
Device Cybersecurity (IEC-62443) - Webinar Q&A

Q1: Where can we get a copy of the IEC 62443 standard?
A1: IEC-62443 is a series of standards that are in various stages of development. Current standards
are available through either the ISA or IEC websites. The IEC-62443-4-2 standard is currently in
draft form. A copy of this standard can be found at:
http://isa99.isa.org/Public/Documents/ISA-62443-4-2-WD.pdf

Q2: Do you have any information as to when the PT Line will upgrade to this technology?
A2: The PT series feature set is specific to the Power industry, which has adopted NERC-CIP
standards for North America or IEC-61850 for other areas around the world. While there is a lot
of overlap in functionality, the PT line will continue to conform to the standards of the Power
industry.

Q3: Are other switch manufacturers selling IEC-62443 compliant devices?
A3: We haven’t seen anyone else advertising compliance, but believe that leading switch
manufacturers like Cisco and Hirschmann do have the software features to comply with the
standards; however, configuring them properly takes a fair amount of expertise. (To configure a
Cisco switch, you would need extensive Command Line Interface expertise.) Moxa’s security
features in MXstudio are unique though. Nobody has anything like security wizard and security
view to simplify and verify proper configuration to the standards.

Q4: What are some of the main capabilities that were added to the switches with Turbo Pack 3?
A4: Good question. Here is a list of the major enhancements:
Security functions
1. System Notification: Definable Successful/Failed Login Notification.
2. Password Policy: Password Strength Can Be Set.
3. Account Lockout Policy: Failure Threshold and Lockout Time Can Be Set.
4. Log Management: Full Log Handling.
5. Remote Access Interface Enable/Disable.
6. Configuration Encryption with Password.
7. Support SSL Certification Import.
8. Support MAC Authentication Bypass via RADIUS Authentication.
9. MAC Address Access Control List or MAC Address Filtering.
10. Protect Against MAC Flooding Attack by MAC Address Sticky.
11. NTP Authentication to Prevent NTP DDoS Attack.
12. Login Authentication: Support Primary & Backup Database Servers (RADIUS / TACACS+ / Local Account).
13. Login Authentication via RADIUS Server: Support Challenge Handshake Authentication Protocol (CHAP) Authentication Mechanism.
14. RADIUS Authentication: Support EAP-MSCHAPv2 (For Windows7).
15. MXview Security View Feature Support* (with MXstudio v2.4).
Redundancy
1. Turbo Ring v1/v2, Turbo Chain Support Port Trunking.
2. Layer2 V-On Support.
Enhancement(s)
1. CLI: Support Multiple Sessions (up to six).
2. SMTP Supports Transport Layer Security (TLS) Protocol and Removes SSL v2/v3.
3. SNMPv3 Traps and Informs.
4. Fixed Display Issue with Java Applet.
5. Fiber Check: Add Threshold Alarm.
6. Static Port Lock with IVL Mode.
7. Serial Number: 12 Digital S/N Display.
8. When GbE Port Speed is [Auto], MDI/MDIX is [Auto] Fixed.
9. Web UI/CLI Command Enhancement and Modification.
Vulnerabilities Addressed
1. Drown Attack Issue Fixed.
2. ICS-VU-951212 Vulnerabilities Fixed.
3. Nessus Vulnerability Fixed.

Q5: Do you have details around the exact specifications for IEC-62443-4-2?
A5: Yes, we have a compliance matrix that outlines the specific requirements for each level. We do
not plan to publish this table, but it is available through Product Marketing if you need to respond
to RFPs/RFQs.

Q6: Will the EDS-400 series be IEC-62443-4-2 compliant?
A6: There are no plans at this time. The EDS-400 series is an entry-level switch that conforms to the
base level security requirements adopted by the industry. Customers looking for more advanced
security features need to be looking at the EDS-500E series. Here is a chart showing the major
differences:
Security Feature                         EDS-408A   EDS-510E
Username/Password                        O          O
Multiple admin/user accounts             X          O
Configurable password policy             X          O
Configurable number of login attempts    X          O
HTTPS                                    X          O
SSH                                      X          O
SSL                                      X          O
SNMPv3                                   O          O
IEEE 802.1X                              X          O
MAC-based port access control            X          O
IP-based port access control             X          O
RADIUS                                   X          O
TACACS+                                  X          O
Security event logging                   X          O
