2.1 How to Comply to ISA/IEC 62443-4-2
The qualitative definition of Security Levels is provided in The ISA/IEC 62443 Approach to Security.
A quantitative evaluation of a product’s SL-C (Capability Security Level) needs to be performed to assign a specific level to the product. This quantitative evaluation is based on a list of Component Requirements (CRs) and associated Requirement Enhancements (REs), which are grouped in categories that are called Foundational Requirements.
The standard defines seven Foundational Requirements (FR1-to-7):
| FR1 | Identification and Authentication Control (IAC) |
| FR2 | Use Control (UC) |
| FR3 | System Integrity (SI) |
| FR4 | Data Confidentiality (DC) |
| FR5 | Restricted Data Flow (RDF) |
| FR6 | Timely Response to Events (TRE) |
| FR7 | Resource Availability (RA) |
Each Foundational Requirement is simply a logical grouping of individual sets each made up of one Component Requirement and, eventually, some Requirement Enhancements.
The standard provides tables that illustrate which CRs/REs are needed to reach each SL.
The table below provides a quantitative evaluation example based on requirement number 7 (strength of password-based authentication) of the first foundational requirement category (Identification and Authentication Control).
There are two REs associated with this CR. The tick marks appearing in the table indicate whether the CR or RE is needed to reach a given SL.
| SL1 | SL2 | SL3 | SL4 | |
|---|---|---|---|---|
| CR1.7 – Strength of Password-Based Authentication | ✔ | ✔ | ✔ | ✔ |
| RE1.7.1 – Password Generation and Lifetime Restrictions for Human Users | ✔ | ✔ | ||
| RE1.7.2 – Password Lifetime Restrictions for All Users | ✔ |
As an example evaluation:
- If the component does not satisfy the base CR, its SL will be 0.
- If the component satisfies only the base CR, its SL will be 2.
- If the component satisfies the base CR and the first RE(1), its SL will be 3.
- If the component satisfies the base CR, both RE(1) and RE(2), its SL will be 4.
This evaluation must be repeated across all CR/RE groups belonging to each FR category. The total SL for the product under consideration is the minimum SL achieved over all these evaluations. In conclusion, to meet a targeted security level (SL), all the requirements must be met.