prEN IEC 63208:2024

This document applies to the main functions of switchgear, controlgear and their assemblies, called equipment, in the context of operational technology (OT 3.1.31). It is applicable to equipment with wired or wireless data communication means and their physical accessibility, within their limits of environmental conditions. It is intended to achieve the appropriate physical and cybersecurity mitigation against vulnerabilities to security threats.
This document provides requirements on the appropriate:
– security risk assessment to be developed including the attack levels, the typical threats, the impact assessment and the relationship with safety;
– levels of exposure of the communication interface and the determination of the equipment security level;
– assessment of the exposure level of the communication interfaces;
– assignment of the required security measures for the equipment;
– countermeasures for the physical access and the environment derived from ISO/IEC 27001:2013;
– countermeasures referring to IEC 62443-4-2 with their criteria of applicability;
– user instructions for installation, operation and maintenance;
– conformance verification and testing, and
– security protection profiles by family of equipment (Annex E to Annex I).
In particular, it focuses on potential vulnerabilities to threats resulting in:
– unintended operation, which can lead to hazardous situations;
– unavailability of the protective functions (overcurrent, earth leakage, etc.);
– other degradation of main function.
It also provides guidance on the cybersecurity management with the:
– roles and responsibilities (Table 4);
– typical architectures (Annex A)
– use cases (Annex B)
– development methods (Annex C)
– recommendations to be provided to users and for integration into an assembly (Annex D)
– bridging references to cybersecurity management systems (Annex K)
This document does not cover security requirement for
– information technology (IT),
– industrial automation and control systems (IACS), engineering workstations and their software applications,
– critical infrastructure or energy management systems,
– network device (communication network switch or virtual private network terminator), or
– data confidentiality other than for critical security parameters
– design lifecycle management. For this aspect, see IEC 62443-4-1, ISO/IEC 27001 or other security lifecycle management standards.
This document, as a product security publication, follows IEC Guide 12