IEC TR 62443-3-1:2009

IEC/TR 62443-3-1 ®
Edition 1.0 2009-07
TECHNICAL
REPORT
colour
inside
Industrial communication networks – Network and system security –
Part 3-1: Security technologies for industrial automation and control systems

IEC/TR 6244-3-1:2009(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: 0Hinmail@iec.ch
Web: 1Hwww.iec.ch
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: 2Hwww.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: 3Hwww.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: 4Hwww.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: 5Hwww.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: 6Hcsc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC/TR 62443-3-1 ®
Edition 1.0 2009-07
TECHNICAL
REPORT
colour
inside
Industrial communication networks – Network and system security –
Part 3 1: Security technologies for industrial automation and control systems

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XD
ICS 25.040.40; 33.040.040; 35.040 ISBN 978-2-88910-711-7
– 2 – TR 62443-3-1 © IEC:2009(E)
CONTENTS
FOREWORD.139H8
INTRODUCTION.140H10
1 Scope.141H12
2 Normative references.142H13
3 Terms, definitions and acronyms.143H13
3.1 Terms and definitions .144H13
3.2 Acronyms .145H20
4 Overview .146H21
5 Authentication and authorization technologies .147H22
5.1 General .148H22
5.2 Role-based authorization tools .149H23
5.2.1 Overview .150H23
5.2.2 Security vulnerabilities addressed by this technology.151H23
5.2.3 Typical deployment .152H24
5.2.4 Known issues and weaknesses .153H24
5.2.5 Assessment of use in the industrial automation and control systems
environment.154H25
5.2.6 Future directions.155H25
5.2.7 Recommendations and guidance.156H25
5.2.8 Information sources and reference material.157H25
5.3 Password authentication .158H25
5.3.1 Overview .159H25
5.3.2 Security vulnerabilities addressed by this technology.160H26
5.3.3 Typical deployment .161H26
5.3.4 Known issues and weaknesses .162H26
5.3.5 Assessment of use in the industrial automation and control systems
environment.163H27
5.3.6 Future directions.164H27
5.3.7 Recommendations and guidance.165H28
5.3.8 Information sources and reference material.166H28
5.4 Challenge/response authentication .167H29
5.4.1 Overview .168H29
5.4.2 Security vulnerabilities addressed by this technology.169H29
5.4.3 Typical deployment .170H29
5.4.4 Known issues and weaknesses .171H29
5.4.5 Assessment of use in the industrial automation and control systems
environment.172H30
5.4.6 Future directions.173H30
5.4.7 Recommendations and guidance.174H30
5.4.8 Information sources and reference material.175H30
5.5 Physical/token authentication.176H30
5.5.1 Overview .177H30
5.5.2 Security vulnerabilities addressed by this technology.178H30
5.5.3 Typical deployment .179H31
5.5.4 Known issues and weaknesses .180H31
5.5.5 Assessment of use in the industrial automation and control systems
environment.181H31

TR 62443-3-1 © IEC:2009(E) – 3 –
5.5.6 Future directions.182H31
5.5.7 Recommendations and guidance.183H31
5.5.8 Information sources and reference material.184H32
5.6 Smart card authentication .185H32
5.6.1 Overview .186H32
5.6.2 Security vulnerabilities addressed by this technology.187H32
5.6.3 Typical deployment .188H32
5.6.4 Known issues and weaknesses .189H33
5.6.5 Assessment of use in the industrial automation and control systems
environment.190H33
5.6.6 Future directions.191H33
5.6.7 Recommendations and guidance.192H33
5.6.8 Information sources and reference material.193H34
5.7 Biometric authentication.194H34
5.7.1 Overview .195H34
5.7.2 Security vulnerabilities addressed by this technology.196H34
5.7.3 Typical deployment .197H34
5.7.4 Known issues and weaknesses .198H34
5.7.5 Assessment of use in the industrial automation and control systems
environment.199H35
5.7.6 Future directions.200H35
5.7.7 Recommendations and guidance.201H35
5.7.8 Information sources and reference material.202H35
5.8 Location-based authentication .203H35
5.8.1 Overview .204H35
5.8.2 Security vulnerabilities addressed by this technology.205H36
5.8.3 Typical deployment .206H36
5.8.4 Known issues and weaknesses .207H36
5.8.5 Assessment of use in the industrial automation and control systems
environment.208H36
5.8.6 Future directions.209H37
5.8.7 Recommendations and guidance.210H37
5.8.8 Information sources and reference material.211H37
5.9 Password distribution and management technologies.212H37
5.9.1 Overview .213H37
5.9.2 Security vulnerabilities addressed by this technology.214H37
5.9.3 Typical deployment .215H37
5.9.4 Known issues and weaknesses .216H37
5.9.5 Assessment of use in the industrial automation and control systems
environment.217H38
5.9.6 Future directions.218H38
5.9.7 Recommendations and guidance.219H39
5.9.8 Information sources and reference material.220H39
5.10 Device-to-device authentication .221H39
5.10.1 Overview .222H39
5.10.2 Security vulnerabilities addressed by this technology.223H40
5.10.3 Typical deployment .224H40
5.10.4 Known issues and weaknesses .225H40
5.10.5 Assessment of use in the industrial automation and control systems
environment.226H40

