IEC 62443-4-2 compliance list

Introduction 

PLCnext Control AXC F 1152, AXC F 2152 and AXC F 3152 from firmware version 2023.0.x LTS, the SPLC 1000 from firmware version 01.01.0000, the RFC 4072S from firmware version 2023.0 LTS and the BPC 9102S from firmware version 2023.0.4 LTS are certified according to IEC 62443-4-1 and IEC 62443-4-2, Full ML3 Process Profile.

For more information on the certified controllers, refer to the topics AXC F 1152, AXC F 2152, AXC F 3152, SPLC 1000, RFC 4072S and BPC 9102S.

They support the IEC 62443-4-2 SL2 feature set described below. In addition, a subset of SL3 features is already supported.

FR1 – Identification and authentication control (IAC)

No. – Description (Security Level): Fulfillment
CR 1.1 – Human user identification and authentication (SL1): PLCnext provides that each user can be identified and authenticated by the PLCnext User Manager in the WBM.
CR 1.1 RE1 – Unique identification and authentication (SL2): PLCnext provides that each user can be uniquely identified and authenticated by the PLCnext User Manager in the WBM.
CR 1.2 – Software process and device identification and authentication (SL2): PLCnext provides that each non-human user (software process or device) can be identified and authenticated by the PLCnext User Manager in the WBM.
CR 1.2 RE1 – Unique identification and authentication (SL3): PLCnext provides that each non-human user can be uniquely identified and authenticated by the PLCnext User Manager in the WBM. Unique identification and authentication can be configured via the Trust Store.
CR 1.3 – Account management (SL1): PLCnext provides that users can be managed via the User Manager in the WBM or via LDAP.
CR 1.4 – Identifier management (SL1): PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files.
CR 1.5 – Authenticator management (SL1): PLCnext provides that the initial authenticator content is defined by the PLCnext User Manager in the WBM.
CR 1.7 – Strength of password-based authentication (SL1): PLCnext provides that each user is assigned a configurable password complexity ruleset. The rulesets can be configured according to password guidelines.
CR 1.7 RE1 – Password generation and lifetime restrictions for human users (SL3): PLCnext provides that each user is assigned a configurable password complexity ruleset. The rulesets can be configured according to password guidelines, including expiration rules.
CR 1.8 – Public key infrastructure certificates (SL2): PLCnext provides an Identity Store and a Trust Store in the WBM.
CR 1.9 – Strength of public key authentication (SL2): PLCnext provides an Identity Store and a Trust Store in the WBM.
CR 1.9 RE1 – Hardware security for public key-based authentication (SL3): The device identity is protected by the TPM. Other identities are stored on the internal SD card and must be protected by the system environment.
CR 1.10 – Authenticator feedback (SL1): Each component of the PLCnext Runtime with an authentication function can obscure the feedback of authenticator information during the authentication process.
CR 1.11 – Unsuccessful login attempts (SL1): PLCnext defines rules for handling authentication errors, including unsuccessful login attempts.
CR 1.12 – System use notification (SL1): PLCnext provides that a system use message is displayed before authentication. The message can be configured by authorized personnel in the user authentication settings.
CR 1.14 – Strength of symmetric key authentication (SL2): Symmetric keys are used only internally, for TLS and OPC UA secure communication.

FR2 – Use control (UC)

No. – Description (Security Level): Fulfillment
CR 2.1 – Authorization enforcement (SL1): PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files.
CR 2.1 RE1 – Authorization enforcement for all users (humans, software processes and devices) (SL2): PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. Users are assigned roles, each of which has a predefined set of permissions.
CR 2.1 RE2 – Permission mapping to roles (SL2): PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. Users are assigned roles, each of which has a predefined set of permissions. The User Manager assigns the roles and permissions to the session that represents the user.
CR 2.5 – Session lock (SL1): PLCnext implements a time limit of 20 minutes.
CR 2.6 – Remote session termination (SL2): PLCnext implements a default timeout of 20 minutes. The duration can be set in the WBM.
CR 2.7 – Concurrent session control (SL3): PLCnext provides that the User Manager supports a configurable total number of sessions.
CR 2.8 – Auditable events (SL1): PLCnext provides security logging that records all auditable events.
CR 2.9 – Audit storage capacity (SL1): PLCnext provides security logging with the required audit storage capacity.
CR 2.10 – Response to audit processing failures (SL1): PLCnext supports an external logging system that checks and reports local (audit processing) errors.
CR 2.11 – Timestamps (SL1): PLCnext provides timestamps; the system time can be set via PLCnext Engineer.
CR 2.11 RE1 – Time synchronization (SL2): PLCnext provides that the system time can be set using the PLCnext Engineer software.
CR 2.12 – Non-repudiation (SL1): PLCnext provides security logging that records all auditable actions and events.

FR3 – System integrity (SI)

No. – Description (Security Level): Fulfillment
CR 3.1 – Communication integrity (SL1): PLCnext uses TLS for the communication channels (HTTPS, OPC UA, ...). TLS ensures the integrity and authenticity of the communication.
CR 3.1 RE1 – Communication authentication (SL2): PLCnext uses TLS for the communication channels (HTTPS, OPC UA, ...). TLS ensures the integrity and authenticity of the communication.
CR 3.3 – Security functionality verification (SL1): PLCnext provides various security measures and verification interfaces that the system integrator or asset owner can use to check the security settings during production, according to the needs of the system design. Security logging and central security logging are the main interfaces and can be complemented by additional checks.
CR 3.4 – Software and information integrity (SL1): PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions for data at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted.
CR 3.4 RE1 – Authenticity of software and information (SL2): PLCnext provides a User Management that ensures authenticity for data access. Physical access is protected by the cabinet. An external SD card is not allowed. Only users with valid credentials and permissions can access the device and change data. User actions are logged, and failed access attempts to the device are logged as well.
CR 3.5 – Input validation (SL1): PLCnext provides input validation on its interfaces.
CR 3.6 – Deterministic output (SL1): Deterministic outputs are configured in PLCnext Engineer using the so-called substitution behavior, which defines the default value for each output module in case of failure.
CR 3.7 – Error handling (SL1): PLCnext does not disclose information that could be exploited by adversaries to attack the device. Special permissions are required to read error messages; unauthenticated users do not receive critical information.
CR 3.8 – Session integrity (SL2): PLCnext authorization is performed by the User Manager, which creates secure sessions.
CR 3.9 – Protection of audit information (SL2): Only the PLCnext roles SecurityAdmin and SecurityAuditor have the permission to read the security logs.

FR4 – Data confidentiality (DC)

No. – Description (Security Level): Fulfillment
CR 4.1 – Information confidentiality (SL1): PLCnext protects data in transit by using TLS. The User Management controls the access permissions for data at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted.
CR 4.2 – Information persistence (SL2): Reset 1 and reset 2 securely return the device to factory defaults.
CR 4.3 – Use of cryptography (SL1): PLCnext provides TLS for the communication channels (HTTPS, OPC UA, ...). The cryptography is based on OpenSSL and offers state-of-the-art security mechanisms.

FR5 – Restricted data flow (RDF)

No. – Description (Security Level): Fulfillment
CR 5.1 – Network segmentation (SL1): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation.

FR6 – Timely response to events (TRE)

No. – Description (Security Level): Fulfillment
CR 6.1 – Audit log accessibility (SL1): PLCnext provides security logging that records all auditable actions and events.
CR 6.1 RE1 – Programmatic access to audit logs (SL3): PLCnext provides security logging that records all auditable actions and events and forwards it to a central logging server via syslog-ng.
CR 6.2 – Continuous monitoring (SL2): PLCnext provides security logging that records all auditable actions and events and forwards it to a central logging server via syslog-ng.
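Forwarding the security log to a central server via syslog-ng only delivers continuous monitoring if something evaluates the stream. The following is an added example, not PLCnext code and not the controller's log format: detection logic a central logging server could run over the forwarded authentication events. It flags a burst of unsuccessful login attempts from one source address (the condition CR 1.11 is concerned with) and a successful login that follows such a burst from the same source. RFC 3164 framing is standard syslog; the tag `plcnext-auth`, the `user=... src=... result=...` message layout, the host name and the addresses are assumptions for this example, and the sample lines are constructed.

```python
"""Brute-force detection over PLCnext security log lines received via syslog-ng.

Added example, not PLCnext code. Assumptions (adapt to the real security log
format of the controller): RFC 3164 framing, tag "plcnext-auth", and a message
body of the form "user=<name> src=<ip> result=<success|failure>".
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# <PRI>Mon dd hh:mm:ss host tag: message   (PRI is optional: files written by
# syslog-ng usually omit it, frames received over the network carry it)
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Assumed message layout of the authentication events.
AUTH_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)"
)

Alert = namedtuple("Alert", "kind src user ts failures")


def parse_auth_event(line, year=2023):
    """Return a dict for an authentication event, None for anything else.
    RFC 3164 timestamps carry no year, so the collector has to supply it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.search(m["msg"])
    if not a:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], **a.groupdict()}


def detect_bruteforce(lines, threshold=5, window_s=60, year=2023):
    """Sliding-window count of failures per source address.

    Emits "failure_burst" when a source reaches `threshold` failures inside
    `window_s` seconds, and "success_after_failures" when a source that is
    still at or above the threshold then authenticates successfully (the
    case a lockout rule under CR 1.11 should have prevented)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_auth_event(line, year)
        if ev is None:
            continue  # not syslog, or not an authentication event
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once per burst, not on every further failure
                alerts.append(Alert("failure_burst", ev["src"], ev["user"], ev["ts"], len(q)))
        elif len(q) >= threshold:
            alerts.append(Alert("success_after_failures", ev["src"], ev["user"], ev["ts"], len(q)))
    return alerts


# Constructed sample: six failures for "admin" from 10.0.0.9 within ten seconds,
# then a success; one mistyped password from 10.0.0.20; two unrelated lines.
SAMPLE_LOG = [
    "<86>Nov  2 10:15:01 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:03 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:05 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:07 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:09 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:11 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=failure",
    "<86>Nov  2 10:15:20 axc-f-2152 plcnext-auth: user=admin src=10.0.0.9 result=success",
    "<86>Nov  2 10:15:30 axc-f-2152 plcnext-auth: user=operator src=10.0.0.20 result=failure",
    "<86>Nov  2 10:16:00 axc-f-2152 plcnext-auth: user=operator src=10.0.0.20 result=success",
    "<86>Nov  2 10:16:10 axc-f-2152 wbm: security profile activated",
    "this line is not syslog",
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a.ts:%H:%M:%S} {a.kind}: src={a.src} user={a.user} failures={a.failures}")
```

The single mistyped password from 10.0.0.20 produces nothing, the admin burst produces two alerts: the burst itself at the fifth failure and the success that follows it, which is the one worth paging someone for. The threshold and window should mirror the lockout rule configured on the controller so that the central side notices when a device's own rule did not fire.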

FR7 – Resource availability (RA)

No. – Description (Security Level): Fulfillment
CR 7.1 – Denial of service protection (SL1): PLCnext provides a netload limiter and a firewall (nftables) to control the communication load.
CR 7.1 RE1 – Manage communication load from component (SL2): PLCnext provides a netload limiter and a firewall (nftables) to control the communication load. The task management is designed to manage and recover from high communication load.
CR 7.2 – Resource management (SL1): PLCnext provides a netload limiter and a firewall (nftables) to control the communication load and resource usage. In addition, the task management controls execution and resource load.
CR 7.3 – Control system backup (SL1): PLCnext provides an app to start a backup during normal operation. It generates a backup file which must be transferred to the backup location defined by the system. The backup file can be downloaded explicitly via SSH access or via the OPC UA file interface, or automatically by configuring the rsync daemon. The function of the app and the scope of the backup data are configurable, and the app can also be called from system tools such as cron jobs.
CR 7.3 RE1 – Backup integrity verification (SL2): PLCnext's backup data is integrity-protected. Before a restore is started, the data integrity is validated.
CR 7.4 – Control system recovery and reconstitution (SL1): PLCnext provides recovery after a disruption or failure. To recover a device from the backup data, it must be set to delivery status by reset 1, configured according to the system configuration, and the Security Profile must be activated. The restore data is provided as an app itself and is installed by starting the app.
CR 7.6 – Network and security configuration settings (SL1): PLCnext provides that the network and security configuration can be set via the WBM.
CR 7.7 – Least functionality (SL1): PLCnext provides that the Security Profile follows the principle of least functionality: only components that have been considered in the threat analysis may run. This specifies exactly what is permissible.
CR 7.8 – Control system component inventory (SL2): PLCnext provides the component inventory information via OPC UA (device info).

Embedded device requirement (EDR)

No. – Description (Security Level): Fulfillment
EDR 2.4 – Mobile code (SL1): PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions for mobile code at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted.
EDR 2.4 RE1 – Mobile code authenticity check (SL2): PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions for mobile code at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted.
EDR 2.13 – Use of physical diagnostic and test interfaces (SL2): PLCnext protects access to physical test and diagnostic interfaces through the housing; the interfaces cannot be reached through the housing with test adapters. The device must be protected in a lockable cabinet. The device and SD card must be shipped in a secure manner.
EDR 3.2 – Protection from malicious code (SL1): PLCnext provides protection from malicious code by using TLS for data in transit. The User Management controls the access permissions for data at rest.
EDR 3.10 – Support for updates (SL1): PLCnext provides a WBM page to install updates. OPC UA Software Update is supported to integrate PLCnext into the Device and Patch Management Service.
EDR 3.10 RE1 – Update authenticity and integrity (SL2): PLCnext provides RAUC update containers signed with an X.509 v3 certificate of the product vendor. Before installation, the authenticity and integrity of the update are verified. All update files provided via the download center can additionally be verified against a published SHA-256 checksum.
EDR 3.11 – Physical tamper resistance and detection (SL2): PLCnext requires that the cabinet be locked; the application must supervise cabinet access.
EDR 3.12 – Provisioning product supplier roots of trust (SL2): PLCnext provides a device identifier called IDevID. This device identity is installed during production and protected by the TPM. The boot integrity check validates the further roots of trust, such as the one used for firmware updates.
EDR 3.13 [1] – Provisioning asset owner roots of trust (SL2): PLCnext provides the Certificate Authentication web page to install asset owner roots of trust via the Trust Store mechanism. Devices (SD cards) containing installed asset owner roots of trust must be specially protected in the field by locked cabinets and must not be sent to other sites without special protection from physical access.
EDR 3.14 – Integrity of the boot process (SL1): PLCnext provides a partial boot integrity check for the OS and firmware prior to starting the PLC function. The result is shown in the WBM, and a notification is generated in the security logging.
EDR 3.14 RE1 – Authenticity of the boot process (SL2): PLCnext provides a partial boot integrity check for the OS and firmware based on the root of trust of the device.

[1] This requirement is implemented for AXC F 1152, AXC F 2152, AXC F 3152 and AXC F XT SPLC 1000 hardware. You can find out whether the other controllers fulfill this requirement on the details page of the respective controller (e.g., BPC 9102S).
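The SHA-256 value published with an update file lets the asset owner check the download before it is uploaded via the WBM or the Device and Patch Management Service, and the same kind of check is the simplest way to show that an exported backup file (CR 7.3 RE1) was not altered while it sat on the backup location. The following is an added example, not PLCnext code and not the controller's own integrity check: it verifies files against a sha256sum-style manifest (`<hex digest>  <file name>` per line), refuses manifest entries that point outside the download directory, and demonstrates the result on constructed files, one of which is then tampered with. The file names `firmware.raucb`, `backup-2023-11-02.app` and `SHA256SUMS` are assumptions for the demo. Note the limit of this check: it proves that the file matches the published digest, nothing more; authenticity of the update container itself rests on the vendor's X.509 signature, which the controller verifies before installation.

```python
"""Verify downloaded update files (or exported backups) against a sha256sum-style manifest.

Added example, not PLCnext code. The manifest layout "<sha256 hex>  <name>" per line
(as written by sha256sum) and the demo file names are assumptions.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha256sum writes "<64 hex>  name" (text mode) or "<64 hex> *name" (binary mode)
MANIFEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})  ?\*?(?P<name>\S.*)$")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so that large update containers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_path, base_dir):
    """Return {name: "ok" | "mismatch" | "missing" | "rejected_path" | "malformed"}."""
    base = Path(base_dir).resolve()
    results = {}
    for raw in Path(manifest_path).read_text().splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = MANIFEST_LINE.match(raw)
        if not m:
            results[raw] = "malformed"
            continue
        name = m["name"]
        target = (base / name).resolve()
        if base not in target.parents:  # an entry such as ../../etc/passwd
            results[name] = "rejected_path"
            continue
        if not target.is_file():
            results[name] = "missing"
            continue
        ok = hmac.compare_digest(sha256_file(target), m["digest"].lower())
        results[name] = "ok" if ok else "mismatch"
    return results


def demo():
    """Constructed download set: two files, a manifest with one missing entry and one
    path-traversal entry; afterwards one byte of the update container is flipped."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        files = {  # constructed contents, not real update or backup data
            "firmware.raucb": b"\x00" * 4096 + b"constructed update container",
            "backup-2023-11-02.app": b"constructed backup archive",
        }
        for name, data in files.items():
            (base / name).write_bytes(data)
        manifest = base / "SHA256SUMS"
        manifest.write_text(
            "".join(f"{sha256_file(base / n)}  {n}\n" for n in files)
            + "0" * 64 + "  missing.bin\n"
            + "0" * 64 + "  ../../etc/passwd\n"
        )
        before = verify_manifest(manifest, base)
        with open(base / "firmware.raucb", "r+b") as f:
            f.seek(10)
            f.write(b"\xff")  # tamper with a single byte
        after = verify_manifest(manifest, base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest must come from the download center page itself (or from a signed source), not from the same directory as the file it describes; a digest that travels next to the file it protects can be replaced together with it.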

Network device requirement (NDR)

No. – Description (Security Level): Fulfillment
NDR 1.13 – Access via untrusted networks (SL1): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by the firewall.
NDR 1.13 RE1 – Explicit access request approval (SL3): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by the firewall. By default, the firewall rejects incoming and outgoing communication requests; only explicitly configured communication requests are allowed.
NDR 5.2 – Zone boundary protection (SL1): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. By using the netload limiter and the firewall, zone boundary protection can be established.
NDR 5.2 RE1 – Deny all, permit by exception (SL2): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by the firewall. By default, the firewall rejects incoming and outgoing communication requests; only explicitly configured communication requests are allowed.
NDR 5.2 RE2 – Island mode (SL3): PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. By using the netload limiter and the firewall, zone boundary protection can be established. The firewall can be configured separately for each Ethernet interface.
NDR 5.3 – General purpose, person-to-person communication restrictions (SL1): PLCnext provides firewall configurations that reject incoming and outgoing communication requests by default. Only explicitly configured communication requests, including dedicated ports and IP addresses, are allowed.
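Deny all, permit by exception is easy to state and easy to lose in an nftables ruleset: a base chain whose policy is still `accept`, a hook with no base chain at all (nftables then passes that direction unfiltered), or an accept rule that opens a port to every source. The following is an added example, not PLCnext code and not the controller's shipped firewall configuration: a checker for the text form of a ruleset (as printed by `nft list ruleset`), run against a constructed ruleset with exactly those weaknesses and against a constructed hardened one. The table and chain names, the management subnet, the syslog and NTP servers, and the ports (HTTPS 443, OPC UA 4840, SSH 22, syslog 514, NTP 123) are assumptions for the example.

```python
"""Deny-all, permit-by-exception check for an nftables ruleset in text form.

Added example, not PLCnext code. The rulesets below are constructed samples;
addresses, ports, table and chain names are assumptions.
"""
import re

TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
BASE_RE = re.compile(r"^\s*type\s+filter\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+)\s*;")

# An accept rule counts as an explicit exception if it is narrowed by an
# interface, a connection state, or an address together with a port.
NARROWING = ("iif", "oif", "ct state")
ADDRESS = ("saddr", "daddr")
PORT = ("dport", "sport")


def parse_ruleset(text):
    """Map "family table/chain" -> {"hook", "policy", "rules"} from nft list output."""
    chains, table, chain = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            table = f"{m[1]} {m[2]}"
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = f"{table}/{m[1]}"
            chains[chain] = {"hook": None, "policy": None, "rules": []}
            continue
        if s == "}":
            if chain is not None:
                chain = None  # closes the chain
            else:
                table = None  # closes the table
            continue
        m = BASE_RE.match(line)
        if m and chain is not None:
            chains[chain]["hook"], chains[chain]["policy"] = m[1], m[2]
        elif chain is not None:
            chains[chain]["rules"].append(s)
    return chains


def check_deny_by_exception(text, required_hooks=("input", "output")):
    """Return a list of findings; an empty list means the ruleset passes."""
    chains = parse_ruleset(text)
    findings, hooks_seen = [], set()
    for name, c in chains.items():
        if c["hook"] is None:
            continue  # regular chain, only reachable via jump/goto from a base chain
        hooks_seen.add(c["hook"])
        if c["policy"] != "drop":
            findings.append(f"{name}: base chain policy is '{c['policy']}', expected 'drop'")
        for rule in c["rules"]:
            if not rule.endswith("accept"):
                continue
            narrowed = any(k in rule for k in NARROWING) or (
                any(k in rule for k in ADDRESS) and any(k in rule for k in PORT)
            )
            if not narrowed:
                findings.append(f"{name}: accept rule is not restricted to an interface, "
                                f"connection state or address+port: '{rule}'")
    for hook in required_hooks:
        if hook not in hooks_seen:
            findings.append(f"no base chain for hook '{hook}': that direction is unfiltered")
    return findings


# Constructed: input is deny-by-default, but SSH and the web/OPC UA ports are open
# to every source, and the output chain lets everything out.
WEAK = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 443, 4840 } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Constructed: both directions drop by default; management traffic only from the
# management subnet, SSH only from one host, outbound only syslog and NTP.
HARDENED = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr 192.168.10.0/24 tcp dport { 443, 4840 } accept
        ip saddr 192.168.10.5 tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr 192.168.10.10 udp dport 514 accept
        ip daddr 192.168.10.1 udp dport 123 accept
    }
}
"""

if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_deny_by_exception(ruleset) or "passes")
```

What counts as "narrowed" is a site decision: a rule that permits a single host on all ports is accepted by nftables but fails this checker, which is deliberate for a controller that should expose a handful of known services. Run the check on the output of `nft list ruleset` taken from the device after the Security Profile and firewall have been configured, and again after every firewall change.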

 

 

 


Published/reviewed: 2023-11-02, Revision 011