EN IEC 62443-4-1-2018 Security for industrial automation and control systems - ParT 4-1 Secure product development lifecycle requirements.pdf

1、BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Security for industrial automation and control systemsPart 4-1: Secure product development lifecycle requirements (IEC 62443-4-1:2018)BS EN IEC 62443-4-1:2018EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN IEC 6244

2、3-4-1 March 2018 ICS 25.040.40; 35.030 English Version Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements (IEC 62443-4-1:2018) To be completed (IEC 62443-4-1:2018) IT-Sicherheit fr industrielle Automatisierungssysteme - Teil 4-1: Anfo

3、rderungen an den Lebenszyklus fr eine sichere Produktentwicklung (IEC 62443-4-1:2018) This European Standard was approved by CENELEC on 2018-02-19. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the statu

4、s of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member. This European Standard exists in three official versions (English, French,

5、 German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Be

6、lgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spa

7、in, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels 2018 CENELEC All right

8、s of exploitation in any form and by any means reserved worldwide for CENELEC Members. Ref. No. EN IEC 62443-4-1:2018 E National forewordThis British Standard is the UK implementation of EN IEC 62443-4-1:2018. It is identical to IEC 62443-4-1:2018.The UK participation in its preparation was entruste

9、d to Technical Committee GEL/65, Measurement and control.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The B

10、ritish Standards Institution 2018 Published by BSI Standards Limited 2018ISBN 978 0 580 89911 9ICS 25.040.40; 35.030Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee

11、on 30 April 2018.Amendments/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS EN IEC 62443-4-1:2018EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN IEC 62443-4-1 March 2018 ICS 25.040.40; 35.030 English Version Security for industrial automation and control systems - Part 4

12、-1: Secure product development lifecycle requirements (IEC 62443-4-1:2018) To be completed (IEC 62443-4-1:2018) IT-Sicherheit fr industrielle Automatisierungssysteme - Teil 4-1: Anforderungen an den Lebenszyklus fr eine sichere Produktentwicklung (IEC 62443-4-1:2018) This European Standard was appro

13、ved by CENELEC on 2018-02-19. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such natio

14、nal standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its ow

15、n language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia

16、, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization Comit

17、Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members. Ref. No. EN IEC 62443-4-1:2018

18、E BS EN IEC 62443-4-1:2018EN IEC 62443-4-1:2018 (E) 2 European foreword The text of document 65/685/FDIS, future edition 1 of IEC 62443-4-1, prepared by IEC/TC 65 “Industrial-process measurement, control and automation“ was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as EN IEC

19、 62443-4-1:2018. The following dates are fixed: latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2018-11-19 latest date by which the national standards conflicting with the document have to be withdrawn

20、 (dow) 2021-02-19 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights. Endorsement notice The text of the International Standard IEC 62443-4-1:2018 wa

21、s approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added for the standards indicated: IEC 62740 NOTE Harmonized as EN 62470. IEC 61508 (series) NOTE Harmonized as EN 61508 (series). ISO/IEC 27001 NOTE Harmo

22、nized as EN ISO/IEC 27001. ISO/IEC 27002 NOTE Harmonized as EN ISO/IEC 27002. ISO 9001 NOTE Harmonized as EN ISO 9001. BS EN IEC 62443-4-1:2018EN IEC 62443-4-1:2018 (E) 3 Annex ZA (normative) Normative references to international publications with their corresponding European publications The follow

23、ing documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. NOTE 1

24、Where an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies. NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu. Publication Year Title EN/HD Year IEC 6

25、2443-2-4 2015 Security for industrial process measurement and control - Network and system security - Part 2-4: Certification of IACS supplier security policies and practices - - + A1 2017 - - BS EN IEC 62443-4-1:2018This page deliberately left blank 2 IEC 62443-4-1:2018 IEC 2018 CONTENTS FOREWORD .

