ImageVerifierCode 换一换
格式:PDF , 页数:84 ,大小:1.72MB ,
资源ID:436937      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-436937.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ANSI ISA 62443-3-3-2013 Security for industrial automation and control systems Part 3-3 System security requirements and security levels (99.03.03).pdf)为本站会员(赵齐羽)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ANSI ISA 62443-3-3-2013 Security for industrial automation and control systems Part 3-3 System security requirements and security levels (99.03.03).pdf

1、 ANSI/ISA6244333 (99.03.03)-2013 Security for industrial automation and control systems Part 3-3: System security requirements and security levels Approved 12 August 2013 ANSI/ISA6244333 (99.03.03)-2013 Security for industrial automation and control systems Part 3-3: System security requirements and

2、 security levels ISBN: 978-0-876640-39-5 Copyright 2013 by ISA. All rights reserved. Not for resale. Printed in the United States of America. ISA 67 Alexander Drive P. O. Box 12277 Research Triangle Park, NC 27709 USA 12 August 2013 3 ANSI/ISA-62443-3-3 (99.03.03)-2013 PREFACE This preface, as well

3、as all footnotes and annexes, is included for information purposes and is not part of ANSI/ISA6244333 (99.03.03)-2013. This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real va

4、lue, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27

5、709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org. The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation

6、standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable

7、metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and fut

8、ure revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports.

9、Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standar ds, recommended practices and technical reports that ISA develops. CAUTION ISA adheres to the policy of the American National Stand

10、ards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and con

11、ditions that are free from unfair discrimination. Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity

12、of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully in

13、vestigate relevant patents before using the standard for the users intended application. However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner. Add

14、itionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgmen

15、t concerning its use and applicability under the users particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard. ANSI/ISA-62443-3-3 (99.03.03)-2013 4 12 August 2013

16、 The following served as active members of ISA99 Working Group 4, Task Group 2 in developing this standard: Name Company Contributor Reviewer Jeff Potter, TG Chair Emerson X Adedotun Adeyemi Quaddynamics Nigeria Ltd X Leandro Pfleger de Aguiar Chemtech - Siemens X Raghu Avali Westinghouse Electric C

17、orp X Satishkumar Balasubramanian Yokogawa IA Technologies X Rahul Bhojani Bayer X Wayne Boyer US Idaho National Laboratory X Antony Capel Comgate Engineering Ltd. X Penny Chen Yokogawa Corp. of America X Eric Cosman The Dow Chemical Co. X John Cusimano Exida X Kelli Dean Okonite X Aris Espejo Syncr

18、ude Canada Ltd. X Dean Ford Glenmount Global Solutions X Donald Fraser Jacobs X James Gilsinn Kenexis X Thomas Good DuPont X Vic Hammond US Argonne National Laboratory X Jean-Pierre Hauet KB Intelligence X Dennis Holstein Opus Consulting Group X Charles Hoover Rockwell Automation X Bob Huba Emerson

19、X Freemon Johnson US State Department X Pierre Kobes Siemens X Sinclair Koelemij Honeywell Industrial IT Solutions X Erwin Kruschitz Anapur AG X Tyson Macaulay Bell Business Markets (Bell Canada) X Pete MacLeod Engenuity Consulting X Wayne Manges US Oak Ridge National Laboratory X William Miller MaC

20、T USA X Kevin Minnick GE Energy X Ajay Mishra Invensys - Triconex X Olav Mo ABB AS X John Munro US Oak Ridge National Laboratory X Johan Nye ExxonMobil X NorAzuwa Binti Pahri CyberSecurity Malaysia X Tom Phinney Consultant X Ragnar Schierholz ABB AG X 12 August 2013 5 ANSI/ISA-62443-3-3 (99.03.03)-2

21、013 Graham Speake Yokogawa X Kevin Staggs Honeywell X Herman Storey Herman Storey Consulting X Tatsuaki Takabe Yokogawa X Steven Tom US Idaho National Laboratory X Gerd Wartmann Endress + Hauser X Vernon Williams Patria Group X This page intentionally left blank. 12 August 2013 7 ANSI/ISA-62443-3-3

22、(99.03.03)-2013 CONTENTS PREFACE 3 FOREWORD 10 0 Introduction 11 0.1 Overview . 11 0.2 Purpose and intended audience 12 0.3 Usage within other parts of the ISA62443 series . 12 1 Scope 15 2 Normative references . 15 3 Terms, definitions, abbreviated terms, acronyms, and conventions 15 3.1 Terms and

23、definitions 15 3.2 Abbreviated terms and acronyms 21 3.3 Conventions 23 4 Common control system security constraints 24 4.1 Overview . 24 4.2 Support of essential functions . 24 4.3 Compensating countermeasures . 24 4.4 Least privilege 25 5 FR 1 Identification and authentication control 25 5.1 Purpo

24、se and SL-C(IAC) descriptions . 25 5.2 Rationale 25 5.3 SR 1.1 Human user identification and authentication 25 5.4 SR 1.2 Software process and device identification and authentication 27 5.5 SR 1.3 Account management . 28 5.6 SR 1.4 Identifier management 28 5.7 SR 1.5 Authenticator management . 29 5

25、.8 SR 1.6 Wireless access management 30 5.9 SR 1.7 Strength of password-based authentication 31 5.10 SR 1.8 Public key infrastructure (PKI) certificates 32 5.11 SR 1.9 Strength of public key authentication 33 5.12 SR 1.10 Authenticator feedback . 34 5.13 SR 1.11 Unsuccessful login attempts . 34 5.14

26、 SR 1.12 System use notification . 35 5.15 SR 1.13 Access via untrusted networks 35 6 FR 2 Use control . 36 6.1 Purpose and SL-C(UC) descriptions 36 6.2 Rationale 36 6.3 SR 2.1 Authorization enforcement 37 6.4 SR 2.2 Wireless use control . 38 6.5 SR 2.3 Use control for portable and mobile devices .

27、39 6.6 SR 2.4 Mobile code 39 ANSI/ISA-62443-3-3 (99.03.03)-2013 8 12 August 2013 6.7 SR 2.5 Session lock . 40 6.8 SR 2.6 Remote session termination . 40 6.9 SR 2.7 Concurrent session control . 41 6.10 SR 2.8 Auditable events . 41 6.11 SR 2.9 Audit storage capacity 42 6.12 SR 2.10 Response to audit p

28、rocessing failures 43 6.13 SR 2.11 Timestamps 43 6.14 SR 2.12 Non-repudiation 44 7 FR 3 System integrity 45 7.1 Purpose and SL-C(SI) descriptions . 45 7.2 Rationale 45 7.3 SR 3.1 Communication integrity . 45 7.4 SR 3.2 Malicious code protection . 46 7.5 SR 3.3 Security functionality verification 47

29、7.6 SR 3.4 Software and information integrity 48 7.7 SR 3.5 Input validation . 49 7.8 SR 3.6 Deterministic output 49 7.9 SR 3.7 Error handling. 50 7.10 SR 3.8 Session integrity . 50 7.11 SR 3.9 Protection of audit information 51 8 FR 4 Data confidentiality . 52 8.1 Purpose and SL-C(DC) descriptions

30、52 8.2 Rationale 52 8.3 SR 4.1 Information confidentiality . 52 8.4 SR 4.2 Information persistence 53 8.5 SR 4.3 Use of cryptography . 54 9 FR 5 Restricted data flow 55 9.1 Purpose and SL-C(RDF) descriptions 55 9.2 Rationale 55 9.3 SR 5.1 Network segmentation 55 9.4 SR 5.2 Zone boundary protection .

31、 56 9.5 SR 5.3 General purpose person-to-person communication restrictions . 57 9.6 SR 5.4 Application partitioning . 58 10 FR 6 Timely response to events 58 10.1 Purpose and SL-C(TRE) descriptions 58 10.2 Rationale 59 10.3 SR 6.1 Audit log accessibility . 59 10.4 SR 6.2 Continuous monitoring 59 11

32、FR 7 Resource availability . 60 11.1 Purpose and SL-C(RA) descriptions 60 11.2 Rationale 61 11.3 SR 7.1 Denial of service protection 61 11.4 SR 7.2 Resource management . 61 11.5 SR 7.3 Control system backup . 62 12 August 2013 9 ANSI/ISA-62443-3-3 (99.03.03)-2013 11.6 SR 7.4 Control system recovery

33、and reconstitution 62 11.7 SR 7.5 Emergency power . 63 11.8 SR 7.6 Network and security configuration settings 63 11.9 SR 7.7 Least functionality 64 11.10 SR 7.8 Control system component inventory 64 Annex A (informative) Discussion of the SL vector 67 A.1 Introduction . 67 A.2 Security levels 67 A.

34、3 SL vector 72 Annex B (informative) Mapping of SRs and REs to FR SL levels 1-4 75 B.1 Overview . 75 B.2 SL mapping table 75 BIBLIOGRAPHY . 80 Figure 1 ISA62443 Work Products . 13 Figure A.1 High-level process-industry example showing zones and conduits 69 Figure A.2 High-level manufacturing example

35、 showing zones and conduits . 70 Figure A.3 Schematic of correlation of the use of different SL types 71 Table B.1 Mapping of SRs and REs to FR SL levels 1-4 75 ANSI/ISA-62443-3-3 (99.03.03)-2013 10 12 August 2013 FOREWORD This standard is part of a multipart series of standards that address the iss

36、ue of security for industrial automation and control systems (IACS). It has been developed by Working Group 4, Task Group 2 of the ISA99 committee in cooperation with IEC TC65 Working Group 10. This standard prescribes the security requirements for control systems related to the seven foundational r

37、equirements defined in ISA6244311 (99.01.01) 11 and assigns system security levels (SLs) to the system under consideration (SuC). 1 Numbers in brackets indicate references in the Bibliography on page 73. 12 August 2013 11 ANSI/ISA-62443-3-3 (99.03.03)-2013 0 Introduction NOTE The format of this docu

38、ment follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2 13. These directives specify the format of the document as well as the use of terms like “shall”, “should”, and “may”. The requirements specified in normative clauses use the conventions discussed in Appendix H of the Dire

39、ctives document. 0.1 Overview Industrial automation and control system (IACS) organizations increasingly use commercial -off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. Control systems are also increasingly interconnected with non-IACS networks for valid

40、business reasons. These devices, open networking technologies and increased connectivity provide an increased opportunity for cyber attack against control system hardware and software. That weakness may lead to health, safety and environmental (HSE), financial and/or reputational consequences in dep

41、loyed control systems. Organizations deploying business information technology (IT) cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in a

42、n appropriate way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional requirements and risk assessment, often including an awareness of operational issues as well. IACS security measures should not h

43、ave the potential to cause loss of essential services and functions, including emergency procedures. (IT security measures, as often deployed, do have this potential.) IACS security goals focus on control system availability, plant protection, plant operations (even in a degraded mode) and time-crit

44、ical system response. IT security goals often do not place the same emphasis on these factors; they may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achi

45、eved. A key step in risk assessment, as required by ISA6244321 (99.02.01)2 5, should be the identification of which services and functions are truly essential for operations. (For example, in some facilities engineering support may be determined to be a non-essential service or function.) In some ca

46、ses, it may be acceptable for a security action to cause temporary loss of a non -essential service or function, unlike an essential service or function that should not be adversely affected. This document assumes that a security program has been established and is being operated in accordance with

47、ISA6244321 (99.02.01). Furthermore, it is assumed that patch management is implemented consistent with the recommendations detailed in ISATR6244323 (TR99.02.03) 7 utilizing the appropriate control system requirements and requirement enhancements as described in this document. In addition, ISA6244332

48、 (99.03.02) 10 describes how a project defines risk-based security levels (SLs) which then are used to select products with the appropriate technical security capabilities as detailed in this document. Key input to this document included ISO/IEC 27002 14 and NIST SP800-53, rev 3 26 (see Clause 2 and

49、 the Bibliography for a more complete listing of source material). The primary goal of the ISA62443 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA62443 series is to build extensions

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1