IEC 62443-2-4:2015/AMD1:2017

IEC 62443-2-4 ®
Edition 1.0 2017-08
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
A MENDMENT 1
AM ENDEMENT 1
Security for industrial automation and control systems –
Part 2-4: Security program requirements for IACS service providers

Sécurité des automatismes industriels et des systèmes de commande –
Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de
service IACS
IEC 62443-2-4:2015-06/AMD1:2017-08(en-fr)

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de l'IEC ou du Comité national de l'IEC du pays du demandeur. Si vous avez des
questions sur le copyright de l'IEC ou si vous désirez obtenir des droits supplémentaires sur cette publication, utilisez
les coordonnées ci-après ou contactez le Comité national de l'IEC de votre pays de résidence.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform Electropedia - www.electropedia.org
The advanced search enables to find IEC publications by a The world's leading online dictionary on electrotechnology,
variety of criteria (reference number, text, technical containing more than 22 000 terminological entries in English
committee,…). It also gives information on projects, replaced and French, with equivalent terms in 16 additional languages.
and withdrawn publications. Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Glossary - std.iec.ch/glossary
details all new publications released. Available online and 67 000 electrotechnical terminology entries in English and
once a month by email. French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been
IEC Customer Service Centre - webstore.iec.ch/csc collected from earlier publications of IEC TC 37, 77, 86 and
If you wish to give us your feedback on this publication or CISPR.

need further assistance, please contact the Customer Service

Centre: sales@iec.ch.
A propos de l'IEC
La Commission Electrotechnique Internationale (IEC) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications IEC
Le contenu technique des publications IEC est constamment revu. Veuillez vous assurer que vous possédez l’édition la
plus récente, un corrigendum ou amendement peut avoir été publié.

Recherche de publications IEC - Electropedia - www.electropedia.org
webstore.iec.ch/advsearchform Le premier dictionnaire d'électrotechnologie en ligne au
La recherche avancée permet de trouver des publications IEC monde, avec plus de 22 000 articles terminologiques en
en utilisant différents critères (numéro de référence, texte, anglais et en français, ainsi que les termes équivalents dans
comité d’études,…). Elle donne aussi des informations sur les 16 langues additionnelles. Egalement appelé Vocabulaire
projets et les publications remplacées ou retirées. Electrotechnique International (IEV) en ligne.

IEC Just Published - webstore.iec.ch/justpublished Glossaire IEC - std.iec.ch/glossary
Restez informé sur les nouvelles publications IEC. Just 67 000 entrées terminologiques électrotechniques, en anglais
Published détaille les nouvelles publications parues. et en français, extraites des articles Termes et Définitions des
Disponible en ligne et une fois par mois par email. publications IEC parues depuis 2002. Plus certaines entrées
antérieures extraites des publications des CE 37, 77, 86 et
Service Clients - webstore.iec.ch/csc CISPR de l'IEC.

Si vous désirez nous donner des commentaires sur cette
publication ou si vous avez des questions contactez-nous:
sales@iec.ch.
IEC 62443-2-4 ®
Edition 1.0 2017-08
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
A MENDMENT 1
AM ENDEMENT 1
Security for industrial automation and control systems –

Part 2-4: Security program requirements for IACS service providers

Sécurité des automatismes industriels et des systèmes de commande –

Partie 2-4: Exigences de programme de sécurité pour les fournisseurs de

service IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40; 35.110 ISBN 978-2-8322-6486-7

– 2 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
FOREWORD
This amendment has been prepared by IEC technical committee 65: Industrial-process
measurement, control and automation.
This bilingual version (20219-02) corresponds to the monolingual English version, published
in 2017-08.
The text of this amendment is based on the following documents:
CDV Report on voting
65/637A/CDV 65/661/RVC
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
The French version of this amendment has not been voted upon.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
_____________
1 Scope
Replace the first paragraph by the following new text:
This part of IEC 62443 specifies a comprehensive set of requirements for security capabilities
for IACS service providers that they can offer to the asset owner during integration and
maintenance activities of an Automation Solution. Because not all requirements apply to all
industry groups and organizations, Subclause 4.1.4 provides for the development of Profiles
that allow for the subsetting of these requirements. Profiles are used to adapt this document
to specific environments, including environments not based on an IACS.
Delete Note 4 and renumber Note 5 to "Note 4".

