IEC 62443

In this laboratory we look concretely at how an organisation would assess its readiness for IEC 62443 certification. To do so, we take IEC 62443 Practice 8 - Security guidelines (SG) and ask whether you can spot the problems in the requirement definitions given here.

Preparation tasks

None, aside from having attended the course or having read the slides.

1. IEC 62443 Practice 8 - Security guidelines (SG)

Instructions

Review the following security documentation guidelines. Identify any errors or inconsistencies in the guidelines and explain why they are incorrect. That is, list every element you would consider erroneous if a device developed by a company following the guidelines stated below were to be used in a critical infrastructure.

Table columns: ID | Guideline | Comments | Rating
(The Comments and Rating columns are empty; they are for your own findings.)
SM-1 Product defense in depth
A process shall exist to create product user documentation that describes the security defense in depth strategy for the product to support installation, operation, and maintenance that includes:

a) security capabilities implemented by the product and their role in the defense in depth strategy;
b) threats addressed by the defense in depth strategy; and
c) product user mitigation strategies for known security risks associated with the product, including risks associated with legacy code.
SM-2 Defense in depth measures expected in the environment
A process shall be employed to create product user documentation that describes the security defense in depth measures expected to be provided by the external environment in which the product is to be used.
SM-3 Security hardening guidelines
A process shall be employed to create product user documentation that includes guidelines for hardening the product when installing and maintaining the product. The guidelines shall include, but are not limited to, instructions, rationale, and recommendations for the following:

a) integration of the product, including third-party components, with its product security context;
b) integration of the product’s application programming interfaces/protocols with user applications;
c) applying and maintaining the product’s defense in depth strategy;
d) configuration and use of security options/capabilities in support of local security policies, and for each security option/capability:
d.1) Its contribution to the product’s defense in depth strategy;
d.2) Descriptions of configurable and default values that include how each affects security along with any potential impact each has on work practices;
d.3) Setting/changing/deleting its value without requiring administrator approval;
e) instructions and recommendations for the use of all security-related tools and utilities that support administration, monitoring, incident handling, and evaluation of the security of the product;
f) instructions and recommendations for periodic security maintenance activities;
g) instructions for reporting security incidents for the product to the product supplier; and
h) description of the security best practices for maintenance and administration of the product.
SM-4 Secure disposal guidelines
A process shall be employed to create product user documentation that includes guidelines for removing the product from use. The guidelines shall include, but are not limited to, instructions and recommendations for the following:

a) removing the product from its intended environment;
b) including recommendations for removing references and configuration data stored within the environment;
c) secure removal of data stored in the product; and
d) secure disposal of the product to prevent potential disclosure of data contained in the product that could not be removed as described in c) above.
SM-5 Secure operation guidelines
A process shall be employed to create product user documentation that describes:

a) responsibilities and actions necessary for users, including administrators, to securely operate the product; and
b) assumptions regarding the behavior of the user/administrator and their relationship to the secure operation of the product.
SM-6 Account management guidelines
A process shall be employed to create product user documentation that defines user account requirements and recommendations associated with the use of the product that includes, but is not limited to:

a) user account permissions (access control) and privileges (user rights) needed to use the product, including, but not limited to operating system accounts, control system accounts, and database accounts; and
b) default accounts used by the product (for example, service accounts) and instructions for changing default account names, but passwords should remain unchanged for backward compatibility.
SM-7 Documentation review
A process shall be employed to identify, characterize, and track to closure errors and omissions in all user manuals, including the security guidelines, to include:

a) coverage of the product’s security capabilities;
b) integration of the product with its intended environment; and
c) assurance that all documented practices are secure.