– 4 – TR 62443-3-1 © IEC:2009(E)
5.10.6 Future directions.227H41
5.10.7 Recommendations and guidance.228H41
5.10.8 Information sources and reference material.229H41
6 Filtering/blocking/access control technologies .230H41
6.1 General .231H41
6.2 Network firewalls .232H41
6.2.1 Overview .233H41
6.2.2 Security vulnerabilities addressed by this technology.234H42
6.2.3 Typical deployment .235H43
6.2.4 Known issues and weaknesses .236H43
6.2.5 Assessment of use in the industrial automation and control systems
environment.237H43
6.2.6 Future directions.238H44
6.2.7 Recommendations and guidance.239H44
6.2.8 Information sources and reference material.240H44
6.3 Host-based firewalls .241H45
6.3.1 Overview .242H45
6.3.2 Security vulnerabilities addressed by this technology.243H45
6.3.3 Typical deployment .244H45
6.3.4 Known issues and weaknesses .245H46
6.3.5 Assessment of use in the industrial automation and control systems
environment.246H46
6.3.6 Future directions.247H46
6.3.7 Recommendations and guidance.248H46
6.3.8 Information sources and reference material.249H47
6.4 Virtual Networks .250H47
6.4.1 Overview .251H47
6.4.2 Security vulnerabilities addressed by this technology.252H48
6.4.3 Known issues and weaknesses .253H48
6.4.4 Assessment of use in the industrial automation and control systems
environment.254H48
6.4.5 Future directions.255H48
6.4.6 Recommendations and guidance.256H48
6.4.7 Information sources and reference material.257H49
7 Encryption technologies and data validation .258H49
7.1 General .259H49
7.2 Symmetric (secret) key encryption .260H49
7.2.1 Overview .261H49
7.2.2 Security vulnerabilities addressed by this technology.262H50
7.2.3 Typical deployment .263H50
7.2.4 Known issues and weaknesses .264H51
7.2.5 Assessment of use in the industrial automation and control systems
environment.265H51
7.2.6 Future directions.266H51
7.2.7 Recommendations and guidance.267H52
7.2.8 Information sources and reference material.268H52
7.3 Public key encryption and key distribution .269H53
7.3.1 Overview .270H53
7.3.2 Security vulnerabilities addressed by this technology.271H53
7.3.3 Typical deployment .272H54

TR 62443-3-1 © IEC:2009(E) – 5 –
7.3.4 Known issues and weaknesses .273H54
7.3.5 Assessment of use in the industrial automation and control systems
environment.274H54
7.3.6 Future directions.275H55
7.3.7 Problems of encryption usage .276H55
7.3.8 Information sources and reference material.277H56
7.4 Virtual private networks (VPNs) .278H56
7.4.1 Overview .279H56
7.4.2 Security vulnerabilities addressed by this technology.280H56
7.4.3 Typical deployment .281H57
7.4.4 Known issues and weaknesses .282H59
7.4.5 Assessment of use in the industrial automation and control systems
environment.283H59
7.4.6 Future directions.284H60
7.4.7 Recommendations and guidance.285H60
7.4.8 Information sources and reference material.286H60
8 Management, audit, measurement, monitoring, and detection tools .287H60
8.1 General .288H60
8.2 Log auditing utilities .289H60
8.2.1 Overview .290H60
8.2.2 Security vulnerabilities addressed by this technology.291H61
8.2.3 Typical deployment .292H62
8.2.4 Known issues and weaknesses .293H62
8.2.5 Assessment of use in the industrial automation and control systems
environment.294H62
8.2.6 Future directions.295H62
8.2.7 Recommendations and guidance.296H63
8.2.8 Information sources and reference material.297H63
8.3 Virus and malicious code detection systems.298H63
8.3.1 Security vulnerabilities addressed by this technology.299H64
8.3.2 Typical deployment .300H64
8.3.3 Known issues and weaknesses .301H64
8.3.4 Assessment of use in the industrial automation and control systems
environment.302H64
8.3.5 Cost range.303H65
8.3.6 Future directions.304H65
8.3.7 Recommendations and guidance.305H65
8.3.8 Information sources and reference material.306H65
8.4 Intrusion detection systems (IDS).307H65
8.4.1 Overview .308H65
8.4.2 Security vulnerabilities addressed by this technology.309H66
8.4.3 Typical deployment .310H66
8.4.4 Known issues and weaknesses .311H66
8.4.5 Assessment of use in the industrial automation and control systems
environment.312H67
8.4.6 Future directions.313H68
8.4.7 Recommendations and guidance.314H68
8.4.8 Information sources and reference material.315H68
8.5 Vulnerability scanners.316H68
8.5.1 Overview .317H68

