
ISA/IEC 62443


Summary

The ISA/IEC 62443 series of standards defines the elements needed to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and gives guidance on how to develop those elements. The version used in this section is IEC 62443-3-3 edition 1.0 (2013-08), which specifies system security requirements and security levels. The definition identifiers below are prefixed with the foundational requirement they belong to: IAC (identification and authentication control), UC (use control), SI (system integrity), DC (data confidentiality), RDF (restricted data flow), TRE (timely response to events) and RA (resource availability). CR identifiers are component requirements in the series' numbering, and the RE suffix marks a requirement enhancement of the base requirement.

Definitions

Definition / Requirements (each definition is followed by the Fluid Attacks requirements mapped to it, indented)

IAC-1_1. Human user identification and authentication
  237. Ascertain human interaction
IAC-1_2. Software process and device identification and authentication
  143. Unique access credentials
  176. Restrict system objects
  264. Request authentication
IAC-1_3. Account management
  034. Manage user accounts
IAC-1_5. Authenticator management
  228. Authenticate using standard protocols
  229. Request access credentials
  319. Make authentication options equally secure
IAC-1_6. Wireless access management
  253. Restrict network access
IAC-1_7. Strength of password-based authentication
  129. Validate previous passwords
  130. Limit password lifespan
  133. Passwords with at least 20 characters
  136. Force temporary password change
  138. Define lifespan for temporary passwords
  332. Prevent the use of breached passwords
  334. Avoid knowledge-based authentication
IAC-1_8. Public key infrastructure (PKI) certificates
  090. Use valid certificates
  093. Use consistent certificates
IAC-1_9. Strength of public key authentication
  088. Request client certificates
  373. Use certificate pinning
IAC-1_11. Unsuccessful login attempts
  131. Deny multiple password changing attempts
  227. Display access notification
IAC-1_12. System use notification
  225. Proper authentication responses
  227. Display access notification
  301. Notify configuration changes
  358. Notify upcoming expiration dates
IAC-1_13. Access via untrusted networks
  160. Encode system outputs
  321. Avoid deserializing untrusted data
  340. Use octet stream downloads
  348. Use consistent encoding
UC-2_1. Authorization enforcement
  096. Set user's required privileges
  114. Deny access with inactive credentials
UC-2_2. Wireless use control
  248. SSID without dictionary words
  250. Manage access points
  253. Restrict network access
  254. Change SSID name
UC-2_3. Use control for portable and mobile devices
  205. Configure PIN
  210. Delete information from mobile devices
  214. Allow data destruction
  373. Use certificate pinning
UC-2_4. Mobile code
  205. Configure PIN
  352. Enable trusted execution
UC-2_6. Remote session termination
  023. Terminate inactive user sessions
UC-2_7. Concurrent session control
  025. Manage concurrent sessions
UC-2_8. Auditable events
  075. Record exceptional events in logs
UC-2_9. Audit storage capacity
  322. Avoid excessive logging
  377. Store logs based on valid regulation
UC-2_11. Timestamps
  079. Record exact occurrence time of events
SI-3_1. Communication integrity
  046. Manage the integrity of critical files
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms
SI-3_2. Malicious code protection
  041. Scan files for malicious code
  115. Filter malicious emails
  155. Application free of malicious code
  340. Use octet stream downloads
SI-3_5. Input validation
  173. Discard unsafe inputs
SI-3_7. Error handling
  313. Inform inability to identify users
SI-3_8. Session integrity
  024. Transfer information using session objects
  029. Cookies with security attributes
  030. Avoid object reutilization
  031. Discard user session data
  357. Use stateless session tokens
SI-3_9. Protection of audit information
  080. Prevent log modification
  377. Store logs based on valid regulation
DC-4_1. Information confidentiality
  176. Restrict system objects
  178. Use digital signatures
  185. Encrypt sensitive information
  329. Keep client-side storage without sensitive data
  365. Avoid exposing technical information
DC-4_3. Use of cryptography
  145. Protect system cryptographic keys
  148. Set minimum size of asymmetric encryption
  149. Set minimum size of symmetric encryption
  150. Set minimum size for hash functions
  370. Use OAEP padding with RSA
  371. Use GCM Padding with AES
RDF-5_1. Network segmentation
  259. Segment the organization network
RDF-5_2. Zone boundary protection
  258. Filter website content
  341. Use the principle of deny by default
RDF-5_3. User content filtering
  116. Disable images of unknown origin
  258. Filter website content
  266. Disable insecure functionalities
  340. Use octet stream downloads
TRE-6_1. Audit log accessibility
  378. Use of log management system
RA-7_1. Denial of service protection
  072. Set maximum response time
  327. Set a rate limit
  345. Establish protections against overflows
RA-7_6. Network and security configuration settings
  062. Define standard configurations
RA-7_7. Least functionality
  186. Use the principle of least privilege
  255. Allow access only to the necessary ports
  353. Schedule firmware updates
CR-1_1-RE_1. Unique identification and authentication
  264. Request authentication
  305. Prioritize token usage
  319. Make authentication options equally secure
  335. Define out of band token lifespan
  357. Use stateless session tokens
CR-1_1-RE_2. Multifactor authentication for all interfaces
  262. Verify third-party components
  362. Assign MFA mechanisms to a single account
CR-1_7. Strength of password-based authentication
  126. Set a password regeneration mechanism
  127. Store hashed passwords
  130. Limit password lifespan
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  135. Passwords with random salt
  139. Set minimum OTP length
  333. Store salt values separately
  334. Avoid knowledge-based authentication
CR-1_7-RE_2. Password lifetime restrictions for all users
  130. Limit password lifespan
  138. Define lifespan for temporary passwords
  140. Define OTP lifespan
CR-2_1-RE_3. Permission mapping to roles
  034. Manage user accounts
CR-3_1-RE_1. Communication authentication
  024. Transfer information using session objects
  030. Avoid object reutilization
  181. Transmit data using secure protocols
  369. Set a maximum lifetime in sessions
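The two password-strength definitions above (IAC-1_7 and CR-1_7) are the only rows in the mapping that describe a concrete mechanism rather than a configuration or process, so a worked example of what satisfying them together looks like in code is added here. It is an illustration written for this page, not code from Fluid Attacks or from the IEC standard, and it uses only the Python standard library. Everything not named in the mapping is an assumption: the 90-day lifespan, the 5-entry reuse history, the scrypt cost parameters, the tiny constructed breach corpus standing in for a real one (332.), and the two separate dictionaries standing in for separate storage of digests and salts (333.).

```python
"""Password policy and storage exercising requirements 127, 129, 130, 132,
133, 135, 332 and 333 from the IAC-1_7 / CR-1_7 rows.

Added illustration only (not Fluid Attacks' or IEC's code). Standard
library only; every constant below that is not in the mapping is assumed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_CHARS = 20                     # 133. Passwords with at least 20 characters
MIN_WORDS = 4                      # 132. Passphrases with at least 4 words
MAX_AGE_SECONDS = 90 * 24 * 3600   # 130. Limit password lifespan (90 days assumed)
HISTORY_SIZE = 5                   # 129. Validate previous passwords (depth assumed)

# Constructed stand-in for a breached-password corpus (332.); a real deployment
# would query a breach feed, e.g. by hashed-prefix lookup, instead of a literal set.
BREACHED = {"correct horse battery staple", "password123456789012"}

# scrypt cost parameters (assumed); n=2**14, r=8, p=1 is a common interactive setting.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def policy_errors(candidate: str) -> List[str]:
    """Return the policy rules a candidate violates (empty list means it is acceptable)."""
    errors = []
    words = [w for w in candidate.split() if w]
    # Either a long password (133.) or a multi-word passphrase (132.) is accepted.
    if len(candidate) < MIN_CHARS and len(words) < MIN_WORDS:
        errors.append(f"need at least {MIN_CHARS} characters or {MIN_WORDS} words")
    if candidate.lower() in BREACHED:
        errors.append("password appears in breach corpus")
    return errors


def derive(candidate: str, salt: bytes) -> bytes:
    """Memory-hard digest of the password under the given salt (127.)."""
    return hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


@dataclass
class Record:
    digests: List[bytes]           # oldest first; the last entry is the current password
    set_at: float                  # epoch seconds when the current password was set
    history: List[bytes] = field(default_factory=list)  # reserved for audit metadata


class PasswordStore:
    """Digests and salts are kept in two separate maps (333. Store salt values separately)."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.salts: Dict[str, List[bytes]] = {}   # assumed: a separate table in practice

    def set_password(self, user: str, candidate: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        errors = policy_errors(candidate)
        if errors:
            raise ValueError("; ".join(errors))
        old_salts = self.salts.get(user, [])
        old_digests = self.records[user].digests if user in self.records else []
        # 129. Validate previous passwords: recompute under each historical salt.
        for salt, digest in zip(old_salts, old_digests):
            if hmac.compare_digest(derive(candidate, salt), digest):
                raise ValueError("password was used recently")
        salt = os.urandom(16)                      # 135. Passwords with random salt
        digest = derive(candidate, salt)            # 127. Store hashed passwords
        self.salts[user] = (old_salts + [salt])[-HISTORY_SIZE:]
        self.records[user] = Record((old_digests + [digest])[-HISTORY_SIZE:], now)

    def verify(self, user: str, candidate: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'expired' or 'denied'; comparison is constant-time."""
        now = time.time() if now is None else now
        rec = self.records.get(user)
        salts = self.salts.get(user)
        if rec is None or not salts:
            derive(candidate, b"\x00" * 16)   # same cost for unknown users as for wrong passwords
            return "denied"
        if not hmac.compare_digest(derive(candidate, salts[-1]), rec.digests[-1]):
            return "denied"
        if now - rec.set_at > MAX_AGE_SECONDS:   # 130. Limit password lifespan
            return "expired"
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "ochre lantern gravel mimosa")
    print(store.verify("alice", "ochre lantern gravel mimosa"))
```

The reuse check recomputes the candidate under every retained salt rather than comparing plaintexts, so no previous password is ever stored; the `expired` result is distinct from `denied` so that a caller can route the user into a forced change (136.) instead of treating a stale but correct password as an authentication failure.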