Security Requirements for IEC 62443-4-2

To secure your system, refer to the following requirements. It is your responsibility to monitor the system periodically to make sure that the security settings function as you configured them.
WARNING: Do not apply any changes that impact the operation of safety-related devices while the controller is in Run mode.
IMPORTANT:
For the controller and redundancy modules, apply security settings to the controller and redundancy module only in the primary chassis. When the redundant chassis synchronizes, security settings crossload to the controller and redundancy module in the secondary chassis.
For the 1756-EN4TR module, see Crossload Behavior for the 1756-EN4TR Module to determine whether you must apply security settings separately to modules in the primary and secondary chassis.
To meet IEC 62443-4-2 requirements in a high availability system, implement the control system with these other security-focused products.
You
must
include compensating countermeasures when you configure a redundancy system to meet IEC-62443-4-2 requirements. The following table lists compensating countermeasures and the minimum versions that are required.
For more information on how the compensating countermeasures are used, see the Configure System Security Features User Manual, publication SECURE-UM001.
Compensating Countermeasure
Required Minimum Version
Active Directory
User configured
ControlFLASH Plus®
2.00
FactoryTalk® Administration Console
6.30
FactoryTalk® AssetCentre
9.00
FactoryTalk® Directory
User configured
FactoryTalk® Linx
6.20
FactoryTalk® Policy Manager
6.60
FactoryTalk® Security
Any version
FactoryTalk® Services Platform
6.30
FactoryTalk® View
(You are not required to use HMI devices or software in your application to meet IEC-62443-4-2 requirements.)
11.00
Firewall
User supplied and configured
Redundancy Module Configuration Tool (RMCT)
User configured
Studio 5000 Logix Designer®
37.00.00
Syslog collector
User supplied and configured

Requirements for Identification and Authorization

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
  • FactoryTalk® Security
    software
  • Studio 5000 Logix Designer®
    application
Yes
Configure
FactoryTalk® Security
software to define policies, user groups, and other permission sets.
  • The Logix Designer application enforces the policy based on the access policies that are provided to it by
    FactoryTalk® Security
    for the software authenticated user. Once authenticated, the Logix Designer application acts as your interface to the controller. This applies to all protected
    CIP
    communication to the controller, whether from Ethernet, backplane, or USB.
  • The
    FactoryTalk® Services Platform
    offers feature access control to manage user access to product features such as controller download, project import, project create, and firmware update.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
FactoryTalk® Security
software
Access control to generate and delete the safety signature on safety controllers
May be required based on system design, threat model, and risk assessment.
In the
FactoryTalk® Administration Console
, restrict access to generate and delete the safety signature.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
FactoryTalk® Security
software
Access control to safety-lock and safety-unlock actions on safety controllers
May be required based on system design, threat model, and risk assessment.
In the
FactoryTalk® Administration Console
, restrict access to safety-lock and safety-unlock actions.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
Combination of products
Prevent lockout of essential users
Yes
Essential users are responsible for the high availability of the system and must have continuous physical access to devices, interfaces, and user account access to the
FactoryTalk® Linx
Redundancy Module Configuration Tool (RMCT) and the Logix Designer application and
ControlFLASH Plus®
software. Take steps to prevent the lockout of all essential users and their accounts, including the following:
  • Microsoft Windows®
    accounts
  • FactoryTalk®
    user accounts
For more information, see Prevent Lockout of Essential Users and the Configure System Security Features User Manual, publication SECURE-UM001.
Redundancy module
Enable fiber security
Yes
Verify that fiber security is enabled in the redundancy module to secure communication between partner 1756-RM3 modules. Fiber security is enabled by default.
For more information, see Disable or Re-enable SFP Fiber Ports.
Combination of products
Device authentication
Yes
You must authenticate the interfaces of all
CIP Security
partner devices within the zone of the secured redundancy chassis pair and devices authorized via conduits. This requirement helps to ensure that unauthorized paths cannot be granted from
CIP Security
zone partner devices that are bridged to the network interfaces in the secure high availability system.