– 6 – TR 62443-3-1 © IEC:2009(E)
8.5.2 Security vulnerabilities addressed by this technology.318H69
8.5.3 Typical deployment .319H70
8.5.4 Known issues and weaknesses .320H70
8.5.5 Assessment of use in the industrial automation and control systems
environment.321H70
8.5.6 Future directions.322H71
8.5.7 Recommendations and guidance.323H71
8.5.8 Information sources and reference material.324H71
8.6 Forensics and analysis tools (FAT) .325H71
8.6.1 Overview .326H71
8.6.2 Security vulnerabilities addressed by this technology.327H72
8.6.3 Typical deployment .328H72
8.6.4 Known issues and weaknesses .329H72
8.6.5 Assessment of use in the industrial automation and control systems
environment.330H73
8.6.6 Future directions.331H73
8.6.7 Recommendations and guidance.332H73
8.6.8 Information sources and reference material.333H74
8.7 Host configuration management tools (HCM) .334H74
8.7.1 Overview .335H74
8.7.2 Security vulnerabilities addressed by this technology.336H74
8.7.3 Typical deployment .337H74
8.7.4 Known issues and weaknesses .338H75
8.7.5 Assessment of use in the industrial automation and control systems
environment.339H75
8.7.6 Future directions.340H75
8.7.7 Recommendations and guidance.341H75
8.7.8 Information sources and reference material.342H76
8.8 Automated software management tools (ASM) .343H76
8.8.1 Overview .344H76
8.8.2 Security vulnerabilities addressed by this technology.345H76
8.8.3 Typical deployment .346H77
8.8.4 Known issues and weaknesses .347H77
8.8.5 Assessment of use in the industrial automation and control systems
environment.348H77
8.8.6 Future directions.349H78
8.8.7 Recommendations and guidance.350H78
8.8.8 Information sources and reference material.351H78
9 Industrial automation and control systems computer software.352H78
9.1 General .353H78
9.2 Server and workstation operating systems .354H79
9.2.1 Overview .355H79
9.2.2 Security vulnerabilities addressed by this technology.356H79
9.2.3 Typical deployment .357H79
9.2.4 Known issues and weaknesses .358H79
9.2.5 Assessment of use in the industrial automation and control systems
environment.359H79
9.2.6 Future directions.360H80
9.2.7 Recommendations and guidance.361H80
9.2.8 Information sources and reference material.362H80

TR 62443-3-1 © IEC:2009(E) – 7 –
9.3 Real-time and embedded operating systems .363H81
9.3.1 Overview .364H81
9.3.2 Security vulnerabilities addressed by this technology.365H81
9.3.3 Typical deployment .366H81
9.3.4 Known issues and weaknesses .367H81
9.3.5 Assessment of use in the industrial automation and control systems
environment.368H82
9.3.6 Future directions.369H82
9.3.7 Recommendations and guidance.370H82
9.3.8 Information sources and reference material.371H82
9.4 Web technologies .372H83
9.4.1 Overview .373H83
9.4.2 Security vulnerabilities addressed by this technology.374H83
9.4.3 Typical deployment .375H83
9.4.4 Known issues and weaknesses .376H83
9.4.5 Assessment of use in the industrial automation and control systems
environment.377H83
9.4.6 Future directions.378H83
9.4.7 Recommendations and guidance.379H83
9.4.8 Information sources and reference material.380H84
10 Physical security controls.381H84
10.1 General .382H84
10.2 Physical protection .383H85
10.2.1 Security vulnerabilities addressed by this technology.384H85
10.2.2 Typical deployment .385H85
10.2.3 Known issues and weaknesses .386H86
10.2.4 Assessment of use in the industrial automation and control systems
environment.387H86
10.2.5 Future directions.388H87
10.2.6 Recommendations and guidance.389H87
10.2.7 Information sources and reference material.390H87
10.3 Personnel security .391H88
10.3.1 Overview .392H88
10.3.2 Security vulnerabilities addressed by this technology.393H88
10.3.3 Typical deployment .394H89
10.3.4 Known issues and weaknesses .395H89
10.3.5 Assessment of use in the industrial automation and control systems
environment.396H90
10.3.6 Future directions.397H90
10.3.7 Recommendations and guidance.398H90
10.3.8 Information sources and reference material.399H91
Annex A (informative) Trade name declarations.400H92
Bibliography .401H96

