Target SL 2 for most OT networks
SL 2 addresses motivated individuals. Safety systems and power grids target SL 3.
The previous sections covered specific attack types and defenses. IEC 62443 ties these topics together. The framework offers a structured approach to assessing risk, defining security requirements, and verifying compliance across the entire industrial automation and control system.
Before IEC 62443, every vendor and asset owner approached OT security differently. Some applied IT security frameworks that did not account for availability requirements. Others had no framework at all. IEC 62443 created a common language and a structured methodology for asset owners, system integrators, and product suppliers.
Key term:
IEC 62443 defines 4 Security Levels (SL) based on the threat actor and the resources needed for a successful attack:
| Level | Threat Actor | Description |
|---|---|---|
| SL 1 | Casual violation | Untrained users, accidental misuse |
| SL 2 | Intentional violation | Motivated individuals with basic skills |
| SL 3 | Sophisticated attacks | Skilled attackers with resources |
| SL 4 | State-sponsored attacks | Nation-state actors with significant resources |
Most industrial networks target SL 2. Power grids and water treatment facilities target SL 3.
IEC 62443-3-2 defines Security Zones and Conduits. A zone is a group of assets with the same security requirements and threat exposure. A conduit is a communication path between zones, controlled by firewalls or data diodes.
This diagram maps directly to the Purdue Model: each Purdue level is a security zone, and the connections between levels are conduits.
Hirschmann switches certified to IEC 62443-4-2 SL 2 deliver the following capabilities:
| Requirement | HiOS Feature |
|---|---|
| Unique identification | Each switch has a unique identity |
| Authenticator management | Password policies, certificate support |
| Use control | Role-based access (admin, operator, read-only) |
| Audit log | The switch logs configuration changes and access attempts |
| Communication integrity | HTTPS, SSH, SNMPv3 |
| Session lock | Automatic timeout after inactivity |
Zones and conduits map to VLANs and firewalls
Each zone is a VLAN or network segment. Each conduit is a firewall rule set. The IEC 62443 model translates directly into network configuration.
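The zone-to-segment and conduit-to-rule-set mapping described above, as an added Python example that is not part of the original page: it audits flow records against a zone and conduit plan, treating any inter-zone traffic without a matching conduit as a finding. The zone names, subnets, VLAN numbers, conduit entries and flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zone plan: one zone per network segment (assumed values).
ZONES = {
    "enterprise": ip_network("10.10.0.0/24"),  # VLAN 10
    "operations": ip_network("10.20.0.0/24"),  # VLAN 20
    "control":    ip_network("10.30.0.0/24"),  # VLAN 30
    "safety":     ip_network("10.40.0.0/24"),  # VLAN 40
}

# Conduits: the only permitted inter-zone paths, written the way a firewall
# rule set would be: (source zone, destination zone, protocol, dest port).
CONDUITS = {
    ("enterprise", "operations", "tcp", 443),
    ("operations", "control", "tcp", 502),
}

def zone_of(addr):
    """Return the zone whose subnet contains addr, or None if it is unzoned."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flow(src, dst, proto, port):
    """Classify one observed flow against the zone and conduit plan."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unzoned-asset"   # asset missing from the zone inventory
    if src_zone == dst_zone:
        return "intra-zone"      # stays inside one zone, no conduit involved
    if (src_zone, dst_zone, proto, port) in CONDUITS:
        return "conduit"         # crosses zones through a defined conduit
    return "no-conduit"          # crosses zones with no conduit: a finding

def audit(flows):
    """Return (flow, verdict) for every flow that is a finding."""
    ok = ("intra-zone", "conduit")
    return [(f, v) for f in flows if (v := audit_flow(*f)) not in ok]

# Constructed flow records: (source IP, destination IP, protocol, dest port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.8", "tcp", 443),     # enterprise -> operations
    ("10.20.0.8", "10.30.0.12", "tcp", 502),    # operations -> control
    ("10.30.0.12", "10.30.0.13", "udp", 2222),  # inside the control zone
    ("10.10.0.5", "10.30.0.12", "tcp", 502),    # enterprise -> control
    ("10.30.0.12", "10.40.0.3", "tcp", 502),    # control -> safety
    ("192.168.1.7", "10.30.0.12", "tcp", 22),   # source not in any zone
]
```

Conduits are directional in this sketch, so a reply-direction rule has to be listed explicitly unless the enforcing firewall is stateful.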
The IEC 62443 framework defines what to address and how. The next section covers practical hardening — the specific configuration steps that implement the framework on Hirschmann switches and PLCs.