Requirements for Use Control

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
FactoryTalk®
Diagnostics syslog
May be required based on system design, threat model, and risk assessment.
To log the user names that are associated with changes to the 1756-RM3 and 1756-EN4TR modules, enable the syslog collector to store
ControlBus
FactoryTalk®
Diagnostics messages from
FactoryTalk®
-enabled applications.
For more information about how to forward
FactoryTalk®
Diagnostics messages to the syslog collector, see the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001.
System
Studio 5000 Logix Designer®
application
May be required based on system design, threat model, and risk assessment.
Configure the controller project in the Logix Designer application to use the following tag attributes that control access to tag data:
  • The External Access attribute controls how external applications can access tags.
  • The Constant attribute value determines if controller logic can change a tag.
For more information, see Logix 5000 Controllers Security Programming Manual, publication 1756-PM016.
System
  • FactoryTalk® Security
    software
  • Studio 5000 Logix Designer®
    application
Yes
Configure
FactoryTalk® Security
to define policies, user groups, and other permission sets.
  • The Logix Designer application enforces the policy based on the access policies that are provided to it by
    FactoryTalk® Security
    for the software authenticated user. Once authenticated, the Logix Designer application acts as your interface to the controller, including all protected
    CIP
    communication to the controller, whether from Ethernet, backplane, or USB.
  • The
    FactoryTalk® Services Platform
    offers feature access control to manage user access to product features, such as controller download, project import, project create, and firmware update.
  • In
    FactoryTalk® Security
    , define which users can change controller modes and download projects to the controller.
  • Security authority binding restricts the controller to a specific
    FactoryTalk® Security
    instance. This binding reduces the attack surface for security server spoofing because the client software and the security software determine the identity of the security authority responsible for controlling access.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
  • Controller
  • Communication module
Enable Explicit Protection Mode
Optional
Explicit Protection Mode is optional. For defense in depth, you can manually enable Explicit Protection Mode on the redundant controllers and communication modules:
  • Controllers—Place the keyswitch position to RUN mode on both primary and secondary controllers to help prevent unauthorized remote configuration changes to the controller and restrict some communication services. Remove the keyswitch from both running controllers to help prevent modifications to the configuration or program.
  • Communication modules—Place the rotary switches on all primary and secondary communication modules to 900 and then follow the instructions to enable Explicit Protection Mode as described in the ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004.
Communication module
Disable Ethernet ports
May be required based on system design, threat model, and risk assessment.
If communication modules are in a single-port topology, disable the unused Ethernet ports.
For more information, see the following:
  • ControlLogix 5590 Controllers User Manual, publication 1756-UM900
  • ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004
Communication module
Disable Simple Network Management Protocol (SNMP)
May be required based on system design, threat model, and risk assessment.
SNMP is disabled by default. If SNMP has been enabled, disable SNMP on redundant controllers and communication modules if required by the system design, threat model, and risk assessment.
For more information, see the following:
  • ControlLogix 5590 Controllers User Manual, publication 1756-UM900
  • ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004
Communication module
Disable
CIP Security
ports
May be required based on system design, threat model, and risk assessment.
CIP Security
ports 2221 TCP and 44818 UDP can be disabled on devices in the system via the module configuration in
FactoryTalk® Linx
software. Apply this requirement to every device in the chassis that supports the
CIP Security
protocol, but is not configured to use it.
For more information, see the ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004.
  • Controller
  • Communication module
Disable USB ports
May be required based on system design, threat model, and risk assessment.
USB ports are enabled by default. Disable the USB ports on redundant controllers and communication modules if required by the system design, threat model, and risk assessment.
For more information, see the following:
  • ControlLogix 5590 Controllers User Manual, publication 1756-UM900
  • ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004
  • Controller
  • Communication module
Disable SD cards
May be required based on system design, threat model, and risk assessment.
SD cards are enabled by default. Disable the SD cards on redundant controllers and communication modules if required by the system design, threat model, and risk assessment.
IMPORTANT: Disabling the SD card prevents capturing fault dumps, which can make it more difficult for Technical Support to provide support if an assert or major nonrecoverable fault occurs.
For more information, see the following:
  • ControlLogix 5590 Controllers User Manual, publication 1756-UM900
  • ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004
Communication module
Disable webpages
May be required based on system design, threat model, and risk assessment.
Disable the webpages on redundant communication modules via MSG instruction if required by the system design, threat model, and risk assessment.
Webpages are automatically disabled on controllers when redundancy is enabled.
For more information, see ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004.
Communication module
Disable Link Layer Discovery Protocol (LLDP)
May be required based on system design, threat model, and risk assessment.
LLDP is used by network devices to advertise their identity, capabilities, and neighbors on a local area network. Use
FactoryTalk® Linx
Network Browser to disable LLDP on redundant communication modules.
For more information, see the ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004.
  • Controller
  • Communication module
Disable LCD display of non-system messages
Optional
In the
Studio 5000 Logix Designer®
application, you can disable the appearance of non-system messages on the status display of controllers and communication modules.
For more information, see the online Help.

