IEC 62443-3-3 Edition 1.0 2013-08 INTERNATIONAL STANDARD NORME INTERNATIONALE I

IEC 62443-3-3 Edition 1.0 2013-08 INTERNATIONAL STANDARD NORME INTERNATIONALE Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels Réseaux industriels de communication – Sécurité dans les réseaux et les systèmes – Partie 3-3: Exigences de sécurité des systèmes et niveaux de sécurité INTERNATIONAL ELECTROTECHNICAL COMMISSION COMMISSION ELECTROTECHNIQUE INTERNATIONALE ICS 25.040.40; 35.110 ISBN 978-2-8322-6422-5 ® Registered trademark of the International Electrotechnical Commission Marque déposée de la Commission Electrotechnique Internationale ® Warning! Make sure that you obtained this publication from an authorized distributor. Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé. colour inside This is a preview - click here to buy the full publication – 2 – IEC 62443-3-3:2013 © IEC 2013 CONTENTS FOREWORD ......................................................................................................................... 9 0 Introduction ................................................................................................................. 11 0.1 Overview............................................................................................................. 11 0.2 Purpose and intended audience ........................................................................... 12 0.3 Usage within other parts of the IEC 62443 series ................................................. 12 Scope ................................................................................................................................. 14 Normative references .......................................................................................................... 14 Terms, definitions, abbreviated terms, acronyms, and conventions ...................................... 14 3.1 Terms and definitions .......................................................................................... 14 3.2 Abbreviated terms and acronyms ......................................................................... 20 3.3 Conventions ........................................................................................................ 22 Common control system security constraints ....................................................................... 22 4.1 Overview............................................................................................................. 22 4.2 Support of essential functions .............................................................................. 23 4.3 Compensating countermeasures .......................................................................... 23 4.4 Least privilege .................................................................................................... 24 FR 1 – Identification and authentication control ................................................................... 24 5.1 Purpose and SL-C(IAC) descriptions.................................................................... 24 5.2 Rationale ............................................................................................................ 24 5.3 SR 1.1 – Human user identification and authentication ......................................... 24 5.3.1 Requirement ................................................................................................ 24 5.3.2 Rationale and supplemental guidance .......................................................... 24 5.3.3 Requirement enhancements ......................................................................... 25 5.3.4 Security levels ............................................................................................. 25 5.4 SR 1.2 – Software process and device identification and authentication ............... 26 5.4.1 Requirement ................................................................................................ 26 5.4.2 Rationale and supplemental guidance .......................................................... 26 5.4.3 Requirement enhancements ......................................................................... 26 5.4.4 Security levels ............................................................................................. 27 5.5 SR 1.3 – Account management............................................................................ 27 5.5.1 Requirement ................................................................................................ 27 5.5.2 Rationale and supplemental guidance .......................................................... 27 5.5.3 Requirement enhancements ......................................................................... 27 5.5.4 Security levels ............................................................................................. 27 5.6 SR 1.4 – Identifier management .......................................................................... 28 5.6.1 Requirement ................................................................................................ 28 5.6.2 Rationale and supplemental guidance .......................................................... 28 5.6.3 Requirement enhancements ......................................................................... 28 5.6.4 Security levels ............................................................................................. 28 5.7 SR 1.5 – Authenticator management .................................................................... 28 5.7.1 Requirement ................................................................................................ 28 5.7.2 Rationale and supplemental guidance .......................................................... 28 5.7.3 Requirement enhancements ......................................................................... 29 5.7.4 Security levels ............................................................................................. 29 5.8 SR 1.6 – Wireless access management ............................................................... 30 5.8.1 Requirement ................................................................................................ 30 This is a preview - click here to buy the full publication IEC 62443-3-3:2013 © IEC 2013 – 3 – 5.8.1 Requirement .................................................................................................. 30 5.8.2 Rationale and supplemental guidance............................................................ 30 5.8.3 Requirement enhancements .......................................................................... 30 5.8.4 Security levels ............................................................................................... 30 5.9 SR 1.7 – Strength of password-based authentication ............................................ 30 5.9.1 Requirement .................................................................................................. 30 5.9.2 Rationale and supplemental guidance............................................................ 30 5.9.3 Requirement enhancements .......................................................................... 31 5.9.4 Security levels ............................................................................................... 31 5.10 SR 1.8 – Public key infrastructure (PKI) certificates .............................................. 31 5.10.1 Requirement .................................................................................................. 31 5.10.2 Rationale and supplemental guidance............................................................ 31 5.10.3 Requirement enhancements .......................................................................... 32 5.10.4 Security levels ............................................................................................... 32 5.11 SR 1.9 – Strength of public key authentication ...................................................... 32 5.11.1 Requirement .................................................................................................. 32 5.11.2 Rationale and supplemental guidance............................................................ 32 5.11.3 Requirement enhancements .......................................................................... 33 5.11.4 Security levels ............................................................................................... 33 5.12 SR 1.10 – Authenticator feedback ......................................................................... 33 5.12.1 Requirement .................................................................................................. 33 5.12.2 Rationale and supplemental guidance............................................................ 33 5.12.3 Requirement enhancements .......................................................................... 33 5.12.4 Security levels ............................................................................................... 