3.1.14
safety instrumented system
Add the following Note 2 to entry:
Note 2 to entry: Not all industry sectors use this term. This term is not restricted to any specific industry sector,
and it is used generically to refer to systems that enforce functional safety. Other equivalent terms include safety
systems and safety related systems.

© IEC 2017
4.1.4 Profiles
Replace the existing text with the following:
This document recognizes that not all of the requirements in Annex A apply to all industry
sectors/environments. To allow subsetting and adaptation of these requirements, this
document provides for the use of “Profiles”.
Profiles are written as IEC Technical Reports (TRs) by industry groups/sectors or other
organizations, including asset owners and service providers, to select/adapt Annex A
requirements that are most appropriate to their specific needs.
Each TR may define one or more profiles, and each profile identifies a subset of the
requirements defined in Annex A and specifies, where necessary, how specific requirements
are to be applied in the environment where they are to be used.
It is anticipated that asset owners will select these profiles to specify the requirements that
apply to their Automation Solutions.

4.2 Maturity model
Table 1 – Maturity levels
Replace, in the fourth column, row for Level 2, the second paragraph that begins with “At this
level, the service provider has…” by the following:
At this level, the service provider has the capability to manage the delivery and performance of the service
according to written policies (including objectives). The service provider also has evidence to show that personnel
who will perform the service have the expertise, are trained, and/or are capable of following written procedures to
perform the service.
5.1 Contents
Insert the following new paragraph between the first paragraph and the note:
Not all requirements apply to all service providers, and asset owners may request service
providers to perform only a subset of the required capabilities specified in Annex A. In
addition, industry sectors, service providers, and asset owners may define their own profiles
that contain a subset of these requirements (see 4.1.4).

5.3 IEC 62264-1 hierarchy model
Replace the first paragraph with the following:
Many of the requirements in Annex A refer to network or application levels in phrases such as
“a wireless handheld device is used in Level 2”. When capitalized, “Level” in this context
refers to the position in the IEC 62264-1 Hierarchy Model. The Level of a referenced object
(e.g. wireless handheld device) is represented by the lowest Level function that it executes.
The zones and conduits model described by IEC 62443-3-2 is referenced by requirements in
Annex A that address, independent of the IEC 62264-1 Hierarchy Model Level, trust
boundaries that subdivide the Automation Solution into partitions referred to as “zones” by
IEC 62443-3-2.
– 4 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
5.5.3 Functional area column
Replace the first paragraph with the following:
This column provides the top level technical organization of the requirements. Table 3
provides a list of the functional areas. The functional areas in this column can be used to
provide a high level summary of the areas in which service providers claim conformance.
However, because the “Architecture” functional area is so broad, its use as a summary level is
limited. Therefore, it is subdivided into three summary levels based on the Topic column (see
5.5.4) values for Architecture as shown below:
Summary Level Topic column
Network Security Devices – Network
Network design
Solution Hardening Devices – All
Devices – Workstations
Risk assessment,
Solution components
Data Protection Data Protection

5.5.7 Requirement description
Add “column” to the title as follows:
Requirement description column
Replace the existing text with the following:
This column contains the textual description of the requirement. It may also contain notes that
are examples provided to help in understanding the requirement.
Each requirement defines a capability required of the service provider. Whether an asset
owner requires the service provider to perform the capability is beyond the scope of this
document.
The term “ensure” is used in many requirements to mean “provide a high level of confidence”.
It is used when the service provider needs to have some means, such as a demonstration,
verification, or process, of providing this level of confidence.
The phrase “commonly accepted by both the security and industrial automation communities”
is used in these requirement descriptions in place of specific security technologies, such as
specific encryption algorithms. This phrase is used to allow evolution of more secure
technologies as a replacement for technologies whose weaknesses have been exposed.
To be compliant to these requirements, service providers will have to use technologies (e.g.
encryption) that are commonly accepted and used by the security and industrial automation
communities at the time compliance is claimed. Technologies that are no longer considered
secure, such as the Digital Encryption Standard (DES) and the Wireless Equivalent Privacy
(WEP) security algorithms, would be non-conformant.

