Appendix 5
Additions to the IEC 62443 Standard

Table A5.1. Definitions of FRs

| Fundamental requirement | SL1 | SL2 | SL3 | SL4 |
|---|---|---|---|---|
| FR 1 – Identification and authentication control (IAC) |  |  |  |  |
| SR 1.1 – Human user identification and authentication | x | x | x | x |
| SR 1.1 RE 1 – Unique identification and authentication |  |  | x | x |
| SR 1.1 RE 2 – Multifactor authentication for untrusted networks |  |  | x | x |
| SR 1.1 RE 3 – Multifactor authentication for all networks |  |  |  | x |
| SR 1.2 – Software process and device identification and authentication |  | x | x | x |
| SR 1.2 RE 1 – Unique identification and authentication |  |  | x | x |
| SR 1.3 – Account management | x | x | x | x |
| SR 1.3 RE 1 – Unified account management |  |  | x | x |
| SR 1.4 – Identifier management | x | x | x | x |
| SR 1.5 – Authenticator management | x | x | x | x |
| SR 1.5 RE 1 – Hardware security for software process identity credentials |  |  | x | x |
| SR 1.6 – Wireless access management | x | x | x | x |
| SR 1.6 RE 1 – Unique identification and authentication |  |  | x | x |
| SR 1.7 – Strength of password-based authentication | x | x | x | x |
| SR 1.7 RE 1 – Password generation and lifetime restrictions for human users |  |  | x | x |
| SR 1.7 RE 2 – Password lifetime restrictions for all users |  |  |  | x |
| SR 1.8 – Public key infrastructure certificates |  | x | x | x |
| SR 1.9 – Strength of public key authentication |  | x | x | x |
| SR 1.9 RE 1 – Hardware security for public key authentication |  |  | x | x |
| SR 1.10 – Authenticator feedback | x | x | x | x |
| SR 1.11 – Unsuccessful login attempts | x | x | x | x |
| SR 1.12 – System use notification | x | x | x | x |
| SR 1.13 – Access via untrusted networks | x | x | x | x |
| SR 1.13 RE 1 – Explicit access request approval |  | x | x | x |
| FR 2 – Use control (UC) |  |  |  |  |
| SR 2.1 – Authorization enforcement | x | x | x | x |
| SR 2.1 RE 1 – Authorization enforcement for all users |  | x | x | x |
| SR 2.1 RE 2 – Permission mapping to roles |  | x | x | x |
| SR 2.1 RE 3 – Supervisor override |  |  | x | x |
| SR 2.1 RE 4 – Dual approval |  |  |  | x |
| SR 2.2 – Wireless use control | x | x | x | x |
| SR 2.2 RE 1 – Identify and report unauthorized wireless devices |  |  | x | x |
| SR 2.3 – Use control for portable and mobile devices | x | x | x | x |
| SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices |  |  | x | x |
| SR 2.4 – Mobile code | x | x | x | x |
| SR 2.4 RE 1 – Mobile code integrity check |  |  | x | x |
| SR 2.5 – Session lock | x | x | x | x |
| SR 2.6 – Remote session termination |  | x | x | x |
| SR 2.7 – Concurrent session control |  |  | x | x |
| SR 2.8 – Auditable events | x | x | x | x |
| SR 2.8 RE 1 – Centrally managed, system-wide audit trail |  |  | x | x |
| SR 2.9 – Audit storage capacity | x | x | x | x |
| SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached |  |  | x | x |
| SR 2.10 – Response to audit processing failures | x | x | x | x |
| SR 2.11 – Timestamps |  | x | x | x |
| SR 2.11 RE 1 – Internal time synchronization |  |  | x | x |
| SR 2.11 RE 2 – Protection of time source integrity |  |  |  | x |
| SR 2.12 – Non-repudiation |  |  | x | x |
| SR 2.12 RE 1 – Non-repudiation for all users |  |  |  | x |
| FR 3 – System integrity (SI) |  |  |  |  |
| SR 3.1 – Communication integrity | x | x | x | x |
