FR1
Identification and authentication control (IAC)
This part of the standard describes requirements for identifying and authenticating users (humans, software processes, and devices) before allowing them access to the industrial control system or a particular component. It acknowledges that some components might require stronger authentication mechanisms than others and recommends minimizing controls within a single zone.
Wallix recommendation
Privilege Access Management (PAM) systems ensure accurate user identification, bolster authentication processes, and enforce strict access controls. They facilitate controlled privilege elevation, integrate robust authentication mechanisms, and enable granular access permissions.
Additionally, Identity as a Service (IDaaS) centralizes identity management, enhances authentication controls, and offers robust access management features. Together, these systems support the identification, authentication control, and access control requirements, strengthening the security of industrial control systems.
SR 1.x list
SR 1.1 RE 1 (Unique identification and authentication)
SR 1.1 RE 2 (Multifactor authentication for untrusted networks)
SR 1.1 RE 3 (Multifactor authentication for all networks)
SR 1.2 (Software process and device identification and authentication)
SR 1.2 RE 1 (Unique identification and authentication)
SR 1.3 (Account management)
SR 1.3 RE 1 (Unified account management)
SR 1.4 (Identifier management)
SR 1.5 (Authenticator management)
SR 1.5 RE 1 (Hardware security for software process identity credentials)
SR 1.6 (Wireless access management)
SR 1.6 RE 1 (Unique identification and authentication)
SR 1.7 (Strength of password-based authentication)
SR 1.7 RE 1 (Password generation and lifetime restrictions for human users)
SR 1.7 RE 2 (Password lifetime restrictions for all users)
SR 1.8 (Public key infrastructure certificates)
SR 1.9 (Strength of public key authentication)
SR 1.9 RE 1 (Hardware security for public key authentication)
SR 1.10 (Authenticator feedback)
SR 1.11 (Unsuccessful login attempts)
SR 1.12 (System use notification)
SR 1.13 (Access via untrusted networks)
SR 1.13 RE 1 (Explicit access request approval)
SR 1.1
Human user identification and authentication
Wallix recommendation
Privilege Session Management (PASM) helps identify users accurately by ensuring that each session is associated with the correct user credentials, which is essential for accountability and traceability. Failed and successful authentication attempts to the PASM are logged for analysis and to ensure that all critical systems are accessed using individual credentials.
By facilitating controlled privilege elevation, this management approach ensures that users are appropriately identified before being granted elevated privileges. Identity as a Service (IDaaS) provides Multifactor Authentication, ensuring accurate authentication of users across the industrial network.
FR2
Use control (UC)
This foundational requirement is about enforcing the proper privileges for a user (human, software process or device) once identified and authenticated, in order to protect a component against unauthorized actions (reading/writing data, downloading programs, setting configurations, etc.). It also covers monitoring of user actions and recommends adapting user privileges based on time of day, date, location, and the means by which access is made.
Wallix recommendation
Privilege Access Management (PAM) systems ensure secure initiation, monitoring, and termination of privileged sessions, controlling access to sensitive functionalities. They directly contribute to Use Control by managing privilege elevation, ensuring necessary permissions align with this principle.
Additionally, Identity as a Service (IDaaS) centralizes user identity management, ensuring appropriate access aligned with access management roles and responsibilities, reinforcing the principles of Use Control.
SR 2.x list
SR 2.1 RE 1 (Authorization enforcement for all users)
SR 2.1 RE 2 (Permission mapping to roles)
SR 2.1 RE 3 (Supervisor override)
SR 2.1 RE 4 (Dual approval)
SR 2.2 (Wireless use control)
SR 2.2 RE 1 (Identify and report unauthorized wireless devices)
SR 2.3 (Use control for portable and mobile devices)
SR 2.3 RE 1 (Enforcement of security status of portable and mobile devices)
SR 2.4 (Mobile code)
SR 2.4 RE 1 (Mobile code integrity check)
SR 2.5 (Session lock)
SR 2.6 (Remote session termination)
SR 2.7 (Concurrent session control)
SR 2.8 (Auditable events)
SR 2.8 RE 1 (Centrally managed, system-wide audit trail)
SR 2.9 (Audit storage capability)
SR 2.9 RE 1 (Warn when audit record storage capacity threshold reached)
SR 2.10 (Response to audit processing failures)
SR 2.11 (Timestamps)
SR 2.11 RE 1 (Internal time synchronisation)
SR 2.11 RE 2 (Protection of time source integrity)
SR 2.12 (Non-repudiation)
SR 2.12 RE 1 (Non-repudiation for all users)
SR 2.1
Authorization enforcement
Wallix recommendation
Authorization enforcement, in the context of Privilege Session Management (PASM), is about controlling and managing authorization within privileged sessions. The PASM system ensures stringent control over the access permissions and privileges granted during privileged sessions.
