DD IEC PAS 62443-3 pdf download – Security for industrial process measurement and control — Part 3: Network and system security

1 Scope
This PAS establishes a framework for securing information and communication technology aspects of industrial process measurement and control systems including its networks and devices on those networks, during the operational phase of the plant’s life cycle.
This PAS provides guidance on a plant’s operational security requirements and is primarily intended for automation system owners/operators (responsible for ICS operation).
Furthermore, the operational requirements of this PAS may interest ICS stakeholders such as:
a) automation system designers;
b) manufacturers (vendors) of devices, subsystems, and systems;
c) integrators of subsystems and systems.
The PAS allows for the following concerns:
- graceful migration/evolution of existing systems;
- meeting security objectives with existing COTS technologies and products;
- assurance of reliability/availability of the secured communications services;
- applicability to systems of any size and risk (scalability);
- coexistence of safety, legal and regulatory and automation functionality requirements with security requirements.
NOTE 1 Plants and systems may contain safety critical components and devices. Any safety-related security components may be subject to certification based on IEC 61508 and according to the SILs therein. This PAS does not guarantee that its specifications are all or in part appropriate or sufficient for the security of such safety critical components and devices.
NOTE 2 This PAS does not include requirements for security assurance evaluation and testing.
NOTE 3 The measures provided by this PAS are rather process-based and general in nature than technically specific or prescriptive in terms of technical countermeasures and configurations.
NOTE 4 The procedures of this PAS are written with the plant owner/operator’s mind set.
NOTE 5 This PAS does not cover the concept, design and implementation life cycle processes, i.e. requirements on control equipment manufacturer’s future product development cycle.
NOTE 6 This PAS does not cover the integration of components and subsystems into a system.
NOTE 7 This PAS does not cover procurement for integration into an existing system, i.e. procurement requirements for owner/operators of a plant.
NOTE 8 This PAS will be extended into a 3-part International Standard to cover most of the restrictions expressed in the previous notes; for the planned scope of the extended standards, refer to Annex A.
Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408 (all parts), Information technology – Security techniques – Evaluation criteria for IT security
ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for IT security management
ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards
Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
access control
prevention of unauthorized use of a restricted resource, including its use in an unauthorized manner
[ISO/IEC 18028-2:2006, modified]
entity that attacks, or is a threat to, a system
[RFC 2828]
instant indication that an information system and network may be under attack, or in danger because of accident, failure or people error
[ISO/IEC 18028-1:2006]
anything that has value to the organization
[ISO/IEC 13335-1:2004]
performance of appropriate activities or processes to instil confidence that a deliverable meets its security objectives
[ISO/IEC/TR 15443-1]
attempts to destroy, expose, alter, or disable an information system and/or information within it or otherwise breach the security policy
[ISO/IEC 18043]
attack surface
set of system resources exposed directly and indirectly to potential attack.
3.1.8
formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity
[ISO/IEC 18028-1]
4 Introduction and compliance
Use of IT security methods and standards has become commonplace in the office environment in the form of the ubiquitous code of practice for information security management (ISO/IEC 27002, previously known as ISO/IEC 17799), for operational security, and the evaluation criteria for IT security (ISO/IEC 15408), for product development. Now the internet and wireless networks have arrived on the shop floor. Security problems in automation systems are increasingly making headlines in the specialized press; but commonly acknowledged practice and related standards are lagging, and this despite the higher stakes involved in automation systems, with possible physical production losses and impact on health, human life and environment.