Security Requirements for IEC 62443-4-2
To secure your system, refer to the following requirements. It is
your responsibility to monitor the system periodically to make sure that the security
settings function as you configured them.
WARNING:
Do not apply any changes
that impact the operation of safety-related devices while the controller is in Run
mode.
IMPORTANT:
For the controller and redundancy modules, apply security settings to the controller and
redundancy module only in the primary chassis. When the redundant chassis synchronizes,
security settings crossload to the controller and redundancy module in the secondary
chassis.
For the 1756-EN4TR module, see Crossload Behavior for the
1756-EN4TR Module to determine whether you must apply security settings
separately to modules in the primary and secondary chassis.
To meet IEC 62443-4-2 requirements in a high availability system, implement the
control system with these other security-focused products.
You
must
include
compensating countermeasures when you configure a redundancy system to meet IEC-62443-4-2
requirements. The following table lists compensating countermeasures and the minimum
versions that are required.For more information on how the compensating
countermeasures are used, see the Configure System Security Features User Manual,
publication SECURE-UM001.
Compensating Countermeasure | Required Minimum Version |
|---|---|
Active Directory | User configured |
ControlFLASH Plus® | 2.00 |
FactoryTalk® Administration Console | 6.30 |
FactoryTalk® AssetCentre | 9.00 |
FactoryTalk® Directory | User configured |
FactoryTalk® Linx | 6.20 |
FactoryTalk® Policy Manager | 6.60 |
FactoryTalk® Security | Any version |
FactoryTalk® Services Platform | 6.30 |
FactoryTalk® View (You are not required to use HMI devices or software in your application to meet
IEC-62443-4-2 requirements.) | 11.00 |
Firewall | User supplied and configured |
Redundancy Module Configuration Tool (RMCT) | User configured |
Studio 5000 Logix Designer® | 37.00.00 |
Syslog collector | User supplied and configured |
Requirements for Identification and Authorization
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System |
| Yes | Configure FactoryTalk® Security software to define policies, user groups, and other permission sets.
For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
FactoryTalk® Security software | Access control to generate and delete the safety signature on safety
controllers | May be required based on system design, threat model, and risk assessment. | In the FactoryTalk® Administration Console , restrict access to generate and delete
the safety signature. For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
FactoryTalk® Security software | Access control to safety-lock and safety-unlock actions on safety controllers | May be required based on system design, threat model, and risk assessment. | In the FactoryTalk® Administration Console , restrict access to safety-lock and
safety-unlock actions.For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
Combination of products | Prevent lockout of essential users | Yes | Essential users are responsible for the high availability of the system and must
have continuous physical access to devices, interfaces, and user account access to
the FactoryTalk® Linx Redundancy Module Configuration Tool (RMCT) and the Logix
Designer application and ControlFLASH Plus® software. Take steps to prevent the lockout of all essential users and their
accounts, including the following:
For more information, see Prevent Lockout of Essential Users and the Configure System
Security Features User Manual, publication SECURE-UM001. |
Redundancy module | Enable fiber security | Yes | Verify that fiber security is enabled in the redundancy module to secure
communication between partner 1756-RM3 modules. Fiber security is enabled by
default. For more information, see Disable or Re-enable SFP Fiber Ports. |
Combination of products | Device authentication | Yes | You must authenticate the interfaces of all CIP Security™ partner devices within the zone of the secured redundancy chassis pair and
devices authorized via conduits. This requirement helps to ensure that
unauthorized paths cannot be granted from CIP Security™ zone partner devices that are bridged to the network interfaces in the secure
high availability system. |
Requirements for Use Control
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | FactoryTalk® Diagnostics syslog | May be required based on system design, threat model, and risk assessment. | To log the user names that are associated with changes to the 1756-RM3 and
1756-EN4TR modules, enable the syslog collector to store ControlBus™ FactoryTalk® Diagnostics messages from FactoryTalk® -enabled applications. For more information about how to forward FactoryTalk® Diagnostics messages to the syslog collector, see the FactoryTalk Security
System Configuration Guide, publication FTSEC-QS001. |
System | Studio 5000 Logix Designer® application | May be required based on system design, threat model, and risk assessment. | Configure the controller project in the Logix Designer application to use the
following tag attributes that control access to tag data:
For more information, see Logix 5000 Controllers Security Programming Manual,
publication 1756-PM016. |
System |
| Yes | Configure FactoryTalk® Security to define policies, user groups, and other permission
sets.
