Cyber security of industrial control systems under IEC 62443: patching and maintenance requirements

Technical analysis: Cyber security IEC 62443 for industrial control systems: patching and maintenance


Introduction: why cyber security of ACS is a maintenance issue

Industrial control systems (ICS/ACS TP) at Ukrainian enterprises operate under constant cyber threat. According to CERT-UA, more than 2,500 incidents targeting critical infrastructure facilities were recorded in 2023–2024. The IEC 62443 standard (a series of 14 documents, latest consolidated edition: 2024) defines a systematic approach to protecting industrial networks at all levels, from components to organizational policies.

For a service engineer, cybersecurity is not an abstract IT task. Every unapplied patch on a controller, every HMI panel with outdated firmware, every unprotected Ethernet port on a drive is an attack vector. IEC 62443-2-3:2015 (Patch management in the IACS environment) directly regulates the procedures for updating the software of ACS components as part of scheduled maintenance.

The Law "On Critical Infrastructure" (No. 1882-IX), which entered into force in Ukraine on January 1, 2024, obliges operators of critical infrastructure facilities to implement cyber protection systems in accordance with international standards. DSTU EN IEC 62443 has been adopted as a national standard by the confirmation method.

Scope and obligation

Who must comply?

  • Operators of critical infrastructure objects (categories A, B, C according to Resolution of the CMU No. 1109)
  • Enterprises with ACS TP connected to corporate networks
  • Production facilities with SCADA, DCS and PLC systems at levels 0–3 of the Purdue model
  • Suppliers of ACS components (requirements of IEC 62443-4-1 and 4-2)

What equipment is covered by the requirements

  • Programmable logic controllers (PLC) — Siemens S7-1500, Allen-Bradley ControlLogix, ABB AC500
  • Operator panels (HMI) — Siemens Comfort/Unified, Weintek, Schneider Magelis
  • Frequency converters with network interfaces (Profinet, EtherNet/IP, Modbus TCP)
  • Industrial switches and routers (Hirschmann, Moxa, Phoenix Contact)
  • Sensors and transducers with HART/Foundation Fieldbus/IO-Link
  • Industrial PCs, SCADA servers, historian systems

Industries

Energy, water supply, chemical industry, metallurgy, food industry, cement production, mining industry - any production with automated management of technological processes.

Key requirements of the standard

| Document | Requirement | Implementation period | Responsible |
|---|---|---|---|
| IEC 62443-2-1:2010+AMD1:2024 | Cyber Security Management System (CSMS): policies, procedures, roles | 12 months from the moment of object categorization | Head of the enterprise |
| IEC 62443-2-3:2015 | Patch management procedures for the IACS environment | 6 months after CSMS implementation | ACS TP engineer / IT security |
| IEC 62443-3-3:2013 | System-level security requirements (SL 1–4) | When designing / modernizing | Project engineer |
| IEC 62443-4-2:2019 | Technical requirements for components (SL-C) | When purchasing new components | Procurement department / MRO |
| DSTU ISO/IEC 27001:2023 | Integration of ISMS with CSMS | In parallel with IEC 62443-2-1 | CISO / person responsible for IS |

Impact on maintenance operations

Patching as part of scheduled maintenance

IEC 62443-2-3 requires a formalized software update process for industrial components. This means:

  1. Inventory of all software assets (PLC firmware, HMI OS, SCADA versions)
  2. Monitoring of security bulletins from manufacturers (Siemens ProductCERT, Rockwell Knowledgebase, ABB Cybersecurity Advisory)
  3. Risk assessment before applying the patch (CVSS score ≥ 7.0 — critical, closure period ≤ 30 days)
  4. Patch testing on backup hardware before deploying to production
  5. Documentation of each update in the change log

Changes in procurement of spare parts

The IEC 62443-4-2 standard establishes four component security levels (SL-C 1–4). When replacing the controller, switch or HMI panel, you must:

  • Check for ISASecure certificate (EDSA/SSA/SDLA) or Declaration of Conformity IEC 62443-4-2
  • Make sure that the firmware supports a secure update (signed firmware update)
  • Request documentation on hardening guidelines from the supplier
  • Maintain supply chain integrity — purchase only from authorized distributors

Documentation

Each maintenance procedure related to cyber-physical systems must contain:

  • Asset ID and current firmware version
  • List of applied patches with dates
  • Integrity check results (hash sums, digital signatures)
  • Signature of a responsible person with qualifications (GICSP certificate, ISA/IEC 62443 Cybersecurity Certificate)
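A maintenance record carrying the fields listed above, as an added Python example (not code from the standard or from any vendor tool): the firmware image is checked against the hash published for it before the record is accepted. Chaining each record to the previous one by hash goes beyond what the list requires and is added here so that later edits to the log are detectable; all names and sample values are constructed.

```python
import hashlib
import hmac
import json

REQUIRED = ("asset_id", "firmware_version", "patches", "engineer", "qualification")
GENESIS = "0" * 64   # "previous hash" of the first record in a log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_image(image: bytes, published_sha256: str) -> bool:
    """Compare the image on hand with the hash published for it."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.strip().lower())

def _digest(body: dict) -> str:
    # Canonical JSON, so the same record always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

def append_record(log: list, record: dict, image: bytes, published_sha256: str) -> dict:
    """Add a maintenance record; refuse incomplete records and bad images."""
    missing = [k for k in REQUIRED if not record.get(k)]
    if missing:
        raise ValueError(f"incomplete record, missing: {missing}")
    if not check_image(image, published_sha256):
        raise ValueError("firmware image does not match the published hash")
    body = dict(record, image_sha256=sha256_hex(image), integrity_check="passed",
                prev=log[-1]["entry_hash"] if log else GENESIS)
    entry = dict(body, entry_hash=_digest(body))
    log.append(entry)
    return entry

def first_tampered(log: list):
    """Index of the first record whose hash or link is wrong, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

# Constructed sample: a short byte string stands in for the firmware image.
IMAGE = b"constructed firmware image v2.9.4"
RECORD = {"asset_id": "PLC-01", "firmware_version": "2.9.4",
          "patches": [{"id": "PATCH-EXAMPLE-1", "date": "2024-03-12"}],
          "engineer": "I. Example", "qualification": "GICSP"}
```

The engineer field here is a name, not a digital signature; signing the record would need a key infrastructure the page does not describe.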

Component requirements and certification

Components with mandatory cyber security certification

| Component type | Requirement of IEC 62443-4-2 | Minimum SL-C | Examples of certified solutions |
|---|---|---|---|
| PLC / Safety PLC | FR 1–7 (identification, authorization, data integrity, auditing) | SL-C 2 (typical production), SL-C 3 (critical infrastructure) | Siemens S7-1500 (TÜV SÜD certified), Allen-Bradley GuardLogix 5580 |
| Industrial switches | FR 1, FR 2, FR 5 (restriction of data flows) | SL-C 2 | Hirschmann EAGLE40, Phoenix Contact FL MGUARD |
| HMI panels | FR 1, FR 3, FR 4 (confidentiality, integrity) | SL-C 2 | Siemens Unified Comfort Panels (V18+) |
| Frequency converters with Ethernet | FR 1, FR 7 (availability of resources) | SL-C 1 | ABB ACS880, Siemens G120 with CU250S-2 |
| Industrial routers / firewalls | FR 1–7 (full set) | SL-C 3 | Fortinet FortiGate Rugged, Cisco IE-3400 |

Mechanical and electrical components

Cyber security requirements do not cancel classic certifications. For components operating in an ACS TP environment, the following are still mandatory:

  • CE marking (Directive 2014/35/EU for low-voltage equipment)
  • UkrSEPRO certificate for equipment subject to mandatory certification in Ukraine
  • Compliance with DSTU EN 60529 (degree of IP protection) for automation cabinets
  • DSTU EN 61439-1:2017 for low-voltage complete devices
  • Bearings, seals, connectors — compliance with ISO 9001 and specific standards (ISO 15:2017 for rolling bearings)

Compliance Checklist for the Service Manager

  1. A complete inventory of ACS TP software assets (PLC, HMI, SCADA, network equipment) has been carried out and firmware versions are documented
  2. An asset register has been created, classified by security zones and communication channels (conduits) in accordance with IEC 62443-3-2
  3. A target security level (SL-T) has been defined for each zone
  4. A person responsible for ACS TP patch management has been appointed (not the general-purpose IT department)
  5. Subscriptions to the security bulletins of all manufacturers of the installed equipment are in place
  6. A risk assessment procedure to follow before applying a patch has been developed (risk assessment template)
  7. A staging environment has been created to test patches before production
  8. Maximum terms for closing vulnerabilities are defined: CVSS ≥ 9.0 — 14 days, CVSS 7.0–8.9 — 30 days, CVSS 4.0–6.9 — 90 days
  9. A backup procedure for PLC/HMI configurations before each update has been implemented
  10. Physical protection of programming ports (USB, serial ports) is provided: port plugs, cabinet locks
  11. IEC 62443-4-2 certificates have been checked for all recently purchased components
  12. Network segmentation (VLANs, firewalls) between the zones of levels 0–3 and the corporate network has been implemented
  13. Logging of security events with centralized collection (syslog/SIEM) is configured
  14. Maintenance personnel have been trained in the basics of cyber hygiene (changing default passwords, banning USB drives)
  15. An incident response plan has been developed that defines the roles of maintenance personnel
  16. Contracts with spare parts suppliers have been checked for supply chain integrity requirements
  17. An audit of legacy systems has been conducted and compensating measures have been determined for systems without patch support
  18. All remote connections to ACS TP (VPN, modems) are documented and reduced to the required minimum
  19. Change management is implemented: no update without an approved change request
  20. An annual IEC 62443 compliance audit with the involvement of an external auditor is planned
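The triage implied by the inventory, bulletin monitoring and risk assessment steps of the patching procedure, and by the closure terms in checklist item 8, as an added Python example (not code from the standard or from any vendor tool). It matches an asset inventory against advisories and computes each deadline; asset names, advisory IDs, versions and the choice to count the term from the advisory's publication date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Closure terms from checklist item 8: (minimum CVSS score, days allowed).
SLA_TIERS = [(9.0, 14), (7.0, 30), (4.0, 90)]

@dataclass
class Asset:
    asset_id: str
    product: str
    firmware: tuple      # installed version, e.g. (2, 8, 1)

@dataclass
class Advisory:
    advisory_id: str     # constructed placeholder, not a real bulletin number
    product: str
    fixed_in: tuple      # first firmware version that contains the fix
    cvss: float
    published: date

def closure_days(cvss):
    """Days allowed to close a finding, or None below the lowest tier."""
    for floor, days in SLA_TIERS:
        if cvss >= floor:
            return days
    return None

def triage(assets, advisories, today):
    """Open findings as (asset_id, advisory_id, due, overdue), soonest first."""
    findings = []
    for adv in advisories:
        days = closure_days(adv.cvss)
        if days is None:
            continue     # the checklist sets no term below CVSS 4.0
        due = adv.published + timedelta(days=days)   # assumption: term runs from publication
        for asset in assets:
            if asset.product == adv.product and asset.firmware < adv.fixed_in:
                findings.append((asset.asset_id, adv.advisory_id, due, today > due))
    return sorted(findings, key=lambda f: f[2])

# Constructed inventory and advisories, for illustration only.
ASSETS = [Asset("PLC-01", "plc-x", (2, 8, 1)),
          Asset("PLC-02", "plc-x", (2, 9, 4)),
          Asset("HMI-07", "hmi-y", (17, 0, 0))]
ADVISORIES = [Advisory("ADV-EXAMPLE-1", "plc-x", (2, 9, 0), 9.8, date(2024, 3, 1)),
              Advisory("ADV-EXAMPLE-2", "hmi-y", (18, 0, 0), 7.5, date(2024, 3, 10)),
              Advisory("ADV-EXAMPLE-3", "hmi-y", (17, 0, 1), 3.1, date(2024, 3, 10))]
```

The overdue flag is the item to feed into the change request queue; a finding that cannot be patched in time (a legacy system, for instance) is where the compensating measures of checklist item 17 apply.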

Typical inconsistencies identified by auditors

1. Lack of patch management as a process

At 78% of Ukrainian enterprises (according to the estimate of DSSZZI, 2023), the PLC firmware update is not carried out at all or is carried out only during major repairs. Controllers run on firmware 5–10 years old with known vulnerabilities (CVE).

2. Default passwords

Siemens S7-300/400 without password protection, HMI panels with admin/admin login, switches with factory default credentials. This violates FR 1 (Identification and Authentication Control) of IEC 62443-4-2.

3. Lack of network segmentation

PLC and corporate network in the same VLAN. No DMZ between layers 3 and 4. Direct violation of IEC 62443-3-3, SR 5.1 (Network segmentation).
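Both findings named above can be checked from the asset register, as in this added Python example (not code from the standard): it reports VLANs shared by OT and corporate assets, and conduits that link the two sides directly. The register layout, the asset names and the use of 3.5 as the label for the DMZ level are assumptions made for the illustration.

```python
from collections import defaultdict

DMZ = 3.5   # assumed label for the industrial DMZ between levels 3 and 4

def side(level):
    """Classify a Purdue level as OT (0-3), DMZ, or corporate (4 and up)."""
    if level == DMZ:
        return "dmz"
    return "corp" if level >= 4 else "ot"

def mixed_vlans(register):
    """VLAN ids that carry both OT and corporate assets."""
    sides = defaultdict(set)
    for _asset, level, vlan in register:
        sides[vlan].add(side(level))
    return sorted(v for v, found in sides.items() if {"ot", "corp"} <= found)

def direct_conduits(register, conduits):
    """Conduits (a, b) that join a corporate asset straight to an OT asset."""
    level = {asset: lvl for asset, lvl, _vlan in register}
    bad = []
    for a, b in conduits:
        if {side(level[a]), side(level[b])} == {"ot", "corp"}:
            bad.append((a, b))
    return bad

# Constructed register: (asset, Purdue level, VLAN id).
REGISTER = [("PLC-01", 1, 10), ("HMI-07", 2, 10), ("SCADA-01", 3, 20),
            ("HIST-DMZ", DMZ, 30), ("ERP-01", 4, 40), ("OFFICE-PC-12", 4, 10)]
# Constructed conduits: pairs of assets allowed to communicate.
CONDUITS = [("ERP-01", "HIST-DMZ"), ("HIST-DMZ", "SCADA-01"), ("ERP-01", "PLC-01")]
```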

4. Inconsistency of purchased components

Replacing a failed switch with a consumer-grade (unmanaged) switch without ACL, VLAN or 802.1X support. Purchasing counterfeit or unauthorized components without documentation.

5. Lack of changelogs

Inability to track who, when and what changed in the PLC program. Lack of project versioning.

Liability and sanctions

Administrative responsibility

The Law of Ukraine "On Critical Infrastructure" (Article 27) provides:

  • Fine for non-compliance with cyber protection requirements — from 3,400 to 51,000 UAH (100–1,500 NMDH) for officials
  • Fine for legal entities — up to 2% of annual turnover (by analogy with NIS2 Directive 2022/2555 upon integration into the European market)

Criminal liability

Article 363-1 of the Criminal Code of Ukraine (interference in the work of information systems) — if inaction led to an incident with serious consequences: up to 5 years of imprisonment.

Insurance consequences

Insurance companies refuse to pay out in case of proven non-compliance with cyber security standards. A typical loss from a cyber attack on an industrial enterprise is between EUR 500,000 and EUR 5,000,000 (data from the Allianz Global Industrial Report 2024).

Contract risks

European customers require confirmation of compliance with IEC 62443 as a condition of the contract. Non-compliance = loss of export contracts.

Practical recommendations for implementation

Step 1: Current status audit (1-2 months)

Inventory of all components of ACS TP. Determination of the current security level (SL-A — achieved). Identification of the gap between SL-A and target SL-T.

Step 2: Policy development (2-3 months)

Creation of a patch management procedure for IEC 62443-2-3. Integration with the existing scheduled maintenance system (CMMS). Definition of roles and responsibilities.

Step 3: Technical implementation (3–6 months)

Network segmentation. Replacement of equipment that does not support security requirements. Configuration of monitoring. Implementation of secure remote access.

Step 4: Purchasing the appropriate components

For planned replacement or modernization, select components with confirmed compliance with IEC 62443-4-2. Industrial switches, controllers, frequency converters, sensors with network interfaces: each must come with documentation describing the implemented security functions (Security Features).

Result

Cyber security of industrial control systems is not an optional IT initiative. This is a mandatory component of technical maintenance, established by the legislation of Ukraine and international standards. IEC 62443-2-3 directly defines patching as a maintenance procedure. Each replacement of an ACS TP component must take into account cyber security requirements along with electrical and mechanical characteristics.

UNITEC-D GmbH ensures the supply of certified industrial components - from bearings and seals to network equipment and automation system elements - with full documentation of conformity to CE, ISO and industry standards. Use UNITEC-D E-Catalog to select components that meet your security level requirements.

List of regulatory documents

  • IEC 62443-2-1:2010+AMD1:2024 — Security for industrial automation and control systems — Part 2-1: Establishing an IACS security program
  • IEC 62443-2-3:2015 - Patch management in the IACS environment
  • IEC 62443-3-2:2020 — Security risk assessment for system design
  • IEC 62443-3-3:2013 - System security requirements and security levels
  • IEC 62443-4-1:2018 — Secure product development lifecycle requirements
  • IEC 62443-4-2:2019 — Technical security requirements for IACS components
  • Law of Ukraine "On Critical Infrastructure" No. 1882-IX dated November 16, 2021
  • CMU Resolution No. 1109 of October 9, 2020 "On Approval of the Procedure for Forming a List of Critical Infrastructure Objects"
  • DSTU ISO/IEC 27001:2023 (ISO/IEC 27001:2022, IDT)
  • Directive (EU) 2022/2555 (NIS2) — for enterprises with European contracts
  • NIST SP 800-82 Rev. 3 (2023) — Guide to OT Security (reference)
