IEC PAS 62443-3-2008 PDF
Name in English:
St IEC PAS 62443-3-2008
Name in Russian:
Ст IEC PAS 62443-3-2008
Original standard IEC PAS 62443-3-2008, full version in PDF. Additional information and preview on request.
Full title and description
St IEC PAS 62443-3:2008 — Security for industrial process measurement and control — Network and system security. This Publicly Available Specification (PAS) establishes a framework and operational guidance for protecting the networks of industrial process measurement and control systems (ICS/IACS) and the devices on those networks during the operational phase of a plant lifecycle, with emphasis on policies, partitioning and operational security measures for plant owners and operators.
Abstract
IEC PAS 62443-3:2008 provides high-level principles, models and practical measures for network and system security in industrial automation and control environments. It covers threat‑risk relationships, a security life‑cycle approach, partitioning (zones and conduits), access and integrity management, availability considerations and external connectivity controls, aimed at establishing operational security requirements for automation system owners/operators. The document served as a pre‑standard foundation for later IEC 62443 parts addressing risk assessment and technical system requirements.
General information
- Status: Withdrawn (was published as a PAS / pre-standard).
- Publication date: 22 January 2008.
- Publisher: International Electrotechnical Commission (IEC); also published/adopted as national publication(s) (e.g., BSI adoption as DD IEC/PAS 62443-3:2008).
- ICS / categories: 25.040.40; 35.110.
- Edition / version: Edition 1.0 (PAS).
- Number of pages: 53 (base IEC publication record; some national publications list 56 pages).
Information above is drawn from the IEC publication record and national adoption listings for the PAS.
Scope
The scope of IEC PAS 62443-3:2008 is the operational security of industrial process measurement and control systems: it addresses the network and system layer (networks, hosts and deployed devices) rather than product development. The PAS gives guidance on defining operational security policy, threat‑risk modeling for plant operations, defense‑in‑depth through partitioning (zones and conduits), and controls for availability, integrity, logical and physical access, and external interfaces. It is primarily intended to help plant owners/operators and operators of automation systems establish and manage security requirements during plant operation.
Key topics and requirements
- Threat–risk model and relationship between threats, vulnerabilities and risk for ICS environments.
- Security life‑cycle and governance: policies, roles and organizational measures for operational security.
- Reference models and generic configurations for ICS network/host protection and segmentation.
- Defense‑in‑depth principles implemented via partitioning into security zones and conduits.
- Availability management and measures to preserve continuity of control and safety functions.
- Integrity and logical access management (including hardening, authentication and authorization).
- Physical access controls and partition management for hosts and devices.
- External connectivity management and rules for remote access and interactions with enterprise or third‑party networks.
- Operational measures for incident response, monitoring and maintenance consistent with plant constraints.
The list summarizes the PAS’s principal topics and operational requirements for network and system security in industrial control contexts.
Typical use and users
Primary users are plant/asset owners, operations managers, automation system operators and security architects responsible for running and maintaining industrial control systems. System integrators, OT engineers and risk assessors consult the PAS for guidance when defining operational security policies and zone/conduit segmentation; it is also useful for auditors and procurement teams as a baseline operational security reference.
Related standards
IEC PAS 62443-3:2008 is part of the IEC 62443 family (formerly aligned with ISA/IEC 62443/ISA99). Over time the IEC 62443 series expanded into multiple formal parts (for example IEC 62443-3-1, 3-2, 3-3, 4-1, 4-2, and the 2‑series covering program and organizational requirements). The PAS was a pre‑standard publication and much of its operational guidance was carried forward and refined in later IEC 62443 parts (notably parts addressing system security requirements and risk assessment). Users should consult the current IEC 62443 parts for technical requirements and updates.
Keywords
Industrial control systems, IACS, ICS security, OT security, network segmentation, zones and conduits, defense‑in‑depth, operational security, threat‑risk model, availability management, access control, PAS 62443.
FAQ
Q: What is this standard?
A: IEC PAS 62443-3:2008 is a Publicly Available Specification (PAS) titled "Security for industrial process measurement and control — Network and system security" that provided a pre‑standard framework for operational network and system security in industrial automation.
Q: What does it cover?
A: It covers high‑level operational security guidance: threat‑risk modelling, security life‑cycle, policy and governance, network/host protection, partitioning into zones and conduits, availability and integrity measures, logical and physical access controls, and management of external connectivity. It is focused on the operational phase of plant life.
Q: Who typically uses it?
A: Plant owners and operators, OT/ICS engineers, system integrators, risk assessors and security architects — anyone responsible for establishing and running operational security controls for industrial control systems.
Q: Is it current or superseded?
A: IEC PAS 62443-3:2008 was withdrawn (withdrawal date recorded as 10 July 2018) and acted as a pre‑standard that informed later, formal IEC 62443 parts. Much of its guidance has been incorporated into and superseded by subsequent IEC 62443 documents (for example IEC 62443‑3‑3, IEC 62443‑3‑2 and related parts). Users should reference the current IEC 62443 parts for up‑to‑date normative requirements.
Q: Is it part of a series?
A: Yes — PAS 62443-3:2008 belongs to the body of work that became the IEC 62443 series (the international naming aligned with ISA/IEC 62443). The full series includes multiple parts covering terminology, program requirements, system requirements, product development and component technical requirements.
Q: What are the key keywords?
A: ICS/IACS, network and system security, zones and conduits, defense‑in‑depth, operational security, threat‑risk model, availability, access control, PAS 62443.