Skip to main content

ISA/IEC 62443

logo

Summary

The ISA/IEC 62443 standard defines the necessary elements to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. The version used in this section is IEC 62443-3-3 edition 1.0 2013-08.

Definitions

DefinitionRequirements
CR-1_1-RE_1. Unique identification and authentication264. Request authentication
305. Prioritize token usage
319. Make authentication options equally secure
335. Define out of band token lifespan
357. Use stateless session tokens
CR-1_1-RE_2. Multifactor authentication for all interfaces262. Verify third-party components
362. Assign MFA mechanisms to a single account
CR-1_7. Strength of password-based authentication126. Set a password regeneration mechanism
127. Store hashed passwords
130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
135. Passwords with random salt
139. Set minimum OTP length
333. Store salt values separately
334. Avoid knowledge-based authentication
CR-1_7-RE_2. Password lifetime restrictions for all users130. Limit password lifespan
138. Define lifespan for temporary passwords
140. Define OTP lifespan
CR-2_1-RE_3. Permission mapping to roles034. Manage user accounts
CR-3_1-RE_1. Communication authentication024. Transfer information using session objects
030. Avoid object reutilization
181. Transmit data using secure protocols
369. Set a maximum lifetime in sessions
DC-4_1. Information confidentiality176. Restrict system objects
178. Use digital signatures
185. Encrypt sensitive information
329. Keep client-side storage without sensitive data
365. Avoid exposing technical information
DC-4_3. Use of cryptography145. Protect system cryptographic keys
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
370. Use OAEP padding with RSA
371. Use GCM Padding with AES
IAC-1_1. Human user identification and authentication237. Ascertain human interaction
IAC-1_2. Software process and device identification and authentication143. Unique access credentials
176. Restrict system objects
264. Request authentication
IAC-1_3. Account management034. Manage user accounts
IAC-1_5. Authenticator management228. Authenticate using standard protocols
229. Request access credentials
319. Make authentication options equally secure
IAC-1_6. Wireless access management253. Restrict network access
IAC-1_7. Strength of password-based authentication129. Validate previous passwords
130. Limit password lifespan
133. Passwords with at least 20 characters
136. Force temporary password change
138. Define lifespan for temporary passwords
332. Prevent the use of breached passwords
334. Avoid knowledge-based authentication
IAC-1_8. Public key infraestructure (PKI) certificates090. Use valid certificates
093. Use consistent certificates
IAC-1_9. Strength of public key authentication088. Request client certificates
373. Use certificate pinning
IAC-1_11. Unsuccessful login attempts131. Deny multiple password changing attempts
227. Display access notification
IAC-1_12. System use notification225. Proper authentication responses
227. Display access notification
301. Notify configuration changes
358. Notify upcoming expiration dates
IAC-1_13. Access via untrusted networks160. Encode system outputs
321. Avoid deserializing untrusted data
340. Use octet stream downloads
348. Use consistent encoding
RA-7_1. Denial of service protection072. Set maximum response time
327. Set a rate limit
345. Establish protections against overflows
RA-7_6. Network and security configuration settings062. Define standard configurations
RA-7_7. Least functionality186. Use the principle of least privilege
255. Allow access only to the necessary ports
353. Schedule firmware updates
RDF-5_1. Network segmentation259. Segment the organization network
RDF-5_2. Zone boundary protection258. Filter website content
341. Use the principle of deny by default
RDF-5_3. User content filtering116. Disable images of unknown origin
258. Filter website content
266. Disable insecure functionalities
340. Use octet stream downloads
SI-3_1. Communication integrity046. Manage the integrity of critical files
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
SI-3_2. Malicious code protection041. Scan files for malicious code
115. Filter malicious emails
155. Application free of malicious code
340. Use octet stream downloads
SI-3_5. Input validation173. Discard unsafe inputs
SI-3_7. Error handling313. Inform inability to identify users
SI-3_8. Session integrity024. Transfer information using session objects
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
357. Use stateless session tokens
SI-3_9. Protection of audit information080. Prevent log modification
377. Store logs based on valid regulation
TRE-6_1. Audit log accessibility378. Use of log management system
UC-2_1. Authorization enforcement096. Set user's required privileges
114. Deny access with inactive credentials
UC-2_2. Wireless use control248. SSID without dictionary words
250. Manage access points
253. Restrict network access
254. Change SSID name
UC-2_3. Use control for portable and mobile devices205. Configure PIN
210. Delete information from mobile devices
214. Allow data destruction
373. Use certificate pinning
UC-2_4. Mobile code205. Configure PIN
352. Enable trusted execution
UC-2_6. Remote session termination023. Terminate inactive user sessions
UC-2_7. Concurrent session control025. Manage concurrent sessions
UC-2_8. Auditable events075. Record exceptional events in logs
UC-2_9. Audit storage capacity322. Avoid excessive logging
377. Store logs based on valid regulation
UC-2_11. Timestamps079. Record exact occurrence time of events