© IEC 2017
5.5.8 Rationale
Add “column” to the title as follows:
Rationale column
– 6 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Annex A – Security requirements
Table A.1 – Security program requirements
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/R Functional Topic Subtopic Doc Requirement description Rationale
E area ?
SP.01.04 BR Solution staffing Background Service provider No The service provider shall have the The capabilities specified by this BR and its REs are
checks capability to ensure that it assigns used to protect the Automation Solution from being
only service provider personnel to staffed with personnel whose trustworthiness may be
Automation Solution related questionable. While the background check cannot
activities who have successfully guarantee trustworthiness, it can identify personnel
passed security-related background who have had trouble with their trustworthiness.
checks, where feasible, and to the
Having this capability means that the service provider
extent allowed by applicable law.
has an identifiable process for verifying the integrity of
the service provider personnel it will assign to work on
the Automation Solution. This requirement also
recognizes that the ability to perform background
checks is not always possible because of applicable
laws or because of lack of support by local authorities
and/or service organizations. For example, there may
be countries that do not prohibit background checks,
but that provide no support for conducting a
background check, making it infeasible or impractical
for the service provider to perform such a check.
How and how often background checks are performed
are left to the service provider. Examples of
background checks include identity verification and
criminal record checks.
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.01.04 RE(1) Solution Background Subcontractor No The service provider shall have the Having this capability means that the service provider
staffing checks capability to ensure that it assigns has an identifiable process for verifying the integrity of
only subcontractors, consultants, the subcontractors, consultants, and representatives of
and representatives to the service provider who will be assigned to work on
Automation Solution related activities the Automation Solution. This requirement also
who have successfully passed recognizes that the ability to perform background
security-related background checks, checks is not always possible because of applicable
where feasible, and to the extent laws or because of lack of support by local authorities
allowed by applicable law. and/or service organizations. For example, there may
be countries that do not prohibit background checks,
but that provide no support for conducting a
background check, making it infeasible or impractical
for the service provider to perform such a check.
How and how often background checks are performed
are left to the service provider. Examples of
background checks include identity verification and
criminal record checks.
See ISO/IEC 27036-3 for additional supply chain
organizational requirements.
– 8 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.01.06 BR Solution Personnel Security lead No The service provider shall have The capability specified by this BR is used to reduce
staffing assignments documented minimum IACS cyber- errors in security decision making and implementation.
security qualifications for security Making poor choices or lacking the ability to properly
lead positions and the capability to implement security can unnecessarily expose the
assign security leads to Automation Solution to security threats and/or
Automation Solutions who meet compromises.
these qualifications.
Having this capability means that the service provider
has documented the qualifications
(expertise/competencies) that it requires of personnel
who lead cyber-security related activities and has an
identifiable process for staffing each
Automation Solution with personnel who have this
expertise. Expertise may include IACS cyber-security
experience, training and certifications, and in general,
the service provider and asset owner will typically
come to agreement on the cyber-security qualifications
for personnel before staffing begins. The phrase "meet
these qualifications" is used to indicate that the
security leads assigned to the Automation Solution
have relevant experiences that confirm their
compliance with these qualifications.

© IEC 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.03.02 RE(2) Architecture Network design Connectivity No The service provider shall have the Having this capability means that the service provider
capability to ensure that interfaces of has an identifiable process for protecting the
the Automation Solution that have been Automation Solution from external access and for
identified as untrusted are protected by controlling access between Level 2 and Level 3 (e.g.
network security devices or equivalent through the use of firewalls/firewall rules).
mechanisms, with documented and
Within the Automation Solution, having this capability
maintained security rules. At a
also means that the service provider has an identifiable
minimum, the following shall be
process for protecting BPCS interfaces using network
protected:
security devices or equivalent mechanisms, and for
1. External interfaces
providing the information necessary to create security
2. Level 2/Level 3 interfaces (see rules that are used to grant/deny access to BPCS ports
NOTE 2 below) and applications.
3. Interfaces between the BPCS and
If the service provider supplies or is responsible for the
the SIS
network security device or the equivalent mechanism,
4. Interfaces connecting wired and then the required support includes being able to
wireless BPCS networks configure the network security device/mechanism as
needed. Risk assessments (see IEC 62443-3-2) can be
5. Interfaces connecting the BPCS to
used to determine which interfaces require
data warehouses (e.g. enterprise
safeguarding.
historians)
NOTE 1 For some, responsibility for
maintaining firewall rules and
documentation transfers to the asset
owner prior to or at Automation Solution
turnover. In this case, the service
provider’s role may be, as required by
the asset owner, only to support
verification that the firewall rules are
accurate and up-to-date.
NOTE 2 Depending on the
Automation Solution, Level 2/Level 3
interfaces may be “External” interface.

