IEC 62443 Control Mapping
This document maps BreachSpider features to IEC 62443 standard requirements. Use it to understand how BreachSpider supports your IEC 62443 compliance and security management system implementation.
IEC 62443-2-1: Security Management System
Section 4.2.3.9 - Patch and Vulnerability Management
Requirement: Establish and maintain a process for identifying, evaluating, and managing security patches and vulnerabilities for IACS components.
BreachSpider support:
- Identification: Continuous CVE monitoring against your declared assets. New vulnerabilities affecting your products are identified within 24 hours of NVD publication.
- Evaluation: SAGE provides ICS-specific analysis for each CVE, including relevance to your specific device types and protocols. BCS scoring prioritizes vulnerabilities by exploitation urgency.
- Management: The finding triage workflow (acknowledge, ticket, remediate, close) provides end-to-end vulnerability management with full audit trail.
- Documentation: The audit log records every action with immutable timestamps, creating the documentation trail Section 4.2.3.9 requires.
The IEC 62443 Report exports your findings and remediation actions mapped to the 4.2.3.9 control requirements.
IEC 62443-2-4: Security Program Requirements for IACS Service Providers
Supplier Security Requirements
Requirement: IEC 62443-2-4 specifies the security capabilities an integration or maintenance service provider must offer. For the asset owner, this means evaluating the security of the components and solutions each supplier delivers, and keeping evidence of that evaluation.
BreachSpider support: Use the vendor CVE history endpoint to assess vendor security posture:
curl -H "Authorization: Bearer bs_live_..." \
"https://breachspider.com/api/v1/cves/vendor/siemens?severity=CRITICAL&limit=100"
This returns the vendor's CRITICAL-severity CVEs, capped by the limit parameter (100 here). If the response holds exactly as many entries as the limit, assume the list is truncated and request the remainder before drawing conclusions. Compare vendors side by side to inform procurement decisions. A vendor with frequent critical CVEs in your product category represents a higher supply chain risk, but normalize for portfolio size and reporting period: a vendor with a mature coordinated-disclosure program publishes more CVEs than one that patches silently, and the more transparent vendor is not automatically the riskier one.
Include vendor CVE analysis in your supplier evaluation process as evidence of supply chain risk assessment.
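The side-by-side comparison described above, as an added example (not BreachSpider code). It counts a vendor's CRITICAL CVEs inside a fixed window, normalizes them to a yearly rate so vendors assessed over different periods stay comparable, and flags responses that hit the request limit. The JSON shape (a list of objects with "cve_id", "severity" and "published" keys) and the sample payloads are assumptions constructed for illustration; check the API reference for the real field names before relying on this.

```python
"""Compare vendor CVE exposure from vendor CVE history responses (added example)."""
import json
import urllib.request
from collections import Counter
from datetime import date

API_BASE = "https://breachspider.com/api/v1"


def fetch_vendor_cves(vendor, token, limit=100):
    """Call the vendor CVE history endpoint shown on this page.

    ASSUMPTION: the body is a JSON list of CVE objects. Not exercised offline.
    """
    url = f"{API_BASE}/cves/vendor/{vendor}?severity=CRITICAL&limit={limit}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_vendor(cves, window_start, window_end, limit=100):
    """Count CRITICAL CVEs published in [window_start, window_end] and normalize per year.

    Re-checks severity even though the request filtered on it, drops entries
    outside the window, and flags a response that may have been cut off by limit.
    """
    in_window = [
        c for c in cves
        if c["severity"] == "CRITICAL"
        and window_start <= date.fromisoformat(c["published"]) <= window_end
    ]
    # Guard against a zero-length window producing a division by zero.
    years = max((window_end - window_start).days / 365.25, 1 / 365.25)
    return {
        "critical": len(in_window),
        "critical_per_year": round(len(in_window) / years, 2),
        "by_year": dict(sorted(Counter(c["published"][:4] for c in in_window).items())),
        # Exactly `limit` entries means there may be more; page before comparing.
        "possibly_truncated": len(cves) >= limit,
    }


def compare_vendors(responses, window_start, window_end, limit=100):
    """Rank vendors by CRITICAL CVEs per year, highest first."""
    rows = {v: summarize_vendor(c, window_start, window_end, limit) for v, c in responses.items()}
    return sorted(rows.items(), key=lambda kv: kv[1]["critical_per_year"], reverse=True)


# Constructed sample data standing in for two API responses. Vendor names and
# CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_RESPONSES = {
    "vendor-a": [
        {"cve_id": "CVE-2019-90001", "severity": "CRITICAL", "published": "2019-06-01"},  # outside window
        {"cve_id": "CVE-2022-90002", "severity": "CRITICAL", "published": "2022-02-11"},
        {"cve_id": "CVE-2022-90003", "severity": "CRITICAL", "published": "2022-07-19"},
        {"cve_id": "CVE-2022-90004", "severity": "CRITICAL", "published": "2022-11-30"},
        {"cve_id": "CVE-2023-90005", "severity": "CRITICAL", "published": "2023-04-05"},
        {"cve_id": "CVE-2023-90006", "severity": "HIGH", "published": "2023-05-05"},  # wrong severity
    ],
    "vendor-b": [
        {"cve_id": "CVE-2022-90007", "severity": "CRITICAL", "published": "2022-09-09"},
        {"cve_id": "CVE-2023-90008", "severity": "CRITICAL", "published": "2023-01-20"},
    ],
}

WINDOW_START, WINDOW_END = date(2022, 1, 1), date(2023, 12, 31)

if __name__ == "__main__":
    for vendor, row in compare_vendors(SAMPLE_RESPONSES, WINDOW_START, WINDOW_END):
        flag = " (possibly truncated)" if row["possibly_truncated"] else ""
        print(f"{vendor}: {row['critical']} critical, {row['critical_per_year']}/yr, {row['by_year']}{flag}")
```

Run it against the constructed data to see vendor-a ranked above vendor-b; swap in fetch_vendor_cves() with a real key to compare live responses, and keep the window identical for every vendor you compare.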
IEC 62443-3-3: System Security Requirements
IEC 62443-3-3 defines seven foundational requirements (FR) with specific system requirements (SR) under each. BreachSpider supports documentation and compliance evidence for several of these.
FR 1 - Identification and Authentication Control (IAC)
BreachSpider's own authentication: Magic-link authentication with session management, API key controls, and role-based access (admin/member) control who can read and change your vulnerability records. LOGIN, SESSION_REVOKED, and API_KEY events in the audit log provide evidence. These are controls on the tool itself, not on IACS components, so cite them as evidence of access control over your vulnerability-management records rather than as FR 1 conformance of the control system.
Vulnerability coverage: CVEs classified under CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function), and related CWEs map to FR 1 deficiencies in your IACS components.
FR 2 - Use Control (UC)
Vulnerability coverage: CVEs involving privilege escalation (CWE-269, Improper Privilege Management), authorization bypass (CWE-862, Missing Authorization), and related access control issues map to FR 2 deficiencies.
FR 3 - System Integrity (SI)
Vulnerability coverage: CVEs involving code injection (CWE-94), out-of-bounds writes including buffer overflows (CWE-787), and firmware tampering map to FR 3 deficiencies.
FR 4 - Data Confidentiality (DC)
Vulnerability coverage: CVEs involving information disclosure (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor), cleartext transmission (CWE-319), and encryption weaknesses map to FR 4 deficiencies.
FR 5 - Restricted Data Flow (RDF)
Vulnerability coverage: CVEs affecting network infrastructure, firewalls, and protocol implementations in your OT environment map to FR 5 deficiencies. FR 5 is primarily a property of your zone and conduit design; a vulnerability in a conduit device weakens the segmentation that design relies on, but the segmentation itself is documented in your architecture, not in the CVE record.
FR 6 - Timely Response to Events (TRE)
BreachSpider support: Alert configurations, notification delivery, and the 15-minute KEV ingestion cycle demonstrate timely response capabilities. The audit log provides evidence of response timelines (time from finding generation to acknowledgment). FR 6 is not a class of CVE; it concerns your ability to detect and respond, so this evidence supports the asset owner's response process rather than mapping individual findings.
FR 7 - Resource Availability (RA)
Vulnerability coverage: CVEs with high Availability Impact (CVSS A:H) in your OT environment map to FR 7 deficiencies. For ICS operators, FR 7 is often the most critical foundational requirement because process availability directly impacts safety and operations.
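The mapping described under FR 1 through FR 7, carried out in code as an added example. This is not BreachSpider code and not the IEC 62443 Report's algorithm; it applies only the rules stated on this page: CWE IDs for FR 1 to FR 4, the affected asset class for FR 5, and a CVSS v3 Availability impact of High (A:H) for FR 7. FR 6 is deliberately absent because it is not derived from CVE data. The finding fields ("cve_id", "cwe_ids", "cvss_vector", "asset_class"), the asset-class list, and the sample findings are assumptions constructed for illustration.

```python
"""Map vulnerability findings to IEC 62443-3-3 foundational requirements (added example)."""
from collections import defaultdict

# CWE -> FR, exactly as listed on this page. Illustrative, not exhaustive.
CWE_TO_FR = {
    "CWE-287": "FR1", "CWE-306": "FR1",   # Identification and Authentication Control
    "CWE-269": "FR2", "CWE-862": "FR2",   # Use Control
    "CWE-94": "FR3", "CWE-787": "FR3",    # System Integrity
    "CWE-200": "FR4", "CWE-319": "FR4",   # Data Confidentiality
}

# ASSUMPTION: asset classes treated as conduit devices for Restricted Data Flow (FR 5).
CONDUIT_ASSET_CLASSES = {"firewall", "router", "switch", "protocol-gateway"}


def parse_cvss_vector(vector):
    """Parse a CVSS v3.x vector such as 'CVSS:3.1/AV:N/.../A:H' into a metric dict.

    Rejects vectors that are not v3.x or have a malformed metric, so a bad
    record fails loudly instead of silently dropping out of FR 7.
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def map_finding(finding):
    """Return the set of FRs a single finding bears on (possibly more than one)."""
    frs = set()
    for cwe in finding.get("cwe_ids", []):
        if cwe in CWE_TO_FR:
            frs.add(CWE_TO_FR[cwe])
    if finding.get("asset_class") in CONDUIT_ASSET_CLASSES:
        frs.add("FR5")
    vector = finding.get("cvss_vector")
    if vector and parse_cvss_vector(vector).get("A") == "H":
        frs.add("FR7")
    return frs


def map_findings(findings):
    """Group CVE IDs by FR and list findings none of the rules caught.

    Unmapped findings still need review; the CWE table above is a starting
    point, not a complete taxonomy.
    """
    by_fr = defaultdict(list)
    unmapped = []
    for finding in findings:
        frs = map_finding(finding)
        if not frs:
            unmapped.append(finding["cve_id"])
        for fr in frs:
            by_fr[fr].append(finding["cve_id"])
    return {fr: sorted(ids) for fr, ids in sorted(by_fr.items())}, unmapped


# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"cve_id": "CVE-2023-90001", "cwe_ids": ["CWE-306"], "asset_class": "plc",
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"cve_id": "CVE-2023-90002", "cwe_ids": ["CWE-862"], "asset_class": "hmi",
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
    {"cve_id": "CVE-2023-90003", "cwe_ids": ["CWE-787"], "asset_class": "rtu",
     "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
    {"cve_id": "CVE-2023-90004", "cwe_ids": ["CWE-319"], "asset_class": "firewall",
     "cvss_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L"},
    {"cve_id": "CVE-2023-90005", "cwe_ids": ["CWE-400"], "asset_class": "hmi",
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},
]

if __name__ == "__main__":
    grouped, unmapped = map_findings(SAMPLE_FINDINGS)
    for fr, ids in grouped.items():
        print(fr, ", ".join(ids))
    print("unmapped:", ", ".join(unmapped) or "none")
```

Findings routinely land in more than one FR (a missing-authentication bug with A:H is both an FR 1 and an FR 7 deficiency), and the unmapped list is where a reviewer earns their keep: a CWE-400 resource-exhaustion issue only reaches FR 7 here if its CVSS vector says A:H.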
Security Levels
IEC 62443 defines four Security Levels (SL 1 to SL 4; SL 0 denotes no specific requirements) by the capability of the attacker each level is meant to resist:
| Level | Protection Target |
|---|---|
| SL 1 | Casual or coincidental violation |
| SL 2 | Intentional violation using simple means, low resources, generic skills, and low motivation |
| SL 3 | Intentional violation using sophisticated means, moderate resources, IACS-specific skills, and moderate motivation |
| SL 4 | Intentional violation using sophisticated means, extended resources, IACS-specific skills, and high motivation |
The IEC 62443 Report estimates your current achieved security level (SL-A) per zone from vulnerability-management indicators:
- Finding count and severity: Many critical findings reduce your achieved SL.
- Patch coverage: High patch coverage supports a higher SL.
- Compensating controls: Documented compensating controls demonstrate risk mitigation.
- Acknowledgment coverage: Full acknowledgment coverage shows systematic vulnerability management.
Use the report to document your current SL-A, identify gaps against the target level (SL-T) set by your risk assessment, and plan improvements. The estimate is derived from finding and patch data; it supplements, but does not replace, verifying each IEC 62443-3-3 system requirement for the zone when you formally claim an achieved level.
Generating the IEC 62443 Report
- Navigate to Reports > Generate Report.
- Select IEC 62443 Report.
- Select the environment(s).
- Set the reporting period.
- Click Generate.
The report maps your findings to IEC 62443 foundational requirements and provides a security level assessment with SAGE-generated recommendations for improvement.