
BS DD IEC PAS 62443-3-2008 Security for industrial process measurement and control - Network and system security

DRAFT FOR DEVELOPMENT
DD IEC/PAS 62443-3:2008
Security for industrial process measurement and control - Part 3: Network and system security
ICS 25.040.40; 35.040; 35.110
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 29 August 2008
© BSI 2008
ISBN 978 0 580 62208 3

National foreword

This Draft for Development is the UK implementation of IEC/PAS 62443-3:2008.

This publication is not to be regarded as a British Standard.

It is being issued in the Draft for Development series of publications and is of a provisional nature. It should be applied on this provisional basis, so that information and experience of its practical application can be obtained.

A PAS is a Technical Specification not fulfilling the requirements for a standard, but made available to the public and established in an organization operating under a given procedure.

A review of this Draft for Development will be carried out not later than three years after its publication.

Notification of the start of the review period, with a request for the submission of comments from users of this Draft for Development, will be made in an announcement in the appropriate issue of Update Standards. According to the replies received, the responsible BSI Committee will judge whether the validity of the PAS should be extended for a further three years or what other action should be taken and pass their comments on to the relevant international committee.

Observations which it is felt should receive attention before the official call for comments will be welcomed. These should be sent to the Secretary of the responsible BSI Technical Committee at British Standards House, 389 Chiswick High Road, London W4 4AL.

The UK participation in its preparation was entrusted to Technical Committee AMT/7, Industrial communications: process measurement and control, including fieldbus.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Amendments/corrigenda issued since publication
Date    Comments

IEC/PAS 62443-3
Edition 1.0 2008-01
PUBLICLY AVAILABLE SPECIFICATION
PRE-STANDARD
Security for industrial process measurement and control - Network and system security

CONTENTS

INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
3.2 Symbols and abbreviated terms
4 Introduction and compliance
5 Principles and reference models
5.1 General
5.2 Threat-risk model
5.3 Security life cycle
5.4 Policy
5.5 Generic reference configurations
5.6 Protection models
6 ICS security policy - Overview
7 ICS security policy - Principles and assumptions
7.1 ICS security policy - Principles
7.2 ICS security policy - Assumptions and exclusions
7.3 ICS security policy - Organization and management
8 ICS security policy - Measures
8.1 Availability management
8.2 Integrity management
8.3 Logical access management
8.4 Physical access management
8.5 Partition management
8.6 External access management
Annex A Projected new edition of IEC 62443
Bibliography

Figure 1 Threat-risk relationship
Figure 2 Security life cycle
Figure 3 Policy levels
Figure 4 Industrial control system (ICS)
Figure 5 GPH reference configuration: Generic ICS host with external devices
Figure 6 Device protection: Hardening and access management
Figure 7 Defense-in-depth through partitioning
Figure 8 Example: ICS partitioning
Figure 9 Generic external connectivity

INTRODUCTION

The increasing degree of public networking of formerly isolated automation systems increases the exposure of such systems to attack. Standard IT security protection mechanisms have protection goals and strategies that may be inappropriate for automation systems.

This PAS addresses the topic of securing access to and within industrial systems while assuring timely response which may be critical to plant operation.

For safety applications and applications in the pharmaceutical or other highly specialized industries, additional standards, guidelines, definitions and stipulations may apply, for example, IEC 61508, GAMP (ISPE), for GMP Compliance 21 CFR (FDA) and the Standard Operating Procedure of the European Medicines Agency (SOP/INSP/2003).

SECURITY FOR INDUSTRIAL PROCESS MEASUREMENT AND CONTROL - NETWORK AND SYSTEM SECURITY

1 Scope

This PAS establishes a framework for securing information and communication technology aspects of industrial process measurement and control systems including its networks and devices on those networks, during the operational phase of the plant's life cycle.

This PAS provides guidance on a plant's operational security requirements and is primarily intended for automation system owners/operators (responsible for ICS operation).

Furthermore, the operational requirements of this PAS may interest ICS stakeholders such as:
a) automation system designers;
b) manufacturers (vendors) of devices, subsystems, and systems;
c) integrators of subsystems and systems.

The PAS allows for the following concerns:
- graceful migration/evolution of existing systems;
- meeting security objectives with existing COTS technologies and products;
- assurance of reliability/availability of the secured communications services;
- applicability to systems of any size and risk (scalability);
- coexistence of safety, legal and regulatory and automation functionality requirements with security requirements.

NOTE 1 Plants and systems may contain safety critical components and devices. Any safety-related security components may be subject to certification based on IEC 61508 and according to the SILs therein. This PAS does not guarantee that its specifications are all or in part appropriate or sufficient for the security of such safety critical components and devices.

NOTE 2 This PAS does not include requirements for security assurance evaluation and testing.

NOTE 3 The measures provided by this PAS are rather process-based and general in nature than technically specific or prescriptive in terms of technical countermeasures and configurations.

NOTE 4 The procedures of this PAS are written with the plant owner/operator's mind set.

NOTE 5 This PAS does not cover the concept, design and implementation life cycle processes, i.e. requirements on control equipment manufacturers' future product development cycle.

NOTE 6 This PAS does not cover the integration of components and subsystems into a system.

NOTE 7 This PAS does not cover procurement for integration into an existing system, i.e. procurement requirements for owner/operators of a plant.

