BS EN IEC 62443-4-1:2018

$198.66

Security for industrial automation and control systems – Secure product development lifecycle requirements

Published By: BSI
Publication Date: 2018
Number of Pages: 60

This part of IEC 62443 specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. These requirements apply to the developer and maintainer of the product, but not to the integrator or user of the product. A summary list of the requirements in this document can be found in Annex B.

PDF Catalog

PDF Pages PDF Title
7 CONTENTS
11 FOREWORD
13 INTRODUCTION
14 Figures
Figure 1 – Parts of the IEC 62443 series
15 Figure 2 – Example scope of product life-cycle
16 1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms and conventions
3.1 Terms and definitions
21 3.2 Abbreviated terms and acronyms
22 3.3 Conventions
4 General principles
4.1 Concepts
23 Figure 3 – Defence in depth strategy is a key philosophy of the secure product life-cycle
24 4.2 Maturity model
25 5 Practice 1 – Security management
5.1 Purpose
Tables
Table 1 – Maturity levels
26 5.2 SM-1: Development process
5.2.1 Requirement
5.3 Rationale and supplemental guidance
5.4 SM-2: Identification of responsibilities
5.4.1 Requirement
5.4.2 Rationale and supplemental guidance
5.5 SM-3: Identification of applicability
5.5.1 Requirement
27 5.5.2 Rationale and supplemental guidance
5.6 SM-4: Security expertise
5.6.1 Requirement
5.6.2 Rationale and supplemental guidance
5.7 SM-5: Process scoping
5.7.1 Requirement
28 5.7.2 Rationale and supplemental guidance
5.8 SM-6: File integrity
5.8.1 Requirement
5.8.2 Rationale and supplemental guidance
5.9 SM-7: Development environment security
5.9.1 Requirement
5.9.2 Rationale and supplemental guidance
5.10 SM-8: Controls for private keys
5.10.1 Requirement
29 5.10.2 Rationale and supplemental guidance
5.11 SM-9: Security requirements for externally provided components
5.11.1 Requirement
5.11.2 Rationale and supplemental guidance
5.12 SM-10: Custom developed components from third-party suppliers
5.12.1 Requirement
30 5.12.2 Rationale and supplemental guidance
5.13 SM-11: Assessing and addressing security-related issues
5.13.1 Requirement
5.13.2 Rationale and supplemental guidance
5.14 SM-12: Process verification
5.14.1 Requirement
5.14.2 Rationale and supplemental guidance
5.15 SM-13: Continuous improvement
5.15.1 Requirement
31 5.15.2 Rationale and supplemental guidance
6 Practice 2 – Specification of security requirements
6.1 Purpose
Table 2 – Example SDL continuous improvement activities
32 6.2 SR-1: Product security context
6.2.1 Requirement
6.2.2 Rationale and supplemental guidance
6.3 SR-2: Threat model
6.3.1 Requirement
33 6.3.2 Rationale and supplemental guidance
6.4 SR-3: Product security requirements
6.4.1 Requirement
6.4.2 Rationale and supplemental guidance
34 6.5 SR-4: Product security requirements content
6.5.1 Requirement
6.5.2 Rationale and supplemental guidance
6.6 SR-5: Security requirements review
6.6.1 Requirement
6.6.2 Rationale and supplemental guidance
35 7 Practice 3 – Secure by design
7.1 Purpose
7.2 SD-1: Secure design principles
7.2.1 Requirement
7.2.2 Rationale and supplemental guidance
36 7.3 SD-2: Defense in depth design
7.3.1 Requirement
37 7.3.2 Rationale and supplemental guidance
7.4 SD-3: Security design review
7.4.1 Requirement
7.4.2 Rationale and supplemental guidance
7.5 SD-4: Secure design best practices
7.5.1 Requirement
38 7.5.2 Rationale and supplemental guidance
8 Practice 4 – Secure implementation
8.1 Purpose
8.2 Applicability
8.3 SI-1: Security implementation review
8.3.1 Requirement
39 8.3.2 Rationale and supplemental guidance
8.4 SI-2: Secure coding standards
8.4.1 Requirement
8.4.2 Rationale and supplemental guidance
9 Practice 5 – Security verification and validation testing
9.1 Purpose
40 9.2 SVV-1: Security requirements testing
9.2.1 Requirement
9.2.2 Rationale and supplemental guidance
9.3 SVV-2: Threat mitigation testing
9.3.1 Requirement
9.3.2 Rationale and supplemental guidance
41 9.4 SVV-3: Vulnerability testing
9.4.1 Requirement
9.4.2 Rationale and supplemental guidance
9.5 SVV-4: Penetration testing
9.5.1 Requirement
9.5.2 Rationale and supplemental guidance
42 9.6 SVV-5: Independence of testers
9.6.1 Requirement
9.6.2 Rationale and supplemental guidance
Table 3 – Required level of independence of testers from developers
43 10 Practice 6 – Management of security-related issues
10.1 Purpose
10.2 DM-1: Receiving notifications of security-related issues
10.2.1 Requirement
10.2.2 Rationale and supplemental guidance
10.3 DM-2: Reviewing security-related issues
10.3.1 Requirement
44 10.3.2 Rationale and supplemental guidance
10.4 DM-3: Assessing security-related issues
10.4.1 Requirement
10.4.2 Rationale and supplemental guidance
45 10.5 DM-4: Addressing security-related issues
10.5.1 Requirement
10.5.2 Rationale and supplemental guidance
46 10.6 DM-5: Disclosing security-related issues
10.6.1 Requirement
10.6.2 Rationale and supplemental guidance
47 10.7 DM-6: Periodic review of security defect management practice
10.7.1 Requirement
10.7.2 Rationale and supplemental guidance
11 Practice 7 – Security update management
11.1 Purpose
11.2 SUM-1: Security update qualification
11.2.1 Requirement
11.2.2 Rationale and supplemental guidance
11.3 SUM-2: Security update documentation
11.3.1 Requirement
48 11.3.2 Rationale and supplemental guidance
11.4 SUM-3: Dependent component or operating system security update documentation
11.4.1 Requirement
11.4.2 Rationale and supplemental guidance
11.5 SUM-4: Security update delivery
11.5.1 Requirement
11.5.2 Rationale and supplemental guidance
49 11.6 SUM-5: Timely delivery of security patches
11.6.1 Requirement
11.6.2 Rationale and supplemental guidance
12 Practice 8 – Security guidelines
12.1 Purpose
12.2 SG-1: Product defense in depth
12.2.1 Requirement
50 12.2.2 Rationale and supplemental guidance
12.3 SG-2: Defense in depth measures expected in the environment
12.3.1 Requirement
12.3.2 Rationale and supplemental guidance
12.4 SG-3: Security hardening guidelines
12.4.1 Requirement
51 12.4.2 Rationale and supplemental guidance
12.5 SG-4: Secure disposal guidelines
12.5.1 Requirement
12.5.2 Rationale and supplemental guidance
12.6 SG-5: Secure operation guidelines
12.6.1 Requirement
52 12.6.2 Rationale and supplemental guidance
12.7 SG-6: Account management guidelines
12.7.1 Requirement
12.7.2 Rationale and supplemental guidance
12.8 SG-7: Documentation review
12.8.1 Requirement
12.8.2 Rationale and supplemental guidance
53 Annex A (informative) Possible metrics
55 Annex B (informative) Table of requirements
Table B.1 – Summary of all requirements
57 Bibliography