For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
| Enable Explicit Protection Mode | Optional | Explicit Protection Mode is optional. For defense in depth, you can manually
enable Explicit Protection Mode on the redundant controllers and communication
modules:
|
Communication module | Disable Ethernet ports | May be required based on system design, threat model, and risk assessment. | If communication modules are in a single-port topology, disable the unused
Ethernet ports. For more information, see the following:
|
Communication module | Disable Simple Network Management Protocol (SNMP) | May be required based on system design, threat model, and risk assessment. | SNMP is disabled by default. If SNMP has been enabled, disable SNMP on redundant
controllers and communication modules if required by the system design, threat
model, and risk assessment. For more information, see the following:
|
Communication module | Disable CIP Security™ ports | May be required based on system design, threat model, and risk assessment. | CIP Security™ ports 2221 TCP and 44818 UDP can be disabled on devices in the system via the
module configuration in FactoryTalk® Linx software. Apply this requirement to every device in the chassis that supports
the CIP Security™ protocol, but is not configured to use it. For more information, see the ControlLogix EtherNet/IP Network Devices User
Manual, publication 1756-UM004. |
| Disable USB ports | May be required based on system design, threat model, and risk assessment. | USB ports are enabled by default. Disable the USB ports on redundant controllers
and communication modules if required by the system design, threat model, and risk
assessment. For more information, see the following:
|
| Disable SD cards | May be required based on system design, threat model, and risk assessment. | SD cards are enabled by default. Disable the SD cards on redundant controllers
and communication modules if required by the system design, threat model, and risk
assessment.
IMPORTANT:
Disabling the SD card prevents
capturing fault dumps, which can make it more difficult for Technical Support to
provide support if an assert or major nonrecoverable fault occurs.
For more information, see the following:
|
Communication module | Disable webpages | May be required based on system design, threat model, and risk assessment. | Disable the webpages on redundant communication modules via MSG instruction if
required by the system design, threat model, and risk assessment. Webpages are automatically disabled on controllers when redundancy is
enabled. For more information, see ControlLogix EtherNet/IP Network Devices User Manual,
publication 1756-UM004. |
Communication module | Disable Link Layer Discovery Protocol (LLDP) | May be required based on system design, threat model, and risk assessment. | LLDP is used by network devices to advertise their identity, capabilities, and
neighbors on a local area network. Use FactoryTalk® Linx Network Browser to disable LLDP on redundant communication modules.For more information, see the ControlLogix EtherNet/IP Network Devices User
Manual, publication 1756-UM004. |
| Disable LCD display of non-system messages | Optional | In the Studio 5000 Logix Designer® application, you can disable the appearance of non-system messages on the
status display of controllers and communication modules. For more information, see the online Help. |
Requirements for System Integrity
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | FactoryTalk® AssetCentre software | Yes | The FactoryTalk® AssetCentre server centrally tracks and manages configuration
changes and restricts who can make changes based on FactoryTalk® Security settings. This server functionality assists with diagnostics and troubleshooting and
reduces maintenance time for production assets. Configure the Device Monitor -
Change Detect operation on the primary controller. For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
System | FactoryTalk® Security software | ||
System | ControlFLASH Plus® software | Yes | Use ControlFLASH Plus® software to update controller firmware. Digitally signed firmware files have a
.dmk (device management kit) extension. ControlFLASH Plus® software authenticates the origin of a DMK file and validates the file before
downloading in the device. |
System | Studio 5000 Logix Designer® application | Yes | You can generate a signature on an Add-On Instruction. This signature seals
(encrypts) the Add-On Instruction to help prevent modification. |
System | Use certified firmware revisions | Yes | Specific firmware revisions for redundant controllers, redundancy modules, and
communications modules include security features intended to align with the IEC
62443-4-2 SL1 standard. To determine whether a specific product, firmware
revision, or configuration is certified, refer to the Rockwell Automation Product
Certifications website: rok.auto/certifications If your firmware revision has multiple minor revisions, use the latest revision
to include all security fixes:
|
Safety-enabled controller | Safety signature | Yes | In Logix SIS applications, safety-enabled controllers use a safety signature to
verify the integrity of a safety application. The safety signature must be applied
on a SIL 2/PLd or SIL 3/PLe safety controller to perform automated background
integrity checks on the safety application. We recommend that you record and store
the safety signature in a separate location to verify its integrity during audits
or when tampering is suspected. |
Safety-enabled controller | Safety-lock | May be required based on system design, threat model, and risk assessment. | In Logix SIS applications, we recommend that you safety-lock the controller to
help protect safety control components from modification and help prevent the
safety signature from being deleted accidentally. |
Controller | Input validation | May be required based on system design, threat model, and risk assessment. | The controller accepts all values appropriate for a tag data type. Your program
must specify valid ranges and perform validity to check for those ranges. The
controller verifies incoming messages for syntax, length, and format. |
Controller | User-definable major controller faults | May be required based on system design, threat model, and risk assessment. | If your application requires a major fault and those already monitored by the
controller, define a predetermined state with a major fault so that outputs are
off. For more information, see the ControlLogix 5590 Controllers User Manual,
publication 1756-UM900. |