| SR 3.1 RE 1 – Cryptographic integrity protection |  |  | x | x |
| SR 3.2 – Malicious code protection | x | x | x | x |
| SR 3.2 RE 1 – Malicious code protection on entry and exit points |  |  | x | x |
| SR 3.2 RE 2 – Central management and reporting for malicious code protection |  |  | x | x |
| SR 3.3 – Security functionality verification | x | x | x | x |
| SR 3.3 RE 1 – Automated mechanisms for security functionality verification |  |  | x | x |
| SR 3.3 RE 2 – Security functionality verification during normal operation |  |  |  | x |
| SR 3.4 – Software and information integrity |  | x | x | x |
| SR 3.4 RE 1 – Automated notification about integrity violations |  |  | x | x |
| SR 3.5 – Input validation | x | x | x | x |
| SR 3.6 – Deterministic output | x | x | x | x |
| SR 3.7 – Error handling |  | x | x | x |
| SR 3.8 – Session integrity |  | x | x | x |
| SR 3.8 RE 1 – Invalidation of session IDs after session termination |  |  | x | x |
| SR 3.8 RE 2 – Unique session ID generation |  |  | x | x |
| SR 3.8 RE 3 – Randomness of session IDs |  |  |  | x |
| SR 3.9 – Protection of audit information |  | x | x | x |
| SR 3.9 RE 1 – Audit records on write-once media |  |  |  | x |
| FR 4 – Data confidentiality (DC) |  |  |  |  |
| SR 4.1 – Information confidentiality | x | x | x | x |
| SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks |  |  | x | x |
| SR 4.1 RE 2 – Protection of confidentiality across zone boundaries |  |  |  | x |
| SR 4.2 – Information persistence |  | x | x | x |
| SR 4.2 RE 1 – Purging of shared memory resources |  |  | x | x |
| SR 4.3 – Use of cryptography | x | x | x | x |
| FR 5 – Restricted data flow (RDF) |  |  |  |  |
| SR 5.1 – Network segmentation | x | x | x | x |
| SR 5.1 RE 1 – Physical network segmentation |  | x | x | x |
| SR 5.1 RE 2 – Independence from non-control system networks |  |  | x | x |
| SR 5.1 RE 3 – Logical and physical isolation of critical networks |  |  |  | x |
| SR 5.2 – Zone boundary protection | x | x | x | x |
| SR 5.2 RE 1 – Deny by default, allow by exception |  | x | x | x |
| SR 5.2 RE 2 – Island mode |  |  | x | x |
| SR 5.2 RE 3 – Fail close |  |  | x | x |
| SR 5.3 – General purpose person-to-person communication restrictions | x | x | x | x |
| SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications |  |  | x | x |
| SR 5.4 – Application partitioning | x | x | x | x |
| FR 6 – Timely response to events (TRE) |  |  |  |  |
| SR 6.1 – Audit log accessibility | x | x | x | x |
| SR 6.1 RE 1 – Programmatic access to audit logs |  |  | x | x |
| SR 6.2 – Continuous monitoring |  | x | x | x |
| FR 7 – Resource availability (RA) |  |  |  |  |
| SR 7.1 – Denial of service protection | x | x | x | x |
| SR 7.1 RE 1 – Manage communication loads |  | x | x | x |
| SR 7.1 RE 2 – Limit DoS effects to other systems or networks |  |  | x | x |
| SR 7.2 – Resource management | x | x | x | x |
| SR 7.3 – Control system backup | x | x | x | x |
| SR 7.3 RE 1 – Backup verification |  | x | x | x |
| SR 7.3 RE 2 – Backup automation |  |  | x | x |
| SR 7.4 – Control system recovery and reconstitution | x | x | x | x |
| SR 7.5 – Emergency power | x | x | x | x |
| SR 7.6 – Network and security configuration settings | x | x | x | x |
| SR 7.6 RE 1 – Machine-readable reporting of current security settings |  |  | x | x |
| SR 7.7 – Least functionality | x | x | x | x |
| SR 7.8 – Control system component inventory |  | x | x | x |