Requirements for System Integrity

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
FactoryTalk® AssetCentre
software
Yes
The
FactoryTalk® AssetCentre
server centrally tracks and manages configuration changes and restricts who can make changes based on
FactoryTalk® Security
settings.
This server functionality assists with diagnostics and troubleshooting and reduces maintenance time for production assets. Configure the Device Monitor - Change Detect operation on the primary controller.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
System
FactoryTalk® Security
software
System
ControlFLASH Plus®
software
Yes
Use
ControlFLASH Plus®
software to update controller firmware. Digitally signed firmware files have a .dmk (device management kit) extension.
ControlFLASH Plus®
software authenticates the origin of a DMK file and validates the file before downloading in the device.
System
Studio 5000 Logix Designer®
application
Yes
You can generate a signature on an Add-On Instruction. This signature seals (encrypts) the Add-On Instruction to help prevent modification.
System
Use certified firmware revisions
Yes
Specific firmware revisions for redundant controllers, redundancy modules, and communications modules include security features intended to align with the IEC 62443-4-2 SL1 standard. To determine whether a specific product, firmware revision, or configuration is certified, refer to the Rockwell Automation Product Certifications website: rok.auto/certifications
If your firmware revision has multiple minor revisions, use the latest revision to include all security fixes:
Safety-enabled controller
Safety signature
Yes
In Logix SIS applications, safety-enabled controllers use a safety signature to verify the integrity of a safety application. The safety signature must be applied on a SIL 2/PLd or SIL 3/PLe safety controller to perform automated background integrity checks on the safety application. We recommend that you record and store the safety signature in a separate location to verify its integrity during audits or when tampering is suspected.
Safety-enabled controller
Safety-lock
May be required based on system design, threat model, and risk assessment.
In Logix SIS applications, we recommend that you safety-lock the controller to help protect safety control components from modification and help prevent the safety signature from being deleted accidentally.
Controller
Input validation
May be required based on system design, threat model, and risk assessment.
The controller accepts all values appropriate for a tag data type. Your program must specify valid ranges and perform validity to check for those ranges. The controller verifies incoming messages for syntax, length, and format.
Controller
User-definable major controller faults
May be required based on system design, threat model, and risk assessment.
If your application requires a major fault and those already monitored by the controller, define a predetermined state with a major fault so that outputs are off.
For more information, see the ControlLogix 5590 Controllers User Manual, publication 1756-UM900.
Redundancy module
Enable fiber security
May be required based on system design, threat model, and risk assessment.
Enable fiber security on the redundancy modules via the
FactoryTalk® Linx
Redundancy Module Configuration Tool (RMCT).
Fiber security is enabled by default.
For more information, see Configure Redundancy Module Options.
Controller
Enable front port crossload security
May be required based on system design, threat model, and risk assessment.
If you enable Front Port Crossload mode, you also must enable front port crossload security in the Logix Designer application.
Front port crossload security is enabled by default when Front Port Crossload mode is enabled.
For more information, see Configure Front Port Crossload Security.
IMPORTANT:
The IEC 62443-4-2 specification does not require you to use Front Port Crossload mode.

Requirements for Data Confidentiality

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
FactoryTalk® Security
software
Yes
Configure
FactoryTalk® Security
to define policies, user groups, and other permission sets:
  • The
    FactoryTalk® Services Platform
    offers feature access control to manage user access to product features such as controller download, project import, project create, and firmware update.
  • In
    FactoryTalk® Security
    , define which users can change controller modes and download projects to the controller.
  • Security authority binding restricts the controller to a specific
    FactoryTalk® Security
    instance. This binding reduces the attack surface for security server spoofing because the client software and the security software determine the identity of the security authority responsible for controlling access.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
System
FactoryTalk® Policy Manager
Yes
Use
FactoryTalk® Policy Manager
software version 6.60 or later to define a secure data transport over an
EtherNet/IP
network to the controller.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
Controller
Access to tag data
May be required based on system design, threat model, and risk assessment.
Configure the following attributes in the Logix Designer application to control access to tag data:
  • External Access attribute—Controls how external applications can access tags.
  • Constant attribute—Determines if controller logic can change a tag.

