IEC 62443 Report
The IEC 62443 Report maps your BreachSpider findings and remediation activities to the IEC 62443 standard for industrial automation and control system (IACS) security. This report supports organizations implementing IEC 62443 as part of their security management system.
Who Needs This Report
- Manufacturing organizations implementing IEC 62443 across their automation systems.
- System integrators documenting security compliance for delivered IACS solutions.
- Asset owners performing security assessments against IEC 62443 requirements.
- Organizations in industries where IEC 62443 is referenced by regulation or contract (chemical, pharmaceutical, oil and gas, food and beverage).
IEC 62443 Standard Overview
IEC 62443 is a family of standards addressing IACS security across the entire lifecycle:
- IEC 62443-2-1: Establishing an industrial automation security management system.
- IEC 62443-2-4: Security requirements for IACS solution providers.
- IEC 62443-3-3: System security requirements and security levels.
- IEC 62443-4-2: Technical security requirements for IACS components.
BreachSpider supports documentation for all four parts through its vulnerability management, asset inventory, and audit trail capabilities.
What the Report Contains
Security Level Assessment
IEC 62443 defines four Security Levels (SL 1-4):
| Level | Protection Against |
|---|---|
| SL 1 | Casual or coincidental violation |
| SL 2 | Intentional violation using simple means |
| SL 3 | Intentional violation using sophisticated means |
| SL 4 | Intentional violation using sophisticated means with extended resources |
The report assesses your current achieved security level per zone based on:
- Finding count and severity distribution.
- Patch coverage.
- Documented compensating controls.
- Acknowledgment coverage.
Findings Mapped to IEC 62443 Control Families
Findings are categorized by the IEC 62443-3-3 foundational requirements (FR) they relate to:
- FR 1 - Identification and Authentication Control (IAC): Findings related to authentication bypass, credential issues, session management.
- FR 2 - Use Control (UC): Findings related to authorization, privilege escalation, access control.
- FR 3 - System Integrity (SI): Findings related to code integrity, firmware tampering, software modification.
- FR 4 - Data Confidentiality (DC): Findings related to information disclosure, data exfiltration, encryption.
- FR 5 - Restricted Data Flow (RDF): Findings related to network segmentation, protocol filtering, zone boundary controls.
- FR 6 - Timely Response to Events (TRE): Findings related to logging, monitoring, alerting capabilities.
- FR 7 - Resource Availability (RA): Findings related to denial of service, availability impact, system stability.
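To make the mapping concrete, here is an added example (written for this page, not BreachSpider's own code). It tags constructed findings with the foundational requirement from the list above, computes the per-zone inputs listed under Security Level Assessment (finding count, severity distribution, patch coverage, compensating-control coverage of unpatched findings, acknowledgment coverage), and reports which FR family the findings cluster in, which is the concentration check the gap-analysis guidance later on the page relies on. The category labels, zone names and finding records are assumptions; no security level is derived, because the page does not publish that formula.

```python
"""Added example: map findings to IEC 62443-3-3 foundational requirements
and compute the per-zone security-level inputs. Not BreachSpider code.
All findings below are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Finding category -> FR family, following the page's mapping.
# The category labels are assumed; the product's real tags may differ.
CATEGORY_TO_FR = {
    "authentication_bypass": "FR 1", "credential_issue": "FR 1", "session_management": "FR 1",
    "authorization": "FR 2", "privilege_escalation": "FR 2", "access_control": "FR 2",
    "code_integrity": "FR 3", "firmware_tampering": "FR 3", "software_modification": "FR 3",
    "information_disclosure": "FR 4", "data_exfiltration": "FR 4", "encryption": "FR 4",
    "network_segmentation": "FR 5", "protocol_filtering": "FR 5", "zone_boundary": "FR 5",
    "logging": "FR 6", "monitoring": "FR 6", "alerting": "FR 6",
    "denial_of_service": "FR 7", "availability": "FR 7", "system_stability": "FR 7",
}


@dataclass
class Finding:
    finding_id: str
    zone: str
    category: str
    severity: str                 # "critical" | "high" | "medium" | "low"
    patched: bool = False
    acknowledged: bool = False
    compensating_control: Optional[str] = None   # documented control, if any


def fr_family(finding: Finding) -> str:
    """Return the FR family for a finding; unmapped categories are an error,
    so a new tag cannot silently drop out of the report."""
    try:
        return CATEGORY_TO_FR[finding.category]
    except KeyError:
        raise ValueError(f"unmapped finding category: {finding.category!r}")


def zone_metrics(findings):
    """Per zone: the inputs the Security Level Assessment section lists."""
    by_zone = defaultdict(list)
    for f in findings:
        by_zone[f.zone].append(f)
    result = {}
    for zone, items in by_zone.items():
        n = len(items)
        unpatched = [f for f in items if not f.patched]
        # Compensating controls only matter for findings that remain unpatched.
        comp_cov = (
            round(sum(f.compensating_control is not None for f in unpatched) / len(unpatched), 2)
            if unpatched else 1.0
        )
        result[zone] = {
            "count": n,
            "severity": dict(Counter(f.severity for f in items)),
            "patch_coverage": round(sum(f.patched for f in items) / n, 2),
            "compensating_control_coverage": comp_cov,
            "acknowledgment_coverage": round(sum(f.acknowledged for f in items) / n, 2),
            "fr_distribution": dict(Counter(fr_family(f) for f in items)),
        }
    return result


def dominant_fr(findings):
    """Gap-analysis view: the FR family with the most findings, and how many."""
    fr, n = Counter(fr_family(f) for f in findings).most_common(1)[0]
    return fr, n


# Constructed sample findings (zone and ID values are made up).
SAMPLE_FINDINGS = [
    Finding("F-001", "Cell-1", "authentication_bypass", "critical",
            acknowledged=True, compensating_control="MFA enforced at jump host"),
    Finding("F-002", "Cell-1", "credential_issue", "high", patched=True, acknowledged=True),
    Finding("F-003", "Cell-1", "session_management", "medium"),
    Finding("F-004", "Cell-1", "denial_of_service", "high",
            acknowledged=True, compensating_control="rate limiting on zone firewall"),
    Finding("F-005", "DMZ", "network_segmentation", "high", patched=True, acknowledged=True),
    Finding("F-006", "DMZ", "logging", "low"),
]

if __name__ == "__main__":
    for zone, metrics in zone_metrics(SAMPLE_FINDINGS).items():
        print(zone, metrics)
    print("findings cluster in", dominant_fr(SAMPLE_FINDINGS))
```

With the sample data, Cell-1 shows three of four findings in FR 1 with only 25% patch coverage, which is exactly the pattern the gap-analysis guidance reads as a signal to prioritize authentication controls; the DMZ's one unpatched finding has no documented compensating control, so its coverage is 0.0.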
Vulnerability Management Documentation
The report provides evidence that your vulnerability management process meets the IEC 62443-2-1 Section 4.2.3.9 requirements:
- Continuous CVE monitoring (BreachSpider ingests NVD and multiple authoritative vulnerability feeds).
- Finding triage workflow (acknowledgment, ticketing, remediation tracking).
- Audit log demonstrating documented responses to identified vulnerabilities.
- Compensating controls for vulnerabilities that cannot be patched.
Vendor Security Assessment Support
For IEC 62443-2-4 (solution provider security), the report includes CVE history data for each vendor represented in your asset inventory. This supports your vendor security assessment process.
Recommendations
The report includes SAGE-generated recommendations for improving your security level, aligned with IEC 62443 control objectives. Recommendations are specific to your findings and asset types.
Generating the Report
- Navigate to Reports > Generate Report.
- Select IEC 62443 Report.
- Select the environment(s) to include.
- Set the reporting period.
- Click Generate.
Using the Report
Security level documentation: Use the security level assessment to document your current achieved SL and your target SL per zone.
Gap analysis: The findings mapped to control families highlight where your vulnerabilities cluster. A concentration of FR 1 (authentication) findings, for example, suggests prioritizing investment in authentication controls.
Audit support: Present the report as evidence of your vulnerability management process during IEC 62443 certification audits or customer security assessments.
Continuous improvement: Compare reports over time to track progress toward your target security level.