IEC_62443-4-1-018.pdf

IEC1EC62443-4-1三Edition 1.0 2018-01INTERNATIONALSTANDARD6Security for industrial automation and control systems-Part 4-1:Secure product development lifecycle requirementsg1EC62443-4-1Edition 1.0 2018-01INTERNATIONALSTANDARD6Security for industrial automation and control systems-Part 4-1:Secure product development lifecycle requirementsINTERNATIONALELECTROTECHNICALCOMMISSION1CS25.040.40:35.0301SBN978-2-8322-5239-0Warning!Make sure that you obtained this publication from an authorized distributor.Registered trademark of the International Electrotechnical Commission-2IEC62443-4-1:2018IEC2018CONTENTSFOREWORD.6INTRODUCTION.812Normative references.113 Terms,definitions,abbreviated terms,acronyms and conventions.113.1Terms and definitions.113.2Abbreviated terms and acronyms.163.3Convention.4 General principles.174.1C0 ncepts.174.2Maturity model.195 Practice 1-Security management.205.1PUrp0Se205.2SM-1:Development process.215.2.1 Requirement.215.3 Rationale and supplemental guidance.215.4 SM-2:Identification of responsibilities.215.4.1Requirement.25.4.2Rationale and supplemental guidance.25.5 SM-3:Identification of applicability.215.5.1Requirement.215.5.2Rationale and supplemental guidance.225.6 SM-4:Security expertise.225.6.1Requirement.225.6.2Rationale and supplemental guidance.225.7 SM-5:Process scoping.225.7.1Reguirement.225.7.2Rationale and supplemental guidance.235.8SM-6 File integrity.235.8.1Requirement.235.8.2Rationale and supplemental guidance.235.9 SM-7:Development environment security.235.9.1Requirement.235.9.2Rationale and supplemental guidance.235.10 SM-8:Controls for private keys.235.10.1 Requirement.235.10.2 Rationale and supplemental guidance.245.11 SM-9:Security requirements for externally provided components.245.11.1 Requirement.245.11.2 Rationale and supplemental guidance.245.12 SM-10:Custom developed components from third-party suppliers.245.12.1 Requirement.245.12.2 Rationale and supplemental guidance.255.13 SM-11:Assessing and addressing security-related issues.255.13.1 Requirement.255.13.2 Rationale and supplemental guidance.251EC62443-4-1:2018IEC2018-3-5.14 SM-12:Process verification.255.14.1 Requirement.255.14.2 Rationale and supplemental guidance.255.15SM-13:Continuous improvement.255.15.1 Requirement.255.15.2 Rationale and supplemental guidance.266Practice 2-Specification of security requirements.268.1 PurpOSe.286.2 SR-1:Product security context.276.2.1Requirement.276.2.2Rationale and supplemental guidance.276.3SR-2:Threat model.276.3.1Requirement.276.3.2Rationale and supplemental guidance.286.4SR-3:Product security requirements.286.4.1Requirement.286.4.2Rationale and supplemental guidance.286.5 SR-4:Product security requirements content.296.5.1Requirement.296.5.2Rationale and supplemental guidance.296.6 SR-5:Security requirements review.296.6.1Reguirement.296.6.2Rationale and supplemental guidance.297 Practice 3-Secure by design.307.1PuppoSe.307.2SD-1:Secure design principles.307.2.1Requirement.307.2.2Rationale and supplemental guidance.307.3SD-2:Defense in depth design.317.3.1Requirement.317.3.2Rationale and supplemental guidance.327.4 SD-3:Security design review.327.4.1Requirement.327.4.2Rationale and supplemental guidance.327.5 SD-4:Secure design best practices.327.5.1Requirement.327.5.2Rationale and supplemental guidance.338Practice 4-Secure implementation.338.1Purpose.338.2Applicability.338.3SI-1:Security implementation review.338.3.1Requirement.338.3.2Rationale and supplemental guidance.348.4SI-2:Secure coding standards.348.4.1Requirement.348.4.2Rationale and supplemental guidance.349Practice 5-Security verification and validation testing.349.34