Coverage

Requirements coverage for IEC 62443-3-3. Supplier: ROCKWELL AUTOMATION

| Requirement | Capabilities | Services/Solutions | Coverage |
|---|---|---|---|
| SR 1.1 - Identification and authentication of human users | Basic user access control | | |
| SR 1.1 RE (1) Identification and unique authentication | Access control policy | | |
| SR 1.1 RE (2) Multi-factor authentication for untrusted networks | Multi-factor user access control | | |
| SR 1.2 RE (1) Identification and unique authentication | Access control policy, Role-based access | | |
| SR 1.3 - Account management | Access control policy, Role-based access, Account management | | |
| SR 1.3 RE (1) Unified account management | Single Sign-On | | |
| SR 1.4 - Identifier management | Access control policy, Role-based access, Account management | | |
| SR 1.5 - Authenticator management | Access control policy, Basic user access control, Multi-factor user access control | | |
| SR 1.5 RE (1) Hardware security for credentials used by software processes | Hardware Security Keys | | |
| SR 1.6 - Wireless access management | WI-FI control, Network communications control, Physical security in the installation of devices, Account management | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ; Industrial Data Center | Partial coverage |
| SR 1.6 RE (1) Unique identifier and authenticator | Access control policy | | |
| SR 1.7 - Strength of password-based authentication | Detection of use of default passwords, Account management | | |
| SR 1.7 RE (1) Password generation and lifetime restrictions for human users | Access control policy | | |
| SR 1.7 RE (2) Password lifetime restrictions for all users | Access control policy | | |
| SR 1.8 - Public key infrastructure certificates | PKI infrastructure, Certificate use policy | | |
| SR 1.9 - Strength of public key-based authentication | Multi-factor user access control, Certificate use policy | | |
| SR 1.9 RE (1) Hardware security for public key authentication | PKI infrastructure | | |
| SR 1.10 - Authenticator feedback | User access control with hidden display, Access control policy | | |
| SR 1.11 - Failed login attempts | Industrial DPI for anomaly detection, Account management, Inspect endpoint logs, Industrial network event log (forensic analysis) | | |
| SR 1.12 - System use notification | Account management, Inspect endpoint logs, Industrial network event log (forensic analysis) | | |
| SR 1.13 - Access via untrusted networks | Network event correlation analysis, Multi-factor user access control, Network communications control, Industrial network event log (forensic analysis), Network communication visualization | OT Network Assessment | Partial coverage |
| SR 1.13 RE (1) Explicit access request approval | Access control policy | | |
| SR 1.1 RE (3) Multi-factor authentication for all networks | Role-based access | | |
| SR 2.1 - Authorization enforcement | Detection of use of default passwords, Account management | | |
| SR 2.1 RE (1) Authorization enforcement for all users | Use control policy | | |
| SR 2.1 RE (2) Permission mapping to roles | Role-based access, Use control policy | | |
| SR 2.1 RE (3) Supervisor override | Use control policy | | |
| SR 2.1 RE (4) Dual approval | Use control policy | | |
| SR 2.2 - Wireless use control | WI-FI control, Network communications control, Network integrity control, Network communication visualization | OT Network Assessment | Partial coverage |
| SR 2.2 RE (1) Identify and report unauthorized wireless devices | Security log | | |
| SR 2.3 - Use control for portable and mobile devices | Role-based access, Network event correlation analysis, Network communications control, Equipment use control, Use control policy, Network communication visualization | OT Network Assessment | Partial coverage |
| SR 2.3 RE (1) Enforcement of the security status of portable and mobile devices | Reporting of events and communication to responsible parties | | |
| SR 2.4 - Mobile code | Role-based access, Software usage control, Use control policy, Upgrade testing support | Industrial Data Center | Partial coverage |
| SR 2.4 RE (1) Mobile code integrity check | Verification of integrity of software and hardware code | Industrial Data Center | Full coverage |
| SR 2.5 - Session lock | Account management, Use control policy | | |
| SR 2.6 - Remote session termination | Account management, Use control policy | | |
| SR 2.7 - Concurrent session control | Account management, Use control policy | | |
