The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) started creating the 62443 series of standards in 2002. The series, which includes IEC/ISA 62443-3-3, was initially referred to as the ISA99 series and contained industrial automation and control systems (IACS) security standards created following the guidance of the American National Standards Institute (ANSI).

IEC/ISA 62443-3-3:2013 defines system requirements (SRs) and requirement enhancements (REs) needed to comply with the foundational requirements (FRs) and principles listed in part 1:1 of the 62443 series of standards.

Keep reading to learn more about IEC 62443-3-3 and how your organization can integrate various security standards to comply with the FRs of the 62443 series.

ISA/IEC System Security Requirements & Security Policies

The ISA/IEC 62443 standards require organizations to implement several cybersecurity principles to comply with the series’s FRs. These cybersecurity principles include:

  • Least Privilege: The practice of limiting a user’s access rights, account access, and computing power based on their role and the access needed to complete their role-defined duties
  • Defense In Depth: This principle allows organizations to delay or prevent cyber attacks from affecting critical infrastructure by separating systems into “zones” that communicate with one another through “conduits”
  • Risk Analysis: The process of identifying and assessing potential hazards and risks that could negatively affect a system or organization by utilizing risk assessment methodologies, practices, and countermeasures
  • Compensating Security Measures: IACS components often do not meet the requirements of ISA security levels, and compensating IACS security measures are necessary to facilitate solutions and elevated security capabilities
  • Zones and Conduits: The 62443 series recommends a system architecture that references ISA95 and utilizes several zones and conduits

Key Publications in the 62443 Series

The 62443 series splits itself into four parts: modules on general topics, policies and procedures, systems, and components and requirements.

  • IEC 62443-1-1 (Concepts & Modules): Part 1:1 of 62443 outlines industrial-process concepts (including FRs) used throughout the series and the modules the series includes.
  • IEC 62443-2-1 (Security Program Requirements for IACS Asset Owners): ISA-62443-2-1 helps product suppliers and automation solution operators and defines security procedures owners should follow while operating the IACS network security management system.
  • IEC 62443-2-4 (Requirements for IACS Service Providers): Part 2:4 includes 12 sections that define requirements for IACS integrators.
  • IEC 62443-3-2 (Security Risk Assessment and System Design): Part 3:2 establishes target security levels (SL-T) for recommended zones and conduits and documents security requirements for system design.
  • IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): Part 4:1 is divided into eight secure development lifecycle practices and includes requirements for testing security features, patch management, managing vulnerabilities, etc.
  • ISA/IEC 62443-4-2 (Technical Security Requirements for IACS Components): Part 4:2 includes technical requirements for system components and embedded devices and defines typical component security constraints (CCSCs).

ISA/IEC 62443-3-3

Part 3:3 of the ISA/IEC 62443 series of standards defines the SRs organizations need to implement to reach the FRs listed in part 1:1. Each FR applies across five security levels (SLs), which users can adhere to depending upon the results of their risk analysis and vulnerability management protocols.

The five SLs for each FR are:

  • Level 0: No specific protections needed
  • Level 1: Protections needed for casual or coincidental events
  • Level 2: Protections needed for intentional or malicious users using limited resources, low-level skills, and low motivation
  • Level 3: Protections needed for intentional or malicious users using moderate resources, targeted skills, and moderate motivation
  • Level 4: Protections needed for intentional or malicious users using advanced resources, sophisticated skills, and high motivation

These five SLs allow organizations to tailor protections to their specific needs, requirements, and perceived complexity of potential threats.

Visual representation of the five security levels (SLs) of the 62443 series.

Fundamental Requirements & 62443-3-3 System Requirements

The FRs of the 62443 series include international standards to ensure information security and protect operational technology. 62443-3-3 helps users comply with the following seven FRs:

  • FR 1: Identification, Authentication Control, and Access Control (AC)
  • FR 2: Use Control (UC)
  • FR 3: System Integrity (SI)
  • FR 4: Data Confidentiality (DC)
  • FR 5: Restricted Data Flow (RDF)
  • FR 6: Timely Response to Events (TRE)
  • FR 7: Resource Availability (RA)

System Requirements of FR 1

The first fundamental requirement of the 62443 series centers around identification, authentication control, and access control (AC). Here are the system requirements needed to comply with the FR according to part 3:3.

  • 1.1: Human User Identification and Authentication: All human network users should be uniquely identified and authenticated
  • 1.2: Software Process and Device Identification and Authentication: All devices should be identified and authenticated by secure system interfaces
  • 1.3: Account Management: The system should be able to handle maximum user bandwidth and manage all user accounts comfortably
  • 1.4: Identifier Management: The system must support all user, group, role, and interface identifiers 
  • 1.5: Authenticator Management: Users must have procedures and an authenticator management system in place to ensure passwords are unique
  • 1.6: Wireless Access Management: The system must be able to identify and authenticate all wireless users
  • 1.7: Strength of Password-Based Authentication: The system must be able to enforce minimum password requirements
  • 1.8: Public Key Infrastructure (PKI) Certificates: Certificates should validate key holders and ensure they are legitimate
  • 1.9: Strength of Public Key Authentication: The system must be able to enforce minimum PKI requirements
  • 1.10: Authenticator Feedback: The system should not display the characters of a password when typed by a user 
  • 1.11: Unsuccessful Login Attempts: The IACS should only allow a specific number of unsuccessful login attempts and set lock-out times for authentication failure
  • 1.12: System Use Notification: The system should display use messages that warn against unauthorized use and prohibit recorded use
  • 1.13: Access Via Untrusted Networks: Compliant IACSs should have the ability to control access from untrusted networks

System Requirements of FR 2

The second FR of the 62443 series regards use control (UC). Here are the system requirements listed in ISA 62443-3-3:

  • 2.1: Authorization Enforcement: The system should be able to enforce authorization on all users, roles, and parameters
  • 2.2: Wireless Use Control: The system’s wireless networks should monitor and enforce restrictions on remote access events using industry security practices
  • 2.3: Use Control for Portable and Mobile Devices: Controllers must design the IACS to allow portable and mobile device usage to be monitored and controlled
  • 2.4: Mobile Code: Any code retrieved from outside the system should be verified to prevent tampering and malicious activities
  • 2.5: Session Lock: The IACS should not use session locks to govern critical functions
  • 2.6: Remote Session Termination: The system should be able to terminate remote sessions after inactivity or after the user initiates such action
  • 2.7: Concurrent Session Control: Concurrent sessions should be managed and controlled based on user authorization standards
  • 2.8: Auditable Events: Control systems should be able to record auditable events in the system log
  • 2.9: Audit Storage Capacity: The storage capacity of the system should be large enough to store the required audit logs
  • 2.10: Response to Audit Processing Failures: The system should alert operators and continue access to essential functions during audit processing failures
  • 2.11: Timestamps: All audit records should utilize timestamps

System Requirements of FR 3

The third FR of 62443-3-3 deals with system integrity controls. Here are the system requirements for FR 3:

  • 3.1: Communication Integrity: Information transmitted in and out of the system should be protected using internal and external solutions
  • 3.2: Malicious Code Protection: The IACS should utilize antivirus solutions to protect itself against malicious code
  • 3.3: Security Functionality Verification: During test phases and maintenance procedures, the IACS should verify all security functions and report all deviations
  • 3.4: Software and Information Integrity: A SIEM solution should detect, record, report, and protect information at rest
  • 3.5: Input Validation: The IACS should validate all inputs that directly impact the control system and all process inputs
  • 3.6: Deterministic Output: Outputs need to return to a predefined state when the IACS cannot achieve regular operation
  • 3.7: Error Handling: The IACS should respond and recover from error conditions swiftly
  • 3.8: Session Integrity: The system needs to have the ability to reject invalid session IDs and install session-based protocols
  • 3.9: Protection of Audit Information: Audit information should be encrypted to protect it during transmission and at rest

System Requirements of FR 4

Fundamental requirement 4 ensures that regulated systems follow best practices for data confidentiality. Here are the system requirements for FR 4:

  • 4.1: Information Confidentiality: Confidential information should be protected at rest and in transmission
  • 4.2: Information Persistence: The system should be able to retrieve past information and data in subsequent sessions
  • 4.3: Use of Cryptography: Any cryptography algorithms used by the system should adhere to industry best practices (including algorithms used for backups)

System Requirements of FR 5

FR 5 restricts how data flow can occur across an organization’s IACS. Here are the system requirements for FR 5:

  • 5.1: Network Segmentation: Personnel should isolate network segments when possible and deploy risk evaluations to reduce the risk of a cyber incident
  • 5.2: Zone Boundary Protection: Network access protocols should be enforced to install protections at zone boundaries
  • 5.3: General-Purpose Person-to-Person Communication Restrictions: The IACS should have the ability to prevent messaging in the event of a malicious attack
  • 5.4: Application Partitioning: Applications should be partitioned based on criticality and in a manner that implements an industry-accepted zoning model
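
One way to check the zone and conduit model behind SR 5.1 and SR 5.2 against observed traffic, shown as an added example that is not taken from IEC 62443-3-3 or from UpGuard. The zone names, subnets, conduit rules, and flow records are constructed, and treating a conduit as a directional allowlist of protocol and port is this example's modelling assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed zone model: zone name -> subnets (illustrative addressing only).
ZONES = {
    "enterprise": [ip_network("10.10.0.0/16")],
    "dmz":        [ip_network("10.20.0.0/24")],
    "control":    [ip_network("10.30.1.0/24")],
}

# Constructed conduits: (source zone, destination zone) -> allowed (protocol, port).
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"):    {("tcp", 4840)},  # 4840 is the registered OPC UA port
}

def zone_of(addr):
    """Return the zone whose subnet contains addr, or None if unassigned."""
    ip = ip_address(addr)
    return next((z for z, nets in ZONES.items() if any(ip in n for n in nets)), None)

def check_flow(src, dst, proto, port):
    """Classify one observed flow against the zone and conduit model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"      # address is not assigned to any zone
    if src_zone == dst_zone:
        return "intra-zone"         # never crosses a zone boundary
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "no-conduit"         # zones talk without a declared conduit
    return "allowed" if (proto, port) in allowed else "conduit-violation"

def audit(flows):
    """Return (verdict, flow) for every flow that needs review."""
    verdicts = ((check_flow(*f), f) for f in flows)
    return [(v, f) for v, f in verdicts if v not in ("allowed", "intra-zone")]

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", "tcp", 443),     # enterprise -> dmz, declared
    ("10.20.0.5", "10.30.1.12", "tcp", 4840),   # dmz -> control, declared
    ("10.10.4.7", "10.30.1.12", "tcp", 502),    # enterprise -> control, skips dmz
    ("10.20.0.5", "10.30.1.12", "tcp", 3389),   # dmz -> control, undeclared service
    ("10.30.1.12", "10.30.1.40", "tcp", 502),   # stays inside the control zone
    ("192.168.50.9", "10.30.1.3", "udp", 161),  # source missing from the zone model
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

The "unknown-asset" verdict also points back to SR 7.8: an address that appears in traffic but not in the zone model is a gap in the component inventory.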

System Requirements of FR 6

The sixth fundamental requirement of the 62443 series ensures IACS operators install standards for timely response to events during the development process. Here are the SRs for FR 6:

  • 6.1: Audit Log Accessibility: The system should grant only authorized users read-only access to audit logs, and those users should not be able to modify the logs
  • 6.2: Continuous Monitoring: Personnel should install ongoing monitoring protocols to ensure constant awareness and support risk decisions

System Requirements of FR 7

The final fundamental requirement of the 62443 series includes protocols to manage resource availability. Here are the SRs listed in IEC 62443-3-3 for FR 7:

  • 7.1: DoS Protection: The IACS should operate in a predetermined degraded mode when a denial of service attack occurs
  • 7.2: Resource Management: System standards should manage the allocation of resources and prevent resource exhaustion
  • 7.3: Control System Backup: Up-to-date backups should always be available to implement a complete system recovery in the event of a system failure
  • 7.4: Control System Recovery and Reconstitution: System workflows should ensure the system can return to a secure state quickly and efficiently
  • 7.5: Emergency Power: Security states and degraded modes should not be affected when the IACS switches from standard to emergency power
  • 7.6: Network and Security Configuration Settings: The IACS should meet industry best practices for network security
  • 7.7: Least Functionality: Unnecessary functions should be restricted and managed to protect resources during security incidents
  • 7.8: Control System Component Inventory: The IACS should maintain and manage an updated inventory of all control system components

How To Comply With ISA’s Security Standards

Any organization interested in complying with ISA’s 62443 series security standards needs to share responsibility across departments. The 62443 series requires key cybersecurity stakeholders to collaborate and ensure all components of their IACS defend against cyber risks and vulnerabilities.

An organization’s people, standards, cybersecurity metrics, and culture will all play a critical role in adhering to the fundamental and system requirements found throughout the 62443 series. The series also leverages the fundamental pillars of the NIST Cybersecurity Framework (NIST CSF), which IT and cybersecurity professionals are typically more familiar with.

The main principles of the NIST CSF include:

  • Discover: Personnel should monitor and assess all system components regularly to anticipate, identify, and prevent system risks and malicious activity
  • Segment: Systems should be segmented where possible to mitigate the impact cyber attacks and security incidents can have on a system
  • Detect: Personnel should install procedures and protocols to detect new vulnerabilities and risks across the system continually
  • Respond: Organizations should leverage incident response and business continuity plans to accelerate incident management and system repair

How UpGuard Can Help with 62443-3-3?

UpGuard’s cybersecurity solutions can help organizations meet many of ISA’s 62443-3-3 system requirements. Simultaneously, UpGuard BreachSight and Vendor Risk can assist users with critical cybersecurity concepts, including attack surface management, vendor risk management, incident response, network security, etc.

The complete features of BreachSight and Vendor Risk include:

  • Data leak detection: Protect your brand’s reputation, intellectual property, and customer data with timely detection of data leaks
  • Continuous monitoring: Get real-time updates and manage exposures across your attack surface, including domains, IPs, apps, endpoints, plugins, and firewalls
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting 
  • Shared security profile: Create an UpGuard Shared profile to eliminate the hassle of answering security questionnaires
  • Workflows and waivers: Streamline remediation workflows, quickly waive risks, and respond to security queries
  • Reporting and insights: Access tailor-made reports for different stakeholders and view information about your external attack surface
  • Vendor Security questionnaires: Automate security questionnaires to gain deeper insight into your vendor relationships and third-party security posture
  • Security ratings: Appraise the security posture of individual vendors by using our data-driven, objective, and dynamic security ratings
  • Risk assessments: Streamline risk assessment workflows, gather evidence, and quickly request remediation