– 10 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.03.10 RE(2) Architecture Data protection Data/event Yes The service provider shall have the Having this capability means that the service provider
retention capability to provide documentation to has an identifiable process for documenting how the
the asset owner that describes the Automation Solution stores/archives sensitive data,
retention capabilities provided by the such as historical data and events. This may include
Automation Solution for internal capabilities of the Automation Solution (e.g.
storing/archiving sensitive data. This data volumes/capacities) or may identify capabilities
documentation includes capacities, required to export historical data/events to a history
pruning and purging functions, retention archive. Historical data and events can be used during
timeouts, etc. forensics and event analysis and correlation.

Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.02 BR SIS Network design Communications No The service provider shall have the The capability specified by this BR is used to ensure
capability to ensure that SIS safety that SIS communications critical to safety functions
communications SIS safety cannot be affected by other communications of the
functions are protected from the Automation Solution.
BPCS or any other Automation
Having this capability means that the service provider
Solution communications.
is able to protect or isolate SIS communications critical
NOTE This requirement does not to safety functions from other Automation Solution
require that communications not traffic (see IEC 61508, for example, through the
critical to safety functions between physical separation of BPCS communications and the
the SIS and the BPCS (e.g. SIS. In this example, firewalls and non-routable
configuration downloads, status interfaces between the BPCS and SIS could be used to
monitoring, logging) be shielded enforce this separation.
from other Automation Solution
Having this capability also means the service provider
communications.
can demonstrate that the countermeasures taken to
isolate functional safety communications do not impact
the performance or operation of communications
critical to safety.
Risk assessments, zones (network segments), and
conduits (connections between network segments), as
described in IEC 62443-3-2, can be used in the
definition of requirements.
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.03 BR SIS Network design Communications No The service provider shall have the The capability specified by this BR is used to ensure
capability to ensure that that the operation of the SIS cannot be impacted by
communications external to the communications of devices/applications external to the
Automation Solution, including Automation Solution.
remote access communications, are
SP.05.02 BR requires capabilities to protect SIS
not able to interfere with the
communications from other Automation Solution
operation of the SIS.
communications, while this requirement requires
capabilities to protect the operation of the SIS from
communications external to the Automation Solution.
Having this capability means that the service provider
has an identifiable process for ensuring that the
operation of the SIS cannot be affected by
communications of external applications, including
remote access communications such as RDP.

