DA/SA-311-2022: IEC 62443 security requirements for procuring RTUs and gateways [DRAFT]

This document gives security requirements that grid operators can use in their procurement documents for new remote terminal units (RTUs) and gateways for distribution automation or substation automation. The requirements are based on the IEC 62443-4-2 standard.

Grid operators are increasingly automating their medium voltage substations and lines with distribution automation and high voltage substation with substation automation. The automation increases the possible impact of cyber-attacks. Many grid operators already have thousands of substations and lines automated. If attackers succeed in switching off the power in a large part of those, it can take a lot of time to recover.

Making sure the distribution and substation automation systems are secure is hence critical. Grid operators need to set good security requirements when procuring RTUs and gateways. The requirements should not lead to excessive cost when procuring thousands of RTUs, while still ensuring all security risks can be mitigated.

This document provides a harmonized set of security requirements that grid operators use directly in their procurement documents. The requirements have been designed to allow certification based on the new certification schemes being developed for IEC 62443. Together with the threat analysis for substation automation systems they form a profile for IEC 62443. The profile also meets the requirements for a component context analysis, as defined in the JRC Recommendations for the Implementation of the Industrial Automation & Control Systems Components Cybersecurity Certification Scheme (ICCS).