DANSK DSF/FPREN 62443-4-1 PDF

This international standard specifies process requirements for the secure development of products used in industry automation and control systems. It defines a secure development life-cycle (SDL) including security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. These requirements apply to the developer and maintainer of the product, but not to the user of the product. NOTE – This standard does not address security of manufacturing processes. Figure 2 illustrates how the developed product relates to maintenance and integration capabilities defined in IEC 62443‑2‑4 [7] and to its operation by the asset owner. The product supplier develops products using a process compliant with this standard. Those products may be a single component, such as an embedded controller, or a group of components working together as a system or subsystem. The products are then integrated together, usually by a system integrator, into an automation solution using a process compliant with IEC 62443‑2‑4. The automation solution is then installed at a particular site and becomes part of the industrial automation and control system (IACS). Some of these capabilities reference security measures defined in IEC 62443‑3‑3 [10] that the service provider ensures are supported in the automation solution (either as product features or compensating mechanisms). This standard only addresses the process used for the development of the product; it does not address design, installation or operation of the automation solution or IACS.