This integration enhances security by enforcing defined authorization policies, accurately assigning permissions, and consistently monitoring access activities, aligning with the stringent SR 2.1 standards.
Authorization Enforcement within PASM significantly strengthens access control, mitigating unauthorized access and bolstering the overall security framework.
FR3
System integrity
Wallix recommendation
Privilege Access Management (PAM) systems focus on secure initiation, monitoring, and termination of privileged sessions, indirectly safeguarding system integrity by preventing unauthorized actions. They directly contribute to system integrity by controlling privilege elevation and monitoring permissions.
Additionally, Identity as a Service (IDaaS) ensures centralized control over user identities and privileges, limiting actions that could compromise system integrity. Together, they enforce controls to prevent unauthorized actions, forming integral components of a comprehensive security strategy for system integrity.
SR 3.x list
SR 3.1 RE 1 (Cryptographic integrity protection)
SR 3.2 (Malicious code protection)
SR 3.2 RE 1 (Malicious code protection on entry and exit points)
SR 3.2 RE 2 (Central management and reporting for malicious code protection)
SR 3.3 (Security functionality verification)
SR 3.3 RE 1 (Automated mechanisms for security functionality verification)
SR 3.3 RE 2 (Security functionality verification during normal operation)
SR 3.4 (Software and information integrity)
SR 3.4 RE 1 (Automated notifications about integrity violations)
SR 3.5 (Input validation)
SR 3.6 (Deterministic output)
SR 3.7 (Error handling)
SR 3.8 (Session integrity)
SR 3.8 RE 1 (Invalidation of session IDs after session termination)
SR 3.8 RE 2 (Unique session ID generation)
SR 3.8 RE 3 (Randomness of session IDs)
SR 3.9 (Protection of audit information)
SR 3.9 RE 1 (Audit records on write-once media)
SR 3.1
Communication integrity
Wallix recommendation
Communication integrity is provided by the Privilege Session Management (PASM) system, because all data flows and session data are fully encrypted.
FR4
Data confidentiality (DC)
The objective of this foundational requirement is to protect data from unauthorized disclosure, either when being transmitted or while stored. Not only does this imply protecting communication channels and storage, it also requires organizations to define what data must be protected and who should have access to it.
Wallix recommendation
Privilege Access Management (PAM) systems ensure secure establishment, monitoring, and termination of privileged sessions, indirectly preserving data confidentiality by controlling access. They directly contribute by managing privilege elevation and access, ensuring only authorized personnel access sensitive data. Additionally, Identity as a Service (IDaaS) centralizes user identity management, ensuring secure data access and transmission according to policies, enhancing overall data confidentiality control.
SR 4.x list
SR 4.1 RE 2 (Protection of confidentiality across zone boundaries)
SR 4.2 (Information persistence)
SR 4.2 RE 1 (Purging of shared memory resources)
SR 4.3 (Use of cryptography)
SR 4.1
Information confidentiality
Wallix recommendation
In general, see the FR4 recommendation. Specific to this SR:
The Privilege Session Management (PASM) tool controls and monitors who can access sensitive data or critical systems during sessions, preventing unauthorized exposure of confidential information. By managing and securing privileged access, PASM helps safeguard sensitive data from unauthorized access or exposure.
By enforcing strict access controls and authentication mechanisms, Identity as a Service (IDaaS) mitigates the risk of unauthorized data access or leakage.
