IEC 62443-4-2 compliance list
Introduction
PLCnext Control AXC F 1152, AXC F 2152 and AXC F 3152 from firmware version 2023.0.x LTS, the SPLC 1000 from firmware version 01.01.0000, the RFC 4072S from firmware version 2023.0 LTS and the BPC 9102S from firmware version 2023.0.4 LTS are certified according to IEC 62443-4-1 and IEC 62443-4-2 Full ML3 Process Profile.
For more information on the certified controllers, refer to the topics AXC F 1152, AXC F 2152, AXC F 3152, SPLC 1000, RFC 4072S and BPC 9102S.
They support an IEC 62443-4-2 SL2 feature set as described below. In addition, a subset of SL3 features is already supported.
FR1 – Identification and authentication control (IAC)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 1.1 | Human user identification and authentication | SL1 | PLCnext provides that each user can be identified and authenticated by the PLCnext User Manager in the WBM. | |
| CR 1.1 RE1 | Unique identification and authentication | SL2 | PLCnext provides that each user can be uniquely identified and authenticated by the PLCnext User Manager in the WBM. | |
| CR 1.2 | Software process and device identification and authentication | SL2 | PLCnext provides that each non-human user access can be identified and authenticated by the PLCnext User Manager in the WBM. | |
| CR 1.2 RE1 | Unique identification and authentication | SL3 | PLCnext provides that each non-human user access can be uniquely identified and authenticated by the PLCnext User Manager in the WBM. Unique identification and authentication can be configured via the Trust Store. | |
| CR 1.3 | Account management | SL1 | PLCnext provides that users can be managed via the User Manager in the WBM or via LDAP. | |
| CR 1.4 | Identifier management | SL1 | PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. | |
| CR 1.5 | Authenticator management | SL1 | PLCnext provides that the initial authenticator content is defined by the PLCnext User Manager in the WBM. | |
| CR 1.7 | Strength of password-based authentication | SL1 | PLCnext provides that each user is assigned configurable password complexity rulesets. The rulesets can be configured according to password guidelines. | |
| CR 1.7 RE1 | Password generation and lifetime restrictions for human users | SL3 | PLCnext provides that each user is assigned configurable password complexity rulesets. The rulesets can be configured according to password guidelines, including expiration rules. | |
| CR 1.8 | Public key infrastructure certificates | SL2 | PLCnext provides an Identity Store and a Trust Store in the WBM. | |
| CR 1.9 | Strength of public key authentication | SL2 | PLCnext provides an Identity Store and a Trust Store in the WBM. | |
| CR 1.9 RE1 | Hardware security for public key-based authentication | SL3 | The device identity is protected by the TPM. Other identities are stored on the internal SD card and must be protected by the system environment. | |
| CR 1.10 | Authenticator feedback | SL1 | Each component of the PLCnext Runtime with an authentication function provides the possibility to hide the feedback of authenticator information during the authentication process. | |
| CR 1.11 | Unsuccessful login attempts | SL1 | PLCnext defines rules for handling authentication errors, including unsuccessful login attempts. | |
| CR 1.12 | System use notification | SL1 | PLCnext provides that a system usage message is displayed before authentication. The message is configurable by authorized personnel in the user authentication settings. | |
| CR 1.14 | Strength of symmetric key authentication | SL2 | Symmetric keys are used only internally for TLS and OPC UA secure communication. | |
FR2 – Use control (UC)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 2.1 | Authorization enforcement | SL1 | PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. | |
| CR 2.1 RE1 | Authorization enforcement for all users (humans, software processes and devices) | SL2 | PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. Users are assigned to roles which have a predefined set of permissions. | |
| CR 2.1 RE2 | Permission mapping to roles | SL2 | PLCnext provides that users can be managed via the User Manager in the WBM, via LDAP, or via the Linux configuration files. Users are assigned to roles which have a predefined set of permissions. The User Manager assigns roles and permissions to the session representing the user. | |
| CR 2.5 | Session lock | SL1 | PLCnext provides an implemented time limit of 20 minutes. | |
| CR 2.6 | Remote session termination | SL2 | PLCnext provides an implemented default timeout of 20 minutes. The duration can be set in the WBM. | |
| CR 2.7 | Concurrent session control | SL3 | PLCnext provides that the User Manager offers a configurable total number of sessions. | |
| CR 2.8 | Auditable events | SL1 | PLCnext provides security logging to log all auditable events. | |
| CR 2.9 | Audit storage capacity | SL1 | PLCnext provides security logging that ensures the audit storage capacity. | |
| CR 2.10 | Response to audit processing failures | SL1 | PLCnext provides that an external logging system can be used for checking and reporting local errors. | |
| CR 2.11 | Timestamps | SL1 | PLCnext provides that timestamps are available and that the time can be set via PLCnext Engineer. | |
| CR 2.11 RE1 | Time synchronization | SL2 | PLCnext provides that you can set the system time using the PLCnext Engineer software. | |
| CR 2.12 | Non-repudiation | SL1 | PLCnext provides security logging to log all auditable actions and events. | |
FR3 – System integrity (SI)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 3.1 | Communication integrity | SL1 | PLCnext uses TLS for the communication channels (HTTPS, OPC UA, ...). TLS ensures the integrity and authenticity of the communication. | |
| CR 3.1 RE1 | Communication authentication | SL2 | PLCnext uses TLS for the communication channels (HTTPS, OPC UA, ...). TLS ensures the integrity and authenticity of the communication. | |
| CR 3.3 | Security functionality verification | SL1 | PLCnext provides various security measures and different verification interfaces that the system integrator or asset owner can use to check the security settings during production, according to the needs of the system design. Security logging and central security logging are the major interfaces and can be enhanced by additional checks. | |
| CR 3.4 | Software and information integrity | SL1 | PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions to data at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted. | |
| CR 3.4 RE1 | Authenticity of software and information | SL2 | PLCnext provides a User Management which ensures authenticity for data access. Physical access is protected by the cabinet. An external SD card is not allowed. Only users with valid credentials and permissions can access the device and change data. User actions are logged, and failed access attempts to the device are logged as well. | |
| CR 3.5 | Input validation | SL1 | PLCnext provides input validation on its interfaces. | |
| CR 3.6 | Deterministic output | SL1 | Deterministic outputs are configured in PLCnext Engineer using the so-called (substitution) behavior, which defines the default value for each output module in case of failure. | |
| CR 3.7 | Error handling | SL1 | PLCnext does not provide any information that could be exploited by adversaries to attack the device. Special permissions are required to read error messages. Unauthenticated users do not receive critical information. | |
| CR 3.8 | Session integrity | SL2 | PLCnext authorization is performed by the User Manager, which creates secure sessions. | |
| CR 3.9 | Protection of audit information | SL2 | Only the PLCnext roles SecurityAdmin and SecurityAuditor have the permission to read security logs. | |
FR4 – Data confidentiality (DC)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 4.1 | Information confidentiality | SL1 | PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions to data at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted. | |
| CR 4.2 | Information persistence | SL2 | Reset 1 and reset 2 securely restore the device to factory defaults. | |
| CR 4.3 | Use of cryptography | SL1 | PLCnext provides TLS for the communication channels (HTTPS, OPC UA, ...). The cryptography is based on OpenSSL and offers state-of-the-art security mechanisms. | |
FR5 – Restricted data flow (RDF)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 5.1 | Network segmentation | SL1 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. | |
FR6 – Timely response to events (TRE)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 6.1 | Audit log accessibility | SL1 | PLCnext provides security logging to log all auditable actions and events. | |
| CR 6.1 RE1 | Programmatic access to audit logs | SL3 | PLCnext provides security logging to log all auditable actions and events and forwards it to a central logging server via syslog-ng. | |
| CR 6.2 | Continuous monitoring | SL2 | PLCnext provides security logging to log all auditable actions and events and forwards it to a central logging server via syslog-ng. | |
FR7 – Resource availability (RA)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| CR 7.1 | Denial of service protection | SL1 | PLCnext provides a netload limiter and a firewall (nftables) to control the communication load. | |
| CR 7.1 RE1 | Manage communication load from component | SL2 | PLCnext provides a netload limiter and a firewall (nftables) to control the communication load. The task management is designed to manage and recover from high communication load. | |
| CR 7.2 | Resource management | SL1 | PLCnext provides a netload limiter and a firewall (nftables) to control the communication load and resource management. In addition, the task management controls execution and resource load. | |
| CR 7.3 | Control system backup | SL1 | PLCnext provides an app to start a backup during normal operation. It generates a backup file which must be transferred to the backup location defined by the system. The backup file can be downloaded explicitly via SSH access or via the OPC UA file interface, or automatically by configuring the rsync daemon. The function of the app and the scope of the backup data are configurable, and the app can also be called from system tools such as cron jobs. | |
| CR 7.3 RE1 | Backup integrity verification | SL2 | PLCnext's backup data is integrity protected. Before a restore is started, the data integrity is validated. | |
| CR 7.4 | Control system recovery and reconstitution | SL1 | PLCnext provides recovery after a disruption or failure. To recover a device from the backup data, it must be set to delivery status with reset 1, configured according to the system configuration, and the Security Profile must be activated. The restore data is provided as an app itself and is installed by starting the app. | |
| CR 7.6 | Network and security configuration settings | SL1 | PLCnext provides that the network and security configuration can be set via the WBM. | |
| CR 7.7 | Least functionality | SL1 | PLCnext provides that the Security Profile follows the principle of least functionality: only components that have been considered in the threat analysis may run. This specifies exactly what is permissible. | |
| CR 7.8 | Control system component inventory | SL2 | PLCnext provides the component inventory information via OPC UA (device info). | |
Embedded device requirement (EDR)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| EDR 2.4 | Mobile code | SL1 | PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions to mobile code at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted. | |
| EDR 2.4 RE1 | Mobile code authenticity check | SL2 | PLCnext provides integrity of data in transit by using TLS. The User Management controls the access permissions to mobile code at rest. Physical access to the controller must be protected by a lockable cabinet. Use of an external SD card is not permitted. | |
| EDR 2.13 | Use of physical diagnostic and test interfaces | SL2 | PLCnext protects access to physical test and diagnostic interfaces through the housing. The interfaces cannot be accessed through the housing with testbed adapters. The device must be protected in a lockable cabinet. The device and SD card must be shipped in a secure manner. | |
| EDR 3.2 | Protection from malicious code | SL1 | PLCnext provides protection from malicious code by using TLS for data in transit. The User Management controls the access permissions to data at rest. | |
| EDR 3.10 | Support for updates | SL1 | PLCnext provides a WBM page to install updates. OPC UA Software Update is supported to integrate PLCnext into the Device and Patch Management Service. | |
| EDR 3.10 RE1 | Update authenticity and integrity | SL2 | PLCnext provides RAUC update containers signed with an X.509 v3 certificate from the product vendor. Before installation, the authenticity and integrity of the update are verified. All update files provided via the download center are verifiable with a SHA-256 checksum. | |
| EDR 3.11 | Physical tamper resistance and detection | SL2 | PLCnext provides that the cabinet must be locked; the application must supervise cabinet access. | |
| EDR 3.12 | Provisioning product supplier roots of trust | SL2 | PLCnext provides a device identifier called IDevID. This device identity is installed during production and protected by the TPM. The boot integrity check validates the further roots of trust, such as the one for firmware updates. | |
| EDR 3.13 [1] | Provisioning asset owner roots of trust | SL2 | PLCnext provides the Certificate Authentication web page to install Asset Owner Roots of Trust via the Trust Store mechanism. Devices (SD cards) containing installed Asset Owner Roots of Trust must be specially protected in the field by locked cabinets and must not be sent to other sites without special protection from physical access. | |
| EDR 3.14 | Integrity of the boot process | SL1 | PLCnext provides a partial boot integrity check for the OS and FW prior to starting the PLC function. The result is shown in the WBM, and a notification is generated in the security logging. | |
| EDR 3.14 RE1 | Authenticity of the boot process | SL2 | PLCnext provides a partial boot integrity check for the OS and FW based on the root of trust of the device. | |

[1] This requirement is implemented for AXC F 1152, AXC F 2152, AXC F 3152 and AXC F XT SPLC 1000 hardware.
You can find out whether the other controllers fulfill this requirement on the details page of the respective controller (e.g. BPC 9102S).
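EDR 3.10 RE1 above states that the device verifies the RAUC container's signature on installation and that the download center publishes a SHA-256 value for every update file. The following POSIX shell script is an added example, not part of this compliance list and not Phoenix Contact tooling: it performs the host-side half of that check, comparing a downloaded file against its published digest before the file is uploaded via the WBM update page, so that a corrupted or wrong download is caught on the engineering workstation rather than by a rejected install on the controller. The file name, the demo payload and both digest values are constructed for the demonstration; on a real host, the expected digest is the value published in the download center.

```shell
#!/bin/sh
# Added example (not Phoenix Contact code): verify a downloaded update file
# against its published SHA-256 before uploading it to the WBM update page.
# Assumes a Linux host with sha256sum (coreutils) and mktemp available.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 when the file's SHA-256 matches EXPECTED_HEX, 1 otherwise.
#   Comparison is case-insensitive, since download pages may print
#   the digest in upper case while sha256sum emits lower case.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK    $file"
        return 0
    fi
    echo "FAIL  $file: expected $expected, got $actual" >&2
    return 1
}

# Constructed demo data: a stand-in for the downloaded update container
# (placeholder name update.raucb) and a matching / non-matching digest.
demo_dir=$(mktemp -d)
printf 'constructed update payload\n' > "$demo_dir/update.raucb"
good_digest=$(sha256sum "$demo_dir/update.raucb" | cut -d' ' -f1)
bad_digest="0000000000000000000000000000000000000000000000000000000000000000"

# Matching digest: prints "OK" and returns 0.
verify_sha256 "$demo_dir/update.raucb" "$good_digest"
# Tampered or wrong download: prints "FAIL" and returns 1
# ("|| true" keeps the demo going; a real script would stop here).
verify_sha256 "$demo_dir/update.raucb" "$bad_digest" || true
```

In an update procedure the script would be called as `verify_sha256 update.raucb <digest from the download center> || exit 1` so that a mismatch aborts the process before anything is uploaded. This check is complementary to, not a replacement for, the signature verification the controller itself performs on the RAUC container.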
Network device requirement (NDR)

| No. | Description | Security Level | Fulfillment | Links |
|---|---|---|---|---|
| NDR 1.13 | Access via untrusted networks | SL1 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by using the firewall. | |
| NDR 1.13 RE1 | Explicit access request approval | SL3 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by using the firewall. The firewall is configured to reject outbound and inbound communication requests by default. Only explicitly configured communication requests are allowed. | |
| NDR 5.2 | Zone boundary protection | SL1 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Zone boundary protection can be established by using the netload limiter and the firewall. | |
| NDR 5.2 RE1 | Deny all, permit by exception | SL2 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Access via untrusted networks is managed by using the firewall. The firewall is configured to reject outbound and inbound communication requests by default. Only explicitly configured communication requests are allowed. | |
| NDR 5.2 RE2 | Island mode | SL3 | PLCnext provides separate Ethernet interfaces. Each controller may require different configuration options for network segmentation. Zone boundary protection can be established by using the netload limiter and the firewall. The firewall can be configured for each Ethernet interface. | |
| NDR 5.3 | General purpose, person-to-person communication restrictions | SL1 | PLCnext provides firewall configurations that reject outbound and inbound communication requests by default. Only explicitly configured communication requests, including dedicated ports as well as IP addresses, are allowed. | |
Published/reviewed: 2023-11-02 • Revision 011