– 12 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.04 BR SIS Network design Communications No The service provider shall have the The capability specified by this BR is used to ensure that the
capability to ensure that SIS cannot be impacted by devices/applications external to
applications, (e.g. control system the SIS.
applications) external to the SIS are
SP.05.03 BR requires capabilities to protect the SIS from
not able to participate in or disrupt
communications external to the Automation Solution, while
or otherwise interfere with SIS
this requirement requires capabilities to protect SIS
communications that are critical to
communications from interference by applications external to
safety functions.
the SIS.
Having this capability means that the service provider has an
identifiable process for ensuring that there are no
communications critical to safety functions (e.g. data and/or
commands) transferred between the SIS and applications
residing external to the SIS. This requirement is intended to
prevent the SIS functions critical to safety operations from
being compromised by traffic originating from sources outside
the SIS.
Change the text in in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.05 BR SIS Devices - Communications No The service provider shall have the The capability specified by this BR is used to employ
capability to ensure that SIS EWSs safeguards, such as network security devices, to
Workstations
that reside outside the SIS (external ensure that only authorized communications from Level
to SIS interface with the control 3 applications to SIS engineering workstations residing
system) cannot be compromised by outside the SIS are permitted. Access from Level 3
communications from Level 3 or applications to SIS engineering workstations that
above. reside within the SIS is prohibited by SP.05.03 BR.
NOTE The term "Level" refers to Having this capability means that the service provider
the position in the Purdue has an identifiable process for ensuring that all
Reference Model as standardized communications between the SIS engineering
by ISA 95 and IEC 62264-1 (see workstation and Level 3 (and above) applications pass
5.3). through a network security device, or equivalent
mechanism, that connects Level 2 and Level 3 (or
above).
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.05 RE(1) SIS Devices - Communications No The service provider shall have the The capability specified by this RE is defined to be able
Workstations capability to ensure that the to protect SIS engineering workstations that reside
Automation Solution's SIS EWSs inside the SIS from being exploited via remote access
that reside within the SIS (internal connections. See SP.05.05 BR that addresses access
to SIS interface with the control from Level 3 to SIS EWSs external to the SIS.
system) cannot be compromised by
Having this capability means that the service provider
remote access (e.g. RDP).
has an identifiable process for ensuring that SIS
engineering workstations within the SIS (1a) either do
not have remote access installed or (1b) have it
disabled (not accessible), and/or (2) have security
mechanisms that block remote access communications
with these workstations.
NOTE See IEC 62443-3-2 for guidance on what to
consider in such risk assessments from a cyber-
security perspective.
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
Devices - The service provider shall have the The capability specified by this BR is used to limit the
SP.05.06 BR SIS Connectivity No
Workstations capability to ensure that all access number of physical access paths to the SIS, and hence
to the Automation Solution's SIS reduce its attack surface.
from outside the SIS is mediated
Having this capability means that the service provider
and authorized at the interface to
has an identifiable process for ensuring that access
the SIS.
controls to the SIS are implemented at the interface to
the SIS, for example by a gateway used only to provide
access to the SIS from the BPCS. Implementation of
this gateway may be provided by the BPCS or the SIS.

– 14 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.07 BR SIS Devices - Least No The service provider shall have the The capability specified by this BR is used to reduce
Workstations functionality capability to ensure that SIS the possibility that the SIS EWS will contain T3 offline
functions performed by the software (see IEC 61508-3) that could intentionally or
Automation Solution's SIS EWS are inadvertently cause harm to the SIS.
protected from compromise by other
Having this capability means that the service provider
SIS EWS software.
has an identifiable process for ensuring that safety-
related software running in SIS EWSs is protected from
compromise from other software running in the SIS
EWS.
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.08 BR SIS Devices - Connectivity No The service provider shall have the The capability specified by this BR is used to prevent
Wireless capability to verify that attacks against the SIS by unauthorized wireless
unauthorized wireless devices are devices. Since wireless devices are not bounded by
not used as an integral part of SIS physical security perimeters nor by physical
safety functions. implementation, they can present a threat to the SIS.
Having this capability means that the service provider
has an identifiable process for verifying that wireless
device communications are not used as an integral part
of SIS safety functions when prohibited by the asset
owner. “Integral part” refers to communications that are
implemented and incorporated into SIS safety
functions. See SP.04.01 BR for requirements for the
general use of wireless technologies within the
Automation Solution.
© IEC 2017
Change the text in the “Requirement description” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.09 BR SIS User interface Configuration No The service provider shall have the The capabilities specified by this BR and its REs are used to
mode capability to ensure that SIS prevent configuration access to the SIS during normal
configuration mode can be enabled operation through a mechanism that requires the SIS to be
and disabled. While disabled, this unlocked to configure it, and locked at all other times.
interface shall prohibit the SIS from
Having this capability means that the service provider is able
being configured.
to ensure that the SIS can be locked to prevent configuration
NOTE This interface will typically changes from being made and unlocked to allow them to be
prevent configuration messages made. Locks can be physical key switches or software
from being delivered to the SIS. controlled locks, but however implemented they allow the SIS
to be locked to prevent inadvertent or malicious changes from
being made.
Change the text in the “Requirement description” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.05.09 RE(1) SIS User interface Configuration No The service provider shall have the The capability specified by this RE is defined to require
mode capability to provide a hardware intentional human intervention to enable configuration of the
implementation of the configuration SIS, such as holding a physical key open (unlocked) while
mode interface required by the configuration is being changed, for the purpose of
SP.05.09 BR and to ensure that this increasing confidence that inadvertent changes to the SIS
hardware implementation is capable configuration cannot occur.
of being physically locked while
Having this capability means that the service provider is able
configuration mode is disabled.
to ensure that the SIS has a hardware interface that can be
disabled to prevent configuration changes from being made.
The hardware interface, such as a physical key switch, when
physically locked (e.g. removing the key), configuration mode
is disabled.
– 16 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Doc?”, “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.08.04 BR Event Events - Alarms Robustness Yes The service provider shall have the The capability specified by this BR is used to document
management & Events capability to document the the limits of the Automation Solution’s ability to protect
Automation Solution’s ability to against denial of service during event storms. The
withstand the near-simultaneous characteristics of event storms (e.g. number of
occurrence of large numbers of events/second) are typically dependent on the number
events, typically referred to as of control and instrumentation devices in the
event storms. Automation Solution and the nature of the physical
process.
Having this capability means that the service provider
has an identifiable process for providing documentation
that describes the limits of the Automation Solution’s
ability to handle event storms. Robustness testing and
stress testing are often used to demonstrate this
assurance.
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.09.09 BR Account Passwords Shared No The service provider shall have the The capabilities specified by this BR and its RE are used to
management capability to ensure that accounts ensure that the use of shared passwords is managed.
whose passwords have been approved Without management of shared passwords, the asset owner
by the asset owner to be shared with may not be aware of or lose track of who has access to the
the service provider are securely Automation Solution.
documented and maintained.
Having this capability means that the service provider has an
identifiable process for documenting the list of accounts for
which passwords have been divulged to it by the asset owner
and protecting that list from unauthorized disclosure and
modification. The service provider is accountable and
responsible for maintaining a log of who has been given
passwords for these accounts, including its subcontractors,
consultants, and representatives.

