with a comprehensive guide to securing their systems.
Security levels in IEC 62443 - What they mean and how to achieve them
A central concept of IEC 62443 is the Security Level (SL). These security levels define how strongly a system must be protected against various threats. The SLs range from SL 0 (no specific security requirements) to SL 4 (highest protection against advanced, targeted attacks). Each level corresponds to a different set of protective measures tailored to the respective risks and threats.
The five security levels:
SL 0 – No requirements
- This level means that no special security requirements are necessary for the system. This is generally intended for less critical systems.
SL 1 – Protection against incidental or accidental breaches
- Here, the system is protected against accidental threats. This could include, for example, protection against accidental misconfiguration or unintentional access.
SL 2 – Protection against intentional violations with simple means
- Systems at this level need protection against basic, deliberate attacks that can be carried out with limited resources and without in-depth expertise.
SL 3 – Protection against deliberate attacks using advanced means
- This level is aimed at targeted attacks that require specialized skills and tools. Attackers at SL 3 are usually well prepared and have in-depth knowledge.
SL 4 – Protection against sophisticated, targeted attacks
- SL 4 is the highest security level and is directed against attackers with highly developed means and extensive resources. Attacks at this level require a high degree of motivation and planning.
Application of the security level: system level vs. component level
The security levels in IEC 62443 are not only applied to systems, but also to components. This means that when selecting and evaluating components, a company must also consider their ability to achieve a certain security level. Components can include both hardware and software elements.
At system level:
The security requirements at the system level relate to the entire infrastructure, which is defined by zoning and the application of security levels to each zone. Zoning is a concept in which the system is divided into different zones, each of which has different security requirements. Zones with a higher risk (e.g. production networks) are assigned a higher security level.
At component level:
Specific requirements are also defined for the components of a system to ensure that the individual elements meet the required security level. For example, host devices and network devices must offer certain security functions in order to protect the overall system from attacks.
The seven basic security requirements of IEC 62443
The Security Levels (SL) are not just abstract security levels, but are based on seven Fundamental Requirements (FRs) that provide the framework for the entire security strategy. These requirements must be considered in every system or component:
- Identification and authentication: ensuring that only authorized users have access to the system.
- Usage control: Restricting and controlling who can do what in the system.
- System integrity: Ensuring that the system is protected against unauthorized changes.
- Data confidentiality: Protecting data from unauthorized access or manipulation.
- Restricted data flow: Preventing the unauthorized exchange of data.
- Prompt response to events: Monitoring and responding quickly to security-related events.
- Resource availability: Ensuring that the required resources are available in an emergency.
The combination of these seven requirements and the security levels ensures that you can develop a customized security concept that suits your system and the specific threats.
Challenges in the application of the security level
Although IEC 62443 provides clear guidelines for achieving security levels, there are some challenges in practical implementation:
Changing threat landscape:
- Attacks are becoming more sophisticated and are constantly evolving. Therefore, security measures need to be regularly reviewed and adapted to keep pace with new threats.
Blanket SL assignments:
- A common challenge is the blanket assignment of security levels to components or systems. Such assignments are often inaccurate and do not take into account the specific requirements of a system or component. A differentiated approach is therefore essential.
Product certification and SL comparability:
- Many manufacturers label their products with a blanket security level to enable easy comparability. However, this contradicts the differentiated approach of IEC 62443, which addresses specific requirements and contexts.
How do you achieve IEC 62443 certification?
IEC 62443 certification is an important step in ensuring the cyber security of your industrial systems and documenting this to the outside world. To obtain certification, your company must fulfill all relevant requirements of IEC 62443 and prove that security measures are continuously implemented and monitored.
External testing bodies such as ISASecure, which are specifically geared towards the certification of automation and control systems, can play a role here.
IEC 62443 training: Why it is so important
The path to successful implementation of IEC 62443 requires not only technical knowledge, but also awareness of the importance of security levels and correct implementation in practice. For this reason, IEC 62443 training courses are crucial. They help you to develop a deep understanding of the standard and ensure that everyone involved in the company implements the security requirements correctly.
Practical example: Application of IEC 62443 in energy supply
A good example of the application of IEC 62443 is the energy supply industry. Here, the systems are extremely important for public security, and an attack on this infrastructure could have serious consequences. These systems must therefore achieve high security levels.
Zoning: In an energy supply network, different zones could be defined, e.g. a production zone for the control of generators and a communication zone for the transmission of data. Each zone is equipped with a different security level, depending on the risk it poses to the overall system.
Components: Special network devices and software solutions may be required in the communication zone, which must have a higher security level (SL 4) in order to guarantee the integrity and confidentiality of the transmitted data.
Conclusion: IEC 62443 as the key to cyber security in industry
IEC 62443 provides a comprehensive framework for cyber security in industrial automation and control systems. With its detailed structure and definition of security levels, it enables companies to tailor their systems precisely to the threats and risks to which they are exposed. The series of standards not only provides a clear guideline for the implementation of security measures, but also an opportunity for continuous improvement and adaptation to new threats. In an increasingly connected world, compliance with IEC 62443 is crucial to ensure the security and resilience of critical infrastructure.