33 5.13 SR 1.11 – Unsuccessful login attempts ................................................................. 34 5.13.1 Requirement .................................................................................................. 34 5.13.2 Rationale and supplemental guidance............................................................ 34 5.13.3 Requirement enhancements .......................................................................... 34 5.13.4 Security levels ............................................................................................... 34 5.14 SR 1.12 – System use notification ......................................................................... 34 5.14.1 Requirement .................................................................................................. 34 5.14.2 Rationale and supplemental guidance............................................................ 34 5.14.3 Requirement enhancements .......................................................................... 35 5.14.4 Security levels ............................................................................................... 35 5.15 SR 1.13 – Access via untrusted networks ............................................................. 35 5.15.1 Requirement .................................................................................................. 35 5.15.2 Rationale and supplemental guidance............................................................ 35 5.15.3 Requirement enhancements .......................................................................... 35 5.15.4 Security levels ............................................................................................... 35 6 FR 2 – Use control......................................................................................................... 36 6.1 Purpose and SL-C(UC) descriptions ...................................................................... 36 6.2 Rationale .............................................................................................................. 36 6.3 SR 2.1 – Authorization enforcement ...................................................................... 36 6.3.1 Requirement .................................................................................................. 36 6.3.2 Rationale and supplemental guidance............................................................ 36 6.3.3 Requirement enhancements .......................................................................... 37 6.3.4 Security levels ............................................................................................... 37 6.4 SR 2.2 – Wireless use control ............................................................................... 37 6.4.1 Requirement .................................................................................................. 37 This is a preview - click here to buy the full publication – 4 – IEC 62443-3-3:2013 © IEC 2013 6.4.2 Rationale and supplemental guidance............................................................ 38 6.4.3 Requirement enhancements .......................................................................... 38 6.4.4 Security levels ............................................................................................... 38 6.5 SR 2.3 – Use control for portable and mobile devices ........................................... 38 6.5.1 Requirement .................................................................................................. 38 6.5.2 Rationale and supplemental guidance............................................................ 38 6.5.3 Requirement enhancements .......................................................................... 39 6.5.4 Security levels ............................................................................................... 39 6.6 SR 2.4 – Mobile code ............................................................................................ 39 6.6.1 Requirement .................................................................................................. 39 6.6.2 Rationale and supplemental guidance............................................................ 39 6.6.3 Requirement enhancements .......................................................................... 39 6.6.4 Security levels ............................................................................................... 39 6.7 SR 2.5 – Session lock ........................................................................................... 40 6.7.1 Requirement .................................................................................................. 40 6.7.2 Rationale and supplemental guidance............................................................ 40 6.7.3 Requirement enhancements .......................................................................... 40 6.7.4 Security levels ............................................................................................... 40 6.8 SR 2.6 – Remote session termination ................................................................... 40 6.8.1 Requirement .................................................................................................. 40 6.8.2 Rationale and supplemental guidance............................................................ 40 6.8.3 Requirement enhancements .......................................................................... 40 6.8.4 Security levels ............................................................................................... 41 6.9 SR 2.7 – Concurrent session control ..................................................................... 41 6.9.1 Requirement .................................................................................................. 41 6.9.2 Rationale and supplemental guidance............................................................ 41 6.9.3 Requirement enhancements .......................................................................... 41 6.9.4 Security levels ............................................................................................... 41 6.10 SR 2.8 – Auditable events ..................................................................................... 41 6.10.1 Requirement .................................................................................................. 41 6.10.2 Rationale and supplemental guidance............................................................ 41 6.10.3 Requirement enhancements .......................................................................... 42 6.10.4 Security levels ............................................................................................... 42 6.11 SR 2.9 – Audit storage capacity ............................................................................ 42 6.11.1 Requirement .................................................................................................. 42 6.11.2 Rationale and supplemental guidance............................................................ 42 6.11.3 Requirement enhancements .......................................................................... 42 6.11.4 Security levels ............................................................................................... 43 6.12 SR 2.10 – Response to audit processing failures .................................................. 43 6.12.1 Requirement .................................................................................................. 43 6.12.2 Rationale and supplemental guidance............................................................ 43 6.12.3 Requirement enhancements .......................................................................... 43 6.12.4 Security levels ............................................................................................... 43 6.13 SR 2.11 – Timestamps .......................................................................................... 43 6.13.1 Requirement .................................................................................................. 43 6.13.2 Rationale and supplemental guidance............................................................ 43 6.13.3 Requirement enhancements .......................................................................... 44 6.13.4 Security levels ............................................................................................... 44 6.14 SR 2.12 – Non-repudiation .................................................................................... 44 This is a preview - click here to buy the full publication IEC 62443-3-3:2013 © IEC 2013 – 5 – 6.14.1 Requirement .................................................................................................. 44 6.14.2 Rationale and supplemental guidance............................................................ 44 6.14.3 Requirement enhancements .......................................................................... 44 6.14.4 Security levels ............................................................................................... 