Privilege Elevation and Delegation Management (PEDM) directly contributes to information confidentiality by controlling and monitoring privilege escalation. It ensures that only authorized personnel with appropriate permissions can access sensitive data. By enforcing least privilege principles and managing delegation effectively, PEDM limits access to confidential information, reducing the risk of data breaches.
FR5
Restricted data flow (RDF)
Wallix recommendation
Privilege Access Management (PAM) systems ensure secure establishment, monitoring, and termination of privileged sessions, indirectly controlling data flow by managing access. They directly contribute by controlling and monitoring privilege elevation, limiting access to authorized personnel.
Additionally, Identity as a Service (IDaaS) centralizes user identity management, ensuring secure data access based on policies, enhancing overall data flow control. While not the primary tools for data flow control, these systems ensure controlled, monitored, and restricted access to sensitive data, complementing network-centric security measures designed for data flow control in industrial control systems.
SR 5.x list
SR 5.1 RE 1 (Physical network segmentation)
SR 5.1 RE 2 (Independence from non-control system networks)
SR 5.1 RE 3 (Logical and physical isolation of critical networks)
SR 5.2 (Zone boundary protection)
SR 5.2 RE 1 (Deny by default, allow by exception)
SR 5.2 RE 2 (Island mode)
SR 5.2 RE 3 (Fail close)
SR 5.3 (General purpose person-to-person communication restrictions)
SR 5.3 RE 1 (Prohibit all general purpose person-to-person communications)
SR 5.4 (Application partitioning)
SR 5.1
Network segmentation
Wallix recommendation
A Privilege Session Management (PASM) system provides logical segmentation, for example of IT system networks from other system networks such as OT networks, from an access management point of view.
It is also possible to logically segment the different networks internally (OT network access segmentation). In this way the MS Tiering Model can be fully respected while a PASM system is in use. Because this segmentation is logical rather than physical, the control is rated as “partial”.
FR6
Timely response to events
Wallix recommendation
Privilege Access Management (PAM) systems contribute to timely response by providing essential capabilities such as detailed session logs, privilege elevation records, and user identity logs. Privilege Session Management (PASM) offers detailed session logging, which aids in analyzing privileged actions during security incidents.
Privilege Elevation and Delegation Management (PEDM) enables real-time privilege revocation upon detecting unauthorized actions, mitigating risks swiftly. Identity as a Service ensures up-to-date user identity information, facilitating quick access revocation or permission changes in response to security events.
These features maintain visibility into system activities, identify potential security incidents, and support thorough audits, meeting the requirements for timely event response.
SR 6.x list
SR 6.1 RE 1 (Programmatic access to audit logs)
SR 6.2 (Continuous monitoring)
SR 6.1
Audit log accessibility
Wallix recommendation
The Privilege Session Management (PASM) system has a profile-based infrastructure. One of the profiles/roles embedded in the system is the auditor role. Access to audit logs alone can be granted to the users who fit that role according to the company's responsibility levels.
FR7
Resource availability (RA)
Wallix recommendation
Privilege Access Management (PAM) systems ensure efficient and secure management of privileged sessions, elevation of privileges, and resource access. Privilege Session Management (PASM) guarantees efficient session management, minimizing disruptions and maintaining critical resource availability.
Privilege Elevation and Delegation Management (PEDM) efficiently handles privilege elevation, ensuring authorized access for resource availability.
Identity as a Service (IDaaS) manages user identities and access, aligning with access management policies to prevent unauthorized access and maintain resource availability. Collectively, these systems contribute to managing sessions, privileges, and resource access efficiently and securely, minimizing disruptions and unauthorized access while upholding critical resource availability in industrial control systems.
SR 7.x list
SR 7.1 RE 1 (Manage communication loads)
SR 7.1 RE 2 (Limit DoS effects to other systems or networks)
SR 7.2 (Resource management)
SR 7.1
Denial of service protection
Wallix recommendation
With Privilege Session Management (PASM), perimeter firewalls can be hardened against DoS attacks, since remote access is only possible through the Bastion. To limit the effects of a DoS attack, PASM equipment should be deployed in a load-balanced, failover configuration.