kSIST-TS CLC IEC/FprTS 62443-6-1:2024

SLOVENSKI STANDARD
01-oktober-2024
Zaščita industrijske avtomatizacije in nadzornih sistemov - 1-6. del: Metodologija
ocenjevanja varnosti za IEC 62443-2-4
Security for industrial automation and control systems - Part 6-1: Security evaluation
methodology for IEC 62443-2-4
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 6-1: Security-
Evaluierungsmethodik für IEC 62443-2-4
Sécurité des automatismes industriels et des systèmes de commande - Partie 6-1:
Méthodologie d'évaluation de la sécurité pour la IEC 62443-2-4
Ta slovenski standard je istoveten z: CLC IEC/FprTS 62443-6-1:2024
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
kSIST-TS CLC IEC/FprTS 62443-6- en,fr,de
1:2024
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION FINAL DRAFT
CLC IEC/FprTS 62443-6-1
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
August 2024
ICS 25.040.40 -
English Version
Security for industrial automation and control systems - Part 6-1:
Security evaluation methodology for IEC 62443-2-4
(IEC/TS 62443-6-1:2024)
Sécurité des automatismes industriels et des systèmes de IT-Sicherheit für industrielle Automatisierungssysteme - Teil
commande - Partie 6-1: Méthodologie d'évaluation de la 6-1: Security-Evaluierungsmethodik für IEC 62443-2-4
sécurité pour la IEC 62443-2-4 (IEC/TS 62443-6-1:2024)
(IEC/TS 62443-6-1:2024)
This draft Technical Specification is submitted to CENELEC members for vote by correspondence.
Deadline for CENELEC: 2024-11-01.

The text of this draft consists of the text of IEC/TS 62443-6-1:2024 (65/1030/DTS).

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.

Warning : This document is not a Technical Specification. It is distributed for review and comments. It is subject to change without notice
and shall not be referred to a Technical Specification.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Project: 79829 Ref. No. CLC IEC/FprTS 62443-6-1:2024 E

European foreword
This document (CLC IEC/FprTS 62443-6-1:2024) consists of the text of document
IEC/TS 62443-6-1:2024, prepared by IEC/TC 65 “Industrial-process measurement, control and
automation".
This document is currently submitted to voting in accordance with the Internal Regulations, Part 2,
Subclause 11.3.3 for acceptance as a CENELEC Technical Specification.
The following date is proposed:
• latest date by which the existence of (doa) dor + 6 months
this document has to be announced at
national level
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication Year Title EN/HD Year
IEC 62443-2-4 2015 Security for industrial automation and control EN 62443-2-4 2019
systems – Part 2-4: Security program
requirements for IACS service providers
+ A1 2017 + A1 2019
IEC TS 62443-6-1 ®
Edition 1.0 2024-03
TECHNICAL
SPECIFICATION
Security for industrial automation and control systems –

Part 6-1: Security evaluation methodology for IEC 62443-2-4

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40  ISBN 978-2-8322-8328-8

– 2 – IEC TS 62443-6-1:2024 © IEC 2024
CONTENTS
FOREWORD . 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 6
3 Terms, definitions and abbreviated terms . 6
3.1 Terms and definitions. 6
3.2 Abbreviated terms . 8
4 Overview . 9
5 Methodology for the evaluation . 9
5.1 Scoping of the subject under evaluation (SuE) . 9
5.2 Content of conformity statements and conformance evidence . 9
5.3 Evaluation of conformity statement and conformance evidence . 10
5.4 Particular requirements for evaluations related to ML-4. 10
6 Table used for evaluation . 10
6.1 Overview . 10
6.2 Evaluation criteria . 11
6.3 Conformance evidence related to maturity level ML-1 . 11
6.4 Conformance evidence related to maturity level ML-2 . 11
6.5 Conformance evidence related to maturity level ML-3 . 11
6.6 Conformance evidence related to maturity level ML-4 . 12
6.7 Overview of evaluation criteria and examples of conformance evidence
(Table 1) . 13
Annex A (informative) Legend for maturity levels . 131
Bibliography . 132

Table 1 – Overview of evaluation criteria and examples of conformance evidence . 13

IEC TS 62443-6-1:2024 © IEC 2024 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 6-1: Security evaluation methodology for IEC 62443-2-4

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
IEC TS 62443-6-1 has been prepared by IEC technical committee TC 65: Industrial-process
measurement, control and automation. It is a Technical Specification.
The text of this Technical Specification is based on the following documents:
Draft Report on voting
65/1030/DTS 65/1042A/RVDTS
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Specification is English.

– 4 – IEC TS 62443-6-1:2024 © IEC 2024
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at https://www.iec.ch/members_experts/refdocs. The main document types developed by IEC
are described in greater detail at https://www.iec.ch/standardsdev/publications.
A list of all parts in the IEC 62443 series, published under the general title Security for industrial
automation and control systems, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn, or
• revised.
IMPORTANT – The "colour inside" logo on the cover page of this document indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this document using a colour printer.

IEC TS 62443-6-1:2024 © IEC 2024 – 5 –
INTRODUCTION
Repeatable and comparable evaluations of the security program according to IEC 62443-2-4
require a common understanding for acceptable evaluation criteria and conformance evidence.
This document supports service providers and evaluators to do a conformity assessment by
evaluating the security program against the requirements of IEC 62443-2-4.
This document specifies the evaluation methodology to s
...