← Home

IEC 62443-4-2 Technical Security Requirements for IACS Components

ISA/IEC 62443-4-2 defines the technical cybersecurity capabilities individual IACS components must provide. Where Part 4-1 covers how products are developed securely, Part 4-2 covers what security functions those products must offer when claiming a component Security Level Capability (SL-C).

Requirements are expressed as Component Requirements (CRs) and Requirement Enhancements (REs), derived from the System Requirements in ISA/IEC 62443-3-3. The same Foundational Requirements (FR 1–7) and Security Levels (0–4) model is used at component level.

Teaching note: Content paraphrases ISA training material and ISA/IEC 62443-4-2 for learning. Always refer to the published standard for normative CR/RE text and Annex B mappings.

Reference: ISA/IEC 62443-4-2 — Technical security requirements for IACS components
Related: IEC 62443-4-1 Product Security Lifecycle | IEC 62443-3-3 Foundational Requirements | IACS Cybersecurity Roles | Security Levels (SL-T / SL-C / SL-A)

IEC 62443-4-2 Technical Security Requirements overview
Figure – Developing secure products and systems using ISA/IEC 62443, highlighting Part 4-2 (technical security requirements for IACS components) in the Component group of the series.

Learning objectives


Audiences

Role How they use Part 4-2
System integrators Help procure components; specify the component SL-C needed; choose products that can support the Target Security Level (SL-T) for each zone.
Product suppliers Understand which capabilities a component must provide for a claimed SL-C, and document how to integrate the component so a system can meet a stated SL-T.

Four component categories

Category Prefix Examples Detail page
Software application SAR SCADA applications, data historians Clause 12
Embedded device EDR PLC, IED, remote controllers Clause 13
Host device HDR Operator / engineering workstations, industrial servers Clause 14
Network device NDR Switches, routers, VPN gateways, industrial firewalls Clause 15

CR = common component requirement (all types). Category-specific refinements use SAR / EDR / HDR / NDR. Representative device examples are in Annex A.


Document map (summarised overview)

The sections below summarise each AEBOK page that unpacks Part 4-2. Use this map as the index; open the linked pages for requirement-level teaching notes.

Clause 4 – Common Component Security Constraints (CCSC)

Cross-cutting rules for every CR claim: support essential functions; document compensating countermeasures when a CR cannot be met inside the component; support least privilege where required; and develop/support the component under Part 4-1. Page: IEC 62443-4-2 Clause 4 – Common Component Security Constraints

Clauses 5–11 – Foundational Requirements (FR 1–7) and CRs

Each FR mirrors Part 3-3 and lists component requirements (CRs) plus REs used for higher SL-C:

FR Clause Theme Page
FR 1 – IAC 5 Identification and authentication control IEC 62443-4-2 Clause 5 – Identification and Authentication Control
FR 2 – UC 6 Use control (authorisation, sessions, audit…) IEC 62443-4-2 Clause 6 – Use Control
FR 3 – SI 7 System / component integrity IEC 62443-4-2 Clause 7 – System Integrity
FR 4 – DC 8 Data confidentiality IEC 62443-4-2 Clause 8 – Data Confidentiality
FR 5 – RDF 9 Restricted data flow IEC 62443-4-2 Clause 9 – Restricted Data Flow
FR 6 – TRE 10 Timely response to events IEC 62443-4-2 Clause 10 – Timely Response to Events
FR 7 – RA 11 Resource availability IEC 62443-4-2 Clause 11 – Resource Availability

Clauses 12–15 – Category-specific requirements

Adds or refines capabilities that only make sense for certain product types (for example mobile code handling, boot integrity, wireless on network devices).

Annex A – Device categories

Informative examples (PLC, IED, switch, VPN terminator, operator workstation, historian, …) that illustrate each category. Page: Annex A

Annex B – CR / RE to FR SL mapping

Informative mapping of CRs, REs and category-specific requirements to SL 1–4 columns for each FR — the component counterpart to Part 3-3’s Annex B style table. Page: Annex B


ISASecure® component certification

ISCI’s Component Security Assurance (CSA) path certifies off-the-shelf components against Part 4-2 capabilities developed under a Part 4-1 (SDLA) programme. Robustness testing themes commonly include fuzz testing, network traffic load testing and vulnerability scanning. ISASecure does not assess integrator site engineering practice or asset-owner O&M programmes.

Further information: ISASecure.org


Key takeaways


Standards references