Kostenloses Tool · IEC 62443-2-1 / IEC 62443-3-3

ICS Cybersicherheits-Reifebewertung

Bewerten Sie Ihr industrielles Steuerungssystem gegen IEC 62443-2-1 und IEC 62443-3-3. 32 Fragen in 8 Sicherheitsdomänen. Output: Reifebewertung 0–100, Abschnittsdiagramm, Gap-Liste mit Klauselreferenzen.

1. Ziel-Sicherheitsniveau
4 Fr.
IEC 62443-2-1 §4.2
Security Level (SL 0–4) formally defined for the target system
IEC 62443-3-3 §5.2
Consequence analysis performed to justify target SL
IEC 62443-3-3 §5.3
Industry sector / asset type aligns with IEC 62443 SL targets
IEC 62443-2-1 §4.3
SL justification documented and signed off by asset owner
2. Firmware & Änderungsmanagement
4 Fr.
IEC 62443-3-3 SR 7.4
All firmware is digitally signed by the vendor
IEC 62443-3-3 SR 7.5
Firmware authenticity verified before installation (hash/Sig check)
IEC 62443-2-1 §4.5.3
Formal change-control procedure for firmware updates exists
IEC 62443-2-1 §4.5.4
Updates tested in staging/isolation environment before production
3. Netzwerksegmentierung
5 Fr.
IEC 62443-3-3 SR 3.1
OT network divided into zones (e.g., field, supervisory, corporate)
IEC 62443-3-3 SR 3.2
Data flows between zones documented as conduits
IEC 62443-3-3 SR 3.3
Demilitarised zone (DMZ) separates corporate IT from OT
IEC 62443-2-1 §4.6.2
Firewall rules reviewed and updated at least annually
IEC 62443-3-3 SR 3.4
IDS/IPS or equivalent monitoring at zone boundaries
4. Zugriffskontrolle
5 Fr.
IEC 62443-3-3 SR 1.4
Multi-factor authentication enforced for all remote access
IEC 62443-3-3 SR 1.5
Role-Based Access Control (RBAC) implemented for operator accounts
IEC 62443-3-3 SR 1.6
Least-privilege principle applied (default deny, need-to-know)
IEC 62443-2-1 §4.7.3
Credentials rotated on a defined schedule (≤180 days for privileged)
IEC 62443-3-3 SR 1.7
Inactive sessions timeout automatically (<30 min)
5. Protokollierung & Monitoring
5 Fr.
IEC 62443-2-1 §4.8.2
Centralised SIEM or log aggregation platform deployed
IEC 62443-2-1 §4.8.4
Logs retained for ≥6 months (security incident investigation)
IEC 62443-3-3 SR 5.2
Automated alerting thresholds defined and active
IEC 62443-3-3 SR 5.3
Log integrity protected (tamper-evident, immutable write-once)
IEC 62443-2-1 §4.8.5
Logs reviewed proactively (not only after an incident)
6. Vorfallreaktion
4 Fr.
IEC 62443-2-1 §4.9.2
Documented incident-response playbooks exist for ICS-specific scenarios
IEC 62443-2-1 §4.9.4
Recovery plan defined with RTO/RPO targets for critical systems
IEC 62443-2-1 §4.9.6
Incident-response exercises performed at least annually (tabletop or live)
IEC 62443-3-3 SR 5.1
Defined escalation paths and contact list accessible 24/7
7. Physische Sicherheit
3 Fr.
IEC 62443-2-1 §4.10.2
Control cabinet access restricted (key/card, audit trail)
IEC 62443-2-1 §4.10.3
CCTV or equivalent surveillance on critical OT areas
IEC 62443-2-1 §4.10.5
Perimeter barriers (fencing, locked rooms) prevent casual physical access
8. Asset-Inventar
3 Fr.
IEC 62443-2-1 §3.4.2
OT asset inventory current (updated within 12 months)
IEC 62443-3-3 SR 2.1
Assets tagged with unique identifiers and network coordinates
IEC 62443-3-3 SR 3.1
Asset inventory informs network segmentation decisions
Verwandte Tools
ICS Cybersicherheits-Risikoregister (FMEA) SCADA/ICS Netzwerktopologie Builder Unterstationenschutz