NOTE 8 This PAS will be extended into a 3-part International Standard to cover most of the restrictions expressed in the previous notes; for the planned scope of the extended standards, refer to Annex A.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408 (all parts), Information technology - Security techniques - Evaluation criteria for IT security
ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for IT security management
ISO/IEC Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards

3 Terms, definitions, symbols, abbreviated terms and conventions

3.1 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1.1 access control
prevention of unauthorized use of a restricted resource, including its use in an unauthorized manner
[ISO/IEC 18028-2:2006, modified]

3.1.2 adversary
entity that attacks, or is a threat to, a system
[RFC 2828]

3.1.3 alert
instant indication that an information system and network may be under attack, or in danger because of accident, failure or people error
[ISO/IEC 18028-1:2006]

3.1.4 asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]

3.1.5 assurance
performance of appropriate activities or processes to instil confidence that a deliverable meets its security objectives
[ISO/IEC/TR 15443-1]

3.1.6 attack
attempts to destroy, expose, alter, or disable an information system and/or information within it or otherwise breach the security policy
[ISO/IEC 18043]

3.1.7 attack surface
set of system resources exposed directly and indirectly to potential attack.

3.1.8 audit
formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity
[ISO/IEC 18028-1]

3.1.9 authenticate, authentication
provision of assurance of the claimed identity of an entity
[ISO/IEC 19792]

3.1.10 availability
property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 7498-2]

3.1.11 commercial off-the-shelf (COTS)
items which are manufactured and distributed commercially for multiple usages and/or customers; may be tailored for specific usage
NOTE COTS is in contrast to custom products designed entirely and uniquely for the specific application.

3.1.12 compromise
unauthorized use, disclosure, modification, or substitution, respectively, of data, programs or systems configuration, i.e., by and after intrusion.

3.1.13 confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[ISO/IEC 13335-3]

3.1.14 credentials
means of proving that it is the one who claim to be, the abstract can be an IT account to access an information service or resource
[ISO/IEC 24760]

3.1.15 demilitarized zone (DMZ)
security host or small network (also known as a screened sub-net) inserted as a neutral zone between networks
[ISO/IEC 18028-3]
NOTE It forms a security buffer zone (ISO/IEC 18028-3).

3.1.16 denial of service (attack)
attack against a system to deter its availability
[ISO/IEC 18028-4]

3.1.17 event
occurrence in a system that is relevant to the security of the system
[RFC 2828, modified]

3.1.18 exposed, exposure
evident state of being vulnerable and exposed to attack

3.1.19 external
outside of, or at the external border of the security perimeter of the ICN, i.e. relating to an external organizational or public network

3.1.20 external connectivity gateway (ECG)
dedicated security gateway (SGW) at the external border of the security perimeter of the ICN, typically with additional functionality to meet specific requirements, i.e. for the connectivity of external devices

3.1.21 external network (EN)
network external to the ICN and either part of the organization to which the ICN belongs, belonging to a third party or public, i.e., the Internet

3.1.22 forensic
post-incident effort to explain an event in a formal and verifiable manner to attribute responsibilities in a consecutive and logical manner

3.1.23 gateway, security gateway (SGW)
point of connection between networks, or from a network to subnetworks and external networks, intended to protect a network or subnetwork according to a specified security policy
[ISO/IEC 18028-3, modified]
NOTE A security gateway comprises more than only firewalls; the term includes routers and switches which provide the functionality of access control and optionally encryption (ISO/IEC 18028-3).

3.1.24 harden, hardening
removing unnecessary functionality to reduce physical, logical and/or organizational vulnerabilities

3.1.25 human-machine-interface (HMI)
equipment function designed to present information output to, and to accept information input from the operator to make a human, as operator, integral part of a process

3.1.26 incident
security event, or a combination of multiple security events, that constitutes a security

3.1.27 industrial control network (ICN)
network connecting ICS equipment; different ICNs may coexist within one plant and may be connected to remote equipment and resources outside the plant

3.1.28 industrial control system (ICS)
system consisting of computing and industrial control hosts, devices and equipment, that are integrated together to control an industrial production, transmission, or distribution process
NOTE In the context of this PAS, the term ICS stands for automation systems in general, including supervisory control and data acquisition (SCADA).

3.1.29 insider, inside, internal
(entity) inside the security perimeter; insider is an entity authorized to access system resources
NOTE An insider attack refers to use of system resources in an unauthorized manner.

3.1.30 integrity
safeguarding the accuracy and completeness of information and processing methods
[ISO/IEC 21827]
NOTE Integrity may apply specifically to data (data integrity) or to the integrity of the operational ICS as system integrity.

3.1.31 intranet
computer network, especially one based on public network technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders

3.1.32 intrusion
incident in which an unauthorized entity, i.e. an attacker, gains or evidently attempts to gain, access to restricted system resources
[RFC 2828, modified]

3.1.33 intrusion detection
security service that monitors and analyses system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
[RFC 2828]

3.1.34 (cryptographic or physical) key
device, media or plaintext associated with authentication or cryptographic methods or access control privileges.

3.1.35 log, logging
gathering of data on information security events for the purpose of review and analysis, and ongoing monitoring
[ISO/IEC 18028-1]

3.1.36 malware
malicious software, such as a virus or a trojan, designed specifically to damage or disrupt a system
[ISO/IEC 18028-1]

3.1.37 (counter-) measure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an incident by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken
[RFC 2828]

3.1.38 message
ordered series of octets (or bits) intended to convey information
[ISO/IEC 2382, modified]

3.1.39 monitor
observe real-time actions and events to provide evidence about what was observed
[ISO/IEC 13888-1, modified]

3.1.40 non-repud