© IEC 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.10.02 BR Malware Security tools Installation No The service provider shall have the The capabilities specified by this BR and its RE are
protection and software capability to ensure that: used to ensure that the Automation Solution is
protected against malware.
1) malware protection mechanisms
have been correctly
Having this capability means that the service provider
installed/updated and properly
has an identifiable process for applying and managing
configured in accordance with the
anti-malware software for Automation Solution
service provider's approved
platforms for which the service provider is responsible.
procedures,
This includes installing and updating anti-malware
2) malware definition files are installed software, keeping its malware definition files current,
within the time period agreed to with and maintaining its operational configuration settings.
the asset owner, The intent is to have anti-malware software with its
latest definition files, operational configuration, and
3) malware configurations are
software updates running on all relevant hardware
maintained and kept current.
platforms in the Automation Solution.
Having this capability also means that the service
provider has an identifiable process for coming to
agreement with the asset owner on the time period
between the release of the malware definition files and
their installation.
EXAMPLE 1: If anti-virus software is used, installation
of anti-virus definition files is performed within the
agreed-to time period.
EXAMPLE 2: If whitelisting software is used,
whitelisting configurations are kept current.
EXAMPLE 3: Keeping a log of the installation and
configuration activities, including updates to software
and malware definition files, is a way of demonstrating
this capability.
– 18 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.10.05 BR Malware Devices - All Sanitizing No The service provider shall have the The capability specified by this BR is used to ensure
protection capability to ensure that all devices, that devices with detectable infections are not installed
including workstations, supplied to the in the Automation Solution. The term “known malware”
Automation Solution by the service is used to indicate malware that has been previously
provider are free of known malware discovered and for which malware definition files have
prior to use in the Automation Solution. been developed and are available.
Having this capability means that the service provider
has an identifiable process for verifying/ensuring that
malware is not present in equipment provided by it to
the Automation Solution.
Verification can include checking the equipment for
malware, installing software to the equipment at the
site from malware-free media (see SP.10.05 RE(2)),
and/or ensuring the supply chain provides malware free
equipment (e.g. the control system vendor performs
malware scans prior to delivery). See ISO 27036 for
more information on supply chain security.

