
65/929/CD

COMMITTEE DRAFT (CD)

PROJECT NUMBER: IEC TS 62443-6-1 ED1

DATE OF CIRCULATION: 2022-05-13
CLOSING DATE FOR COMMENTS: 2022-08-05

SUPERSEDES DOCUMENTS: 65/828/NP, 65/859A/RVN

IEC TC 65: INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION

SECRETARIAT: France
SECRETARY: Mr Didier GIARRATANO

OF INTEREST TO THE FOLLOWING COMMITTEES:

FUNCTIONS CONCERNED:
EMC   ENVIRONMENT   QUALITY ASSURANCE   SAFETY

This document is still under study and subject to change. It should not be used for reference purposes.

Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.

TITLE:
Security evaluation methodology for IEC 62443 – Part 2-4: Security program requirements for
IACS service providers

NOTE FROM TC/SC OFFICERS:

Copyright © 2022 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.
65/929/CD –2– IEC (CD1) TS 62443-6-1 © IEC 2022

CONTENTS

INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, and acronyms
  3.1 Terms and definitions
  3.2 Abbreviated terms and acronyms
4 Document description
5 Methodology for the Evaluation
  5.1 Scoping of the subject under evaluation (SuE)
  5.2 Content of conformity statements and conformance evidence
  5.3 Evaluation of conformity statement and conformance evidence
  5.4 Particular Requirements for Evaluations related to ML-4
6 Table used for evaluation
  6.1 Acceptable evaluation criteria
  6.2 Conformance evidence related to maturity level ML-1
  6.3 Conformance evidence related to maturity level ML-2
  6.4 Conformance evidence related to maturity level ML-3
  6.5 Conformance evidence related to maturity level ML-4
  6.6 Table
Annex A Legend for Maturity Levels (informative)
Bibliography

Table 1 – Overview of acceptable evaluation criteria and examples of conformance evidence

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 6-1: Security evaluation methodology for IEC 62443 – Part 2-4:
Security program requirements for IACS service providers

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.

IEC TS 62443-6-1 has been prepared by IEC technical committee TC 65: Industrial-process
measurement, control and automation. It is a Technical Specification.

The text of this Technical Specification is based on the following documents:

Draft          Report on voting
XX/XX/DTS      XX/XX/RVDTS

Full information on the voting for its approval can be found in the report on voting indicated in
the above table.

The language used for the development of this Technical Specification is English.

This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at https://www.iec.ch/members_experts/refdocs. The main document types developed by IEC
are described in greater detail at https://www.iec.ch/standardsdev/publications.

The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be

• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

INTRODUCTION

Repeatable and comparable evaluations of a security program according to IEC 62443-2-4 Ed.
1.1 require a commonly agreed understanding of acceptable evaluation criteria and conformance
evidence.

This document supports service providers and evaluators in performing a conformity assessment by
evaluating the security program against the requirements of IEC 62443-2-4 Ed. 1.1.

This document includes examples of conformance evidence for the requested maturity level
provided by the service provider.

SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 6-1: Security evaluation methodology for IEC 62443 – Part 2-4:
Security program requirements for IACS service providers

1 Scope

This document specifies the evaluation methodology for conformance assessment of IEC
62443-2-4 Ed. 1.1.

This document is intended for first-party, second-party or third-party conformity assessment
activity, e.g. by product suppliers, service providers, asset owners and conformity assessment
bodies.

NOTE 1: IEC 62443-2-4 Ed. 1.1 specifies requirements for a security program executed by service providers to the asset
owner during integration and maintenance activities of an automation solution.

NOTE 2: The terms first-party conformity assessment activity, second-party conformity assessment activity and
third-party conformity assessment activity are defined in ISO/IEC 17000:2020.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.

IEC 62443-2-4 Ed. 1.1:2017, Security for industrial automation and control systems – Part 2-4:
Security program requirements for IACS service providers

IEC TS 62443-1-5 ED1, Security for industrial automation and control systems – Part 1-5:
Scheme for IEC 62443 cyber security profiles

[Editor’s note: The reference to IEC TS 62443-1-5 ED1 assumes that it is finalised before this
document. During the preparation of this CD document, IEC 62443-1-5 CD was published.]

3 Terms, definitions, abbreviated terms, and acronyms

3.1 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following
addresses:

• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp

3.1.1
evaluator
individual or organisation that performs an evaluation

[SOURCE: ISO/IEC 25000:2014, 4.10]

NOTE 1 to entry: An evaluator can act in the context of first-party, second-party or third-party conformity assessment
activity according to ISO/IEC 17000:2020.

3.1.2
evaluation
systematic determination of the extent to which the subject under evaluation (SuE) meets its specified
requirements

[SOURCE: ISO/IEC 12207:2008, 4.12]

3.1.3
evidence of existence
EoE
documentation created or provided as evidence that a process, procedures, templates and/or
checklists have been created to support service provider activities

3.1.4
examine
generate a verdict by analysis using evaluator expertise

[SOURCE: ISO/IEC 18045:2008, 3.7]

3.1.5
key performance indicator
KPI
metrics or other quantifiable measures used to evaluate effectiveness and performance of
processes, services etc.

Note 1 to entry: The key performance indicator can be used to assess the success of applied measures or to
demonstrate continuous improvement.

[SOURCE: ISO 18788:2015]

3.1.6
overall maturity level
maturity level which is assigned to the entire security program

Note 1 to entry: Maturity levels are specified in IEC 62443-2-4 Ed. 1.1:2017, Table 1.

3.1.7
process
set of interrelated or interacting activities that transforms input to output

[SOURCE: ISO 9000:2015]

3.1.8
project
integration/maintenance service execution for an asset owner by using a defined process
producing artefacts

3.1.9
proof of execution
PoE
documentation/artefacts on the execution of activities performed during the integration and
maintenance of an Automation Solution

Note 1 to entry: In general, evidence of existence is the baseline documentation used during the execution.

3.1.10
reference architecture
generic configuration of hardware and software elements used as initial system customized for
an asset owner during the service activity

[SOURCE: ISO/IEC 20547-3:2020, 3.2]

3.1.11
subject under evaluation
SuE
subject that was agreed to be evaluated, related to conformity to the standard, including
processes that apply to a reference architecture

Note 1 to entry: Subject under evaluation can be set equal to object of conformity assessment in ISO/IEC 17000:2020.

EXAMPLE 1 processes.

EXAMPLE 2 systems.

EXAMPLE 3 solutions.

EXAMPLE 4 components.

3.1.12
security program
portfolio of security services, including integration services and maintenance services, and their
associated policies, procedures, and products that are applicable to the IACS

Note to entry: The security program for IACS service providers refers to the policies and procedures defined by them
to address security concerns of the IACS.

[SOURCE: IEC 62443-2-4 Ed 1.1:2017, 3.1.18]

3.2 Abbreviated terms and acronyms

EoE   Evidence of Existence
FAT   Factory Acceptance Test
KPI   Key Performance Indicator
ML    Maturity Level
PoE   Proof of Execution
SAT   Site Acceptance Test
SIEM  Security Information and Event Management
SuE   Subject under Evaluation

4 Document description

This document contains two parts:

• Clause 5, which describes the methodology to be used for the evaluation of the security
  program as SuE for which the service provider claims conformity to IEC 62443-2-4 Ed. 1.1.
  Subclauses 5.1 to 5.3 describe which tasks have to be fulfilled during evaluation. Subclause
  5.4 shall only be followed when evaluating requirements against maturity level ML-4.
• Clause 6, which gives detailed information that shall be used to evaluate each requirement of IEC
  62443-2-4 Ed. 1.1. It specifies what kind of evidence is needed to fulfil the
  respective maturity level. Table 1 included in Clause 6 shows acceptable evaluation criteria
  and examples for conformance evidence for each requirement.

5 Methodology for the Evaluation

5.1 Scoping of the subject under evaluation (SuE)

The scope of SuE shall be specified and shall contain at least the following information:

• security program to which conformance to IEC 62443-2-4 Ed. 1.1 is claimed for an
  integration service, a maintenance service or both
• organization (unit, department(s)) that implements the security program as part of its
  integration service, a maintenance service or both
• security requirements of IEC 62443-2-4 Ed. 1.1 for which the service provider is claiming
  conformity; those may be all requirements, a particular requirements subset as specified by
  an IEC 62443 cyber security profile, or specific requirements
• requested maturity level, i.e. ML-1, ML-2, ML-3 or ML-4, for each requirement in scope.

Evaluations may be performed related to different maturity levels for various particular
requirements of IEC 62443-2-4 Ed. 1.1. Service providers are not required to select
a particular overall (summary) ML-value for the evaluation of a SuE.

NOTE 1: Requirements for cyber security profiles are specified in IEC 62443-1-5.

[Editor’s note: The reference to IEC TS 62443-1-5 ED1 assumes that it is finalised before this document. During the
preparation of this CD document, IEC 62443-1-5 CD was published.]

NOTE 2: The conformity assessment body may restrict the selection of requirements in the context of ISO/IEC
17000:2020 third-party conformity assessment activities.

NOTE 3: ML-1 does not provide for repeatability of security program execution. Evaluations in the context of ISO/IEC
17000:2020 third-party conformity assessment activities are only possible with ML-2 or higher.

5.2 Content of conformity statements and conformance evidence

To support claims of conformance, the service provider shall provide documented evidence to
support the maturity level for each requirement for which conformance is claimed. It may also
be necessary for the service provider to provide a conformity statement that explains how the
related requirement is fulfilled by the SuE for the requested maturity level. Table 1 provides
examples for conformance evidence.

For requirements not in scope:

• they shall be marked accordingly and
• the provision of conformity statement and conformance evidence as specified in Table 1 is
  not required.

For requirements which are in scope and not applicable:

• they shall be marked accordingly,
• a rationale or other evidence to support the evaluator examination of the respective
  requirement as not applicable shall be provided for each, and
• the provision of conformance evidence as specified in Table 1 is not required.

5.3 Evaluation of conformity statement and conformance evidence

The evaluator shall use the provided SuE scoping, conformity statements and conformance
evidence to evaluate the SuE. The evaluation process shall consist of an evaluation of each
requirement of IEC 62443-2-4 Ed. 1.1 in scope (incl. not applicable) by the following:

a) Examine that the conformity statement fulfills the requirement completely for the
   requested maturity level in scope. Table 1 contains acceptable evaluation criteria, which
   are intended to lead to an objective verdict.
b) Examine that the conformance evidence supports the conformity statement from a). The
   conformance evidence shall be valid and authentic. The requirements for conformance
   evidence of the respective maturity level in Subclauses 6.2 to 6.5 shall also be fulfilled.
   Table 1 contains examples of conformance evidence for each maturity level for
   guidance.
c) If the requirement is marked as not applicable, then the validity of this decision shall be
   examined on the basis of the rationale or evidence provided.

How often the evaluation process is repeated, e.g. to get a result, is beyond the scope of this
document.

NOTE: An overall level of ML-X (1-4) for a SuE may only be confirmed, if ML-X (or a higher ML-value) is evaluated
for all requirements of IEC 62443-2-4 Ed. 1.1 which are applicable for that SuE or included in the underlying cyber
security profile.

5.4 Particular Requirements for Evaluations related to ML-4

According to the specification of maturity level ML-4 in the standard IEC 62443-2-4 Ed. 1.1, and
as outlined further in Subclause 6.5, evaluations of SuE related to a declared maturity level ML-4
require a systematic control of the effectiveness and performance of the fulfilment of the
requirements by the SuE, and the demonstration of a continuous improvement of that fulfilment
over a period of time. An evaluation of a SuE for a maturity level of ML-4 shall therefore only
be performed at least one year after achieving maturity level ML-3 for the particular requirement.
The period over which the SuE demonstrates a systematic control, performance and continuous
improvement of the fulfilment shall therefore have the duration of at least one year.

6 Table used for evaluation

Table 1 may be used for the evaluation as described in Clause 5. It provides the following
columns:

• Columns A to C are the requirements of the standard IEC 62443-2-4 Ed. 1.1.
  NOTE 1: Each row in column C of Table 2 specifies a requirement for a process that the service provider
  can perform for the asset owner for the integration or maintenance of the Automation Solution. The text of
  each requirement description, therefore, begins with “The service provider shall have a process that can be
  performed for the asset owner to” to clarify that the IEC 62443-2-4 requirements are not to be interpreted
  as requirements for technical capabilities. Whether an asset owner requires the service provider to perform
  the process is beyond the scope of this document.
• Column D describes the acceptable evaluation criteria for these requirements.
• Columns E to F provide examples of conformance evidence which may be taken into account
  to support the related claims for compliance to those criteria for ML-1, ML-2, ML-3 and ML-4.

In addition to the examples for conformance evidence provided in Table 1 itself, the following
Subclauses 6.2 to 6.5 provide further considerations, which can help to understand and apply
the related examples of conformance evidence outlined in the table.

NOTE 2: For details on the definition of maturity levels ML-1, ML-2, ML-3 and ML-4, see IEC 62443-2-4 Ed. 1.1.

6.1 Acceptable evaluation criteria

The acceptable evaluation criteria are intended to be an orientation for the evaluator in order
to achieve a comparable evaluation result as far as possible. Since the requirements are usually
very long and can contain “multiple shalls”, the acceptable evaluation criteria are often divided
into several points. This division of the criteria is intended to increase the comprehensibility of
the requirement and to achieve an interpretation of the requirement that is as uniform as possible.

6.2 Conformance evidence related to maturity level ML-1

For maturity level ML-1, the service provider typically performs the service in an ad-hoc and
often undocumented (or not fully documented) manner. Therefore, the related project
documentation often does not exist or is incomplete and correspondingly other types of
evidence have to be considered, e.g. the record from an evaluation interview or a statement
of work under contract with the asset owner.

6.3 Conformance evidence related to maturity level ML-2

For maturity level ML-2, the service provider is required by IEC 62443-2-4 Ed. 1.1 to provide its
service process according to repeatable, written policies. Evaluation activities for maturity level
ML-2 therefore particularly focus on the examination of the availability and validity of
documented processes for those services, and of the availability of training materials and
training records demonstrating that the personnel (incl. subcontractors and consultants) follow
those processes in a repeatable way, and that they possess the required qualifications. The
related documentation is referred to as EoE.

6.4 Conformance evidence related to maturity level ML-3

According to the specification of maturity level ML-3 in the standard IEC 62443-2-4 Ed. 1.1, and
as outlined further in Table 1 below, processes related to a declared maturity level
ML-3 are required to have been practiced for an asset owner.

For conformity to maturity level ML-3, the conformity of the SuE shall be successfully evaluated
to ML-2. In addition, conformance evidence shall show that the ML-2 conformant process was
performed for at least one asset owner. The related documentation is referred to as PoE.

For conformance evidence related to maturity level ML-3, the following aspects are appropriate
to be considered:

• ML-3 conformance evidence cannot always be internally available at the service provider's
  organization, but can be under the control of the respective asset owner, or other third
  parties. For example, the service provider has to respect the NDA conditions of its clients.
  Hence, availability of such evidence can depend on the consent of its respective owner.
• For particular requirements, it can be uncommon in service projects to generate artefacts
  as ML-3 conformance evidence.
• Certain requirements depend on the availability of input that is under the responsibility of
  the asset owner (e.g. written Management-of-Change processes, or asset owner policies
  which need to be followed). It can be the case that such input from the asset owner's side
  has not been made available to the service provider or ML-3 conformance evidence is
  provided in an anonymized or sanitized form.

In particular, implicit conformance evidence which can be generated by the service provider
itself without dependencies on any third parties that are not involved in the evaluation shall be
considered.

6.5 Conformance evidence related to maturity level ML-4

For conformity to maturity level ML-4, the conformity of the SuE shall be successfully evaluated
to ML-3. In addition, conformance evidence shall show:

• The specification of the performance indicators or similar metrics for the SuE which are used
  to measure the delivery, effectiveness and performance related to the standard IEC 62443-2-4
  Ed. 1.1
• The documented process or procedure specifying the application of those performance
  indicators or similar metrics for continuous improvement
• Conformance evidence demonstrating the continuous improvements related to those
  performance indicators or metrics over a significant period of time. Such a continuous
  improvement is determined and documented at a related internal audit or management
  meeting. The detailed report of those audit/meetings demonstrating the improvement is an
  acceptable ML-4 conformance evidence.
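
Added example (not part of the IEC draft): a Python sketch of how an evaluator's worksheet could be checked against the scoping rules of 5.1, 5.2 and 5.4 and how the overall level from the NOTE in 5.3 follows from per-requirement results. The record layout, function names and sample values are assumptions made for illustration; only the requirement IDs and the rules come from this document.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Set


class Scope(Enum):
    IN_SCOPE = "in scope"
    NOT_IN_SCOPE = "not in scope"
    NOT_APPLICABLE = "in scope, not applicable"


@dataclass
class Record:
    """One requirement in the evaluator's worksheet (layout is an assumption)."""
    req_id: str                          # e.g. "SP.01.01 BR"
    scope: Scope
    requested_ml: Optional[int] = None   # 1..4, chosen per requirement (5.1)
    evaluated_ml: Optional[int] = None   # highest ML the evaluator confirmed
    rationale: str = ""                  # required when not applicable (5.2)
    ml3_achieved: Optional[date] = None  # date ML-3 was achieved (5.4)


def one_year_after(d: date) -> date:
    """Calendar anniversary; 29 February maps to 1 March (assumption)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return date(d.year + 1, 3, 1)


def scoping_findings(records: List[Record], evaluation_date: date,
                     third_party: bool) -> List[str]:
    """Return the scoping problems that block an evaluation."""
    findings = []
    for r in records:
        if r.scope is Scope.NOT_IN_SCOPE:
            continue  # 5.2: marked only, no statement or evidence required
        if r.scope is Scope.NOT_APPLICABLE:
            if not r.rationale.strip():
                findings.append(f"{r.req_id}: not applicable without rationale (5.2)")
            continue
        if r.requested_ml not in (1, 2, 3, 4):
            findings.append(f"{r.req_id}: requested ML missing or invalid (5.1)")
            continue
        if third_party and r.requested_ml < 2:
            findings.append(f"{r.req_id}: third-party needs ML-2 or higher (5.1 NOTE 3)")
        if r.requested_ml == 4 and (
            r.ml3_achieved is None
            or evaluation_date < one_year_after(r.ml3_achieved)
        ):
            findings.append(f"{r.req_id}: ML-4 less than one year after ML-3 (5.4)")
    return findings


def overall_maturity_level(records: List[Record],
                           profile: Optional[Set[str]] = None) -> Optional[int]:
    """Highest ML-X confirmable for the whole SuE (5.3 NOTE), else None.

    Reading used here: every applicable requirement, or every requirement
    of the given profile, must have been evaluated; the overall level is
    the lowest evaluated level among them.
    """
    needed = [r for r in records
              if r.scope is not Scope.NOT_APPLICABLE
              and (profile is None or r.req_id in profile)]
    if not needed:
        return None
    levels = []
    for r in needed:
        if r.scope is Scope.NOT_IN_SCOPE or r.evaluated_ml is None:
            return None  # an unevaluated requirement blocks any overall level
        levels.append(r.evaluated_ml)
    return min(levels)


# Constructed sample worksheet; levels and dates are invented for the example.
SAMPLE = [
    Record("SP.01.01 BR", Scope.IN_SCOPE, requested_ml=4, evaluated_ml=3,
           ml3_achieved=date(2024, 3, 1)),
    Record("SP.01.01 RE(1)", Scope.NOT_APPLICABLE),
    Record("SP.01.02 BR", Scope.IN_SCOPE, requested_ml=1, evaluated_ml=1),
]

if __name__ == "__main__":
    for finding in scoping_findings(SAMPLE, date(2024, 11, 15), third_party=True):
        print(finding)
    print("overall ML:", overall_maturity_level(SAMPLE))
```
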
372 6.6 Table

373 Table 1 – Overview of acceptable evaluation criteria and examples of conformance evidence

A B C D E F G H

Summary Level IEC IEC 62443-2-4 Requirement Acceptable Evaluation Example ML-1 Examples for ML-2 Examples for Examples for additional
62443-2- Criteria Conformance Conformance Evidence additional ML-3 ML-4 Conformance
4 ID Evidence (see Clause 6.3) Conformance Evidence of continuous
(see Clause 6.2) EoE Evidence process improvement
(see Clause 6.4) (see Clause 6.5)
EoE+PoE
Solution Staffing SP.01.01 The service provider shall have 1) The service provider shall Examples of 1) Documented process 1) List of all the Staff 1) KPI: Training coverage
BR the capability to ensure that it have a process that can be Execution that involved in the project statistics
assigns only service provider performed for the asset owner service provider 2) Initial Training who have been security
personnel to Automation Solution to inform and assign has met the materials/records of participation role-based trained 2) periodical review on
related activities who have been personnel to the Automation requirement at (i.e. first participants are trained), training contents
informed of and comply with the Solution least for one automated training logs 2) Solution staffing list
responsibilities, policies, and customer e.g.: matches with trained
procedures required by this 2) The process includes a 3) Security personnel at training
document verification/validation step 1) Project manual/handbook/policy or other record
that only informed personnel documentation documentation that is required
is assigned reading for personnel prior to their
2) Interviews assignment to the Solution
3) The training content shall
include IEC 62443-2-4 topics

4) The service provider


personnel shall accept his/her
responsibility to comply with
the security aspects that
he/she has been informed
IEC (CD1) TS 62443-6-1 © IEC 2022 – 13 – 65/929/CD
A B C D E F G H

Summary Level IEC IEC 62443-2-4 Requirement Acceptable Evaluation Example ML-1 Examples for ML-2 Examples for Examples for additional
62443-2- Criteria Conformance Conformance Evidence additional ML-3 ML-4 Conformance
4 ID Evidence (see Clause 6.3) Conformance Evidence of continuous
(see Clause 6.2) EoE Evidence process improvement
(see Clause 6.4) (see Clause 6.5)
EoE+PoE
Solution Staffing SP.01.01 The service provider shall have 1) The service provider shall Examples of 1) Documented process 1) List of all the Staff 1) KPI: Training coverage
RE(1) the capability to ensure that it have a process that can be Execution that involved in the project statistics
assigns only subcontractor or performed for the asset owner service provider 2) Initial Training who have been security
consultant personnel to to inform and assign has met the materials/records of participation role-based trained 2) periodical review on
Automation Solution related subcontractor or consultant requirement at (i.e. first participants are trained), training contents
activities who have been personnel to the Automation least for one automated training logs 2) Solution staffing list
informed of and comply with the Solution customer e.g.: matches with trained
responsibilities, policies, and 3) Security personnel at training
procedures required by this 2) The process includes a 1) Project manual/handbook/policy or other record
document. verification/validation step documentation documentation that is required
that only informed reading for personnel prior to their
subcontractor or consultant 2) Interviews assignment to the Solution
personnel is assigned

3) The training content shall


include IEC 62443-2-4 topics

4) The service provider


subcontractor or consultant
personnel shall accept his/her
responsibility to comply with
the security aspects that
he/she has been informed
65/929/CD – 14 – IEC (CD1) TS 62443-6-1 © IEC 2022
A B C D E F G H

Summary Level IEC IEC 62443-2-4 Requirement Acceptable Evaluation Example ML-1 Examples for ML-2 Examples for Examples for additional
62443-2- Criteria Conformance Conformance Evidence additional ML-3 ML-4 Conformance
4 ID Evidence (see Clause 6.3) Conformance Evidence of continuous
(see Clause 6.2) EoE Evidence process improvement
(see Clause 6.4) (see Clause 6.5)
EoE+PoE
Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.02 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only service provider, subcontractor or consultant personnel to Automation Solution related activities who have been informed of and comply with the security-related responsibilities, policies, and procedures required by the asset owner.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to:
1) determine the asset owner's security requirements, policies and procedures
2) make its personnel aware of their responsibilities to comply with these security requirements, policies and procedures
3) direct its subcontractors and consultants to comply with this requirement

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process
2) verification/validation step that these obtained requirements will be respected/followed by the personnel e.g. checklist template for obtaining asset owner’s requirements
3) policy on subcontractors or subcontractor agreement template
4) Training materials/records security manual/handbook or other documentation that is required reading for personnel prior to their assignment to the Solution

Examples for additional ML-3 Conformance Evidence:
1) Participant list / attestation of personnel for the asset owner required training about its responsibilities, policies and procedures
2) asset owner agreement
3) subcontractor agreements
4) Completed checklist for particular automation solution

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) The service provider agrees with asset owner(s) on a feedback channel on a continuous basis.
2) The service provider demonstrates continuous improvements related to the feedback from asset owner(s).

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.02 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only service provider, subcontractor or consultant personnel to Automation Solution related activities who have been informed of and comply with the asset owner’s Management of Change (MoC) and Permit To Work (PtW) processes for changes involving devices, workstations, and servers and connections between them.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to:
1) determine the asset owner’s Management of Change (MoC) and Permit to Work (PtW) processes,
2) make its personnel aware of their individual responsibilities required to support these processes
3) direct its subcontractors and consultants to comply with this requirement.

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented Process
2) Checklists for following related asset owner(s) processes
3) policy on subcontractors or subcontractor agreement template
4) Training materials/records security manual/handbook or other documentation on MoC and PtW processes, that is required reading for personnel prior to their assignment to the Solution
5) Checklist for obtaining asset owner’s requirements

Examples for additional ML-3 Conformance Evidence:
1) Record on MoC of the customer was followed
2) Record on PtW of customer was followed especially on asset owner’s site
3) subcontractor agreements, if subcontractors were involved

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) The service provider agrees with asset owner(s) on a feedback channel related to MoC and PtW on a continuous basis.
2) The service provider demonstrates continuous improvements related to the feedback based on MoC and PtW from asset owner(s)

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.03 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only service provider personnel to Automation Solution related activities who have been informed of and comply with the policies, procedures, and contractual obligations required to protect the confidentiality of the asset owner's data.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to:
1) protect the confidentiality of asset owner’s data
2) make its personnel aware on the confidentiality agreements with the asset owner
3) direct its personnel to comply with this requirement.

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process about confidentiality protection
2) Data classification policy
3) HR related policies and procedures such as training materials/record Template, including process to be used to identify and protect sensitive data
3) Security manual for confidentiality requirements
4) Confidentiality agreement template, e.g. NDA template

Examples for additional ML-3 Conformance Evidence:
1) NDA stating protection of the confidentiality of asset owner's data
2) Training records for assigned personnel about protection of sensitive data
3) policy enforcement like work contract for assigned personnel

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: amount and severity of detected confidentiality breaches
2) Confidentiality issues reach the value “0” over a period of time
3) Satisfaction of Asset owner (via feedback) on confidentiality protection by service provider continuously improves

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.03 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only subcontractors, consultants, and representatives to Automation Solution related activities who have been informed of and comply with the policies and procedures required to protect the confidentiality of the asset owner's data.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to assign subcontractors or consultant personnel to:
1) protect the confidentiality of asset owner’s data
2) make its personnel aware of the confidentiality agreements with the asset owner
3) direct its personnel to comply with this requirement

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) subcontractor agreement template including enforcement of protecting asset owner’s data
2) Checklists/templates used by subcontractors and/or consultants for protection of asset owner data

Examples for additional ML-3 Conformance Evidence:
1) NDA between service provider and subcontractor stating protecting the confidentiality of asset owner's data
2) subcontractor agreements like work contracts with confidentiality clauses

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: amount and severity of detected confidentiality breaches by subcontractors/consultants
2) Confidentiality issues reach the value “0” over a period of time
3) Satisfaction of Asset owner (via feedback) on confidentiality protection by subcontractors/consultants continuously improves

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.04 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only service provider personnel to Automation Solution related activities who have successfully passed security-related background checks, where feasible, and to the extent allowed by applicable law.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to ensure that assigned personnel:
1) have successfully passed security related background checks

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process for conducting background checks
2) Background check template used by the service provider
3) Documents like service contracts, work contracts etc. which include related sections for background checks

Examples for additional ML-3 Conformance Evidence:
1) Background checks were performed according to the applicable legal framework and usual industry specific rules

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Background checks successfully and consistently applied for a significant time frame

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.04 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it assigns only subcontractors, consultants, and representatives to Automation Solution related activities who have successfully passed security-related background checks where feasible, and to the extent allowed by applicable law.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that assigned subcontractor/consultants/representatives:
1) have successfully passed security related background checks

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented Process for conducting background checks for subcontractor/consultants/representatives
2) Background check template used for subcontractor/consultant/representative
3) 3rd party contract for performing background checks on subcontractor/consultants/representatives
4) usage of blacklists for subcontractors/consultants/representatives

Examples for additional ML-3 Conformance Evidence:
1) Background checks were performed according to the applicable legal framework and usual industry specific rules for subcontractor/consultants/representatives

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Background checks successfully and consistently applied for a significant time frame for subcontractor/consultants/representatives

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.05 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to assign a security contact in its organization to the Automation Solution who is responsible and accountable for the following activities.
1) Acting as liaison with the asset owner, as appropriate, about the service provider's and the Automation Solution's adherence to the Part 2-4 requirements that are required by the asset owner.
2) Communicating the service provider’s point-of-view on IACS security to the asset owner's staff.
3) Ensuring that tenders to the asset owner are aligned and in compliance with the Part 2-4 requirements specified as required by the asset owner and the service provider’s internal IACS security requirements.
4) Communicating to the asset owner deviations from, or other issues not conforming with, the Part 2-4 requirements that are required by the asset owner. This includes deviations between these requirements and the service provider's internal requirements.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that security contacts have been assigned and qualified. This includes defined role(s) meeting the items 1) to 4) of the requirement.
The security contact shall accept its responsibility.

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Role description including related support by the management
2) Documented process for selecting a qualified individual (e.g. Management or Human Resources policy for staffing positions)

Examples for additional ML-3 Conformance Evidence:
1) Solution organization chart showing this position
2) Role assignment letter and acceptance of the person in the project organization in the form of a meeting protocol or a declaration of consent

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) No. of projects with allocated security contact is 100% for a longer period of time
2) Role description for security contact is continuously improved based on experiences from projects, discussions and feedback from asset owner
3) Increasing and maintaining the capability of the security contact like keeping up to date with security issues

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.06 BR

IEC 62443-2-4 Requirement:
The service provider shall have documented minimum IACS cyber-security qualifications for security lead positions and the capability to assign security leads to Automation Solutions who meet these qualifications.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that security leads for automation solution are assigned and are qualified for this role.

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented role description including minimum IACS cyber-security qualifications
2) Documented process for selecting a qualified individual (e.g. Management or Human Resources policy for staffing positions)
3) Appointment letter template including checks of qualification

Examples for additional ML-3 Conformance Evidence:
1) Solution organization chart showing this position
2) Role assignment letter

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) No. of projects with allocated security leads is 100% for a longer period of time
2) Increase of cyber security expertise of security leads for example by experiences, trainings and certifications
3) Role description for security lead is continuously improved based on experiences from projects, including feedback from asset owner

Summary Level: Solution Staffing
IEC 62443-2-4 ID: SP.01.07 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to notify the asset owner of changes in service provider, subcontractor, or consultant personnel who have access to the Automation Solution.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to inform the asset owner of changes to:
1) New personnel who needs to get access to the solution
2) Personnel who no longer needs access to the solution

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process for promptly notifying the asset owner about the change of personnel
2) Documented process agreed with the asset owner which personnel changes require notification
3) Form/Template for personnel change notification

Examples for additional ML-3 Conformance Evidence:
1) Completed form for personnel change notification
2) Central repository of personnel with access to the automation solution for example ticketing system
3) Secure e-mail notifications

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Execution time until Asset owner is informed about change of personnel

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.01 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to provide documentation that verifies that Automation Solution components identified by the asset owner (e.g. as result of a security assessment, threat analysis, and/or security testing) have adequate security for their level of risk.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to identify:
1) The documentation that it has or that it can generate (e.g. via a risk assessment - see SP.03.01BR) to confirm that components have adequate security for their intended use in the asset owner's Automation Solution.

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Risk analysis procedure to identify critical components and their level of risk, or obtain them from the asset owner
2) One or more of the following:
a) Component artefacts, such as security requirements, defence-in-depth designs
b) Description of compensating counter measures used to bring the component to the adequate security for their risk level as applicable.

Examples for additional ML-3 Conformance Evidence:
1) Security certificates for secure components
2) Security testing results
2) Performed security assessments such as risk assessments, threat analysis or vulnerability assessments that indicate an acceptable risk for a component

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Continuous improvement of security test results for components
2) Continuous risk mitigation related to components of automation solution

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.02 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to recommend security analysis tools (e.g. network scanning tools) for use with the Automation Solution and:
1) Provide instructions on how to use them,
2) Identify any known adverse effects they may have on the Automation Solution's performance,
3) Provide recommendations for how to avoid adverse effects.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner:
1) To identify security analysis tools that it has validated and is prepared to be used
2) To create and maintain the associated documentation that describes how to use them safely
The documentation shall include the points covered in 1) to 3) of the requirement

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Process of recommending security analysis tools including the creation and maintenance of documentation for point 1 to 3 of the requirement
2) List of recommended security analysis tools for particular reference architecture
3) User manuals or references to online user manuals
4) Descriptions of potential adverse effects, including instructions for avoiding these adverse effects.

Examples for additional ML-3 Conformance Evidence:
1) A list of tools that the service provider has approved for use for an automation solution
2) Documentation including how identified adverse effects have been avoided
3) Tool approval by the asset owner

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Maintenance and continuous update of the list of approved security analysis tools, when applicable also based on experiences from identified adverse effects
2) List of approved security analysis tools are always state of the art
3) KPI: No. and severity of occurred adverse effects

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.02 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that it obtains approval from the asset owner prior to using security analysis tools (e.g. network scans) at the asset owner's site.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that security analysis tools are used only with asset owner approval

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process for obtaining asset owner’s approval
2) Checklist for obtaining asset owner’s approval used by this process
3) Approval template for the asset owner

Examples for additional ML-3 Conformance Evidence:
1) Documented approval/agreement between service provider and asset owner for using security analysis tool at asset owner's site
2) Completed related checklists or templates

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: No. of tool usages without the prior approval of the asset owner

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.02 RE(2)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to schedule and use security analysis tools to discover undocumented and/or unauthorized systems or vulnerabilities in the Automation Solution. This capability shall include the ability to use these tools in accordance with the asset owner’s standard operating procedures.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner:
1) To identify security analysis tools that can be used to discover hidden devices (IP addresses)
2) To identify the security analysis tools that it can use to discover vulnerabilities for example undocumented open TCP/UDP ports
3) To ensure that these tools can be used only at times approved by the asset owner and in a way that is consistent with asset owner practices

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Documented process to identify security analysis tools that can be used to discover hidden devices and TCP/UDP ports
2) Process directing solution personnel to use these tools only at the times approved by the asset owner
3) Process directing solution personnel to ensure the use of these tools does not interfere with asset owner practices and standard operating procedures

Examples for additional ML-3 Conformance Evidence:
1) live demo of the security analysis tools during conformity assessment
2) asset owner approval for compliance with its standard operating procedures

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: No. of identified undocumented or unauthorized systems
2) KPI: No. of identified vulnerabilities

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.02 RE(3)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure the control system components used in the Automation Solution have the ability to maintain operation of essential control system functions in the presence of system and/or network scans during normal operation.

Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner for selecting and using control system components for solution or particular reference architecture which can withstand scanning by system or network scans
2) The service provider shall specify which criteria applies for normal operation of its components in a solution or particular reference architecture

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Defined normal operation/essential control system function for the related Automation Solution
2) Process to implement technical test cases for verification to withstand scanning by system or network scans under normal operation

Examples for additional ML-3 Conformance Evidence:
1) Security certificates for secure components, fuzz testing, communications robustness, etc.
2) System or network scan test results as they relate to the component,
3) Applicable product supplier test results

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Test results for control system components for robustness are verified periodically
2) Continuous improvement on the methods to ensure robustness
3) Improvement continuous monitoring of the test results
4) Improvement on identifying and mitigation of vulnerabilities that might affect robustness

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.03 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to provide documentation to the asset owner that describes how to harden the Automation Solution.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to create and maintain hardening documentation for the Automation Solution, that is based on hardening documentation for the included control system/components

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
Process which includes for instance one or more of the following:
1) Hardening guide,
2) Reference defense-in-depth architecture with configuration instructions
3) Recommended component/system security configurations

Examples for additional ML-3 Conformance Evidence:
Checking of hardening documentation as built for a project, including implementation of defense-in-depth configuration strategy (firewall rules, least privilege, least functionality, etc.)

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Continuous improvement on attack surface reduction

Summary Level: Assurance
IEC 62443-2-4 ID: SP.02.03 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to verify that its security hardening guidelines and procedures are followed during Automation Solution related activities.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to verify that its hardening guidelines are followed

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Procedures for validation completion of hardening activities e.g. during FAT/SAT
2) Verification checklist to be completed during hardening activities

Examples for additional ML-3 Conformance Evidence:
1) Completed checklist about completed hardening activities
2) Hardening report

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Completeness of performed hardening activities
2) KPI: Hardening issues reach the value “0” for a significant period of time.
Examples of hardening issue are:
• Undocumented identified TCP/UDP ports,
• unintended accessible services

Summary Level: Solution Hardening
IEC 62443-2-4 ID: SP.03.01 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to conduct a security risk assessment of the Automation Solution or contribute to (participate in) a security risk assessment conducted by the asset owner or its agent.
NOTE 1 The asset owner may additionally require the service provider to document its assessment. The “Doc?” column is set to “No” because this is a requirement to have the capability to perform the assessment and not a requirement to provide documentation.

Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner for conducting a risk assessment and defined triggers when to do.
2) The service provider shall have personnel (employees, consultants, contractors/subcontractors) capable of leading or actively participating in a risk assessment of the Solution
3) The service provider shall have a process that can be performed for the asset owner to obtain the risk parameters from the asset owner
Example of such risk parameters are:
• Possible Financial damage on unavailability of the automation solution
• Compromises of integrity and confidentiality of automation solution data
• Breaches of regulatory requirements

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Written procedures for conducting risk assessments including definition of risk, impact and level of acceptable risk including:
• Training courses for risk assessment
• Written templates for risk assessments
2) Process for using asset owner risk assessment methodologies
3) Personnel with expertise in risk assessments: resumes, training records

Examples for additional ML-3 Conformance Evidence:
1) Risk assessment report
2) Documented cooperation with asset owner on risk assessment

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvements of risk assessment methodology
2) Improvement of the expertise of staff related to risk assessment
3) Positive feedbacks from asset owners on risk assessment co-operations

Summary Level: Solution Hardening
IEC 62443-2-4 ID: SP.03.01 RE(1)

IEC 62443-2-4 Requirement:
The service provider shall inform the asset owner of the results of security risk assessments that it performs on the Automation Solution, including risk mitigation mechanisms and procedures.

Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner to report risk assessment results (including risk mitigation mechanisms/procedures and not mitigated residual risks) to the asset owner

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Process for reviewing and reporting risk assessments,
2) Policies for using asset owner risk assessment methodologies
3) Training courses for risk assessment review and reporting
4) Templates for communication of risk assessment results

Examples for additional ML-3 Conformance Evidence:
1) Reported risk assessment results e.g.
• Completed communication template
2) Documentation of risk mitigation mechanisms and procedures for asset owner

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Positive feedbacks from asset owners on communication about risk assessment

Summary Level: Solution Hardening
IEC 62443-2-4 ID: SP.03.01 RE(2)

IEC 62443-2-4 Requirement:
The service provider shall have the capability to verify that security architecture reviews and/or security assessment and/or threat analysis of the control system used in the Automation Solution have been conducted by a third party.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to verify to the asset owner that a security assessment/threat analysis was conducted by a third party on the control system used in the Automation Solution

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Process for obtaining a 3rd party assessment
2) Process to select third party
3) List of potential third parties

Examples for additional ML-3 Conformance Evidence:
1) 3rd party assessment report/results

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Monitoring of third-party performance

Summary Level: Network Security
IEC 62443-2-4 ID: SP.03.02 BR

IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that the physical network segmentation architecture used in the Automation Solution, including its use of network security devices or equivalent mechanisms, is implemented according to the Automation Solution design approved by the asset owner.

Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that approved network segmentation is implemented and verified according to the Automation Solution design approved by the asset owner

Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 Conformance Evidence:
1) Process for the implementation of the approved network segmentation architecture and the configuration of its network security devices and related checklist
2) Security test cases that verify the network segmentation e.g. during FAT/SAT
3) verification process/checklist to ensure that changes do not negatively impact the approved network segmentation

Examples for additional ML-3 Conformance Evidence:
1) network segmentation design/architecture,
2) Completed Checklists/test records
3) as-built drawings of network segmentation

Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: Network segmentation architectures meeting design requirement of the asset owner
2) Network security devices or equivalent mechanisms used in the network segmentation are always state of the art
3) Positive feedback from asset owner on accordance of network segment architecture with approved design for the automation solution
4) Feedback from project member personnel is continuously integrated into network segmentation architecture

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.02 RE(1)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to identify and document the network segments of the Automation Solution and their interfaces to other network segments, including external networks, and for each interface designate whether it is trusted or untrusted.
D Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner to identify and document the network segmentation architecture for the Solution
2) The service provider shall have a process that can be performed for the asset owner to identify interfaces as trusted or untrusted e.g. by risk assessments
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Process identifies and documents network segments and the interfaces between them, including the criteria it uses for determining which interfaces of the Solution are considered untrusted
2) Reference architecture documentation and procedures/checklist for adapting it to the asset owner's Automation Solution
3) Checklist for identification of network segments and interfaces, and for determination of trustworthiness
G Examples for additional ML-3 Conformance Evidence:
1) documentation of network segments including interfaces and designation of trusted or untrusted
2) as-built drawings of network segmentation
H Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement of process to determine interfaces as trusted or untrusted
2) Feedback from project member personnel is continuously integrated into network segmentation architecture for trusted or untrusted interfaces

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.02 RE(2)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that interfaces of the Automation Solution that have been identified as untrusted are protected by network security devices or equivalent mechanisms, with documented and maintained security rules. At a minimum, the following shall be protected:
1) External interfaces
2) Level 2/Level 3 interfaces (see NOTE 2 below)
3) Interfaces between the BPCS and the SIS
4) Interfaces connecting wired and wireless BPCS networks
5) Interfaces connecting the BPCS to data warehouses (e.g. enterprise historians)
NOTE 1 For some, responsibility for maintaining firewall rules and documentation transfers to the asset owner prior to or at Automation Solution turnover. In this case, the service provider’s role may be, as required by the asset owner, only to support verification that the firewall rules are accurate and up-to-date.
NOTE 2 Depending on the Automation Solution, Level 2/Level 3 interfaces may be “External” interface.
D Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner to conduct risk assessment to verify that identified untrusted network interfaces have adequate protection
2) The protection mechanisms shall be documented and their effectiveness shall be ensured.
3) The process shall as a minimum ensure protection related to 1) to 5) of the requirement
NOTE The term "Level" in point 2) of the requirement refers to the position in the Purdue Reference Model as standardized by ISA 95 and IEC 62264-1 (see clause 5.3).
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process for Risk assessment to protect untrusted interfaces, at least covering the interfaces of 1) to 5) of the requirement
2) Process for the implementation, configuration, and test of identified protection mechanisms
3) Template for security rules on used network security devices and/or equivalent mechanisms e.g. firewall configurations
4) Checklist used for implementation, configuration and test
G Examples for additional ML-3 Conformance Evidence:
1) used protection mechanisms on untrusted interfaces as-built
2) record on configuration and testing of these mechanisms
3) Documented security rules on used network security devices and/or equivalent mechanisms
H Examples for additional ML-4 Conformance Evidence:
1) The mechanisms used for protection of untrusted interfaces are reviewed and improved periodically
2) Maintenance and continuous improvement of suitable reference architectures
3) Firewalls and configured rules are always state of the art

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.03 BR
C IEC 62443-2-4 Requirement:
The service provider shall have capabilities for handling vulnerabilities that affect the Automation Solution, including its related policies and procedures. These capabilities shall address:
1) The handling of vulnerabilities newly discovered in the Automation Solution or in its related policies and procedures for which the service provider is responsible, and
2) The handling of publicly disclosed vulnerabilities affecting the Automation Solution.
D Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner to describe its vulnerability handling process.
2) The handling of vulnerabilities from newly discovered and publicly disclosed shall be included.
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Process for vulnerability handling including who (by role/position) in the organization is responsible for handling them including defined evaluation if Automation Solution is affected
2) Monitoring process to identify publicly disclosed vulnerabilities that may affect the automation solution, including list of identified sources of information being monitored e.g. https://cve.mitre.org/cve/
G Examples for additional ML-3 Conformance Evidence:
1) Reports on identified and handled vulnerabilities
2) Remediation solutions for vulnerabilities
H Examples for additional ML-4 Conformance Evidence:
1) KPI: Effectiveness of vulnerability handling mechanisms including reaction time

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.03 RE(1)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to provide documentation to the asset owner that describes how to mitigate security weaknesses inherent in the design and/or implementation of communication protocols used in the Automation Solution that were known prior to Automation Solution integration or maintenance activities.
D Acceptable Evaluation Criteria:
1) The service provider shall have a process that can be performed for the asset owner to reduce the impact of communications protocols that are vulnerable to attack or how it can protect them from being attacked
2) The service provider shall have a process that can be performed for the asset owner to communicate the weaknesses and associated mitigation result with the asset owner
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process on analysing and identifying weaknesses in communication protocols (e.g. by robustness tests), and on mitigating those weaknesses and on documenting them
2) Documented process on the communication with the asset owner related to communication protocol risks and weaknesses, including related recommendations for protection measures
3) Robustness testing results and their mitigation for a reference architecture
G Examples for additional ML-3 Conformance Evidence:
1) Documentation as approved by the asset owner describing the implemented mitigations and weaknesses for the communication protocols
2) Robustness testing results for a specific solution
H Examples for additional ML-4 Conformance Evidence:
1) Positive feedback from asset owner about the quality of the documentation on the mitigation of the security weaknesses related to communication protocols

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.04 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that time distribution/synchronization for the Automation Solution is performed from a secure and accurate source that uses a protocol that is commonly accepted by both the security and industrial automation communities.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider:
1) shall describe that time synchronization is performed from a reliable source
2) shall identify the time distribution protocol used
3) show that it is commonly accepted by the security and industrial automation communities
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Description and/or diagram that illustrates the security of the time source
2) Identification of the recommended time distribution protocol and explanation of its reliability
3) Procedure for selecting and approving time distribution protocol
4) Evidence (articles, papers, studies) showing that the protocol is commonly accepted and current, and not obsolete or unacceptable
G Examples for additional ML-3 Conformance Evidence:
1) Documentation and test record of the used time distribution/synchronization
2) Documentation of approval of the used time distribution/synchronization by communities or asset owner
H Examples for additional ML-4 Conformance Evidence:
1) Up to date usage and integration of commonly accepted protocol over a period of time
2) KPI: No. of timing-related issues in deployed solutions

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.05 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that only software and hardware features required by the Automation Solution or approved by the asset owner are enabled in the Automation Solution. At a minimum, this includes ensuring that:
1) unnecessary software applications and services (e.g. email, office applications, games) and their associated communication access points (e.g. TCP/UDP ports), USB devices (e.g. mass storage), Bluetooth and wireless communications are disabled and/or removed unless required by the Automation Solution.
2) network addresses in use are authorized,
3) physical and logical access to diagnostic and configuration ports is protected from unauthorized access and use.
4) unused ports on network devices (e.g. switches and routers) are configured to prevent unauthorized access to the Automation Solution's network infrastructure.
5) maintenance processes maintain the hardened state of the Automation Solution during its lifetime.
D Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner:
1) To reduce the attack surface of components/devices used in the Solution at least according to the points 1) to 5) of the requirement
2) To ensure that the initial reduction of the attack surface is not weakened during maintenance procedures
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process that verifies/validates the implementation of the least functionality principle
2) Hardening guidelines including least functionality of point 1), 3) and 4) of requirement and related installation software/procedures
3) Documented process to obtain approval of network addresses
4) Documented process for retaining the hardening state during maintenance
5) Maintenance manual
G Examples for additional ML-3 Conformance Evidence:
1) Test record that unnecessary software applications and services, USB ports, USB devices etc. are disabled,
2) Authorization of network addresses by asset owner
3) Installation records like logs/reports that reflect the reduced attack surface
4) Records showing that required functions enabled for maintenance activities were disabled after maintenance to ensure initial reduction of attack surface
H Examples for additional ML-4 Conformance Evidence:
1) The service provider demonstrates continuous improvements related to the attack surface reduction of the points 1) to 5) of the requirement related to the used components/systems
2) KPI: No. of cases of unnecessary software applications, ports and services identified by asset owner or third parties

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.05 RE(1)
C IEC 62443-2-4 Requirement:
The service provider's hardening guidelines and procedures shall ensure that only necessary, authorized, and documented digital certificates for certificate authorities (CAs) are installed.
D Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner that:
1) digital certificates pre-installed or installed automatically by the component are removed if they are not necessary
2) digital certificates are removed when they are no longer used by the solution
3) only necessary, authorized and documented digital certificates are permitted to be installed
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process that identifies needed (CA) certificates
2) Documented process that requires and verifies removal of unused digital (CA) certificates
3) Documented process to use protection against or prevent installation of unnecessary certificates
4) Checklist for verification
G Examples for additional ML-3 Conformance Evidence:
1) Documented needed (CA) certificates
2) Validation activity result that unused digital certificates have been removed from the automation solution prior to or during installation
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of cases of unnecessary, unauthorized or undocumented (CA) certificates identified by asset owner or third parties

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.06 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to support the use of session locking for Automation Solution workstations as required by the asset owner. This requirement applies only to the workstations for which the service provider is responsible. Session locking:
1) prevents information on the logged on user's display device from being viewed, and
2) blocks input from the user’s input device (e.g. keyboard, mouse) until unlocked by the session user or an administrator.
NOTE Locking the user input device means that the user at the workstation is not able to use the keyboard except for unlocking the keyboard.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to describe its session locking mechanism or equivalent and how to use it. If the session locking mechanism is provided by the operating system, then the service provider needs only to specify which operating system is used and that it provides session locking
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Checklist that workstations used in automation solution have session locking mechanism
2) Description of the session locking mechanism (or compensating controls) and how to use it (this may be used by web applications or other applications to which a user connects)
3) Operating system reference to session locking capability
G Examples for additional ML-3 Conformance Evidence:
1) record of session locking validation
2) log/record of session locking enforcement by operating system configuration
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of cases of missing or non-implemented session locking mechanisms identified by asset owner or third parties
2) Positive feedback from asset owner about the session locking implementation for workstations in the responsibility of the service provider

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.07 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that wired and wireless workstations, including handhelds, used for maintenance and engineering of wired and wireless control/instrumentation devices do not circumvent the:
1) Automation Solution’s access controls for these devices,
2) network security safeguards (e.g. network security devices) at the Automation Solution's boundary with Level 3.
NOTE 1 Direct access to these devices by handhelds that bypass access controls of the Automation Solution is prohibited.
NOTE 2 Direct access by a handheld to a wireless device in Level 3 that bypasses the Level 2/3 network security device is prohibited.
D Acceptable Evaluation Criteria:
1) For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to describe the access control mechanisms of workstations and handhelds used for maintenance and engineering.
2) The service provider shall particularly make sure that these mechanisms prevent unauthorized access to the control devices by workstations and handhelds.
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Reference architecture drawings/descriptions that identify access paths and/or controls that enforce specified access paths
2) Documented process to verify restriction of access paths, so that access paths are blocked which would circumvent the access control
3) Documents (e.g. design documents, user manuals, installation manuals, hardening guide, etc.) that describe how engineering and maintenance workstations are able to access the control system and/or its components and not able to bypass user access controls of the Solution
G Examples for additional ML-3 Conformance Evidence:
1) Test records/ reports related to performed verification activities for access control
2) Application of documents outlined for ML-2 within projects
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of circumvented access controls of automation solutions
2) KPI: No. of circumvented network security safeguards of automation solutions

A Summary Level: Solution Hardening
B IEC 62443-2-4 ID: SP.03.07 RE(1)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to support the use of multi-factor authentication for Automation Solution workstations as required by the asset owner. This requirement applies only to the workstations for which the service provider is responsible.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to describe its process for applying/integrating/configuring multi-factor authentication according to the requirements of asset owners
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Description of the multi-factor authentication mechanism and how it is used
2) Operating system reference to multi-factor authentication feature
3) Checklist that records configuration of multi-factor authentication for workstations
G Examples for additional ML-3 Conformance Evidence:
1) Verification of application of multi-factor authentication in project
2) Asset owner approvals of multi-factor authentication mechanisms including key management
H Examples for additional ML-4 Conformance Evidence:
1) Positive feedback from asset owner about the multi-factor authentication for workstations in the responsibility of the service provider
2) KPI: No. of identified workstations without multi-factor authentication mechanisms (target = 0 over a certain period of time)

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.08 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that least privilege is used for the administration of network devices for which the service provider is responsible.
D Acceptable Evaluation Criteria:
The service provider shall have a process that can be performed for the asset owner to:
1. Identify the mechanisms used to enforce least privilege (e.g. role-based access controls) in network devices
2. Configure and validate least privilege for the administration of network devices
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process that describes the usage and validation of least-privilege for the administration of network devices
2) Description of validated least-privilege mechanisms
3) Reference to application concepts for network device least-privilege mechanisms (e.g. group accounts)
4) Validation checklist for least privilege mechanisms
G Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of least privilege concepts in projects
2) Implementation and test record e.g. role-based access controls
3) Completed validation checklist for least privilege mechanisms for a project
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of identified violations of least privilege in projects (target = 0 over a certain period of time)

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.08 RE(1)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that access controls used for the administration of network devices and wireless networks include role-based access controls.
NOTE Normally network devices are only accessed by administrators so it is necessary to define only a single role for them. However, if the asset owner’s operating procedures allow access to the network devices by administrators and others, then multiple roles can be defined.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner:
1) To support role-based access controls for network devices and wireless networks
2) To configure, validate, verify and test network devices and wireless networks to use role-based access control as required
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process for role-based access control
2) Documentation and checklists/templates that describe the implementation and verification of role-based access control for the administration of network devices and wireless networks
G Examples for additional ML-3 Conformance Evidence:
1) Completed templates or checklists on the application of role-based access control in projects
2) Records of configuration, verification, validation and testing of role-based access control of network devices and wireless networks according to the documented process
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of identified issues related to role-based access control in projects (target = 0 over a certain period of time)
2) FAT/SAT task approvals and/or positive feedback from asset owner about the configuration and verification of role-based access control for network devices and wireless networks in the responsibility of the service provider

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.08 RE(2)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that encryption is used to protect data, whether in transit or at rest, that is used in the administration of network devices (e.g. passwords, configuration data) that is identified as data requiring safeguarding (see SP.03.10 BR and its REs).
NOTE See SP.03.10 RE(3) for cryptographic requirements.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to:
1) Identify the cryptographic mechanisms used to protect data used in the administration of network devices.
2) Protect sensitive data in transit or at rest, e.g. use cryptographic hashes to protect passwords
Note: If cryptographic mechanisms are not supported by the components, the service provider shall describe compensating controls that are used to protect the data.
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Template that identifies the types of data used for administration of network devices (e.g. credentials, config data identified as sensitive data) to be protected and the cryptographic mechanisms used to protect them
2) Procedures/ templates/ checklists for the use of cryptographic mechanisms to protect data used for the administration of network devices.
G Examples for additional ML-3 Conformance Evidence:
1) Documentation on identified types of data requiring safeguarding and the applied protection mechanisms in a project
2) Documentation of implementation (e.g. screenshots) of cryptographic mechanisms to protect these data (e.g. passwords) in a project
H Examples for additional ML-4 Conformance Evidence:
1) The cryptographic mechanisms used are always state of the art over a period of time
2) Continuous improvement of the applied protection mechanisms e.g.:
• more efficiency by automation
• timely updates of the mechanisms used for protection

A Summary Level: Network Security
B IEC 62443-2-4 ID: SP.03.08 RE(3)
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that access controls used for the administration of network devices include mutual authentication.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
1) apply mutual authentication mechanisms for administration of the network devices
2) configure, validate, verify and test its mutual authentication mechanisms
Note: If this mechanism is provided by the operating system or an application, such as a web server via HTTPS, then the service provider needs to specify which operating system/application is used, that it provides mutual authentication, and if provided by HTTPS or TLS, how the certificates for the server are generated and installed.
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented process of the mutual authentication mechanism and how it is used, including use of HTTPS or TLS if applicable
2) Validation activity e.g. checklist that records configuration of mutual authentication for administration of network devices
3) Documented concept of the application of mutual authentication features provided by operating system/applications
G Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of mutual authentication mechanisms in a project e.g. use of techniques like Challenge/response, user password/device certificate, and Kerberos (RFC 1510) etc.
2) Validation records of their correctness and effectiveness in the solution
H Examples for additional ML-4 Conformance Evidence:
1) The mutual authentication mechanisms used are always state of the art over a period of time
2) Continuous improvement of the applied mutual authentication mechanisms e.g.:
• more efficiency by automation
• timely updates of the mechanisms used for access control

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.09 BR
C IEC 62443-2-4 Requirement:
The service provider shall have the capability to ensure that the Automation Solution is configured to verify that all control actions and data flows in the Automation Solution (e.g. between workstations and controllers), including configuration changes, are:
1) valid,
2) initiated or approved by an authorized user, and
3) transferred over an approved connection in the approved direction.
D Acceptable Evaluation Criteria:
For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner describing that data and commands are properly validated, authorized and transferred in a protected manner over approved connections in the approved directions.
This process shall include configuration, verification and testing for:
1) Account authentication
2) Account authorization
3) Integrity of commands and/or data
4) Access control at network or application layer
5) Data flows only occurring over approved connections in the approved directions
E Example ML-1 Conformance Evidence:
Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
F Examples for ML-2 Conformance Evidence:
1) Documented procedure to identify and verify commands/ data flows and their validity, authorizations, compliance and approved directions
2) Documented procedure that verifies that control actions and data flows of the automation solution implement:
2a) verification of control actions and data flows e.g. DMZ, data diodes
2b) verification of user authorization for that action
2c) verification that the action is received from the right source
G Examples for additional ML-3 Conformance Evidence:
Test records of application of the documented procedure e.g. that the identified data flows have been protected according to ML2 evidence 2a, 2b, 2c
H Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of identified control actions and data flows violating point 1) to 3) of the requirement (target = 0 over a certain period of time)
2) Positive FAT/SAT deviation reviews related to control actions and data flows over a period of time
3) Continuous improvement on the method of the related verification procedures e.g. related to automations, efficiency

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.10 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that data storage points and data flows within the Automation Solution that require safeguarding, as defined or approved by the asset owner, are documented, including the security requirements for their safeguarding (e.g. confidentiality, integrity).
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
   1) Identify data requiring safeguarding inherent to the automation solution and/or associated reference architecture and
   2) Identify the asset owner's data requiring safeguarding, and
   3) Determine the security requirements for the data requiring safeguarding, and
   4) Obtain related asset owner’s approval
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process for identifying/obtaining asset owner’s data and defining their security requirements.
   2) Documented process to create and maintain automation solution/reference architecture documentation that identifies its data requiring safeguarding, and defines their security requirements
   3) Related checklist used by the process
G Additional ML-3 Conformance Evidence:
   1) Documentation of identified data requiring safeguarding and their protection mechanisms in a project
   2) Documentation of related communication with asset owner on the definition and/or approval
   3) Completed related checklist used by the process
H Additional ML-4 Conformance Evidence:
   1) Positive feedback from asset owner about documentation and protection of data requiring safeguarding
   2) Continuous improvement on the method of the related documentation and protection of data requiring safeguarding procedures e.g. related to automations, efficiency
   3) KPI: No. of identified compromises of confidentiality, integrity of data requiring safeguarding (target = 0 over a certain period of time)

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.10 RE(1)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that data within the Automation Solution requiring safeguarding, as described in SP 03.10 BR, is protected from unauthorized disclosure or modification, whether at rest or in transit.
D Acceptable Evaluation Criteria: For the automation solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to protect data requiring safeguarding against disclosure or modification (confidentiality or integrity)
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process describing the protection mechanisms used in the automation solution or reference architecture to ensure confidentiality and integrity of data at rest and data in transit
   2) Documented mechanisms for configuring and verifying the automation solution or reference architecture to protect confidentiality and integrity of data requiring safeguarding
   3) Related checklist used by the process
G Additional ML-3 Conformance Evidence:
   1) Documentation of applied data protection mechanisms and their verification of implementation in a project
   2) Completed related checklist used by the process
H Additional ML-4 Conformance Evidence:
   1) KPI: No. of identified unauthorized disclosures or modifications of data requiring safeguarding (target = 0 over a certain period of time)
   2) The applied mechanisms for confidentiality and integrity protection are all state of the art over a period of time, particularly related to the applied cryptography

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.10 RE(2)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes the retention capabilities provided by the Automation Solution for storing/archiving sensitive data. This documentation includes capacities, pruning and purging functions, retention timeouts, etc.
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
   1) create and maintain documentation on the data retention capabilities of the Solution that can be used to store/archive sensitive data
   2) make sure that this documentation includes capacities, pruning and purging functions, retention timeouts, etc.
   3) provide this documentation to the asset owner
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process for creating the documentation of data retention capabilities and for transferring it to the asset owner
   2) Documentation of resources (capacities/data volumes) and of functionalities for storing and maintaining data, including pruning and purging functions, retention timeouts, etc.
   3) Process to keep documentation up-to-date and to keep the asset owner informed about the latest document
G Additional ML-3 Conformance Evidence:
   1) Documentation provided to an asset owner describing data retention capabilities including used capacity, pruning and purging functions or retention timeouts
H Additional ML-4 Conformance Evidence:
   1) Positive feedback from asset owner about documentation and handover process of data retention capabilities
   2) Increased level of detail and/or improved structure of the documentation about data retention capabilities and its functionality
   3) Continuously improved process to keep documentation up-to-date

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.10 RE(3)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the cryptographic mechanisms used in the Automation Solution, including algorithms and key management/distribution/protection, are commonly accepted by both the security and industrial automation communities.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to be able to:
   1) identify the cryptographic mechanisms used in the Automation Solution or that can be configured
   2) Show that they are commonly accepted and not self-developed or obscure or obsolete or compromised or insecure.
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Description/diagrams of where cryptographic mechanisms are used, and their identity, such as
      a) Operating system software, such as COM and WCF, that contain built-in cryptographic mechanisms
      b) Open source cryptographic mechanisms embedded into the Automation Solution
   2) Process to ensure that cryptographic mechanisms used in the automation solution are accepted by the industry as current and not obsolete or unacceptable
G Additional ML-3 Conformance Evidence:
   1) documentation of used implementations of cryptographic mechanisms in a project
   2) Provided evidence (e.g. articles in trustworthy media, scientific papers, studies, security institutions like NIST) showing the implementation of the cryptographic mechanisms as current and not obsolete or unacceptable.
H Additional ML-4 Conformance Evidence:
   1) Zero outdated cryptographic mechanisms in the components of automation solutions over a period of time
   2) Regular review of the acceptance of cryptographic mechanisms integrated in automation solutions over the lifecycle
   3) Systematic and comprehensive review of the state of the art of cryptographic mechanisms

A Summary Level: Data Protection
B IEC 62443-2-4 ID: SP.03.10 RE(4)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that when it removes a component from the Automation Solution, all data in the component requiring safeguarding, as described in SP 03.10 BR, is permanently destroyed/deleted.
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to permanently destroy all data requiring safeguarding from the devices/components that it removes from service
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process that verify/validate that sensitive data in devices/components that are removed from the automation solution are permanently destroyed
   2) Checklist used by the process to verify permanent destruction of sensitive data after uninstallation of component from the Automation Solution
G Additional ML-3 Conformance Evidence:
   1) Completed checklist stating decommissioned component and destruction of data
   2) Documentation of applied mechanisms for data clearance and destroying memory in a project
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of the mechanisms to validate and test the deletion of sensitive data in components being removed from an automation solution
   2) Continuous automation and improvement of the efficiency of the mechanisms applied for data deletion

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.01 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that its Automation Solution architecture documentation describing wireless systems is current in its description of the following.
   1) Data exchange between a Level 1 network and wireless instrumentation,
   2) Data exchange between a Level 2 network and a Level 3 network through a secure wireless link,
   3) Security mechanisms that prevent an intruder from gaining access to the Automation Solution using the wireless system,
   4) Security mechanisms that restrict access within the Automation Solution by workers with handheld wireless devices,
   5) Where required, security mechanisms that provide protection for remote management of wireless systems.
   NOTE 1 The term "Level" refers to the position in the Purdue Reference Model as standardized by ISA 95 and IEC 62264-1 (see clause 5.3).
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to describe:
   1) Its process to document the architecture of its wireless networks and data flows according to topics 1) and 2) of the requirement, and to keep the documentation current.
   2) Its implemented security mechanisms or to prevent intrusion or bypass of specified access restrictions to the Automation Solution via wireless devices, according to topics 3) to 5) of the requirement
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process for the installation/maintenance of wireless systems and their configured security mechanisms
   2) Documented process to ensure that the architecture documentation of the wireless networks is kept current e.g. addition/deletion of devices
   3) Documentation of the security mechanism to prevent bypass of specified access restrictions to the Automation Solution e.g. Wireless bridges, Wireless handhelds
   4) checklists for documenting new installations and changes related to topics 1) to 5) of the requirement
G Additional ML-3 Conformance Evidence: Evidence that related processes and documentation have been applied in projects e.g.:
   1) Architectures
   2) Flow Diagrams
   3) Security Design
   4) Network Design
H Additional ML-4 Conformance Evidence:
   1) Systematic and comprehensive review of the state of the art of architecture documentation describing wireless systems over a significant period of time
   2) Continuous improvement of the zones and conduits concepts used in the architecture documentation associated with wireless access to wired devices/workstations in the Automation Solution

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.02 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that access to wireless devices is protected by authentication and access control mechanisms that are commonly accepted by both the security and industrial automation communities.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to be able to:
   1) Ensure that authentication and access control mechanisms are used to protect its wireless devices
   2) Show that the applied mechanisms are commonly accepted and strong according to the state of the art
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented procedures that include configuration and verification for the applied authentication and access control technology
   2) Process to ensure that authentication and access control mechanisms used for wireless devices in the automation solution are accepted by the industry as current and not weak or unacceptable
G Additional ML-3 Conformance Evidence:
   1) Documentation of applied commonly accepted authentication and access control mechanisms to wireless devices in a project
   2) Documentation of successful verification that applied authentication and access control mechanisms are commonly accepted according to the state of the art in a project
H Additional ML-4 Conformance Evidence:
   1) Regular review of the acceptance of authentication and access control mechanisms integrated in automation solutions over the lifecycle
   2) Systematic and comprehensive review of the state of the art of authentication and access control mechanisms

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.02 RE(1)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that wireless communications are protected by cryptographic mechanisms that are commonly accepted by both the security and industrial automation communities.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner:
   1) to configure, validate, verify and test cryptographic mechanisms to protect its wireless devices
   2) Show that they are commonly accepted
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented procedure that include configuration and verification for the cryptographic mechanisms used to protect communications
   2) Process to ensure that cryptographic mechanisms used for wireless devices (e.g. Wireless bridges, Wireless handhelds, used protocols) in the automation solution are accepted by the industry as current and not weak or unacceptable
G Additional ML-3 Conformance Evidence:
   1) Documentation of used implementations of cryptographic mechanisms for wireless communication in a project
   2) Provided evidence (e.g. articles in trustworthy media, scientific papers, studies, security institutions like NIST) showing the implementation of the cryptographic mechanisms for wireless communications as current and not obsolete or unacceptable
H Additional ML-4 Conformance Evidence:
   1) Zero outdated cryptographic mechanisms for wireless communication in the components of automation solutions over a period of time
   2) Regular review of the acceptance of cryptographic mechanisms for wireless communication integrated in automation solutions over the lifecycle
   3) Systematic and comprehensive review of the state of the art of cryptographic mechanisms for wireless communication

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.03 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that wireless protocols used in the Automation Solution are compliant with standards commonly used within the industrial security community and with applicable regulations.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to be able to:
   1) Ensure that wireless protocols and its configured security mechanisms are compliant with commonly accepted standards
   2) Ensure that the wireless protocols used are compliant with applicable local regulations
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process to select, configure and apply wireless protocols
   2) Documented process to test, verify and validate compliance of the wireless protocols with applicable standard and local regulations
   3) Template for wireless protocols showing compliance with commonly used standards and regulations
G Additional ML-3 Conformance Evidence:
   1) Provided evidence (e.g. articles in trustworthy media, scientific papers, studies, security institutions like NIST) showing used wireless protocols were according to standards used in the OT security community and with applicable regulations
   2) Documentation list of used wireless protocols implemented in an automation solution and related verifications of compliance
   3) Completed template for wireless protocols showing compliance with commonly used standards and regulations
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of the process to verify compliance of wireless protocols with standards and regulations e.g.
      • Optimization of the verification process like automation and acceleration
      • Improved mechanisms to detect deviations and/or to apply related corrections

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.03 RE(1)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that unique, Automation Solution-specific identifiers are used for wireless networks and that all wireless identifiers are descriptive acronyms that are not obviously associated with the asset owner's site.
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that its rules for naming wireless network identifiers provide unique identifiers and prevent an easy identification of the associated site or function
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process/checklists/templates for creating wireless identifiers (the rules for the value of the identifiers and the process for creating them)
   2) Documented process of review of identifiers with the asset owner
G Additional ML-3 Conformance Evidence:
   1) Completed checklists/templates for creating wireless identifiers
   2) Records or protocols on the cooperation activities with asset owners related to wireless identifiers
H Additional ML-4 Conformance Evidence:
   1) KPI: No. of issues related to wireless network identifiers e.g. duplicated/disclosing SSIDs (target = 0 over a certain period of time)
   2) Positive feedback from asset owner about cooperation related to wireless identifiers

A Summary Level: Wireless
B IEC 62443-2-4 ID: SP.04.03 RE(2)
C IEC 62443-2-4 Requirement: The service provider shall ensure that the Automation Solution's wireless devices that have IP addresses use static addressing and have dynamic address assignment mechanisms (e.g. DHCP) disabled.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner:
   1) for assigning static IP addresses to wireless devices
   2) to disable dynamic IP addressing
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process for verifying that IP addresses to wireless devices assigned are static
   2) Checklists/template of assigned IP addresses of wireless devices
   3) Documented process to check that dynamic address assignment is disabled
G Additional ML-3 Conformance Evidence:
   1) Completed checklists/template of assigned IP addresses of wireless devices
   2) Verification records showing that dynamic address assignment is disabled
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of the process to verify allocation of addresses for wireless devices
   2) KPI: No. of identified dynamically allocated IP addresses for wireless devices (target = 0 over a certain period of time)

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.01 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to verify that security architecture reviews and/or security risk assessments of the communications of the SIS used in the Automation Solution have been conducted and addressed.
D Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner that communications of SIS is considered and addressed during risk assessment and security architecture reviews
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Documented process that can include checklists and have a verification step that communication of SIS is addressed during risk assessment
   2) Template of SIS communications/data flows and checklist of related risk assessment
G Additional ML-3 Conformance Evidence:
   1) Record on security architecture review including SIS
   2) Risk assessment report including SIS communication review
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement on the detection and mitigation of security risks related to SIS communications in automation solution
   2) Improvement of the expertise of staff related to risk assessment

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.02 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that SIS safety communications and SIS safety functions are protected from the BPCS or any other Automation Solution communications.
   NOTE This requirement does not require that communications not critical to safety functions between the SIS and the BPCS (e.g. configuration downloads, status monitoring, logging) be shielded from other Automation Solution communications.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to make sure that SIS safety-critical communications:
   1) are protected from other communications
   2) is not subject to interference by non-safety critical communications
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Design/architecture documents that describe segmentation between the SIS and other communications
   2) SIS certification that addresses this security requirement
   3) Checklists/Templates for verifying that SIS safety-critical communications are protected from other communications
G Additional ML-3 Conformance Evidence:
   1) Completed checklists/templates for verifying that SIS safety-critical communications are protected from other communications
   2) Documentation of applied network architecture with separation and protection of SIS
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of network architectures and protection concepts for SIS safety communication/functions
   2) KPI: No. of critical safety functions/communication being impacted by interfering other communications (target = 0 over a certain period of time)

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.03 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that communications external to the Automation Solution, including remote access communications, are not able to interfere with the operation of the SIS.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to describe the protection of SIS functions from interference:
   1) by communications originating and/or terminating external to the Automation Solution
   2) by remote access communications
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Design/architecture documents that show how SIS operations are protected from interference from external communications, including which external communications are not to be allowed
   2) SIS certification that addresses this requirement
   3) Checklists/Templates that prohibit configurations that allow external communications from interfering with SIS operations.
G Additional ML-3 Conformance Evidence:
   1) Completed Design/architecture documents
   2) Completed checklists/templates
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of network architectures for protection of SIS against interference by external communications/remote access communications
   2) KPI: No. of interferences of SIS by external communications (target = 0 over a certain period of time)

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.04 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that applications, (e.g. control system applications) external to the SIS are not able to participate in or disrupt or otherwise interfere with SIS communications that are critical to safety functions.
   Note: SP.05.03 BR addresses protecting SIS operations and this requirement addresses protecting SIS communications.
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to protect SIS safety-critical communications e.g. from external applications
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Design/architecture documents that describe logical and/or physical segmentation between the SIS and the BPCS
   2) SIS certification that addresses this requirement,
   3) Checklists/Templates for verifying that SIS safety-critical communications cannot be impacted by SIS-external applications
G Additional ML-3 Conformance Evidence:
   1) Completed Design/architecture documents
   2) Completed checklists/templates
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of protection of SIS-communications against SIS-external applications
   2) KPI: No. of interferences of SIS communications by SIS-external applications (target = 0 over a certain period of time)

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.05 BR
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that SIS EWSs that reside outside the SIS (external to SIS interface with the control system) cannot be compromised by communications from Level 3 or above.
   NOTE The term "Level" refers to the position in the Purdue Reference Model as standardized by ISA 95 and IEC 62264-1 (see 5.3).
D Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process and mechanisms that can be performed for the asset owner to make sure that SIS EWSs which are external to the SIS are protected through a network security device or equivalent mechanisms against communications to/from devices/workstations from Level 3 and above.
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Design/architecture documents showing that:
      • Level 2 and Level 3 are segmented using a network security device,
      • that there are no unauthorized communications paths around it
      • that show the SIS EWS in Level 2
   2) Design/architecture documents that show how SIS EWSs external to SIS are protected from unauthorized communications from Level 3 and Level 4 devices/workstations
   3) Checklists/templates that verify the design/architecture ensuring that all communications between the SIS engineering workstation and Level 3 (and above) applications pass through a network security device
G Additional ML-3 Conformance Evidence:
   1) Completed Design/architecture documents
   2) Completed checklists/template
   3) Documentation of the network security device (including applied protection rules) which has been used in an automation solution or reference architecture to ensure the protection of communication from Level 3 and above
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of protection of SIS EWSs against interfering communications from Level 3 and above
   2) KPI: No. of identified compromises of SIS EWSs by interfering communications from Level 3 and above (target = 0 over a certain period of time)

A Summary Level: SIS
B IEC 62443-2-4 ID: SP.05.05 RE(1)
C IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the Automation Solution's SIS EWS that reside within the SIS (internal to SIS interface with the control system) cannot be compromised by remote access (e.g. RDP).
D Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to make sure that the SIS EWSs that are internal to the SIS are protected from compromise by remote access communications
E ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
   1) Project documentation
   2) Interviews
F ML-2 Conformance Evidence:
   1) Design/architecture documents showing that remote access paths to internal SIS EWSs are blocked or disabled
   2) Process/architecture documents showing that remote access has to be disabled (not accessible)
   3) Risk assessment methodology addressing the risks of SIS EWSs being compromised by remote access to the SIS EWSs
G Additional ML-3 Conformance Evidence:
   1) Completed Design/architecture documents
   2) Documentation showing that remote access has been disabled for SIS EWSs in a project
   3) Results/report of related risk assessment in a project
H Additional ML-4 Conformance Evidence:
   1) Continuous improvement of protection of SIS EWSs against exploitation via remote access connections
   2) KPI: No. of identified compromises of SIS EWSs by exploitation of remote access connections (target = 0 over a certain period of time)

SP.05.06 BR (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all access to the Automation Solution's SIS from outside the SIS is mediated and authorized at the interface to the SIS.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to make sure that all connections to the SIS are mediated (e.g. via a firewall, gateway, or something similar)
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Design/architecture documents showing the mediating component e.g. gateway
2) Checklists/templates for installation, configuration, and/or maintenance of the mediating component
3) Documentation showing that SIS is physically connected only to SIS EWSs
Examples for additional ML-3 Conformance Evidence:
1) Completed Design/architecture documents
2) Completed Checklists/templates
3) Documentation showing that SIS was only physically connected to SIS EWSs in a project or automation solution
Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement of mediation and authorization solution for the access to the SIS
2) KPI: No. of identified unauthorized accesses to SIS (target = 0 over a certain period of time)

SP.05.07 BR (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that SIS functions performed by the Automation Solution's SIS EWS are protected from compromise by other SIS EWS software.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to protect the SIS EWS safety software from other software running in the SIS EWS (least functionality concept)
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Design documents that show that the SIS EWS is configured to perform only SIS functions
2) Descriptions of mechanisms that prohibit the SIS EWS from being configured to perform non-SIS functions
3) Checklists/templates that prohibit the SIS EWS from being configured to perform non-SIS functions
4) Descriptions of mechanisms that isolate and protect SIS EWS software from other software running in the SIS EWS.
Examples for additional ML-3 Conformance Evidence:
1) Specifications of SIS EWSs used in a project, including their least functionality concept
2) Completed Checklists/template
3) Documentation of applied mechanisms that isolate and protect SIS EWS software from other software running in the SIS EWS
Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement and update of specifications against other SIS EWSs software that could intentionally or inadvertently cause harm to the SIS
2) Continuous improvement of mechanisms for isolation and protection of SIS EWS software from other software running in the SIS EWS
3) KPI: No. of identified compromises of SIS EWSs by other SIS EWSs software (target = 0 over a certain period of time)

SP.05.08 BR (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to verify that unauthorized wireless devices are not used as an integral part of SIS safety functions.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to prevent unauthorized wireless devices from participating in SIS safety functions
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Process to document design showing that unauthorized wireless devices are not permitted in the operation of SIS functions
2) Description of mechanisms to identify and authorize wireless devices for SIS safety functions
3) Checklists/templates that prohibit unauthorized wireless devices from being used as part of SIS functions in the guideline
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of mechanisms to identify and authorize wireless devices for SIS functions in a project
2) Documentation of applied protection concept for SIS safety functions against unauthorized wireless devices
3) Completed Checklists/template
Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement and update of mechanisms for identification and authorization of the access of wireless devices to SIS safety functions
2) Continuous improvement of protection concept for SIS safety functions against unauthorized wireless devices

SP.05.09 BR (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that SIS configuration mode can be enabled and disabled. While disabled, this interface shall prohibit the SIS from being configured.
NOTE This interface will typically prevent configuration messages from being delivered to the SIS.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to make sure that its SIS interface can be locked to prevent SIS from being configured.
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Process and documentation describing how to lock the SIS interface
2) Checklists/templates for ensuring that once SIS interface is locked, configuration mode is disabled
3) Documentation of mechanism used to prevent SIS from being configured in disabled mode
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of mechanisms to lock/unlock the SIS configuration interface in a project
2) Documentation of application of protection concepts against unintended/unauthorized configurations in disabled mode (e.g. software-controlled locks)
3) Completed Checklists/template
Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement and update of mechanisms to enable and disable SIS configuration
2) Ensuring that protection concepts e.g. software controlled locks are always state of the art over a period of time

SP.05.09 RE(1) (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide a hardware implementation of the configuration mode interface required by SP.05.09 BR and to ensure that this hardware implementation is capable of being physically locked while configuration mode is disabled.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner that its SIS interface can be locked by a physical switch or equivalent physical mechanism to prevent SIS from being configured in disabled mode
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) User documentation that describes hardware implementation to lock the SIS interface to prevent configuration changes from being made in disabled mode
2) Process and documentation describing on how to use the physical locking mechanism used to prevent unintended configuration changes at the SIS interface
3) Checklists/templates for locking/disabling hardware configuration mode
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of mechanisms to physically lock/unlock the SIS configuration interface in a project
2) Documentation of application of protection concepts against unintended/unauthorized configurations in disabled mode by physical key switches
3) Completed Checklists/template
Examples for additional ML-4 Conformance Evidence:
1) Continuous improvement and update of physical locking mechanisms to enable and disable SIS configuration
2) Ensuring that protection concepts using physical key switches are always state of the art over a period of time

SP.05.09 RE(2) (Summary Level: SIS)
IEC 62443-2-4 Requirement: The service provider shall have the capability to have an independent 3rd party verify that it is not possible to change the configuration of the SIS when the hardware interface described in SP.05.09 RE(1) is locked in the "disable" configuration mode.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to appoint and cooperate with independent 3rd parties to verify its configuration mode locking mechanism
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for having independent 3rd parties to verify that the locking mechanism operates as intended
2) Documentation of certification process performed by independent 3rd party for this requirement
Examples for additional ML-3 Conformance Evidence:
1) Application of 3rd party verification process in a project
2) Audit reports or certifications from independent 3rd party
Examples for additional ML-4 Conformance Evidence:
1) Positive feedback from independent 3rd party about the cooperation on the verification of configuration locking mechanisms
2) KPI: No of identified unintended configuration changes of the SIS in disabled mode (target = 0 over a certain period of time)

SP.06.01 BR (Summary Level: Configuration management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide accurate logical and physical infrastructure drawings/documentation of the Automation Solution, including its network devices, internal interfaces, and external interfaces. The documentation and drawings shall be maintained as an accurate representation of the Automation Solution.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to generate, deliver, and maintain drawings/descriptions of the Solution's network infrastructure that clearly identifies internal and external interfaces to which devices can be connected (e.g. switches, routers, firewalls, network interface cards)
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the generation, delivery, and maintenance of the network architecture representing the automation solution, including physical and logical network infrastructure
2) Checklists/templates to ensure the correctness and completeness of the physical/logical infrastructure drawings of the automation solution
Examples for additional ML-3 Conformance Evidence:
1) Application of the documentation of the network architecture of a specific automation solution
2) Completed checklists/template
3) Detailed network architecture drawings including interfaces, addresses and segmentations by zones and conduits
Examples for additional ML-4 Conformance Evidence:
1) Systematic and comprehensive review of the state of the art of architecture documentation over a significant period of time
2) Continuous improvement of the zones and conduits concepts used in the architecture documentation in the Automation Solution
3) KPI: Accurateness and completeness of the infrastructure drawings/network architecture documentation. Target: No. of missing elements (e.g. Interfaces) or errors in the architecture drawings = 0 over a certain period of time

SP.06.01 RE(1) (Summary Level: Configuration management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to keep the as-built and installed equipment connection and configuration documents current.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that the architecture drawings, connection diagrams, and configuration file (as-built) documentation always reflect the current operational equipment and their network connections
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process which ensures that configuration of all equipment and network connections - as built and installed - is documented and kept current
2) Related checklists/templates
Examples for additional ML-3 Conformance Evidence:
1) Documentation that connection and configuration documents were updated according to related changes in the automation solution
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
Continuous improvement of the applied updating process to keep the documentation current, e.g.:
• more efficiency by automation
• timeliness of updates of the documentation according to the related changes in the automation solution

SP.06.02 BR (Summary Level: Configuration management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to create and maintain an inventory register, including version numbers and serial numbers, of all devices and their software components in the Automation Solution for which the service provider is responsible.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that all installed equipment and the software (if any) that runs on them are documented as required by this requirement
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to establish and maintain an inventory register and keep it current including version numbers and serial numbers of all devices and software components
2) Checklists/template of inventory register
Examples for additional ML-3 Conformance Evidence:
1) Inventory register used in a project
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
1) KPI: Accurateness and completeness of the inventory register. Target: No. of missing inventory information (e.g. version numbers or serial numbers) or errors in the inventory register = 0 over a certain period of time
2) Continuous improvement of the establishment of the inventory register, e.g.:
• more efficiency of the establishment by automation
• cooperation between inventory register and patch management particularly to use the inventory to check which components have to be patched
• timeliness of patching based on information from the inventory

SP.06.03 BR (Summary Level: Configuration management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to verify that wired and wireless devices used for control and instrumentation have been configured correctly with their approved values.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that field devices retrieve correct configuration parameters with approved values downloaded/written to the device
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process used for verification of field device configuration
2) Related checklists/templates
Examples for additional ML-3 Conformance Evidence:
1) Applied process verification of field device configuration in a project
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
1) KPI: No. of unauthorized or erroneous configuration changes in wired/wireless devices (target = 0 over a certain period of time)
2) Continuous improvement of concepts to ensure integrity of device configurations e.g.
• efficiency of cooperation with related workstation
• automation of verification of configuration values

SP.07.01 BR (Summary Level: Remote Access)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all remote access applications used in the Automation Solution are commonly accepted by both the security and industrial automation communities.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner:
1) To identify remote access applications that it has approved for use in its Solutions,
2) To systematically select and approve them
3) To verify that they are commonly accepted.
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to identify the remote access applications that it is prepared to use in Solutions
3) Documented process to verify that selected and planned remote access applications are commonly accepted by both the security and industrial automation communities
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied remote access applications (e.g. RDP) in a project and their security verifications
2) Provided evidence (e.g. articles in trustworthy media, scientific papers, studies, security institutions like NIST) showing the implementation of the remote access applications being state of the art
Examples for additional ML-4 Conformance Evidence:
1) Zero outdated remote access applications in automation solutions over a period of time
2) Regular review of the acceptance of remote access applications used in automation solutions over the lifecycle
3) Systematic and comprehensive review of the state of the art of remote access applications

SP.07.02 BR (Summary Level: Remote Access)
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide detailed instructions for the installation, configuration, operation, and termination of the remote access applications used in the Automation Solution.
Acceptable Evaluation Criteria: For each remote access application in the Solution or reference architecture, the service provider shall have a process that can be performed for the asset owner for providing/referencing a user manual that includes the description to install/configure, operate, and terminate the remote access application
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to create, maintain and provide the appropriate documentation
2) Documented process to provide instructions to the asset owner on the termination of remote access connections
3) Related checklists/templates
Examples for additional ML-3 Conformance Evidence:
1) Documentation of installed and configured remote access connections in a project according to the related process
2) Documentation of cooperation with asset owners on the installation and configuration of remote access applications
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
1) Positive feedbacks from asset owners on cooperation about remote access applications
2) Systematic and comprehensive review of reaching a state of the art level of protection to the automation solution provided by remote access applications (e.g. by applied risk analysis and related verifications)

SP.07.03 BR (Summary Level: Remote Access)
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide information about all proposed remote access connections to the asset owner that includes, for each connection:
1) its purpose,
2) the remote access application to be used,
3) how the connection will be established (e.g. via the Internet through a VPN), and
4) the location and identity of the remote client.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to identify and describe each remote access connection proposed for the Solution covering all points of the requirement
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to list all proposed remote access connections to the asset owner containing information as stated in the requirement
2) Related checklists/template of all proposed remote access connections including points 1-4 of the requirement
Examples for additional ML-3 Conformance Evidence:
1) Documentation of installed and configured remote access connection at asset owner’s site
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
1) Continuous and Positive feedbacks from asset owners on cooperation about remote access connections

SP.07.04 BR (Summary Level: Remote Access)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that it obtains approval from the asset owner prior to using each and every remote access connection.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that each remote access connection proposed for the Solution is approved by the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to obtain asset owner’s approval prior to the use of remote access connections
2) Related checklists
3) Template for approval about remote access connection by asset owner
Examples for additional ML-3 Conformance Evidence:
1) Completed checklists
2) Signed Templates by asset owners
Examples for additional ML-4 Conformance Evidence:
1) Continuous and Positive feedbacks from asset owners on approval process related to remote access connections

SP.07.04 RE(1) (Summary Level: Remote Access)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all remote access connections conducted over the Internet or over other publicly accessible media that are used to support remote access to the Automation Solution by the service provider (e.g. from a service provider facility) are authenticated and encrypted.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that each remote access connection using public communication networks is authenticated and encrypted
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for assurance that remote access connections that use public communications networks are authenticated and encrypted
2) Related checklists/templates
3) Documented process to select suitable authentication and encryption mechanisms for remote access
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of authentication and encryption mechanisms for remote access connections in a project e.g. lists of related applied mechanisms
2) Completed checklists/template
Examples for additional ML-4 Conformance Evidence:
1) Systematic and comprehensive review of the state of the art of authentication and encryption mechanisms used for remote access connections

SP.08.01 BR (Summary Level: Event management)
IEC 62443-2-4 Requirement: The service provider shall have capabilities for handling cyber-security incidents that affect the Automation Solution that include:
1) detecting cyber-security compromises and incidents,
2) reporting cyber-security incidents to the asset owner,
3) responding to cyber-security compromises and incidents, including supporting an incident response team.
NOTE 1 Logging of security-related events is addressed by SP.08.02 BR.
NOTE 2 Logging and reporting of alarms and events is addressed by SP.08.03 BR.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to describe its:
1) incident handling process
2) criteria for analysis of incidents and resulting/applied actions, particularly for those incidents that could adversely affect the automation solution
3) reporting of incidents to the asset owner
4) supporting of an incident response team
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process defining criteria to manage security incidents and to filter and prioritize a security incident
2) Documented process that describe how it detects, reports, and responds to cyber-security incidents and compromises,
3) Description of how its response to cyber-security incidents and compromises supports an incident response team
4) Checklists and related actions to be performed in case of a security incident
Examples for additional ML-3 Conformance Evidence:
1) Successful and comprehensive dry run of incident management process
2) Documentation of handled security incidents in an automation solution according to related process
3) Completed checklists
Examples for additional ML-4 Conformance Evidence:
1) Successful handling and closing of security incidents over a period of time
2) Continuous and Positive feedbacks from asset owners on cooperation on security incidents
3) Continuous improvement of the applied incident handling mechanisms e.g.:
• more efficiency by automation
• transparency of incident handling activities for the asset owners

SP.08.01 RE(1) (Summary Level: Event management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that security compromises that have been automatically detected can be reported through a communications interface that is accessible to the asset owner and that is commonly accepted by both the security and industrial automation communities.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to identify and verify:
1) communications interfaces that can be used to report automatically detected security compromises to the asset owner,
2) agreed procedures with the asset owners on how to use them
3) that they are commonly accepted
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the communication interface with the asset owner, which also describes how these interfaces can be used by the asset owner to obtain information about the security incidents
2) Documented process to verify that planned communication interfaces are commonly accepted and current, and not obsolete or unacceptable (e.g. based on state of the art SIEM solutions)
Examples for additional ML-3 Conformance Evidence:
1) List of communications interfaces that were used for automatically detected compromises
2) Provided evidence (e.g. articles in trustworthy media, scientific papers, studies) showing that applied communication interfaces are commonly accepted and current, and not obsolete or unacceptable
Examples for additional ML-4 Conformance Evidence:
1) Regular review of the quality and acceptance of the communication interface solution used for the incident reporting over the period of time
2) Systematic and comprehensive review of the state of the art of communication interface solution
3) Continuous and Positive feedbacks from asset owners on the accessibility of the communication interface and the related cooperation with the service provider

SP.08.02 BR (Summary Level: Event management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the Automation Solution is configured to write all security-related events, including user activities and account management activities, to an audit log that is kept for the number of days specified by the asset owner.
NOTE Logging and reporting of process-related events, such as setpoint changes and other operational/configuration data changes, is addressed by SP.08.03 BR.
Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to:
1) identify all security-related events
2) write them to audit logs
2) configure their retention capabilities as specified by the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented Process for identifying security-related events and the audit logs to which they will be written
2) Checklists/templates to verify the related configuration of automation solutions
3) Documented process and criteria to select audit logging solutions
Examples for additional ML-3 Conformance Evidence:
1) Audit logs which have been created/compiled in automation solutions according to the related process
2) Completed checklists/template
3) Completed forensics analysis based on audit logs
Examples for additional ML-4 Conformance Evidence:
1) Continuous verification of effectiveness of configuration of automation solution to detect and log all security related events
2) Continuous and positive feedback from the asset owner on the applied audit logging solutions

SP.08.02 RE(1) (Summary Level: Event management)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that security-related data and events can be accessed through one or more interfaces that is/are commonly accepted by both the security and industrial automation communities.
Acceptable Evaluation Criteria: For the solution or used reference architecture the service provider shall have a process that can be performed for the asset owner to:
1) identify the interfaces supported by the Automation Solution that particularly asset owners can use to obtain security-related data and events
2) show that they are commonly accepted
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for:
• selection of access interfaces for security related data and events,
• verification that the interfaces are commonly accepted and current, and not obsolete or unacceptable
2) Checklists/templates to ensure that security-related data and events can be accessed
Examples for additional ML-3 Conformance Evidence:
1) Provided evidence of acceptable interfaces (e.g. articles in trustworthy media, scientific papers, studies) showing that they are commonly accepted and current, and not obsolete or unacceptable
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence:
1) Regular review of the quality and acceptance of the interfaces solution used for event logging and reporting over the period of time
2) Systematic and comprehensive review of the state of the art of the related interface solution

Summary Level: Event management
IEC 62443-2-4 ID: SP.08.02 RE(2)
IEC 62443-2-4 Requirement: The service provider shall have the capability to verify that, using a simulated security-related event approved by the asset owner, security-related events can be written to an audit log.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to simulate a security event and to write security related data to an audit log according to a scenario selected by an asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to verify that simulated security-related event/data is written in an audit log
2) Training process for simulating a security-event and writing security data to an audit log according to requirements of an asset owner
Examples for additional ML-3 Conformance Evidence:
1) Documentation of performed related simulations approved by asset owner in a project
2) Completed related trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the related simulation process e.g.:
   • more efficiency by automation
   • cooperation with the asset owner on the related simulation process
   • accuracy of simulation to reflect event logging mechanisms in operational automation solutions
2) Continuous and positive feedback from the asset owner on the applied simulations

Summary Level: Event management
IEC 62443-2-4 ID: SP.08.03 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the Automation Solution is configured to log and notify the operator of process-related events as required by the asset owner. The types of events include state changes/operating condition changes/configuration changes that may be due to manual or automated (those without human intervention) operation.
NOTE 1 Logging of security-related events is addressed by SP.08.02 BR.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to configure process-related events to be logged and notified to the operator according to the details of the requirement
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Training process for configuring process-related events to be logged and reported to the operator
2) Checklists/templates for the used technology
Examples for additional ML-3 Conformance Evidence:
1) Completed related training
2) Event log files and documentation of reporting used in a project
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the operator and the asset owner on the event reporting and alarm notification solution
2) KPI: No. of security related events which have been reported to operators (target = 100% over a certain period of time)

Summary Level: Event management
IEC 62443-2-4 ID: SP.08.03 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that alarms/alerts/events can be securely reported through an interface that is commonly accepted by both the security and industrial automation communities.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
1) verify that alarms/alerts/events can be reported via secure interfaces supported by the Automation Solution
2) show that these are commonly accepted.
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented risk assessment procedure to ensure that all relevant alarms/alerts/events requiring safeguarding are protected in transfer via a secure reporting interface
2) Documented process and criteria to verify effectiveness of safeguarding
3) Documented process showing that the reporting interface is commonly accepted and current, and not obsolete or unacceptable.
Examples for additional ML-3 Conformance Evidence:
1) Provided evidence on the security of applied reporting interfaces (e.g. articles in trustworthy media, scientific papers, studies) showing that they are commonly accepted and current, and not obsolete or unacceptable
2) Related risk assessment report
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Regular review of the quality and acceptance of the security of the reporting interfaces used for event logging and reporting over a period of time
2) Systematic and comprehensive review of the state of the art of the related reporting interface solution

Summary Level: Event management
IEC 62443-2-4 ID: SP.08.04 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to document the Automation Solution’s ability to withstand the near-simultaneous occurrence of large numbers of events, typically referred to as event storms.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to verify and document that an automation solution is able to withstand event storms
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process of conducting tests (e.g. robustness test, stress test) at an automation solution to verify that it withstands event storms
2) Evaluation concept/procedure for architectural features (including rate-limiting network devices) of an Automation Solution with regard to their capabilities to protect against event storms
3) Risk assessment procedure that considers event storms and includes proper protection
Examples for additional ML-3 Conformance Evidence:
1) Related test report/results/certification for particular Automation Solution
2) Related risk assessment report for particular Automation Solution
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of applied testing methodology for the robustness of Automation Solutions against event storms

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.01 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the Automation Solution supports:
1) the use of a single, integrated data base, which may be distributed or redundant, for defining and managing user and service accounts,
2) restricted management of accounts to authorized users,
3) decentralized access to this data base for the management of accounts,
4) decentralized enforcement of the account settings (e.g. passwords, operating system privileges, and access control lists) defined in this data base.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to ensure that account management supports the points 1) to 4) of the requirement
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to select account management application(s) satisfying 1) to 4) points of the requirement (e.g. Windows Active Directory or an LDAP product)
2) Documentation of evaluation criteria related to 1) to 4) of the requirement for account management applications in the Automation Solution
Examples for additional ML-3 Conformance Evidence:
1) Applied and verified account management applications in an Automation Solution
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the related applied account management applications e.g.:
   • more efficiency by centralization of account management functions
   • Simplifications of account management by administrators
   • Efficiency and automation of evaluation method of account management solutions

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.02 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that unique accounts can be created and maintained for users.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner for creating and maintaining a unique user account for each Automation Solution user
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to select unique user accounts for each user of an Automation Solution
2) Documentation of evaluation criteria to verify that unique user accounts are provided in an automation solution
Examples for additional ML-3 Conformance Evidence:
1) Applied account management with unique user accounts for each user of an Automation Solution
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: No. of users for which no unique account is provided (only shared account available - target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.02 RE(1)
IEC 62443-2-4 Requirement: The service provider shall provide documentation to the asset owner that:
1) identifies all default user and service accounts,
2) describes the tools and procedures used to set/reset passwords for all default user and service accounts.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner for generating a list of all user and service accounts and providing instructions to the asset owner that describes how to change their passwords
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on:
   • the identification of default accounts
   • on the tools and procedures to set/reset password
   • on the related reporting to the asset owner
2) Cooperation procedures with asset owners to ensure that there are no hidden accounts nor are there passwords that cannot be changed
Examples for additional ML-3 Conformance Evidence:
1) Documentation of related application for a solution:
   • list of users on all devices
   • reference to description to set/reset password
   • description to set/reset passwords
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on documentation of user and service accounts

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.02 RE(2)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that if an account/password is automatically generated for a user, other than operators and service groups, both the generated account and password are unique.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to ensure the automatic generation of unique passwords for users, other than operators and service groups
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process of selection of related account management application(s)
2) Documented process to ensure that the account management solution does not generate the same password for two different users and that each generated user account is unique and has a unique identifier
Examples for additional ML-3 Conformance Evidence:
1) Documentation of accepted and applied account management application(s) in an Automation Solution
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: No. of identified cases where same password is generated for multiple user accounts (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.02 RE(3)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that service, auto-login and operator accounts, and other accounts required for essential functions and/or continuous operations, or as required by the asset owner have been configured so that they never expire nor become disabled automatically.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to prevent these essential accounts from expiring or automatic disabling
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to ensure that essential permanent accounts in the Automation Solution are configured to not expire or become automatically disabled or deleted.
2) Related checklists/templates for accounts and their lifetime and their retention procedures
3) Related documented verification/validation step for the implementation/configuration
Examples for additional ML-3 Conformance Evidence:
1) Documentation of verification/validation record on identified accounts
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) KPI: No. of identified essential accounts which have expired or been deleted unintentionally (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.02 RE(4)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that the built-in administrator account is disabled, and if that is not possible, that it is renamed or otherwise made difficult to exploit.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to disable the administrator account or otherwise protect it from exploitation
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process ensuring the protection of administrator account against unauthorized use or exploitation
2) Related checklists/templates
3) Related documented verification/validation steps that built-in administrator accounts are disabled if possible
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project that administrator accounts were disabled or protected against exploitation
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the protection concept related to the administrator account over a period of time
2) KPI: No. of identified cases of attackers gaining administrative privileges using the built-in administrator account (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.03 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that unused system default accounts have been removed or disabled.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to identify and remove/disable the unused system default accounts
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the identification and disabling/removing of unused system default accounts
2) Related checklists/templates/trainings
3) Related documented verification/validation steps that unused system default accounts are removed or disabled
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project that unused system default accounts were identified and disabled/removed
2) Completed checklists/templates/trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the applied removal/disabling mechanisms e.g.:
   • more efficiency by automation
2) KPI: No. of identified cases of attackers gaining access to the Automation Solution through unused system default accounts (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.04 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all user accounts are removed once they are no longer needed. This includes:
1) temporary accounts under the control of the service provider, such as those used for integration or maintenance,
2) user accounts for service provider personnel who are no longer assigned to the Automation Solution (see SP.01.07 BR for notifying the asset owner of the removal of service provider personnel from the Automation Solution).
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to identify and remove/disable the user accounts that are no longer needed
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the identification and disabling/removing of user accounts that are no longer needed
2) Related checklists/templates/trainings
3) Related documented verification/validation steps for the removal of user accounts that are no longer needed
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project for the removal of user accounts that are no longer needed
2) Completed checklists/templates/trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the applied removal/disabling mechanisms e.g.:
   • more efficiency by automation
2) KPI: No. of identified cases of attackers gaining access to the Automation Solution through outdated user accounts (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.04 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to generate an audit log report after the completion of integration/maintenance activities that shows that accounts used to support these activities have been removed from the Automation Solution if they are no longer needed.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to generate audit log that contains the entries for the removed user accounts that are no longer needed
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for generating audit logs entries
2) Related checklists/templates
3) Documented process for patching of an Automation Solution according to IEC 62443-2-3 which includes the related audit log functions
Examples for additional ML-3 Conformance Evidence:
1) Generated log file for recording the removal of accounts
2) Completed checklists/templates of removed integration/maintenance accounts
3) Related Patch report
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous improvement of the applied removal/disabling mechanisms e.g.:
   • more efficiency by automation
2) KPI: No. of identified cases of attackers gaining access to the Automation Solution through outdated integration/maintenance accounts (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.05 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that password policies can be set to achieve a minimum complexity commonly accepted by both the security and industrial automation communities.
NOTE At the time of this writing, minimal password complexity is:
1) at least eight characters in length and
2) a combination of at least three of the following four character sets: lowercase, uppercase, numeric digit, and special characters (e.g. % and #).
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner:
   • to identify the account management application(s) used to set password policies that meet this requirement
   • show that they are commonly accepted
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for setting the related password policy
2) Documented process for selection of and acceptance of account management application(s), such as Windows Domains, that supports this requirement
3) Documented process showing that used password policy is commonly accepted and current, and not obsolete or unacceptable.
Examples for additional ML-3 Conformance Evidence:
1) Verification/validation record policy of this process e.g. application of tools to verify minimum complexity of passwords
2) List of used account management application(s) in a project
3) Provided evidence on the applied minimum complexity policy for passwords (e.g. articles in trustworthy media, scientific papers, studies) showing that they are commonly accepted and current, and not obsolete or unacceptable
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Regular review of the quality and acceptance of password policies
2) Systematic and comprehensive review of the state of the art of the related minimum password complexity

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.06 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that passwords for local and system-wide (e.g. domain) user accounts are configured to automatically expire after they have been in use for a period of time specified by the asset owner.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
   • retrieve the expiry period requirements from the asset owner
   • configure password expiry to meet those requirements
Note: Defining an expiration period to “infinite” (no expiry) is a possible choice for the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the configuration of password expiry policies to meet this requirement
2) Related checklists/templates
3) Documented process of verification/validation step for this requirement
Examples for additional ML-3 Conformance Evidence:
1) Verification/validation record on implementation of this policy
2) Documentation of successful cooperation with asset owner on password expiries in a project
3) Completed related checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on applied password policy
2) KPI: No. of identified passwords which have not expired after their identified time period of usage (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.06 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that password policies are set to prompt users to change passwords N days before they expire, where N is specified by the asset owner. This requirement does not apply to passwords that are not set to expire.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
   • retrieve the number of days for prompting users before password expiry from the asset owner
   • configure password expiry to meet that requirement
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the configuration of password expiry policies to meet this requirement
2) Related checklists/templates
3) Documented process of verification/validation step for this requirement
Examples for additional ML-3 Conformance Evidence:
1) Verification/validation record on implementation of this policy
2) Completed related checklists/templates
3) Documentation of successful cooperation with asset owner on user prompting
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on applied user prompting
2) KPI: No. of users which have not been prompted N days before password expiry (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.07 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that default passwords are changed as required by the asset owner.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to identify and change the default passwords according to the requirements of the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the identification and changing of default passwords
2) Related checklists/templates/trainings
3) Related documented verification/validation steps that default passwords are changed
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project that default passwords were changed according to the requirements of the asset owner
2) Completed checklists/templates/trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on the cooperation related to applied default password changes
2) KPI: No. of identified default passwords which have not been changed according to the requirements of the asset owners (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.08 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that password policies are set to prevent users from reusing their last N passwords, where N is specified by the asset owner.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
   • retrieve the number “N” of passwords from the asset owner
   • configure password reuse to meet the related requirements
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the prevention of password reuses
2) Related checklists/templates/trainings
3) Related documented verification/validation steps that previous “N” passwords are not reused
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project that password re-usages are prevented according to the requirements of the asset owner
2) Completed checklists/templates/trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on the cooperation related to password reuse prevention
2) KPI: No. of identified re-usages of passwords from the last “N” passwords which were not detected (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.08 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that password policies are set to prevent users from changing their passwords more frequently than once every N days, where N is specified by the asset owner.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
   • retrieve the number “N” of days from the asset owner
   • configure password changing to meet the related requirements
Note: Defining the number “N” days as “zero” (no restriction on frequency of change) is a possible choice for the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process on the prevention of password changes
2) Related checklists/templates/trainings
3) Related documented verification/validation steps that passwords are not changed more than once every “N” days
Examples for additional ML-3 Conformance Evidence:
1) Documentation of applied verification/validation in a project that passwords are not changed more than once every “N” days
2) Completed checklists/templates/trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on the cooperation related to password change prevention
2) KPI: No. of identified changes of passwords more than once in “N” days (target = 0 over a certain period of time)

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.09 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that accounts whose passwords have been approved by the asset owner to be shared with the service provider are securely documented and maintained.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
   • retrieve passwords approved for sharing from the asset owner
   • document and maintain retrieved passwords securely
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process to ensure secure handling and documentation of shared passwords
2) Related checklists/templates
3) Description of used password management tools and criteria for their selection and maintenance
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of protection of shared passwords in a project (e.g. encrypted archive or database of password manager)
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on the cooperation related to shared passwords
2) Continuous improvement of the applied password protection mechanisms e.g.:
   • more efficiency by automation
   • strong encryption of stored passwords
   • improved logging of password usages

Summary Level: Account management
IEC 62443-2-4 ID: SP.09.09 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to report to the asset owner passwords that were
1) shared and no longer need to be shared,
2) knowingly divulged, or
3) knowingly compromised,
and to support the asset owner in changing passwords as necessary.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
   • report to the asset owner about outdated, divulged or compromised passwords
   • change related passwords in cooperation with the asset owner
Example ML-1 Conformance Evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence:
1) Documented process for identifying passwords that need to be changed and reporting them to the asset owner
2) Documented process for cooperating with the asset owner related to password management according to the requirement
3) Related checklists/templates
Examples for additional ML-3 Conformance Evidence:
1) Documentation of application of password management process (identification, reporting and changing) in a project
2) Records of related cooperation with asset owner
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement:
1) Continuous and positive feedback from the asset owners on the cooperation related to password management
2) Continuous improvement of the applied password management mechanisms e.g.:
   • more efficiency by automation
   • timeliness of reaction and resolution in case of outdated, divulged or compromised passwords


Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.01 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide the asset owner with documented instructions for the proper installation, configuration and update of malware protection mechanisms that are tested and verified for the Automation Solution.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
• Provide instructions to the asset owner for the use and maintenance of anti-malware mechanisms that it uses in the Solution
• Ensure that related mechanisms were verified and tested
• Document how they were verified and tested (e.g. by the control system supplier or by the service provider itself)
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process for delivering the relevant documentation and for cooperation with the asset owner
2) Related checklists/templates
3) Training program for the service provider regarding malware protection testing and verification
4) Control system documentation from supplier for anti-malware mechanisms delivered with the Solution that describes how to maintain them and how they were verified
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of application of related installation and maintenance of malware protection mechanisms in a project
2) Completed checklists/templates
3) Completed related trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous improvement of the applied malware protection mechanisms e.g.:
   • more efficiency by automation
   • compatibility with the Automation Solution
2) Malware protection mechanisms are always state of the art over a period of time
3) Continuous and positive feedback from the asset owners on the cooperation related to malware protection mechanisms

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.02 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that:
1) malware protection mechanisms have been correctly installed/updated and properly configured in accordance with the service provider's approved procedures,
2) malware definition files are installed within the time period agreed to with the asset owner,
3) malware configurations are maintained and kept current.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that:
1) correct installation and configuration of malware protection mechanisms
2) maintenance and update of the installed malware protection mechanisms (e.g. keeping malware definition files current) in cooperation with asset owner
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process for related installation/configuration/maintenance of anti-malware mechanisms
2) Training program for the service provider regarding malware protection installation/configuration/maintenance
3) Related checklists/template (e.g. final verification step that configuration and definitions file are up-to-date)
4) Documented process for updating configuration and definition files including time frame agreement with asset owner
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of application of pattern update log during integration or maintenance in a project
2) time frame agreement for maintenance service with the asset owner
3) Completed checklists/templates
4) Completed related trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Malware protection mechanisms are always state of the art over a period of time
2) Continuous and positive feedback from the asset owners on the cooperation related to malware protection mechanisms particularly to time period for related installation/maintenance

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.02 RE(1)
IEC 62443-2-4 Requirement: The service provider shall create and maintain the documentation that describes the use of malware protection mechanisms in the Automation Solution for which the service provider is responsible. This documentation shall include for each component used in the Automation Solution:
1) the installation state of malware protection mechanisms or a statement that it is not technically possible to install malware protection mechanisms on the component,
2) the current configuration settings of the installed malware protection mechanism,
3) the current status of malware definition files approved for installation on the component,
4) the use of other mitigating features and functions used to reduce the risk of infection and/or mitigate the effect of infections (e.g. isolating infections, reporting infections).
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to document and maintain the antimalware software status for each component of the Automation Solution according points 1) to 4) of the requirement
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process for use of malware protection mechanism of each component in an Automation Solution, fulfilling points 1)-4) of requirement
2) Documented process for alternative mitigation measures where malware protection mechanisms are not feasible/available/applicable
3) Related checklists/templates
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Established documentation of used malware protection mechanisms in a project
2) Complete checklists/templates
3) Documentation of applied other mitigation mechanisms according to point 4) of the requirement
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous improvement of the documentation of malware protection mechanisms e.g.:
   • Continuous timely updating of documentation
   • Quality and comprehensiveness of documentation related to points 1)-4) of the requirement

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.03 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to verify that malware, other than zero-day malware, can be detected and properly handled by the installed malware protection mechanisms.
Acceptable Evaluation Criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to verify the correct operation of the antimalware mechanisms at the component, systems and solution level (e.g. configuration, detection, mitigation, logging/, notifications) to provide protection against known malware
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process on the verification proper malware operation
2) Related checklists/templates
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of application of the verification of malware protection mechanisms in a project (e.g. EICAR, IDS/IPS, whitelisting tests, security gateway)
2) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Malware protection verification mechanisms are always state of the art and current over a period of time
2) Continuous improvement of the verification of malware protection mechanisms and the associated process e.g.:
   • Timeliness of testing and verification
   • Cooperation with antimalware vendors related to malware definitions and updates

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.04 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide to the asset owner documentation that describes:
1) how malware definition files for the Automation Solution are evaluated and approved,
2) reporting the status of malware definition files to the asset owner within N days after release of the files by the manufacturer, where N has been agreed to by the service provider and asset owner. This status includes the applicability (e.g. component and version) and approval state (e.g. approved, installed, disapproved, etc.) for each malware definition file.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
• document and maintain the information about malware definition files
• inform the asset owner of the related results within a mutually agreed time period after their release by the anti-malware software manufacturer.
• Inform the asset owner about the applicability and approval state of the new malware definition file
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Process to create documentation about approval of malware definition files and reporting of the status to the asset owner
2) Related checklists/template for reporting on the approval stage
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) documentation of applied verification of new malware definition files
2) reporting agreement with asset owner
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the cooperation related to malware definition files and related reporting process
2) Continuous improvement of the documentation on malware definition files and reporting process to asset owner e.g.:
   • Continuous timely updating of documentation
   • Quality and comprehensiveness of documentation
   • Efficiency of approval process for new malware definition files

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.05 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all devices, including workstations, supplied to the Automation Solution by the service provider are free of known malware prior to use in the Automation Solution.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that components/workstations are free of known malware when integrated into the Automation Solution
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process ensuring that components/workstations are scanned for malware prior to integrating it into the Automation Solution
2) Related checklists/templates
3) Related training process for service provider
4) Documented process for Supply chain assurances from component suppliers that the components delivered to the Automation Solution are free of known malware
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Malware scan logs for all components/workstations performed in a project
2) agreement with suppliers
3) Completed checklists/trainings
4) Completed trainings
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous improvement of technical competence related to malware scans over period of time
2) KPI: No. of identified malware in components/workstations integrated in an Automation Solution (target = 0 over a certain period of time)

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.05 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that for portable media that it uses for system testing, commissioning, and/or maintenance, it uses this portable media for this purpose only.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure portable media is used only for its intended purpose
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process requiring that portable media that the service provider uses in the Automation Solution is not used for any other purpose
2) Documented process of using automated mechanisms that recognize service provider portable media and restrict its use to authorized uses
3) Documented process of cooperation with the asset owner about usage of portable media for testing, commissioning or maintenance
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of applied process for using portable media in a project
2) Test report on effectiveness of automated mechanism in a project
3) Related framework agreement with the asset owner
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) KPI: No. of identified portable media used in an Automation Solution being infected with malware (target = 0 over a certain period of time)

Summary Level: Malware protection
IEC 62443-2-4 ID: SP.10.05 RE(2)
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that all portable media used in or connected to the Automation Solution by the service provider is free of known malware prior to use in the Automation Solution.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that portable media are free of malware when used in the Automation Solution
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process ensuring that portable media are scanned for malware prior to use in the Automation Solution
2) Related checklists/templates
3) Automated mechanisms that recognize portable media and allow its use only if free of known malware
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documented results of antimalware scans of portable media
2) Completed checklist/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) KPI: No. of identified malware-infected portable media being used in an Automation Solution (target = 0 over a certain period of time)

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.01 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes how security patches for Automation Solution software for which it is responsible are evaluated and approved.
NOTE 1 In this standard, firmware upgrades are regarded as software patches.
NOTE 2 In this standard, patch installation refers to installation of patches to the Automation Solution.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to document its evaluation and approval of security patches that are applicable to the Automation Solution.
Note: This process often requires cooperation with the supplier of the control system or component
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process that ensure evaluation and approval of security patches for use in the Automation Solution.
2) Documentation that describes how security patches are evaluated and approved for use in the Automation Solution
3) Related checklists/templates for evaluation and approval of patches
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Related documentation on evaluation and approval of patches which was provided to the asset owner
2) Completed checklists/templates
3) Successful conformity assessments related to IEC 62443-2-3 covering that requirement
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the cooperation related to patch management
2) Continuous improvement of the documentation on evaluation and approval of security patches and reporting process to asset owner e.g.:
   • Continuous timely updating of documentation
   • Quality and comprehensiveness of documentation
   • Criteria for assessing compatibility of patches to the Automation Solution

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.01 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to review, as a result of changes in security risks, how it evaluates and approves security patches for Automation Solution software for which it is responsible.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to make sure that security patch management process is reviewed and updated according to changing risks
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process for reviewing and updating the process used to evaluate and approve security patches for use in the Automation Solution according to changing risks
2) Related checklists/templates
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of application of change of patch evaluation method due to changing risks and/or threat landscape and/or potential impact
2) Successful dry run of changing patch evaluation method
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous improvement of the modification process for evaluation e.g.:
   • Automation and efficiency of reacting to changing risks and/or threat landscape and/or potential impact

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.02 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to make documentation available to the asset owner that describes security patches/updates. The description of each patch shall be available to the asset owner within an agreed time frame after the release of a patch by its manufacturer, and shall include:
1) security patches that are applicable to components of the Automation Solution for which the service provider is responsible,
2) the approval status/lifecycle state (see IEC TR 62443-2-3) of each; i.e., approved, not approved, not applicable, in test,
3) a warning if the application of an approved patch requires or causes a re-start of the system,
4) the reason for those that are not approved or not applicable,
5) a plan for the remediation for those that are applicable but not approved.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner:
1) to create and describe patch lists covering the points 1) to 5) of the requirement
2) To provide those lists to the asset owner within an agreed time frame (either specific by contract or by default policy)
Note: This process often requires cooperation with the supplier of the control system or component.
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process for creating patch lists, including when they are created and their contents (that meet this requirement), and also including remediation plans for those patches which are not approved
2) Checklists/templates for patch lists related to point 1) to 5) of the requirement
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of the applied related process in a project including agreed time
2) Example on patch lists delivered within the agreed time frame
3) Completed checklists/templates
4) Delivered remediation plan for not approved patches
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the documentation related to security patches/updates
2) Continuous improvement of the documentation of security patches and reporting process to asset owner e.g.:
   • Continuous timely updating of documentation
   • Quality and comprehensiveness of documentation
3) KPI: No. of violations and delay (no of days) on agreed time frames to document and report security patches to the asset owner (target = 0 over a certain period of time)

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.02 RE(1)
IEC 62443-2-4 Requirement: The service provider shall have the capability to make available to the asset owner, through an interface commonly accepted by the industrial and security communities, a patch list that identifies:
1) approved security patches applicable to Automation Solution software for which the service provider is responsible (e.g. control system and component software, operating system software, and 3rd party software applications),
2) which of the applicable security patches have been approved for use in the Automation Solution,
3) the version numbers of the software to which the approved patches apply.
This list shall be available to the asset owner within an agreed timeframe after the release of a patch by the manufacturer.
Acceptable Evaluation Criteria: The service provider shall have:
1) the capability to select and use a communication interface for reporting patch lists which is accepted by the industrial and security communities
2) a process that can be performed for the asset owner to use this communications interfaces to report patch lists to the asset owner which comply to 1)-3) points of the requirement
3) a process that can be performed for the asset owner for making this list available within an agreed time frame (either specific by contract or by default policy)
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) List of communication interfaces used to meet this requirement and references to their documentation
2) Documented process that ensures that patch lists are provided through these interfaces in the agreed time frame
3) Checklists/templates for verifying that the provided patch list satisfies the points 1)-3) of the requirement
4) Documented process showing that used communication interfaces are commonly accepted and current, and not obsolete or unacceptable.
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Example of provided patch list including points 1) to 3) from the requirement
2) Provided Evidence (articles, papers, studies) showing that the used communication interfaces were commonly accepted and current, and not obsolete or unacceptable
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the interface used for the provision of patch lists
2) Continuous improvement on the reporting of patch lists to the asset owner e.g.:
   • Continuous timely updating of interface documentation
   • Timely provision of the patch lists
3) KPI: No. of violations and delay (no of days) on agreed time frames to provide patch lists over the agreed interface to the asset owner (target = 0 over a certain period of time)

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.02 RE(2)
IEC 62443-2-4 Requirement: The service provider shall have the capability to:
1) recommend a mitigation plan when requested by the asset owner for security patches that were applicable and approved by the service provider, but that were not approved by the asset owner, for example, because they could impact operations or performance (see SP 11.05 BR),
2) implement the mitigation plan after approval by the asset owner.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to:
1) create mitigation plans for applicable patches that were not approved by the asset owner
2) obtain asset owner’s approval for their implementation
3) implement the agreed mitigation plan
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process to review patches that were approved by service provider but not by the asset owner and to create a related mitigation and implementation plan for them
2) Related checklists/templates for obtaining asset owner approval for implementation of mitigation plans
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of implementation of mitigation plan related to applicable patches not approved by asset owners
2) Successful and comprehensive dry run on the implementation of a related mitigation plan
3) Completed checklists/templates
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the recommended mitigation plans and their implementations
2) Continuous improvement of the quality of the developed and applied mitigation plans
3) KPI: No. of mitigations which negatively impacted the operations or performance of the Automation Solution (target = 0 over a certain period of time)

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.03 BR
IEC 62443-2-4 Requirement: The service provider's management of patches shall provide for:
1) patches to be obtained by the asset owner directly from the patch's manufacturer, and/or
2) redistribution of patches by the service provider only if approved by the asset owner and permitted by the patch manufacturer.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner:
1) to ensure that asset owner obtains security patches in a reliable way, by selecting one of the two points of the requirement or both
2) to obtain approval from the asset owner and patch manufacturer when point 2) from the requirement is selected, e.g. via license agreement with patch manufacturer
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented Process for obtaining security patches from the patch manufacturer,
2) Documented process for the redistribution of patches from the patch manufacturer that includes gaining approval from both the patch manufacturer and the asset owner
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Documentation of application of patch retrieval process in a project
2) License agreements with patch manufacturers
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) KPI: No. of applied patches which are:
   • Not received via an authorized channel, or
   • Infected or invalid
   (target = 0 over a certain period of time)
2) The quality of the related patch management process is always state of the art over a period of time

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.04 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes how to perform patching both manually and via a patch management server and how to obtain patching status reports.
1) When using a patch management server, documentation shall be provided to show how to use the server to install patches.
2) For manual patching using portable media, documentation shall be provided that describes how to install patches from the media.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner:
• to describe installation of patches from portable media and/or from a patch management server
• making sure that point 1) is satisfied in case of patch management server or that point 2) is satisfied in case of manual patching
• to describe the methods for obtaining a report of the results
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Process to create/maintain documentation that describes how patches are installed, and that describes how to obtain status reports resulting from the patching activity
2) documentation how to use patch management server solution
3) documentation how to patch manually from media
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Completed documentation on how to use patch management server in a project
2) Completed documentation on how to patch manually from media in a project
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the documentation related to the patching methods
2) Continuous improvement of the quality of the provided patching documentation over a period of time

Summary Level: Patch Management
IEC 62443-2-4 ID: SP.11.05 BR
IEC 62443-2-4 Requirement: The service provider shall have the capability to ensure that it obtains approval from the asset owner for installing each and every security patch.
Acceptable Evaluation Criteria: The service provider shall have a process that can be performed for the asset owner to obtain the approval for installing patches from the asset owner
Example ML-1 Conformance Evidence (see Clause 6.2): Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews
Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE:
1) Documented process to obtain approval from the asset owner for patch installation
2) Checklists to validate approval of the asset owner for each patch installation
3) Related template for signing/approval by asset owner
Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE:
1) Record of completeness of installation approvals for all patches in a project
2) Completed related checklist
3) Completed template of approval
4) Cooperation agreement with asset owner related to patch installation approval
Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5):
1) Continuous and positive feedback from the asset owners on the patching approval cooperation
2) KPI: No. of patches which were installed without the approval from the asset owner (target = 0 over a certain period of time)
Table columns:
A: Summary Level
B: IEC 62443-2-4 ID
C: IEC 62443-2-4 Requirement
D: Acceptable Evaluation Criteria
E: Example ML-1 Conformance Evidence (see Clause 6.2)
F: Examples for ML-2 Conformance Evidence (see Clause 6.3), EoE
G: Examples for additional ML-3 Conformance Evidence (see Clause 6.4), EoE+PoE
H: Examples for additional ML-4 Conformance Evidence of continuous process improvement (see Clause 6.5)
Patch Management, SP.11.06 BR

Requirement: The service provider shall have the capability to ensure that if the asset owner requests the service provider to install security software patches (including firmware upgrades), the service provider installs them at a time specified by the asset owner.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner:
1) to obtain the requirement from the asset owner about which patches shall be installed by the service provider
2) to ensure that related security patches are installed at a time specified by the asset owner

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to obtain the requirement from the asset owner about which patches shall be installed
2) Documented process that patches are installed at a time specified by the asset owner
3) Related checklists/templates

Examples for additional ML-3 conformance evidence:
1) Agreement with the asset owner about the installation of patches at the agreed time
2) Example of patch installation record
3) Completed checklists/templates

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the patch installation cooperation
2) KPI: No. of patches which were not installed at the agreed time (target = 0 over a certain period of time)
Patch Management, SP.11.06 RE(1)

Requirement: The service provider shall have the capability to ensure that the security hardening level of the Automation Solution is retained after patch installation, e.g. by reinstalling software or changing system configuration settings.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to make sure that patch installation does not degrade the hardening level of the Automation Solution

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to ensure that the hardening level is not degraded by patch installations
2) Documentation of expertise and achieved training with regard to hardening
3) Related checklists/templates e.g.:
• list of temporarily deactivated hardening measures for patch installation
• temporarily applied configuration changes during patch installation process
• Verification/validation step of former hardening level after patch installation

Examples for additional ML-3 conformance evidence:
1) Documentation of application of related process in a project
2) Verification/validation record
3) Completed checklists/templates

Examples for additional ML-4 conformance evidence:
1) KPI: No. of implemented patches which degraded the hardening status of an Automation Solution found after completion of patching (target = 0 over a certain period of time)
2) Continuous improvement of the secure patch installation capabilities, e.g.
• Limiting the impact on the operation of the Automation Solution
• Limiting required reduction of hardening level during patching
• Automation of capturing and restoration of the applied hardening level
Patch Management, SP.11.06 RE(2)

Requirement: The service provider shall have the capability to ensure that, for devices that support installation of software/firmware over the network, the update process ensures the authenticity and integrity of the device software/firmware.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to make sure the integrity and authenticity of patches being provided over the network

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documentation of controls which are used to ensure authenticity and integrity of patches and their source
2) Documentation describing mechanisms that ensure that devices do not install patches that have been modified from their original version (as produced by the patch manufacturer),
3) Process that provides for verification of patch files after installation (e.g. dump of the patch from the patched device or of the checksum calculated by the device),
4) Process/technology that ensures access to the network by attackers is not possible during patch installation

Examples for additional ML-3 conformance evidence:
1) Verification/validation record that related controls were in place in a project
2) Documentation of used mechanisms to ensure integrity and authenticity of patches in a project

Examples for additional ML-4 conformance evidence:
1) Applied integrity and authenticity mechanisms are always state of the art over a period of time
2) KPI: No. of unauthenticated or corrupted patches being installed in an Automation Solution (target = 0 over a certain period of time)
Patch Management, SP.11.06 RE(3)

Requirement: The service provider shall have the capability to determine the installation status of all security patches applicable to the Automation Solution for which the service provider is responsible.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to determine the security patch status of all devices for which it is responsible

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process for obtaining the patch status of a device
2) Related checklists/templates on the installation status of the security patches, based on related inventory register
3) Description of the technology used to automatically query devices for their patch status

Examples for additional ML-3 conformance evidence:
1) Inventory register that contains the status of patch installation for all devices (manually or automatically generated)

Examples for additional ML-4 conformance evidence:
1) KPI: No. of identified patch installation not matching with the status in the inventory register (target = 0 over a certain period of time)
Backup/Restore, SP.12.01 BR

Requirement: The service provider shall have the capability to provide documentation for recommended backup procedures for the Automation Solution that includes, but is not limited to the following:
1) Instructions on how to make a full backup of the Automation Solution, and partial backups if applicable, using at least one of the following methods
   a) proprietary backup architecture on removable media,
   b) single system backup architecture on removable media,
   c) distributed back-up architecture in which each backup system backs up a subset of the service provider's Automation Solutions at the asset owner's site, or
   d) centralized back-up architecture using one backup system for all of the service provider's Automation Solutions at the asset owner's site.
2) Provisions to back-up the following types of data
   a) operating system files and cryptographic data (e.g. keying material),
   b) applications (including middleware, such as tunneling software),
   c) configuration data, database files,
   d) log files, electronic log book,
   e) unconventional file types including, but not limited to network equipment settings, control system controller settings (tuning parameters, set points, alarm levels),
   f) field instrumentation parameters, and
   g) directory information
   h) other files identified by the service provider that are required to create a complete backup of the Automation Solution,
3) Recommendations for offsite storage of backup media,
4) Provisions to ensure changes to the Automation Solution that could affect the integrity of a backup are not made while a backup is in progress
NOTE Examples of partial restores include operating system, application software, databases, and configuration files.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to provide instructions for backing up the Automation Solution (or its components) covering the points 1)-4) of the requirement

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to create/maintain backup instructions related to points 1)-4) of the requirement
2) Identification of conditions that may interfere with successful restoration, or a statement that no such conditions exist
3) Related template for backup documentation/instruction, e.g.:
• Backup of all needed components and data types
• Backup media considerations
• Off-site storage of backups
• Ensuring integrity of backups

Examples for additional ML-3 conformance evidence:
1) Created backup instructions meeting points 1) to 4) of requirements for a project
2) Completed related template

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the provided documentation related to backup capabilities/procedures
2) Continuous improvement of the quality of the provided documentation on backup instructions
3) Continuous improvement of the backup process, e.g. related to:
• Automation and efficiency
• Cooperation with asset owner
Backup/Restore, SP.12.02 BR

Requirement: The service provider shall have the capability to provide documented instructions to the asset owner for restoring the Automation Solution or its components to normal operation.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to provide instructions for restoring the Automation Solution (or its components) from a backup, including any conditions that could interfere with the success of restore operations

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to create/maintain backup/restore instructions to the asset owner
2) Backup/restore user manuals/instructions ensuring that all Automation Solution components are included in the instructions for the restoration process
3) Documentation of identification of conditions that may interfere with successful restoration and activities to prevent such interference, or a statement and clarification that no such conditions exist

Examples for additional ML-3 conformance evidence:
1) Restore instructions for the as-built Automation Solution e.g. partial or full restoration
2) Provided statement and verification that interferences did not exist in a project
3) Successful and comprehensive dry run of restoration process to show no interference

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the provided documentation related to restore capabilities/procedures
2) Continuous improvement of the quality of the provided documentation on restore instructions
3) Continuous improvement of the restoration process, e.g. related to:
• Automation and efficiency
• Cooperation with asset owner
Backup/Restore, SP.12.03 BR

Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes how to control and securely manage removable backup media.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to provide instructions for securely handling removable backup media e.g. off-site storage of the media, data at rest or data streamed

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to provide documentation to the asset owner to handle removable backup media securely
2) Backup/restore user manuals/instructions containing information about securing removable backup media
3) Description of best practices for handling removable backup media

Examples for additional ML-3 conformance evidence:
1) Documented instructions for the asset owner as used in an as-built Automation Solution
2) Application of the concept for secure management of using removable backup media as applied in a project

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the provided documentation related to removable backup media
2) Continuous improvement of the quality of the provided documentation on removable backup media
3) Continuous improvement of the management process for removable backup media, e.g. related to:
• Automation and efficiency
• Cooperation with asset owner
Backup/Restore, SP.12.04 BR

Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes how to verify successful system backup.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to provide instructions for verifying that a backup was successful e.g.
• backup integrity verification
• ensuring that all the components from the inventory register are included

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to provide documentation to the asset owner to verify successful system backup; e.g.
• backup integrity verification
• ensuring that all the components from the inventory register are included
2) Backup/restore user manuals/instructions including verification of system backup
3) Description of best practices for verifying successful system backup

Examples for additional ML-3 conformance evidence:
1) Documented instructions for the asset owner as used in an as-built Automation Solution regarding backup integrity verification
2) Record of applied backup including system integrity verification for all components

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the provided documentation related to verification of successful system backup
2) Continuous improvement of the verification of successful system backup, e.g. related to:
• Methodology
• Verification of completeness (all components included)
• Verification of Integrity
• Automation and efficiency
• Cooperation with asset owner
Backup/Restore, SP.12.05 BR

Requirement: The service provider shall have the capability to verify that:
1) it is possible to perform a complete back-up of the Automation Solution, and
2) it is possible to restore a fully functioning Automation Solution from this back-up.

Acceptable evaluation criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to verify its ability to:
• Perform a full backup
• Perform a restore based on that backup and to get the full functionality of the Automation Solution

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Test case to perform a full backup
2) Test case to perform a restore based on that backup and to get the full functionality of the Automation Solution

Examples for additional ML-3 conformance evidence:
1) Performed backup and restore cycle for all devices including performed verification of completeness and full functionality
2) Successful and comprehensive dry run of related backup and restore process

Examples for additional ML-4 conformance evidence:
1) Continuous improvement of the verification of completeness of backup and restore, e.g. related to:
• Methodology
• Verification of completeness (all components included)
• Verification of Integrity
• Automation and efficiency
Backup/Restore, SP.12.06 BR

Requirement: The service provider shall have the capability to perform a backup of the Automation Solution in accordance with the asset owner's backup schedules and data restore and disaster recovery objectives.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to ensure that its backup and restore operations are performed in accordance with the asset owner schedules and objectives

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to incorporate asset owner backup and restore schedules and objectives e.g. for defining the scope of backup and its possible impact
2) Related checklists/templates for alignment with asset owner’s backup schedule

Examples for additional ML-3 conformance evidence:
1) Documentation of application of related process including alignment with asset owner’s schedules and objectives
2) Backup schedule approval from the asset owner
3) Completed checklists/templates

Examples for additional ML-4 conformance evidence:
1) Continuous and positive feedback from the asset owners on the alignment of the backup with its schedules and objectives
2) Continuous improvement of the integration of backup activities into the framework of the asset owner, e.g. related to automation and efficiency
Backup/Restore, SP.12.07 BR

Requirement: The service provider shall have the capability to ensure that the Automation Solution is able to continue normal operation during a backup.

Acceptable evaluation criteria: For the solution or used reference architecture, the service provider shall have a process that can be performed for the asset owner to:
• Identify what is considered normal operation and related to recovery objectives from the requirement SP.12.06 BR
• assure that backup operations do not adversely affect the normal operation

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to identify what constitutes normal operation (e.g. essential functions defined in the risk assessment) and how this might be affected by backup/restore activities
2) Documented process to verify that backup can be performed during normal operation without adversely affecting normal operation,
3) Related Backup/restore user manuals/instructions

Examples for additional ML-3 conformance evidence:
1) Verification results that backup has been performed during normal operation without interference, e.g. screenshots, test reports
2) A description of what constitutes normal operation during backup in a project

Examples for additional ML-4 conformance evidence:
1) Continuous improvement of the verification activities that the Automation Solution is not affected by backup, e.g. related to automation and efficiency
Backup/Restore, SP.12.08 BR

Requirement: The service provider shall have the capability to provide documentation to the asset owner that describes how to generate and maintain audit logs of all backup and restore activities.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to provide:
1) instructions for configuring backup/restore operations to be logged in an audit log,
2) a description of how to maintain those audit logs.

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process to create/maintain instructions for capturing audit log entries for backup/restore
2) Documented configuration instructions for having backup/restore operations written to an audit log

Examples for additional ML-3 conformance evidence:
1) Documentation from an as-built Automation Solution on how to generate and maintain audit logs of all backup/restore activities

Examples for additional ML-4 conformance evidence:
1) Continuous improvement of the documentation for managing audit logs for backup/restore activities, e.g. related to automation and efficiency
Backup/Restore, SP.12.09 BR

Requirement: The service provider shall have the capability to document a recommended disaster recovery plan that includes, but is not limited to the following:
1) Description of various disaster scenarios and their impact on the Automation Solution,
2) Step-by-step instructions for restoring, restarting, failed components and integrating them into the Automation Solution,
3) Minimum architecture requirement for restoring the entire Automation Solution.

Acceptable evaluation criteria: The service provider shall have a process that can be performed for the asset owner to establish and recommend a disaster recovery plan covering at least points 1)-3) of the requirement for the Automation Solution

Example ML-1 conformance evidence: Examples of Execution that service provider has met the requirement at least for one customer e.g.:
1) Project documentation
2) Interviews

Examples for ML-2 conformance evidence:
1) Documented process for developing a disaster recovery plan covering at least points 1)-3) of the requirement
2) Template of a recommended disaster recovery plan for an Automation Solution that includes step-by-step instructions and minimum required tools, data, etc. which can be prepared in advance

Examples for additional ML-3 conformance evidence:
1) Documented disaster recovery plan for an as-built Automation Solution
2) Completed comprehensive drill (or simulation) for executing disaster recovery plan
3) Completed related template applied in a project

Examples for additional ML-4 conformance evidence:
1) Continuous improvement of the quality of the documentation of disaster recovery plan, e.g. related to:
• automation and efficiency
• comprehensiveness of documentation
• variety of disaster scenarios covered


Annex A Legend for Maturity Levels

(informative)

The following legend is cited from IEC 62443-2-4 Ed. 1.1.

ML-1: At this level, the models are fundamentally the same. Service providers typically perform the service in an ad-hoc and often undocumented (or not fully documented) manner. Requirements for the service are typically specified in a statement of work under contract with the asset owner. As a result, consistency across projects may not be able to be shown.

NOTE “Documented” in this context refers to the procedure followed in performing this service (e.g. detailed instructions to service provider personnel), not to the results of performing the service. In most asset owner settings, all changes resulting from the performance of a services task are documented.

ML-2: At this level, the models are fundamentally the same, with the exception that IEC 62443-2-4 recognizes that there may be a significant delay between defining a service and executing (practicing) it. Therefore, the execution related aspects of the CMMI-SVC Level 2 are deferred to Level 3. At this level, the service provider has the capability to manage the delivery and performance of the service according to written policies (including objectives). The service provider also has evidence to show that personnel have the expertise, are trained, and/or are capable of following written procedures to perform the service.

The service discipline reflected by Maturity Level 2 helps to ensure that service practices are repeatable, even during times of stress. When these practices are in place, their execution will be performed and managed according to their documented plans.

ML-3: At this level, the models are fundamentally the same, with the exception that the execution related aspects of the CMMI-SVC Level 2 are included here. Therefore, a service at Level 3 is a Level 2 service that the service provider has practiced for an asset owner at least once.

The performance of a Level 3 service can be shown to be repeatable across the service provider’s organization. Level 3 services may be tailored for individual projects based upon the contract and statement of work from the asset owner.

ML-4: At this level, Part 2-4 combines CMMI-SVC levels 4 and 5. Using suitable process metrics, service providers control the effectiveness and performance of the service and demonstrate continuous improvement in these areas, such as more effective procedures or the installation of system capabilities with higher security levels (see IEC 62443-3-3). This results in a security program that improves the service through technological/procedural/management changes. See IEC 62443-1-3 for a discussion of metrics.