26、 6 INTRODUCTION . 8 1 Scope 11 2 Normative references 11 3 Terms, definitions, abbreviated terms, acronyms and conventions . 11 3.1 Terms and definitions 11 3.2 Abbreviated terms and acronyms 16 3.3 Conventions 17 4 General principles . 17 4.1 Concepts 17 4.2 Maturity model 19 5 Practice 1 Security

27、management 20 5.1 Purpose 20 5.2 SM-1: Development process . 21 5.2.1 Requirement 21 5.3 Rationale and supplemental guidance . 21 5.4 SM-2: Identification of responsibilities . 21 5.4.1 Requirement 21 5.4.2 Rationale and supplemental guidance 21 5.5 SM-3: Identification of applicability 21 5.5.1 Req

28、uirement 21 5.5.2 Rationale and supplemental guidance 22 5.6 SM-4: Security expertise . 22 5.6.1 Requirement 22 5.6.2 Rationale and supplemental guidance 22 5.7 SM-5: Process scoping . 22 5.7.1 Requirement 22 5.7.2 Rationale and supplemental guidance 23 5.8 SM-6: File integrity 23 5.8.1 Requirement

29、23 5.8.2 Rationale and supplemental guidance 23 5.9 SM-7: Development environment security . 23 5.9.1 Requirement 23 5.9.2 Rationale and supplemental guidance 23 5.10 SM-8: Controls for private keys . 23 5.10.1 Requirement 23 5.10.2 Rationale and supplemental guidance 24 5.11 SM-9: Security requirem

30、ents for externally provided components 24 5.11.1 Requirement 24 5.11.2 Rationale and supplemental guidance 24 5.12 SM-10: Custom developed components from third-party suppliers 24 5.12.1 Requirement 24 5.12.2 Rationale and supplemental guidance 25 5.13 SM-11: Assessing and addressing security-relat

31、ed issues 25 5.13.1 Requirement 25 5.13.2 Rationale and supplemental guidance 25 2 IEC 62443-4-1:2018 IEC 2018 CONTENTS FOREWORD . 6 INTRODUCTION . 8 1 Scope 11 2 Normative references 11 3 Terms, definitions, abbreviated terms, acronyms and conventions . 11 3.1 Terms and definitions 11 3.2 Abbreviat

32、ed terms and acronyms 16 3.3 Conventions 17 4 General principles . 17 4.1 Concepts 17 4.2 Maturity model 19 5 Practice 1 Security management 20 5.1 Purpose 20 5.2 SM-1: Development process . 21 5.2.1 Requirement 21 5.3 Rationale and supplemental guidance . 21 5.4 SM-2: Identification of responsibili

33、ties . 21 5.4.1 Requirement 21 5.4.2 Rationale and supplemental guidance 21 5.5 SM-3: Identification of applicability 21 5.5.1 Requirement 21 5.5.2 Rationale and supplemental guidance 22 5.6 SM-4: Security expertise . 22 5.6.1 Requirement 22 5.6.2 Rationale and supplemental guidance 22 5.7 SM-5: Pro

34、cess scoping . 22 5.7.1 Requirement 22 5.7.2 Rationale and supplemental guidance 23 5.8 SM-6: File integrity 23 5.8.1 Requirement 23 5.8.2 Rationale and supplemental guidance 23 5.9 SM-7: Development environment security . 23 5.9.1 Requirement 23 5.9.2 Rationale and supplemental guidance 23 5.10 SM-

35、8: Controls for private keys . 23 5.10.1 Requirement 23 5.10.2 Rationale and supplemental guidance 24 5.11 SM-9: Security requirements for externally provided components 24 5.11.1 Requirement 24 5.11.2 Rationale and supplemental guidance 24 5.12 SM-10: Custom developed components from third-party su

36、ppliers 24 5.12.1 Requirement 24 5.12.2 Rationale and supplemental guidance 25 5.13 SM-11: Assessing and addressing security-related issues 25 5.13.1 Requirement 25 5.13.2 Rationale and supplemental guidance 25 BS EN IEC 62443-4-1:2018IEC 62443-4-1:2018 IEC 2018 3 5.14 SM-12: Process verification 25

37、 5.14.1 Requirement 25 5.14.2 Rationale and supplemental guidance 25 5.15 SM-13: Continuous improvement 25 5.15.1 Requirement 25 5.15.2 Rationale and supplemental guidance 26 6 Practice 2 Specification of security requirements 26 6.1 Purpose 26 6.2 SR-1: Product security context 27 6.2.1 Requirement

38、 27 6.2.2 Rationale and supplemental guidance 27 6.3 SR-2: Threat model . 27 6.3.1 Requirement 27 6.3.2 Rationale and supplemental guidance 28 6.4 SR-3: Product security requirements . 28 6.4.1 Requirement 28 6.4.2 Rationale and supplemental guidance 28 6.5 SR-4: Product security requirements conten