© IEC 2017
Change the text in the “Requirement description” and “Rationale” columns to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.10.05 RE(2) Malware Portable media Sanitizing No The service provider shall have the The capability specified by this RE is used to ensure
protection capability to ensure that all portable that portable media with detectable infections are not
media used in or connected to the used in the Automation Solution. The term “known
Automation Solution by the service malware” is used to indicate malware that has been
provider is free of known malware previously discovered and for which malware definition
prior to use in the files have been developed and are available.
Automation Solution.
Having this capability means that the service provider
has an identifiable process for procedures to prevent
infected portable devices from infecting the
Automation Solution. Types of portable media include
but are not limited to: installation media, CD / DVD/
Blu-ray Media, USB memory devices, smart phones,
flash memory, solid state disks, hard drives, and
portable computers.
See SP.07.XX for requirements associated with remote
connection to the Automation Solution.

– 20 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
Change the text in the “Rationale” column to:
Req ID BR/RE Functional Topic Subtopic Doc Requirement description Rationale
area ?
SP.11.06 RE(2) Patch Security patch Installation No The service provider shall have the The capability specified by this RE is used to ensure
management capability to ensure that, for devices that patches installed over the network are authentic
that support installation of and have not been corrupted prior to or during the
software/firmware over the network, the patching process.
update process ensures the authenticity
Having this capability means that the service provider
and integrity of the device
has an identifiable process for securely updating the
software/firmware.
software/firmware in devices. This includes allowing
only authorized users to perform updates, and also
ensuring that update images sent to devices are
authentic (not counterfeit or corrupted) and are
protected against corruption during the update process.
Patching may expose software images to the network.
See SP.03.10 BR and its REs for the safeguarding of
sensitive data.
See IEC 62443-3-3 and IEC 62443-4-2 for
requirements related to authentication, authorization,
integrity, and confidentiality.

___________
– 22 – IEC 62443-2-4:2015/AMD1:2017
© IEC 2017
AVANT-PROPOS
Le présent amendement a été établi par le comité d'études 65 de l’IEC: Mesure, commande et
automation dans les processus industriels.
La présente version bilingue (2019-02) correspond à la version anglaise monolingue publiée
en 2017-08.
Le texte anglais de cet amendement est issu des documents 65/637A/CDV et 65/661/RVC.
Le rapport de vote 65/661/RVC donne toute information sur le vote ayant abouti à
l'approbation de cette norme.
La version française de cet amendement n'a pas été soumise au vote.

IMPORTANT – Le logo «colour inside» qui se trouve sur la page de couverture de cette
publication indique qu'elle contient des couleurs qui sont considérées comme utiles à
une bonne compréhension de son contenu. Les utilisateurs devraient, par conséquent,
imprimer ce document en utilisant une imprimante couleur.

_____________
1 Domaine d’application
Remplacer le premier alinéa par le nouveau texte suivant:
La présente partie de l'IEC 62443 spécifie un ensemble exhaustif d’exigences de capacités de
sécurité pour les fournisseurs de service IACS qu’ils peuvent proposer au propriétaire d'actif
pendant les activités d'intégration et de maintenance d'une Solution d’Automatisation.
Puisque toutes les exigences ne s’appliquent pas à tous les groupes et organismes industriels,
le paragraphe 4.1.4 prévoit le développement de Profils permettant la création de sous-
ensembles de ces exigences. Les profils sont utilisés afin d’adapter le présent document aux
environnements spécifiques, y compris les environnements ne se basant pas sur un IACS.
Supprimer la Note 4 et renuméroter la Note 5 en «Note 4».

3.1.14
système équipé pour la sécurité
Ajouter la Note 2 à l’article suivante:
Note 2 à l’article: Tous les secteurs de l’industrie n’utilisent pas ce terme. Il n’est pas restreint à un secteur
industriel spécifique et est utilisé de façon générique pour désigner les systèmes qui renforcent la sécurité
fonctionnelle. «Systèmes de sécurité» et «systèmes relatifs à la sécurité» sont des termes équivalents.

IEC 62443-2-4:2015/AMD 1:2017 – 23 –
© IEC 2017
4.1.4 Profils
Remplacer le texte existant par ce qui suit:
Le présent document reconnaît que toutes les exigences de l’An
...