| SR 2.8 - Auditable events | Whitelist in prevention mode, Activity log policy, Industrial network event log (forensic analysis), Security log, Incident response support | | |
| SR 2.8 RE (1) Centrally managed, system-wide audit trail | SIEM integration | | |
| SR 2.9 - Audit storage capacity | Equipment protection diagnostics, Centralized management of security policies, Incident response support | | |
| SR 2.9 RE (1) Warn when the audit log capacity threshold is reached | Activity log policy | | |
| SR 2.10 - Response to audit processing failures | Network event correlation analysis, SIEM integration, Activity log policy | | |
| SR 2.11 - Timestamps | Equipment protection diagnostics, Industrial network event log (forensic analysis), Security log, Reporting of events and communication to responsible parties | | |
| SR 2.11 RE (1) Internal time synchronization | Activity log policy | | |
| SR 2.11 RE (2) Protection of time source integrity | Activity log policy | | |
| SR 2.12 - Non-repudiation | Network event correlation analysis, Equipment protection diagnostics, Centralized management of security policies, Inspect endpoint logs, Industrial network event log (forensic analysis) | | |
| SR 2.12 RE (1) Non-repudiation for all users | Activity log policy | | |
| SR 3.1 - Communication integrity | Network event correlation analysis, WI-FI control, Network communications control, Advanced detection of anomalies in the IP layer, Network communication visualization | OT Network Assessment | Partial coverage |
| SR 3.1 RE (1) Cryptographic integrity protection | Network integrity control | OT Network Assessment | Full coverage |
| SR 3.2 - Malicious code protection | Reliable updates, Host-based firewall, Whitelist in prevention mode, Notify-only protection mode, Upgrade testing support, Verify PLC integrity | Industrial Data Center | Partial coverage |
| SR 3.2 RE (1) Malicious code protection at entry and exit points | Advanced antimalware | | |
| SR 3.2 RE (2) Central management of malicious code protection | Centralized management of security policies | | |
| SR 3.3 - Security functionality verification | Reliable updates, Certification of the main ICS providers, Cybersecurity assessment | Industrial Data Center | Partial coverage |
| SR 3.3 RE (1) Automated mechanisms for security functionality verification | Centralized management of security policies | | |
| SR 3.3 RE (2) Security functionality verification during normal operation | Use control policy | | |
| SR 3.4 - Software and information integrity | Reliable updates, Whitelist in discovery mode, Access control policy, File integrity monitoring, Verification of integrity of software and hardware code | Industrial Data Center | Partial coverage |
| SR 3.4 RE (1) Automated notification of integrity violations | Centralized management of security policies | | |
| SR 3.5 - Input validation | Network event correlation analysis, Host-based firewall, Industrial DPI for anomaly detection, Whitelist in prevention mode, Advanced process control rules | | |
| SR 3.6 - Deterministic output | Software usage control, Industrial DPI for anomaly detection, Advanced process control rules | | |
| SR 3.7 - Error handling | Industrial DPI for anomaly detection, Detect attacks on industrial networks (signature-based), Centralized management of security policies, Inspect endpoint logs, Activity log policy | | |
| SR 3.8 - Session integrity | Network communications control, Industrial DPI for anomaly detection, Detect attacks on industrial networks (signature-based), Industrial network event log (forensic analysis) | OT Network Assessment | Partial coverage |
| SR 3.8 RE (1) Invalidation of session IDs after session termination | Activity log policy | | |
| SR 3.8 RE (2) Unique session ID generation | Activity log policy | | |
| SR 3.8 RE (3) Randomness of session IDs | Activity log policy | | |
| SR 3.9 - Protection of audit information | Network event correlation analysis, Centralized management of security policies, Activity log policy, Incident response support | | |
| SR 3.9 RE (1) Audit records on write-once media | Role-based access, SIEM integration | | |
| SR 4.1 - Information confidentiality | Account management, Access control policy, Data protection | | |
| SR 4.1 RE (1) Protection of confidentiality at rest or in transit via untrusted networks | Use control policy | | |
| SR 4.1 RE (2) Protection of confidentiality across zone boundaries | Use control policy | | |
| SR 4.2 - Information persistence | Use control policy | | |
| SR 4.2 RE (1) Purging of shared memory resources | Data protection | | |