Requirements for Restricted Data Flow

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
CIP Security
Yes
Use
FactoryTalk® Policy Manager
software to define zones and conduits where only
CIP Security
-enabled modules and workstations are allowed to communicate.
For more information, see the CIP Security with Rockwell Automation Products Application Technique, publication SECURE-AT001.
System
Certificate-based authentication
Yes
Use the certificate-based authentication method to meet IEC-62443-4-2 requirements.
For more information, see the Configure System Security Features User Manual, publication SECURE-UM001.
Communication module
CIP
Bridging Control
Yes
Use
FactoryTalk® Policy Manager
software to configure the zone where the redundant chassis pair is located to allow only secure traffic for inbound
CIP
bridging.
For more information about
CIP
Bridging Control and zone configuration, see the CIP Security with Rockwell Automation Products Application Technique, publication SECURE-AT001.
System
Firewall
May be required based on system design, threat model, and risk assessment.
If your system has a converged I/O network, we require that you configure an industrial control system that is protected by a firewall. If your system has a non-converged I/O network, we recommend that you use a firewall for defense in depth.
For more information about firewall configurations, see the following:
  • PlantPAx Distributed Control System Configuration and Implementation User Manual, publication PROCES-UM100
  • Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002
For more information about enforcing a trust zone around the redundant chassis pair, see Trust Zone Requirements.
System
Trusted IP on conduits
May be required based on system design, threat model, and risk assessment.
When a non-converged I/O network is used without a firewall, the
CIP Security
zone where the secure redundant 1756-EN4TR module is located
must not
use Trusted IP conduits. Any devices that do not support
CIP Security
must be in the physically isolated I/O network. If you decide to add Trusted IP addresses, then a firewall is required to protect those assets.
Controller
Trusted slots on the controller
Optional
Trusted slots are optional. A Trusted slot is not configured by default.
To mitigate threats of access to the controller via unsecured modules in the chassis, configure Trusted Slots on the controller to allow communication only from CIP Security-enabled communication modules on the backplane. The Trusted Slots feature blocks access only to the programming and configuration interfaces of the controller.
I/O communication can still occur via paths that are marked untrusted.
For more information, see the ControlLogix 5590 Controllers User Manual, publication 1756-UM900.

Requirements for Timely Response to Events

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
FactoryTalk® AssetCentre
software
Yes
Configure and use the following:
  • Audit log accessibility
  • Continuous monitoring
For more information, see the following:
  • Configure System Security Features User Manual, publication SECURE-UM001.
  • System Security Design Guidelines Reference Manual, publication SECURE-RM001
Communication module
Syslog collector
Yes
The communication module supports syslog event logging.
Choose a syslog collector that meets the following requirements:
  • RFC-5424 syslog protocol
  • Ability to receive messages from the communication module
  • Ability to restrict access to logs
  • Log files must be ready-only to prevent modification or deletion
IMPORTANT:
  • The syslog workstation must have enough disk space to accommodate the syslog collector,
    FactoryTalk® AssetCentre
    software, and the Redundancy Module Configuration Tool (RMCT).
  • The syslog collector must have enough memory to store all events that are generated, and it must be installed in a secure location to prevent access from unauthorized users.
  • The communication module must be connected to the same network as the syslog collector.
  • To set the IP address of the syslog collector, use
    FactoryTalk® Policy Manager
    software.
  • Sequencing must be enabled in the syslog via
    FactoryTalk® Policy Manager
    software.
See the following resources:
  • To use syslog with
    CIP Security
    -capable devices, see the CIP Security with Rockwell Automation Products Application Technique, publication SECURE-AT001.
  • To view a list of syslog messages and their descriptions, see the Syslog Status Messages Reference Data, publication SYSLOG-RD001.
  • To learn more about the Rockwell Automation implementation of the Syslog protocol and its functions, see the Syslog Technology Reference Manual, publication SYSLOG-RM001.
Controller
Controller change detection
Yes
Configure and use the Change Detection feature on the controller to track changes to the controllers and generate an audit value when a monitored change occurs.
For more information, see the following:
  • For more information, see the ControlLogix 5590 Controllers User Manual, publication 1756-UM900.
  • Logix 5000 Controller Information and Status Programming Manual, publication 1756-PM015.
Controller
Controller component tracking
May be required based on system design, threat model, and risk assessment.
Enable component tracking to monitor configurable program components to determine whether they change. Component tracking is not enabled by default.
For more information, see the ControlLogix 5590 Controllers User Manual, publication 1756-UM900.
Controller
Disabled controller log auto-write
Yes
The controller log stores security-related events that can be accessed via
FactoryTalk® AssetCentre
software.
To help prevent the potential loss of controller logs before
FactoryTalk® AssetCentre
can access them, follow these guidelines:
  • Do not use a Message to Self (MSG with a Path of THIS) to auto-write controller logs to the SD card.
  • Do not manually force a write of controller logs to the SD card.
By default, the controller log auto-write is disabled.
For more information, see the ControlLogix 5590 Controllers User Manual, publication 1756-UM900.
Redundancy module
Redundancy Module Configuration Tool (RMCT) event logging
Yes
Logging is automatically configured in the RMCT and enabled by default.
To view logs of redundancy module events, see the Event Log tab in the RMCT as described View the Event Log.

Requirements for Resource Availability

System Component
Security Component
Required to Meet IEC-62443-4-2
Details
System
FactoryTalk® AssetCentre
software
Yes
Configure and use the following:
  • Asset inventory
  • Control system backup
  • Disaster recovery
For more information, see Configure System Security Features User Manual, publication SECURE-UM001.
System
UPS
Yes
Provide your own UPS with a separate battery unit and redundant power supplies. Size the UPS so that is correctly supports the system and provides enough power to shut down servers and workstations properly.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal