IEC 62443-2-1-2010 Industrial communication networks - Network and system security - Part 2-1 Establishing an industrial automation and control system security .pdf

1、 IEC 62443-2-1 Edition 1.0 2010-11 INTERNATIONAL STANDARD NORME INTERNATIONALE Industrial communication networks Network and system security Part 2-1: Establishing an industrial automation and control system security program Rseaux industriels de communication Scurit dans les rseaux et les systmes P

2、artie 2-1: Etablissement dun programme de scurit pour les systmes dautomatisation et de commande industrielles IEC 62443-2-1:2010 colour inside THIS PUBLICATION IS COPYRIGHT PROTECTED Copyright 2010 IEC, Geneva, Switzerland All rights reserved. Unless otherwise specified, no part of this publication

3、 may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IECs member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquir

4、y about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information. Droits de reproduction rservs. Sauf indication contraire, aucune partie de cette publication ne peut tre reproduite ni utilise sous quelque f

5、orme que ce soit et par aucun procd, lectronique ou mcanique, y compris la photocopie et les microfilms, sans laccord crit de la CEI ou du Comit national de la CEI du pays du demandeur. Si vous avez des questions sur le copyright de la CEI ou si vous dsirez obtenir des droits supplmentaires sur cett

6、e publication, utilisez les coordonnes ci-aprs ou contactez le Comit national de la CEI de votre pays de rsidence. IEC Central Office Tel.: +41 22 919 02 11 3, rue de Varemb Fax: +41 22 919 03 00 CH-1211 Geneva 20 infoiec.ch Switzerland www.iec.ch About the IEC The International Electrotechnical Com

7、mission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies. About IEC publications The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the

8、latest edition, a corrigenda or an amendment might have been published. Useful links: IEC publications search - www.iec.ch/searchpub The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee,). It also gives information on projects

9、 replaced and withdrawn publications. IEC Just Published - webstore.iec.ch/justpublished Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email. Electropedia - www.electropedia.org The worlds leading online

10、 dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line. Customer Service Centre - webstore.iec.ch/csc If you wish

11、to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csciec.ch. A propos de la CEI La Commission Electrotechnique Internationale (CEI) est la premire organisation mondiale qui labore et publie des Normes internationales pour tout ce qui

12、 a trait llectricit, llectronique et aux technologies apparentes. A propos des publications CEI Le contenu technique des publications de la CEI est constamment revu. Veuillez vous assurer que vous possdez ldition la plus rcente, un corrigendum ou amendement peut avoir t publi. Liens utiles: Recherch

13、e de publications CEI - www.iec.ch/searchpub La recherche avance vous permet de trouver des publications CEI en utilisant diffrents critres (numro de rfrence, texte, comit dtudes,). Elle donne aussi des informations sur les projets et les publications remplaces ou retires. Just Published CEI - webst

14、ore.iec.ch/justpublished Restez inform sur les nouvelles publications de la CEI. Just Published dtaille les nouvelles publications parues. Disponible en ligne et aussi une fois par mois par email. Electropedia - www.electropedia.org Le premier dictionnaire en ligne au monde de termes lectroniques et

15、 lectriques. Il contient plus de 30 000 termes et dfinitions en anglais et en franais, ainsi que les termes quivalents dans les langues additionnelles. Egalement appel Vocabulaire Electrotechnique International (VEI) en ligne. Service Clients - webstore.iec.ch/csc Si vous dsirez nous donner des comm

16、entaires sur cette publication ou si vous avez des questions contactez-nous: csciec.ch. IEC 62443-2-1 Edition 1.0 2010-11 INTERNATIONAL STANDARD NORME INTERNATIONALE Industrial communication networks Network and system security Part 2-1: Establishing an industrial automation and control system secur

17、ity program Rseaux industriels de communication Scurit dans les rseaux et les systmes Partie 2-1: Etablissement dun programme de scurit pour les systmes dautomatisation et de commande industrielles INTERNATIONAL ELECTROTECHNICAL COMMISSION COMMISSION ELECTROTECHNIQUE INTERNATIONALE XH ICS 25.040.40;

18、 33.040 PRICE CODE CODE PRIX ISBN 978-2-88912-037-6 Registered trademark of the International Electrotechnical Commission Marque dpose de la Commission Electrotechnique Internationale Warning! Make sure that you obtained this publication from an authorized distributor. Attention! Veuillez vous assur

19、er que vous avez obtenu cette publication via un distributeur agr. colour inside 2 62443-2-1 IEC:2010 CONTENTS FOREWORD . 5 0 INTRODUCTION 7 0.1 Overview . 7 0.2 A cyber security management system for IACS . 7 0.3 Relationship between this standard and ISO/IEC 17799 and ISO/IEC 27001 . 7 1 Scope . 9

20、 2 Normative references . 9 3 Terms, definitions, abbreviated terms, acronyms, and conventions . 9 3.1 Terms and definitions 9 3.2 Abbreviated terms and acronyms 14 3.3 Conventions 16 4 Elements of a cyber security management system 16 4.1 Overview . 16 4.2 Category: Risk analysis . 18 4.2.1 Descrip

21、tion of category 18 4.2.2 Element: Business rationale 18 4.2.3 Element: Risk identification, classification and assessment . 18 4.3 Category: Addressing risk with the CSMS 20 4.3.1 Description of category 20 4.3.2 Element group: Security policy, organization and awareness . 20 4.3.3 Element group: S

22、elected security countermeasures . 25 4.3.4 Element group: Implementation . 32 4.4 Category: Monitoring and improving the CSMS 36 4.4.1 Description of category 36 4.4.2 Element: Conformance 36 4.4.3 Element: Review, improve and maintain the CSMS 37 Annex A (informative) Guidance for developing the e

23、lements of a CSMS . 39 Annex B (informative) Process to develop a CSMS 140 Annex C (informative) Mapping of requirements to ISO/IEC 27001 148 Bibliography 156 Figure 1 Graphical view of elements of a cyber security management system 17 Figure 2 Graphical view of category: Risk analysis. 18 Figure 3

24、Graphical view of element group: Security policy, organization and awareness 20 Figure 4 Graphical view of element group: Selected security countermeasures 25 Figure 5 Graphical view of element group: Implementation 32 Figure 6 Graphical view of category: Monitoring and improving the CSMS . 36 Figur

25、e A.1 Graphical view of elements of a cyber security management system . 40 Figure A.2 Graphical view of category: Risk analysis . 40 Figure A.3 Reported attacks on computer systems through 2004 (source: CERT) 44 Figure A.4 Sample logical IACS data collection sheet 57 Figure A.5 Example of a graphic

26、ally rich logical network diagram 59 62443-2-1 IEC:2010 3 Figure A.6 Graphical view of element group: Security policy, organization, and awareness 66 Figure A.7 Graphical view of element group: Selected security countermeasures. 82 Figure A.8 Reference architecture alignment with an example segmente

27、d architecture. 90 Figure A.9 Reference SCADA architecture alignment with an example segmented architecture. 93 Figure A.10 Access control: Account administration . 95 Figure A.11 Access control: Authentication 98 Figure A.12 Access control: Authorization 103 Figure A.13 Graphical view of element gr

28、oup: Implementation . 106 Figure A.14 Security level lifecycle model: Assess phase. 109 Figure A.15 Corporate security zone template architecture 112 Figure A.16 Security zones for an example IACS . 113 Figure A.17 Security level lifecycle model: Develop and implement phase . 116 Figure A.18 Securit

29、y level lifecycle model: Maintain phase 120 Figure A.19 Graphical view of category: Monitoring and improving the CSMS 133 Figure B.1 Top level activities for establishing a CSMS 140 Figure B.2 Activities and dependencies for activity: Initiate CSMS program . 142 Figure B.3 Activities and dependencie

30、s for activity: High-level risk assessment . 143 Figure B.4 Activities and dependencies for activity: Detailed risk assessment 144 Figure B.5 Activities and dependencies for activity: Establish security policy, organization and awareness . 144 Figure B.6 Training and assignment of organization respo

31、nsibilities . 145 Figure B.7 Activities and dependencies for activity: Select and implement countermeasures 146 Figure B.8 Activities and dependencies for activity: Maintain the CSMS . 147 Table 1 Business rationale: Requirements . 18 Table 2 Risk identification, classification and assessment: Requi

32、rements 19 Table 3 CSMS scope: Requirements 21 Table 4 Organizing for security: Requirements . 22 Table 5 Staff training and security awareness: Requirements 22 Table 6 Business continuity plan: Requirements 23 Table 7 Security policies and procedures: Requirements . 24 Table 8 Personnel security: R

33、equirements . 26 Table 9 Physical and environmental security: Requirements 27 Table 10 Network segmentation: Requirements . 28 Table 11 Access control Account administration: Requirements 29 Table 12 Access control Authentication: Requirements . 30 Table 13 Access control Authorization: Requirements

34、 . 31 Table 14 Risk management and implementation: Requirements . 33 Table 15 System development and maintenance: Requirements 33 Table 16 Information and document management: Requirements 34 Table 17 Incident planning and response: Requirements . 35 4 62443-2-1 IEC:2010 Table 18 Conformance: Requir

35、ements . 37 Table 19 Review, improve and maintain the CSMS: Requirements . 38 Table A.1 Typical likelihood scale 52 Table A.2 Typical consequence scale 54 Table A.3 Typical risk level matrix 55 Table A.4 Example countermeasures and practices based on IACS risk levels 107 Table A.5 Example IACS asset

36、 table with assessment results 110 Table A.6 Example IACS asset table with assessment results and risk levels 110 Table A.7 Target security levels for an example IACS 114 Table C.1 Mapping of requirements in this standard to ISO/IEC 27001 references . 148 Table C.2 Mapping of ISO/IEC 27001 requireme

37、nts to this standard 152 62443-2-1 IEC:2010 5 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ INDUSTRIAL COMMUNICATION NETWORKS NETWORK AND SYSTEM SECURITY Part 2-1: Establishing an industrial automation and control system security program FOREWORD 1) The International Electrotechnical Commission (IEC)

38、is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition t

39、o other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in

40、 the subject dealt with may participate in this preparatory work. International, governmental and non- governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with cond

41、itions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC Nat

42、ional Committees. 3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the w

43、ay in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IE

44、C Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity.

45、IEC is not responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of i

46、ts technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any ot

47、her IEC Publications. 8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be th

48、e subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights. International Standard IEC 62443-2-1 has been prepared by IEC technical committee 65: Industrial-process measurement, control and automation. This bilingual version (2012-04) corresponds to t

49、he monolingual English version, published in 2010-11. The text of this standard is based on the following documents: FDIS Report on voting 65/457/FDIS 65/461/RVD Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table. 6 62443-2-1 IEC:2010