ISA/IEC 62443-4-2 defines the technical cybersecurity capabilities individual IACS components must provide. Where Part 4-1 covers how products are developed securely, Part 4-2 covers what security functions those products must offer when claiming a component Security Level Capability (SL-C).
Requirements are expressed as Component Requirements (CRs) and Requirement Enhancements (REs), derived from the System Requirements in ISA/IEC 62443-3-3. The same Foundational Requirements (FR 1–7) and Security Levels (0–4) model is used at component level.
Reference: ISA/IEC 62443-4-2 — Technical security requirements for IACS components
Related:
IEC 62443-4-1 Product Security Lifecycle
|
IEC 62443-3-3 Foundational Requirements
|
IACS Cybersecurity Roles
|
Security Levels (SL-T / SL-C / SL-A)
| Role | How they use Part 4-2 |
|---|---|
| System integrators | Help procure components; specify the component SL-C needed; choose products that can support the Target Security Level (SL-T) for each zone. |
| Product suppliers | Understand which capabilities a component must provide for a claimed SL-C, and document how to integrate the component so a system can meet a stated SL-T. |
| Category | Prefix | Examples | Detail page |
|---|---|---|---|
| Software application | SAR | SCADA applications, data historians | Clause 12 |
| Embedded device | EDR | PLC, IED, remote controllers | Clause 13 |
| Host device | HDR | Operator / engineering workstations, industrial servers | Clause 14 |
| Network device | NDR | Switches, routers, VPN gateways, industrial firewalls | Clause 15 |
CR = common component requirement (all types). Category-specific refinements use SAR / EDR / HDR / NDR. Representative device examples are in Annex A.
The sections below summarise each AEBOK page that unpacks Part 4-2. Use this map as the index; open the linked pages for requirement-level teaching notes.
Cross-cutting rules for every CR claim: support essential functions; document compensating countermeasures when a CR cannot be met inside the component; support least privilege where required; and develop/support the component under Part 4-1. Page: IEC 62443-4-2 Clause 4 – Common Component Security Constraints
Each FR mirrors Part 3-3 and lists component requirements (CRs) plus REs used for higher SL-C:
| FR | Clause | Theme | Page |
|---|---|---|---|
| FR 1 – IAC | 5 | Identification and authentication control | IEC 62443-4-2 Clause 5 – Identification and Authentication Control |
| FR 2 – UC | 6 | Use control (authorisation, sessions, audit…) | IEC 62443-4-2 Clause 6 – Use Control |
| FR 3 – SI | 7 | System / component integrity | IEC 62443-4-2 Clause 7 – System Integrity |
| FR 4 – DC | 8 | Data confidentiality | IEC 62443-4-2 Clause 8 – Data Confidentiality |
| FR 5 – RDF | 9 | Restricted data flow | IEC 62443-4-2 Clause 9 – Restricted Data Flow |
| FR 6 – TRE | 10 | Timely response to events | IEC 62443-4-2 Clause 10 – Timely Response to Events |
| FR 7 – RA | 11 | Resource availability | IEC 62443-4-2 Clause 11 – Resource Availability |
Adds or refines capabilities that only make sense for certain product types (for example mobile code handling, boot integrity, wireless on network devices).
Informative examples (PLC, IED, switch, VPN terminator, operator workstation, historian, …) that illustrate each category. Page: Annex A
Informative mapping of CRs, REs and category-specific requirements to SL 1–4 columns for each FR — the component counterpart to Part 3-3’s Annex B style table. Page: Annex B
ISCI’s Component Security Assurance (CSA) path certifies off-the-shelf components against Part 4-2 capabilities developed under a Part 4-1 (SDLA) programme. Robustness testing themes commonly include fuzz testing, network traffic load testing and vulnerability scanning. ISASecure does not assess integrator site engineering practice or asset-owner O&M programmes.
Further information: ISASecure.org