IEC 62443 standard: security for industrial applications
Overview on the parts of the standard
The IEC 62443 standard series defines the necessary security processes and functional measures for device/component manufacturers, system integrators, and operators of machines and plants. It is a common security standard for industrial automation systems and consists of 13 parts which describe the security-relevant requirements for processes and functional measures as well as the technical state of the art. The following table summarizes the available standard parts:
Roles definition in the IEC 62443 standard
The IEC 62443 standard defines three different roles. Depending on your role, different security-related requirements arise in order to fulfill the requirements of the IEC 62443 standard.
- Role 1: Manufacturer or Product Supplier. With regard to the devices used to build automation infrastructures and systems, for example, PLCnext Control devices, mGuard security appliance, switches etc., this is Phoenix Contact.
- Role 2: System Integrator
As a system integrator, you are responsible for the standard-compliant integration and commissioning of components and systems involved into an automation solution. - Role 3: Operator or Application/System Owner
As an application owner/operator, you are responsible for implementing and following the standard-compliant policies, capabilities, and procedures that secure the operation and maintenance of the automation solution on-site.
Target groups (roles) for the various standard parts
Part 1-1 describes the basic concepts, such as network segmentation, zones and conduits and provides an overview on suitable measures (process/functional/mix). Therefore, part 1 is intended for all target groups.
IEC 62443 parts 2-1 to 5 apply to plant owners with the exception of part 2-4 which addresses system integrators.
The parts 3-1 to 3 apply to system integrators and the parts 4-1 and 4-2 to device/component manufacturers.
Only the parts 3-1, 3-3 and 4-2 (marked with a dark green header in the figure above) describe actual "features". All other parts contain procedural definitions, descriptions, and technical reports on the current "state-of-the-art".
For device and solution providers, the following parts of the standard are relevant: part 4-1, 4-2, 3-3 und 2-4.
Example of roles and applying standard parts
In the context of planning and implementing new production plants or machinery, every party involved is now able to…
- act according to applicable legislation and have their individual parts and business contributions certified according to one and the same worldwide accepted standard
- specify protection requirements and implementation details to service providers and project partners and evaluate the results
All measures and procedures have to be performed in accordance with the individual roles and responsibilities in the current IT security context.