Redundancy module | Enable fiber security | May be required based on system design, threat model, and risk assessment. | Enable fiber security on the redundancy modules via the FactoryTalk® Linx Redundancy Module Configuration Tool (RMCT).Fiber security is enabled by default. For more information, see Configure Redundancy Module Options. |
Controller | Enable front port crossload security | May be required based on system design, threat model, and risk assessment. | If you enable Front Port Crossload mode, you also must enable front port
crossload security in the Logix Designer application. Front port crossload security is enabled by default when Front Port Crossload
mode is enabled. For more information, see Configure Front Port Crossload Security. IMPORTANT: The IEC 62443-4-2 specification does not require you to use
Front Port Crossload mode. |
Requirements for Data Confidentiality
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | FactoryTalk® Security software | Yes | Configure FactoryTalk® Security to define policies, user groups, and other permission sets:
For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
System | FactoryTalk® Policy Manager | Yes | Use FactoryTalk® Policy Manager software version 6.60 or later to define a secure data transport over an EtherNet/IP™ network to the controller.For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
Controller | Access to tag data | May be required based on system design, threat model, and risk assessment. | Configure the following attributes in the Logix Designer application to control
access to tag data:
|
Requirements for Restricted Data Flow
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | CIP Security™ | Yes | Use FactoryTalk® Policy Manager software to define zones and conduits where only CIP Security™ -enabled modules and workstations are allowed to communicate.For more information, see the CIP Security with Rockwell Automation Products
Application Technique, publication SECURE-AT001. |
System | Certificate-based authentication | Yes | Use the certificate-based authentication method to meet IEC-62443-4-2
requirements. For more information, see the Configure System Security Features User Manual,
publication SECURE-UM001. |
Communication module | CIP™ Bridging Control | Yes | Use FactoryTalk® Policy Manager software to configure the zone where the redundant chassis pair is located to
allow only secure traffic for inbound CIP™ bridging.For more information about CIP™ Bridging Control and zone configuration, see the CIP Security with
Rockwell Automation Products Application Technique, publication SECURE-AT001. |
System | Firewall | May be required based on system design, threat model, and risk assessment. | If your system has a converged I/O network, we require that you configure an
industrial control system that is protected by a firewall. If your system has a
non-converged I/O network, we recommend that you use a firewall for defense in
depth. For more information about firewall configurations, see the following:
For more information about enforcing a trust zone around the redundant chassis
pair, see Trust Zone Requirements. |
System | Trusted IP on conduits | May be required based on system design, threat model, and risk assessment. | When a non-converged I/O network is used without a firewall, the CIP Security™ zone where the secure redundant 1756-EN4TR module is located
must not use Trusted IP conduits. Any devices that do not support CIP Security™ must be in the physically isolated I/O network. If you decide
to add Trusted IP addresses, then a firewall is required to protect those
assets. |
Controller | Trusted slots on the controller | Optional | Trusted slots are optional. A Trusted slot is not configured by default. To mitigate threats of access to the controller via unsecured modules in the
chassis, configure Trusted Slots on the controller to allow communication only
from CIP Security-enabled communication modules on the backplane. The Trusted
Slots feature blocks access only to the programming and configuration interfaces
of the controller. I/O communication can still occur via paths that are marked untrusted. For more information, see the ControlLogix 5590 Controllers User Manual,
publication 1756-UM900. |
Requirements for Timely Response to Events
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | FactoryTalk® AssetCentre software | Yes | Configure and use the following:
For more information, see the following:
|
Communication module | Syslog collector | Yes | The communication module supports syslog event logging. Choose a syslog collector that meets the following requirements:
IMPORTANT:
See the following resources:
|
Controller | Controller change detection | Yes | Configure and use the Change Detection feature on the controller to track changes
to the controllers and generate an audit value when a monitored change occurs. For more information, see the following:
|
Controller | Controller component tracking | May be required based on system design, threat model, and risk assessment. | Enable component tracking to monitor configurable program components to determine
whether they change. Component tracking is not enabled by default. For more information, see the ControlLogix 5590 Controllers User Manual,
publication 1756-UM900. |
Controller | Disabled controller log auto-write | Yes | The controller log stores security-related events that can be accessed via FactoryTalk® AssetCentre software.To help prevent the potential loss of controller logs before FactoryTalk® AssetCentre can access them, follow these guidelines:
By default, the controller log auto-write is disabled. For more information, see the ControlLogix 5590 Controllers User Manual,
publication 1756-UM900. |
Redundancy module | Redundancy Module Configuration Tool (RMCT) event logging | Yes | Logging is automatically configured in the RMCT and enabled by default. To view logs of redundancy module events, see the Event Log tab in the RMCT as
described View the Event Log. |
Requirements for Resource Availability
System Component | Security Component | Required to Meet IEC-62443-4-2 | Details |
|---|---|---|---|
System | FactoryTalk® AssetCentre software | Yes | Configure and use the following:
For more information, see Configure System Security Features User Manual,
publication SECURE-UM001. |
System | UPS | Yes | Provide your own UPS with a separate battery unit and redundant power supplies.
Size the UPS so that is correctly supports the system and provides enough power to
shut down servers and workstations properly. |
Provide Feedback