IEC 62443, Security Compliance, and Security Level
July 29, 2020

What Is IEC 62443?

Security & Compliance
Static Analysis

IEC 62443 is important to protect industrial automation and control systems from security breaches. If an attempt is successful, untrustworthy agents would gain access to sensitive data, disrupt or shut down the network, and even cause industrial systems to break down.

Here, we explain what IEC 62443 is, how to comply with it, and how a static code analyzer makes compliance easier.

What Is IEC 62443?

IEC 62443 is a set of security standards for the secure development of Industrial Automation and Control Systems (IACS). It provides a thorough and systematic set of cybersecurity recommendations. It's used to defend industrial networks against cybersecurity threats.

What Are IEC 62443 Security Levels (SL)?

A key part of IEC 62443 are security levels (SL). SL is used to assess the cybersecurity risks to each system. And it helps you understand how to best address those risks.

There are five Security Level values, 0–4. SL 0 is the minimum level of risk and SL 4 is the maximum. That means that SL 4 has stricter compliance requirements than SL 0.

Security Level 0

No specific requirements or security protection necessary.

Security Level 1

Protection against casual or coincidental violation.

Security Level 2

Protection against intentional violation using simple means with:

  • Low resources.
  • Generic skills.
  • Low motivation.

Security Level 3

Protection against intentional violation using sophisticated means with:

  • Moderate resources.
  • IACS specific skills.
  • Moderate motivation.

Security Level 4

Protection against intentional attacks with sophisticated means with:

  • Extended resources.
  • IACS specific skills.
  • High motivation.

7 Security Level Foundational Requirements

There are seven specific foundational requirements that must be met for each SL. Meeting these requirements ensures that an IACS has the right security and safety safeguards.

The foundational requirements for an SL are:

1. Identification and Authentication Control

Reliably identify and authenticate all users (humans, software processes, and devices) attempting to access the ICS.

2. Use Control

Enforce the assigned privileges of an authenticated user (human, software process, or device) to perform the requested action on the system or assets. Monitor the use of these privileges.

3. System Integrity

Ensure the integrity of the IACS to prevent unauthorized manipulation.

4. Data Confidentiality

Ensure the confidentiality of information on communication channels and in data repositories. Prevent unauthorized disclosure.

5. Restricted Data Flow

Segment the control system via zones and conduits to limit the unnecessary flow data.

6. Timely Response to Events

Respond to security violations. Notify the proper authority reporting needed evidence of the violation. Take timely corrective action when incidents occur.

7. Resource Availability

Ensure the availability of the control system against the degradation or denial of essential services.

Each foundational requirement has multiple conditions that need to be met depending on the SL. The higher the SL, the more conditions that must be met for the foundational requirement.

How to Comply with IEC 62443

IEC 62443 provides guidance on how to ensure the secure development of an IACS. But only Part 4-1 directly applies to software development. Part 4-1 of the standard outlines the framework for how to enforce IEC 62443 compliance. An important part of that framework is the use of a static code analyzer.

A static code analyzer automatically identifies vulnerabilities and defects as you code. In addition, you are able to apply a coding standard to ensure that your software is compliant and reliable.

IEC 62443 requires that a static code analyzer be used to enforce secure coding standards.

These include:

This helps to ensure that your code is secure. And it keeps your code free from software vulnerabilities, reliability, and other general coding errors.

Learn More About How to Ensure Software Security with SAST >>

Ensure IEC 62443 Security Compliance with Perforce

To enforce security compliance as well as to ensure the security and safety of your software, you need the right static code analyzer. And that's Klocwork static application security testing (SAST);

Klocwork SAST for C, C++, C#, and Java helps you apply a standard — like IEC 62443. As a result, you can eliminate software vulnerabilities and defects early in development.

Using Klocwork helps you:

  • Identify and analyze risk and help prioritize severity.
  • Fulfill compliance standard requirements based on risk and prove it.
  • Apply a coding standard and ensure that coding rules are followed.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.

See how Klocwork can help you efficiently and easily enforce security compliance. Sign up for our next live demo of Klocwork.

Secure Your Software