| SR 4.3 - Use of cryptography | Multi-factor user access control, Network communications control, Use control policy | OT Network Assessment | Partial coverage |
| SR 5.1 - Network segmentation | WI-FI control, Network communications control, Network integrity control, Industrial network event log (forensic analysis), Network communication visualization | OT Network Assessment | Partial coverage |
| SR 5.1 RE (1) Physical network segmentation | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.1 RE (2) Independence from non-control system networks | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.1 RE (3) Logical and physical isolation of critical networks | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.2 - Zone boundary protection | WI-FI control, Network communications control, Network integrity control, Industrial network event log (forensic analysis), Network communication visualization | OT Network Assessment | Partial coverage |
| SR 5.2 RE (1) Deny by default, allow by exception | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.2 RE (2) Island mode | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.2 RE (3) Fail close | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.3 - Restriction of general-purpose person-to-person communications | WI-FI control, Network communications control, Industrial DPI for anomaly detection, Industrial network event log (forensic analysis), Network communication visualization | OT Network Assessment | Partial coverage |
| SR 5.3 RE (1) Prohibit all general-purpose person-to-person communications | Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |
| SR 5.4 - Application partitioning | WI-FI control, Network communications control, Secure network design | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ | Partial coverage |
| SR 6.1 - Audit log accessibility | Equipment protection diagnostics, Industrial network event log (forensic analysis), Security log, Reporting of events and communication to responsible parties | | |
| SR 6.1 RE (1) Programmatic access to audit logs | SIEM integration | | |
| SR 6.2 - Continuous monitoring | Industrial DPI for anomaly detection, Detect attacks on industrial networks (signature-based), Whitelist in discovery mode, Industrial network event log (forensic analysis), File integrity monitoring, Network communication visualization | | |
| SR 7.1 - Denial of service protection | Network event correlation analysis, Industrial network event log (forensic analysis), Reporting of events and communication to responsible parties | | |
| SR 7.1 RE (1) Manage communication loads | Network communications control | OT Network Assessment | Full coverage |
| SR 7.1 RE (2) Limit the effects of a denial of service on other systems or networks | Use control policy | | |
| SR 7.2 - Resource management | Network communications control, Equipment use control, Device control, Monitor USB access, Use control policy, Advanced process control rules, Verify PLC integrity | Converged Plantwide Ethernet IT-OT network design, including iDMZ; Industrial Data Center | Partial coverage |
| SR 7.3 - Control system backup | Backup system | Industrial Data Center | Full coverage |
| SR 7.3 RE (1) Backup verification | Backup policy | Industrial Data Center | Full coverage |
| SR 7.3 RE (2) Backup automation | Backup policy | Industrial Data Center | Full coverage |
| SR 7.4 - Control system recovery and reconstitution | Backup policy, Backup system | Industrial Data Center | Full coverage |
| SR 7.5 - Emergency power | Physical security in the installation of devices, Redundancy system | Converged Plantwide Ethernet IT-OT network design, including iDMZ; Industrial Data Center | Partial coverage |
| SR 7.6 - Network and security configuration settings | Network event correlation analysis, Network communications control, Network integrity control, Equipment use control, Network communication visualization | OT Network Assessment | Partial coverage |
| SR 7.6 RE (1) Machine-readable reporting of current security settings | Activity log policy | | |
| SR 7.7 - Least functionality | WI-FI control, Network communications control, Equipment use control, Software usage control, Device control, Whitelist in prevention mode | OT Network Assessment; Converged Plantwide Ethernet IT-OT network design, including iDMZ; Industrial Data Center | Partial coverage |
| SR 7.8 - Control system component inventory | Hardware and software inventory | Converged Plantwide Ethernet IT-OT network design, including iDMZ | Full coverage |