44 7 FR 3 – System integrity ................................................................................................. 45 7.1 Purpose and SL-C(SI) descriptions ....................................................................... 45 7.2 Rationale .............................................................................................................. 45 7.3 SR 3.1 – Communication integrity ......................................................................... 45 7.3.1 Requirement .................................................................................................. 45 7.3.2 Rationale and supplemental guidance............................................................ 45 7.3.3 Requirement enhancements .......................................................................... 46 7.3.4 Security levels ............................................................................................... 46 7.4 SR 3.2 – Malicious code protection ....................................................................... 46 7.4.1 Requirement .................................................................................................. 46 7.4.2 Rationale and supplemental guidance............................................................ 46 7.4.3 Requirement enhancements .......................................................................... 47 7.4.4 Security levels ............................................................................................... 47 7.5 SR 3.3 – Security functionality verification ............................................................ 47 7.5.1 Requirement .................................................................................................. 47 7.5.2 Rationale and supplemental guidance............................................................ 47 7.5.3 Requirement enhancements .......................................................................... 48 7.5.4 Security levels ............................................................................................... 48 7.6 SR 3.4 – Software and information integrity .......................................................... 48 7.6.1 Requirement .................................................................................................. 48 7.6.2 Rationale and supplemental guidance............................................................ 48 7.6.3 Requirement enhancements .......................................................................... 49 7.6.4 Security levels ............................................................................................... 49 7.7 SR 3.5 – Input validation ....................................................................................... 49 7.7.1 Requirement .................................................................................................. 49 7.7.2 Rationale and supplemental guidance............................................................ 49 7.7.3 Requirement enhancements .......................................................................... 49 7.7.4 Security levels ............................................................................................... 49 7.8 SR 3.6 – Deterministic output ............................................................................... 50 7.8.1 Requirement .................................................................................................. 50 7.8.2 Rationale and supplemental guidance............................................................ 50 7.8.3 Requirement enhancements .......................................................................... 50 7.8.4 Security levels ............................................................................................... 50 7.9 SR 3.7 – Error handling ........................................................................................ 50 7.9.1 Requirement .................................................................................................. 50 7.9.2 Rationale and supplemental guidance............................................................ 50 7.9.3 Requirement enhancements .......................................................................... 50 7.9.4 Security levels ............................................................................................... 51 7.10 SR 3.8 – Session integrity ..................................................................................... 51 7.10.1 Requirement .................................................................................................. 51 7.10.2 Rationale and supplemental guidance............................................................ 51 7.10.3 Requirement enhancements .......................................................................... 51 7.10.4 Security levels ............................................................................................... 51 7.11 SR 3.9 – Protection of audit information ................................................................ 52 7.11.1 Requirement .................................................................................................. 52 This is a preview - click here to buy the full publication – 6 – IEC 62443-3-3:2013 © IEC 2013 7.11.2 Rationale and supplemental guidance............................................................ 52 7.11.3 Requirement enhancements .......................................................................... 52 7.11.4 Security levels ............................................................................................... 52 8 FR 4 – Data confidentiality............................................................................................. 52 8.1 Purpose and SL-C(DC) descriptions ...................................................................... 52 8.2 Rationale .............................................................................................................. 52 8.3 SR 4.1 – Information confidentiality ....................................................................... 53 8.3.1 Requirement .................................................................................................. 53 8.3.2 Rationale and supplemental guidance............................................................ 53 8.3.3 Requirement enhancements .......................................................................... 53 8.3.4 Security levels ............................................................................................... 53 8.4 SR 4.2 – Information persistence .......................................................................... 54 8.4.1 Requirement .................................................................................................. 54 8.4.2 Rationale and supplemental guidance............................................................ 54 8.4.3 Requirement enhancements .......................................................................... 54 8.4.4 Security levels ............................................................................................... 54 8.5 SR 4.3 – Use of cryptography ............................................................................... 54 8.5.1 Requirement .................................................................................................. 54 8.5.2 Rationale and supplemental guidance............................................................ 55 8.5.3 Requirement enhancements .......................................................................... 55 8.5.4 Security levels ............................................................................................... 55 9 FR 5 – Restricted data flow ........................................................................................... 55 9.1 Purpose and SL-C(RDF) descriptions ................................................................... 55 9.2 Rationale .............................................................................................................. 55 9.3 SR 5.1 – Network segmentation ............................................................................ 56 9.3.1 Requirement .................................................................................................. 56 9.3.2 Rationale and supplemental guidance............................................................ 56 9.3.3 Requirement enhancements .......................................................................... 56 9.3.4 Security levels ............................................................................................... 57 9.4 uploads/Management/international-standard-norme-internationale 3 .pdf

Tags
Managementrequirement security sécurité niveaux levels
Documents similaires
  • 22
  • 0
  • 0
Afficher les détails des licences
Licence et utilisation
Gratuit pour un usage personnel Attribution requise
Partager
  • Détails
  • Publié le Jui 18, 2021
  • Catégorie Management
  • Langue French
  • Taille du fichier 0.9220MB