IEC 62443-4:2018 pdf free download
IEC 62443-4:2018 pdf free download.Security for industrial automation and control systems
The secondary goal of these requirements is to align the development process with the elevated security needs of product users of Industrial Automation and Control Systems (for example,providers of IEC 62443-2-4 capabilities such as integrators and maintenance contractors). This means that the process needs to generate items such as well-documented security configurations and patch management policies and procedures, as well as providing clear and succinct communications about security vulnerabilities uncovered in the product.
Figure 3 illustrates how secure by design principles in this document contribute to a defense in depth strategy for the product. The security management practice is shown on the outermost circle because it is applied throughout all the other practices to ensure that the practices are being followed and managed. The other practices, shown on the second circle are applied throughout the development life-cycle, often in an iterative pattern. These practices each contribute to the overall defense in depth strategy which is shown as the center of the circle because it represents the key result of following the security development life-cycle. The defect management and security update management provide verified repairs to the secure implementation, and fall under the category of overall security management in the diagram.
4.2 Maturity model
There is a range of methods by which a product supplier could comply with the requirements specified in this document. The maturity model sets benchmarks for meeting these requirements.
These benchmarks are defined by maturity levels as shown in Table 1. The maturity levels are based on the Capability Maturity Model Integration (CMMI) for Development (CMMI-DEV) model [42]. Table 1 shows the relationship to the CMMI-DEV in the description column.
Maturity levels provide more details on how thoroughly a supplier has met these requirements .Therefore, these levels can be used by system integrators and asset owners to assess the level of rigor used to develop products.
The purpose of the maturity levels described in this subclause is to provide an organization a benchmark to define their readiness to use their processes and procedures to design and implement a secure product. Using these benchmarks, it is possible that an organization will discover that it is not ready to implement all requirements to the same level of maturity.