IEC/ISA 62443-4-2 checklist
Introduction
This checklist collects steps for hardening devices according to IEC/ISA 62443-4-2, whose component requirements derive from the system requirements of IEC/ISA 62443-3-3. It gives guidance on using the appropriate WeOS security capabilities to meet IEC/ISA 62443-4-2. It cannot give exact instructions, since every environment is unique and has its own requirements and therefore its own set of applicable capabilities. The list can be used as input for an IEC/ISA 62443-3-3 or 62443-2-1 Factory Acceptance Test (FAT) checklist. Administrators are advised to evaluate the potential risk of each option before implementing it.
As defined in IEC TS 62443-1-1 there are seven foundational requirements (FRs). Each FR contains a set of component requirements (CRs). Devices running WeOS are classified as network devices, for which 62443-4-2 adds network device requirements (NDRs) on top of the CRs.
Security Levels (SLs) are defined from 1 to 4 and describe the means, resources, skills and motivation of the attacker that the component's capabilities are expected to withstand.
- SL 1 – protection against casual or coincidental violation.
- SL 2 – intentional violation using simple means with low resources, generic skills and low motivation.
- SL 3 – sophisticated means with moderate resources, IACS specific skills and moderate motivation.
- SL 4 – sophisticated means with extended resources, IACS specific skills and high motivation.
Checklist
The Security Level Target (SL-T) of this checklist is up to and including SL 2. The achieved security level (SL-A) depends on the implemented security capabilities, the selected product and the installed environment. (For further information, see the Product Security Guide and the Product Technical Specifications.)
Related Foundational Requirement refers to:
- FR 1 - Identification & authentication control (IAC)
- FR 2 - Use control (UC)
- FR 3 - System integrity (SI)
- FR 4 - Data confidentiality (DC)
- FR 5 - Restricted data flow (RDF)
- FR 6 - Timely response to events (TRE)
- FR 7 - Resource availability (RA)
| Related Foundational Requirement | Description | Security Capability | Implemented (YES , NO , N/A) |
|---|---|---|---|
| FR 1 - IAC | Remote authentication and/or local user accounts have been configured so that each human user is uniquely identified and authenticated | AAA | |
| FR 1 - IAC | Default authenticators have been replaced | initial-user-account | |
| FR 1 - IAC | Password expiration is enforced for new user accounts | force-password-expiration | |
| FR 1 - IAC | Configuration protects authenticators from unauthorized disclosure | encrypt-secrets | |
| FR 1 - IAC | Password strength is enforced | enforce-usage-of-strong-passwords | |
| FR 1 - IAC | Self-signed certificates have been replaced; every certificate-based service has a valid certificate | public-key-infrastructure, replace-self-signed-certificate-for-web | |
| FR 1 - IAC | Certificate revocation checking is enabled | public-key-infrastructure | |
| FR 1 - IAC | A limit on the number of consecutive invalid access attempts is enforced | lockout-users-with-successive-failed-login | |
| FR 1 - IAC | Fail-delay mechanisms slow down repeated invalid attempts | fail-delays | |
| FR 1 - IAC | Pre-login system use notification banners have been implemented | notification-concent-banners | |
| FR 2 - UC | Each user's role has been reviewed and matches their responsibilities according to the principle of least privilege | apply-principle-of-least-privilege | |
| FR 2 - UC | Sessions are terminated after a period of inactivity | set-an-acceptable-session-timeout | |
| FR 2 - UC | Selected audit logging categories are enabled | accounting | |
| FR 2 - UC | External media and/or centralized remote logging is configured for archiving auditable events | centralized-remote-logging | |
| FR 2 - UC | A synchronized system-wide time source has been configured | time-management | |
| FR 3 - SI, FR 4 - DC | Secure protocol variants providing communication integrity and authentication have been implemented wherever applicable | monitoring-via-snmp, disable-unused-protocols-and-services, remote-authentication, centralized-remote-logging, vpn-and-tunnels | |
| FR 5 - RDF | Network segmentation has been considered and implemented, and is reflected in the VLAN, firewall and VPN configuration | apply-rules-to-packet-flows, vpn-and-tunnels | |
| FR 5 - RDF, FR 7 - RA | Firewall is enabled and firewall rules have been configured to block unwanted traffic | apply-rules-to-packet-flows | |
| FR 6 - TRE | Auditors have been assigned a role that gives read-only access to audit records | apply-principle-of-least-privilege, centralized-remote-logging | |
| FR 6 - TRE, FR 7 - RA | Configuration enables continuous monitoring of the device | monitoring-via-snmp, port-monitoring | |
| FR 7 - RA | Watchdog is enabled | recovery-from-unresponsive-system | |
| FR 7 - RA | Remote management sessions are limited | limit-remote-management-sessions | |
| FR 7 - RA | Broadcast, multicast and unknown unicast traffic is limited where feasible | limit-broadcast-multicast-and-unknown-unicast-traffic | |
| FR 7 - RA | Unused services, ports and users have been disabled | disable-unused-protocols-and-services, disable-unused-physical-ports | |
Integration considerations
Restriction of communication
The WeOS firewall can block individual IP addresses and defined services. For ease of use and more granular restriction, consider handling DNS blocking, email blocking and other application-level blocking of communication at the system level.
Protection from unauthorized device access
Consider implementing port-based network access control (for example IEEE 802.1X) to protect against unauthorized devices connecting to the internal network.