# IEC 62443 Compliance Mapping

Breakwater is designed to help organizations meet the requirements of IEC 62443 (Industrial Automation and Control Systems Security). This document maps Breakwater features to specific IEC 62443-3-3 system requirements (SRs), grouped by foundational requirement (FR).

## Security Requirements Mapping

### FR 1 — Identification and Authentication Control

| Requirement | Description | Breakwater Feature |
|---|---|---|
| SR 1.1 | Human user identification and authentication | Clerk auth with email/password + OAuth |
| SR 1.1 RE 1 | Unique identification and authentication | Per-user Clerk accounts, no shared credentials |
| SR 1.2 | Software process identification and authentication | Gateway tunnel certificates, Collector site tokens |
| SR 1.3 | Account management | Clerk user management, role assignment |
| SR 1.5 | Authenticator management | Clerk handles password policies, MFA tokens |
| SR 1.7 | Strength of password-based authentication | Configurable via Clerk password policies |
| SR 1.9 | Strength of public key authentication | Curve25519 keypairs |
| SR 1.13 | Access via untrusted networks | Encrypted tunnel for all remote access |

### FR 2 — Use Control

| Requirement | Description | Breakwater Feature |
|---|---|---|
| SR 2.1 | Authorization enforcement | RBAC (Admin, Engineer, Vendor, Auditor, Operator) |
| SR 2.2 | Wireless use control | N/A (encrypted tunnels) |
| SR 2.5 | Session lock | Configurable inactivity timeout on Channel sessions |
| SR 2.6 | Remote session termination | Admin can terminate any active session |
| SR 2.8 | Auditable events | Full session recording + audit log |
| SR 2.8 RE 1 | Centrally managed audit | Cloud-centralized audit log across all sites |
| SR 2.9 | Audit storage protection | Immutable log shipping, write-once recording storage |
| SR 2.12 | Non-repudiation | Session recordings tied to authenticated user identity |

### FR 3 — System Integrity

| Requirement | Description | Breakwater Feature |
|---|---|---|
| SR 3.1 | Communication integrity | Encrypted tunnel (Poly1305 MAC) + TLS 1.3 |
| SR 3.2 | Malicious code protection | Coastal IDS with OT rulesets |
| SR 3.3 | Security functionality verification | Gateway heartbeat monitoring, health checks |
| SR 3.4 | Software and information integrity | Firmware version tracking in Manifest |

### FR 5 — Restricted Data Flow

| Requirement | Description | Breakwater Feature |
|---|---|---|
| SR 5.1 | Network segmentation | Gateway enforces Purdue-level boundaries |
| SR 5.2 | Zone boundary protection | Channel proxy router restricts lateral movement |
| SR 5.3 | General purpose person-to-person communication restrictions | Channel only permits configured protocols per device |
| SR 5.4 | Application partitioning | Modular architecture (Helm, Manifest, Lookout, etc.) |

### FR 7 — Resource Availability

| Requirement | Description | Breakwater Feature |
|---|---|---|
| SR 7.1 | Denial of service protection | Rate limiting, Tunnel anti-replay |
| SR 7.2 | Resource management | Concurrent session limits per device |
| SR 7.6 | Network and security configuration settings | Centralized policy management in Channel |

## Compliance Reporting

Breakwater can generate compliance reports showing:

- Active access policies and their IEC 62443 mapping
- Session history with recording status
- Audit log summaries for review periods
- Device inventory with vulnerability status

Contact support@techgonecoastal.com for custom compliance report templates.