
IEC 62443-4-1

Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

Organization: IEC
Category: Product Security

  • Related Articles: 6
  • Articles with Obligations: 15
  • Key Sections: 12
  • Coverage Areas: 8

Overview

Defines requirements for a secure development lifecycle for products used in industrial automation and control systems. Covers security requirements for development processes, including security by design, threat modeling, and secure coding practices.

Applicability

Product development processes and lifecycle security

Relevance to Cyber Resilience Act (CRA)

Primary standard for CRA essential cybersecurity requirements and secure development obligations

Key Coverage Areas

1. Secure development lifecycle (SDL)
2. Security requirements specification
3. Threat modeling and risk assessment
4. Secure design principles
5. Secure implementation and coding
6. Security testing and validation
7. Vulnerability management
8. Security maintenance and updates

Standard Sections & Chapters

  • 4.2: Security development lifecycle requirements
  • 4.2.1: Security requirements specification
  • 4.2.2: Secure by design
  • 4.2.3: Security implementation
  • 4.2.4: Security verification and validation
  • SR-1: Identification and authentication control
  • SR-2: Use control
  • SR-3: System integrity
  • SR-4: Data confidentiality
  • SR-5: Restricted data flow
  • SR-6: Timely response to events
  • SR-7: Resource availability

Related Cyber Resilience Act (CRA) Articles

Article I: ESSENTIAL CYBERSECURITY REQUIREMENTS

Sections: SR-1, SR-2, SR-3, SR-4, SR-5, SR-6, SR-7

Security requirements for development lifecycle

Implementation Guidance:

Address all security requirement categories throughout product development

Article 13: Obligations of manufacturers

Sections: 4.2.1, 4.2.2, SR-3, SR-4

Secure development lifecycle and security requirements specification

Implementation Guidance:

Implement SDL with security gates, threat modeling, and secure design principles

Mapped Obligations:

  • Conduct and document cybersecurity risk assessments
  • Keep security updates available for 10+ years
  • Keep technical documentation for 10+ years

Article 14: Reporting obligations of manufacturers

Sections: 4.2.3, 4.2.4

Security implementation, verification and validation

Implementation Guidance:

Implement security testing and validation processes, and maintain security documentation

Article 15: Voluntary reporting

Sections: 4.2.1, 4.2.4

Security documentation requirements

Implementation Guidance:

Create comprehensive security documentation including threat models, security architecture, and test results

Article 17: Other provisions related to reporting

Sections: 4.2.4, SR-3

Security maintenance and lifecycle support

Implementation Guidance:

Define security support period and commit to security updates throughout product lifecycle

Article 24: Obligations of open-source software stewards

Sections: 4.2.1

Security requirements and risk assessment

Implementation Guidance:

Perform threat modeling and security risk assessment during development

Mapped Obligations:

  • Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form

Quick Information

Organization: IEC
Category: Product Security
Certification: Available