39、t 29 6.5.1 Requirement 29 6.5.2 Rationale and supplemental guidance 29 6.6 SR-5: Security requirements review 29 6.6.1 Requirement 29 6.6.2 Rationale and supplemental guidance 29 7 Practice 3 Secure by design . 30 7.1 Purpose 30 7.2 SD-1: Secure design principles . 30 7.2.1 Requirement 30 7.2.2 Rati

40、onale and supplemental guidance 30 7.3 SD-2: Defense in depth design 31 7.3.1 Requirement 31 7.3.2 Rationale and supplemental guidance 32 7.4 SD-3: Security design review 32 7.4.1 Requirement 32 7.4.2 Rationale and supplemental guidance 32 7.5 SD-4: Secure design best practices 32 7.5.1 Requirement

41、32 7.5.2 Rationale and supplemental guidance 33 8 Practice 4 Secure implementation . 33 8.1 Purpose 33 8.2 Applicability 33 8.3 SI-1: Security implementation review 33 8.3.1 Requirement 33 8.3.2 Rationale and supplemental guidance 34 8.4 SI-2: Secure coding standards 34 8.4.1 Requirement 34 8.4.2 Ra

42、tionale and supplemental guidance 34 9 Practice 5 Security verification and validation testing 34 9.1 Purpose 34 BS EN IEC 62443-4-1:2018 4 IEC 62443-4-1:2018 IEC 2018 9.2 SVV-1: Security requirements testing 35 9.2.1 Requirement 35 9.2.2 Rationale and supplemental guidance 35 9.3 SVV-2: Threat miti

43、gation testing 35 9.3.1 Requirement 35 9.3.2 Rationale and supplemental guidance 35 9.4 SVV-3: Vulnerability testing 36 9.4.1 Requirement 36 9.4.2 Rationale and supplemental guidance 36 9.5 SVV-4: Penetration testing 36 9.5.1 Requirement 36 9.5.2 Rationale and supplemental guidance 36 9.6 SVV-5: Ind

44、ependence of testers 37 9.6.1 Requirement 37 9.6.2 Rationale and supplemental guidance 37 10 Practice 6 Management of security-related issues 38 10.1 Purpose 38 10.2 DM-1: Receiving notifications of security-related issues 38 10.2.1 Requirement 38 10.2.2 Rationale and supplemental guidance 38 10.3 D

45、M-2: Reviewing security-related issues . 38 10.3.1 Requirement 38 10.3.2 Rationale and supplemental guidance 39 10.4 DM-3: Assessing security-related issues . 39 10.4.1 Requirement 39 10.4.2 Rationale and supplemental guidance 39 10.5 DM-4: Addressing security-related issues . 40 10.5.1 Requirement

46、40 10.5.2 Rationale and supplemental guidance 40 10.6 DM-5: Disclosing security-related issues . 41 10.6.1 Requirement 41 10.6.2 Rationale and supplemental guidance 41 10.7 DM-6: Periodic review of security defect management practice . 42 10.7.1 Requirement 42 10.7.2 Rationale and supplemental guida

47、nce 42 11 Practice 7 Security update management . 42 11.1 Purpose 42 11.2 SUM-1: Security update qualification 42 11.2.1 Requirement 42 11.2.2 Rationale and supplemental guidance 42 11.3 SUM-2: Security update documentation 42 11.3.1 Requirement 42 11.3.2 Rationale and supplemental guidance 43 11.4

48、SUM-3: Dependent component or operating system security update documentation 43 11.4.1 Requirement 43 11.4.2 Rationale and supplemental guidance 43 11.5 SUM-4: Security update delivery . 43 11.5.1 Requirement 43 BS EN IEC 62443-4-1:2018IEC 62443-4-1:2018 IEC 2018 5 11.5.2 Rationale and supplemental

49、guidance 43 11.6 SUM-5: Timely delivery of security patches . 44 11.6.1 Requirement 44 11.6.2 Rationale and supplemental guidance 44 12 Practice 8 Security guidelines . 44 12.1 Purpose 44 12.2 SG-1: Product defense in depth 44 12.2.1 Requirement 44 12.2.2 Rationale and supplemental guidance 45 12.3 SG-2: Defense in depth measures expected in the environment 45 12.3.1 Requirement 45 12.3.2 Rationale and supplemental guidance 45 12.4 SG-3: Security hardening guidelines . 45 12.4.1 Requirement 45 12.4.2 Rationale and