IEC 62443 standard: security for industrial applications 

Overview on the parts of the standard

The IEC 62443 standard series defines the security processes and functional measures required of device/component manufacturers, system integrators, and operators of machines and plants. It is the common security standard for industrial automation and control systems and consists of 13 parts, which describe the security-relevant requirements for processes and functional measures as well as the technical state of the art. The following table summarizes the available standard parts:

[Table: overview of the IEC 62443 standard parts (not reproduced on this page)]

Roles definition in the IEC 62443 standard

The IEC 62443 standard defines three different roles. Depending on your role, different security-related requirements have to be met in order to comply with the IEC 62443 standard.

  • Role 1: Manufacturer or Product Supplier
    With regard to the devices used to build automation infrastructures and systems (for example, PLCnext Control devices, mGuard security appliances, switches, etc.), this is Phoenix Contact.
  • Role 2: System Integrator
    As a system integrator, you are responsible for the standard-compliant integration and commissioning of the components and systems involved in an automation solution.
  • Role 3: Operator or Application/System Owner
    As an application owner/operator, you are responsible for implementing and following the standard-compliant policies, capabilities, and procedures that secure the operation and maintenance of the automation solution on-site.
Note: A basic assumption of IEC 62443 is that security mechanisms and processes must be implemented by all three roles (as defined by the standard), rather than by a single actor.
Note: Phoenix Contact acts in all three roles: as a component supplier (product business unit), system integrator (VMMs) and as an operator (production). Refer to ICS Security Concept by Phoenix Contact for further information.

Target groups (roles) for the various standard parts

Part 1-1 describes the basic concepts, such as network segmentation, zones and conduits, and provides an overview of suitable measures (process, functional, or a mix of both). Therefore, part 1-1 is intended for all target groups.

IEC 62443 parts 2-1 to 2-5 apply to plant owners, with the exception of part 2-4, which addresses system integrators.

Parts 3-1 to 3-3 apply to system integrators, and parts 4-1 and 4-2 to device/component manufacturers.

Only parts 3-1, 3-3 and 4-2 (marked with a dark green header in the figure above) describe actual "features", i.e., technical security capabilities. All other parts contain procedural definitions, descriptions, and technical reports on the current state of the art.

For device and solution providers, the following parts of the standard are relevant: parts 4-1, 4-2, 3-3 and 2-4.

Example of roles and applying standard parts

In the context of planning and implementing new production plants or machinery, every party involved is now able to…

  • act according to applicable legislation and have their individual parts and business contributions certified according to one and the same worldwide accepted standard
  • specify protection requirements and implementation details to service providers and project partners and evaluate the results

All measures and procedures have to be performed in accordance with the individual roles and responsibilities in the current IT security context.

Published/reviewed: 2023-01-13 • Revision 005