Figure 1 – Firewall zone separation .402H42
Figure 2 – Security gateway to security gateway VPN .403H57
Figure 3 – Host to security gateway VPN .404H57
Figure 4 – Host to host gateway VPN .405H58

– 8 – TR 62443-3-1 © IEC:2009(E)

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
NETWORK AND SYSTEM SECURITY –
Part 3-1: Security technologies for industrial automation
and control systems
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a technical report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example “state of the art”.
IEC 62443-3-1, which is a technical report, has been prepared by IEC technical committee 65:
Industrial-process measurement, control and automation.
This technical report is closely related to ANSI/ISA-TR99.03.01-2007.

TR 62443-3-1 © IEC:2009(E) – 9 –
The text of this technical report is based on the following documents:
Enquiry draft Report on voting
65/424/DTR 65/431A/RVC
Full information on the voting for the approval of this technical report can be found in the report
on voting indicated in the above table.
This publication has been drafted in accordance with ISO/IEC Directives, Part 2.
A list of all parts of IEC 62443 series, published under the general title Industrial
communication networks – Network and system security, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until the
maintenance result date indicated on the IEC web site under http://webstore.iec.ch in the data
related to the specific publication. At this date, the publication will be:
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
NOTE The revision of this technical report will be synchronized with the other parts of the IEC 62443 series.

IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.

– 10 – TR 62443-3-1 © IEC:2009(E)
INTRODUCTION
The need for protecting Industrial Automation and Control System (IACS) computer
environments from malicious cyberintrusions has grown significantly over the last decade. The
combination of the increased use of open systems, platforms, and protocols in the IACS
environment, along with an increase in joint ventures, alliance partners and outsourcing, has
lead to increased threats and a higher probability of cyberattacks. As these threats and
vulnerabilities increase, the risk of a cyberattack on an industrial communication network
correspondingly increases, as well as the need for protection of computer and networked-
based information sharing and analysis centres. Additionally, the growth in intelligent
equipment and embedded systems; increased connectivity to computer and networked
equipment and software; and enhanced external connectivity coupled with rapidly increasing
incidents of network intrusion, more intelligent hackers, and malicious yet easily accessible
software, all add to the risk as well.
There are numerous electronic security technologies and cyberintrusion countermeasures
potentially available to the IACS environment. This technical report addresses several
categories of cybersecurity technologies and countermeasure techniques and discusses
specific types of applications within each category, the vulnerabilities addressed by each type,
suggestions for their deployment, and their known strengths and weaknesses. Additionally,
guidance is provided for using the various categories of security technologies and
countermeasure techniques for mitigation of the above-mentioned increased risks.
This technical report does not make recommendations of one cybersecurity technology or
mitigation method over others, but provides suggestions and guidance for using the
technologies and methods, as well as information to consider when developing a site or
corporate cybersecurity policy, program and procedures for the IACS environment.
The responsible standards development working group intends to update this technical report
periodically to reflect new information, cybersecurity technologies, countermeasures, and
cyberrisk mitigation methods. The committee cautions the reader that following the
recommended guidance in this report will not necessarily ensure that optimized cybersecurity is
attained for the reader’s industrial automation or control systems environment. It will, however,
help to identify and address vulnerabilities, and to reduce the risk of undesired cyberintrusions
that could compromise confidential information or, even worse, cause human and
environmental harm, as well as disruption or failure of the industrial network or control systems
and the industry and infrastructure critical assets they monitor and regulate.
This technical report provides an evaluation and assessment of many current types of
electronic-based cybersecurity technologies, mitigation methods and tools that may apply to
protecting the IACS environment from detrimental cyberintrusions and attacks. For the various
technologies, methods and tools introduced in this report, a d
...