IEC 62443-3-3-2013 PDF
Name in English:
St IEC 62443-3-3-2013
Name in Russian:
Ст IEC 62443-3-3-2013
Original standard IEC 62443-3-3-2013, full version in PDF. Additional information and a preview are available on request.
Full title and description
St IEC 62443-3-3-2013 — Security for industrial automation and control systems (IACS). Part 3-3: System security requirements and security levels. Specifies detailed technical security requirements and defines security levels for control system components and zones to achieve comprehensive protection of industrial control systems.
Abstract
This standard defines system-level technical security requirements for industrial automation and control systems (IACS). It translates risk-based system design principles into concrete security capability requirements grouped in foundational requirement categories (such as identification and authentication, access control, data integrity, and more). It also defines security levels (SL1–SL4) to describe incremental protection against increasing attacker sophistication and resources. The document is intended to be used by asset owners, system integrators and product suppliers to design, assess and implement secure IACS architectures.
General information
- Status: Published standard (2013)
- Publication date: 2013
- Publisher: IEC (jointly developed with ISA / ISA99 community)
- ICS / categories: Industrial automation and control systems security; network and system security
- Edition / version: Edition 1.0 (2013)
- Number of pages: Approximately 64 pages (varies by publisher format)
Scope
IEC 62443-3-3:2013 specifies system-level technical security requirements for IACS and provides a set of security requirements grouped into seven foundational requirement categories. It addresses security at the system and zone level rather than at the level of individual products, and defines security levels (SL1–SL4) to indicate the capability required to resist different attacker profiles. The standard applies to new and existing control system installations and supports assessment, design, and validation of system security countermeasures.
Key topics and requirements
- Definition of seven foundational requirement (FR) categories: Identification and Authentication Control, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response to Events, and Resource Availability.
- Detailed technical requirements for each FR, with requirement IDs and descriptions that can be assigned a target security level.
- Security Level concept (SL0–SL4) describing increasing resistance to attackers from casual/accidental to advanced/persistent attackers.
- System zone and conduit concept for segmentation and boundary protection.
- Guidance on how to apply security requirements when designing and assessing IACS architectures and components.
- Requirement statements suitable for inclusion in procurement, design and validation documentation.
Typical use and users
Used by asset owners/operators, control system engineers, system integrators, security architects, product vendors and assessors. Common uses include: specifying security requirements in procurement, designing secure control system architectures (zones and conduits), performing system-level security assessments, and mapping product capabilities to system requirements and security levels.
Related standards
Part of the IEC/ISA 62443 series. Closely related documents include: IEC 62443-1-1 (terminology, concepts), IEC 62443-2-1 and 2-4 (policies and procedures, security program), IEC 62443-3-1 (network and system security requirements and security levels — framework), IEC 62443-4-1 and 4-2 (secure product development lifecycle and component security requirements). It should be used together with organizational and product-level parts of the 62443 family for complete coverage.
Keywords
IEC 62443, IACS security, industrial control systems, system security requirements, security levels, zones and conduits, access control, system integrity, data confidentiality, resource availability, foundational requirements
FAQ
Q: What is this standard?
A: IEC 62443-3-3:2013 is a system-level standard that specifies technical security requirements and defines security levels for industrial automation and control systems.
Q: What does it cover?
A: It covers detailed technical requirements grouped into foundational categories (identification/authentication, access/use control, integrity, confidentiality, restricted data flow, response to events, availability) and defines security levels to indicate the degree of protection required against attacker capabilities.
Q: Who typically uses it?
A: Asset owners, control system engineers, system integrators, security architects, product vendors and auditors use it to design, specify, assess and procure secure IACS solutions.
Q: Is it current or superseded?
A: The 2013 edition is the original Part 3‑3 release. Users should verify whether a later edition or corrigenda exist and consider newer or companion 62443 parts for comprehensive coverage; organizations often reference the latest applicable edition when applying requirements.
Q: Is it part of a series?
A: Yes. It is part of the IEC/ISA 62443 series on industrial automation and control systems security, which includes organizational, system and product level standards.
Q: What are the key keywords?
A: IACS security, IEC 62443, system security requirements, security levels, zones and conduits, foundational requirements, access control, data integrity, availability