1、BSI Standards Publication Security for industrial automation and control systems Part 2-3: Patch management in the IACS environment PD IEC/TR 62443-2-3:2015National foreword This Published Document is the UK implementation of IEC/TR 62443-2- 3:2015. The UK participation in its preparation was entrus
2、ted to Technical Committee GEL/65, Measurement and control. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. T
3、he British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 83544 5 ICS 25.040.40; 35.040; 35.100 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and
4、Strategy Committee on 31 July 2015. Amendments/corrigenda issued since publication Date Text affected PUBLISHED DOCUMENT PD IEC/TR 62443-2-3:2015 IEC TR 62443-2-3 Edition 1.0 2015-06 TECHNICAL REPORT Security for industrial automation and control systems Part 2-3: Patch management in the IACS enviro
5、nmentINTERNATIONAL ELECTROTECHNICAL COMMISSION ICS : 25.040.40; 35.040; 35.100 ISBN 978-2-8322-2768-8 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtained this publication from an authorized distributor. colour inside PD IEC/TR 62443-2-3:2015 2 I
6、EC TR 62443-2-3:2015 IEC 2015 CONTENTS FOREWORD . 5 INTRODUCTION . 7 1 Scope 8 2 Normative references. 8 3 Terms, definitions, abbreviated terms and acronyms 8 3.1 Terms and definitions 8 3.2 Abbreviated terms and acronyms . 9 4 Industrial automation and control system patching 11 4.1 Patching probl
7、ems faced in industrial automation and control systems . 11 4.2 Impacts of poor patch management . 11 4.3 Obsolete IACS patch management mitigation . 12 4.4 Patch lifecycle state 12 5 Recommended requirements for asset owner . 13 6 Recommended requirements for IACS product supplier 14 7 Exchanging p
8、atch information 14 7.1 General . 14 7.2 Patch information exchange format 15 7.3 Patch compatibility information filename convention . 15 7.4 VPC file schema . 15 7.5 VPC file element definitions . 17 Annex A (informative) VPC XSD file format 21 A.1 VPC XSD file format specification 21 A.2 Core com
9、ponent types 23 A.2.1 Overview . 23 A.2.2 CodeType 23 A.2.3 DateTimeType . 24 A.2.4 IdentifierType . 24 A.2.5 IndicatorType . 25 A.2.6 TextType . 25 Annex B (informative) IACS asset owner guidance on patching . 26 B.1 Annex organization . 26 B.2 Overview. 26 B.3 Information gathering 27 B.3.1 Invent
10、ory of existing environment . 27 B.3.2 Tools for manual and automatic scanning . 29 B.3.3 IACS product supplier contact and relationship building 30 B.3.4 Supportability and product supplier product lifecycle . 32 B.3.5 Evaluation and assessment of existing environment 32 B.3.6 Classification and ca
11、tegorization of assets/hardware/software. 33 B.4 Project planning and implementation . 36 B.4.1 Overview . 36 B.4.2 Developing the business case 37 B.4.3 Establishing and assigning roles and responsibilities 38 B.4.4 Testing environment and infrastructure . 40 B.4.5 Implement backup and restoration
12、infrastructure . 41 B.4.6 Establishing product supplier procurement guidelines . 42 PD IEC/TR 62443-2-3:2015IEC TR 62443-2-3:2015 IEC 2015 3 B.5 Monitoring and evaluation . 42 B.5.1 Overview . 42 B.5.2 Monitoring and identification of security related patches 43 B.5.3 Determining patch applicability
13、 . 43 B.5.4 Impact, criticality and risk assessment 44 B.5.5 Decision for installation 45 B.6 Patch testing . 45 B.6.1 Patch testing process . 45 B.6.2 Asset owner qualification of security patches prior to installation . 46 B.6.3 Determining patch file authenticity 46 B.6.4 Review functional and se
14、curity changes from patches . 46 B.6.5 Installation procedure . 47 B.6.6 Patch qualification and validation . 48 B.6.7 Patch removal, roll back, restoration procedures . 48 B.6.8 Risk mitigation alternatives . 49 B.7 Patch deployment and installation . 50 B.7.1 Patch deployment and installation proc
15、ess . 50 B.7.2 Notification of affected parties 50 B.7.3 Preparation 51 B.7.4 Phased scheduling and installation . 51 B.7.5 Verification of patch installation 52 B.7.6 Staff training and drills . 52 B.8 Operating an IACS patch management program . 53 B.8.1 Overview . 53 B.8.2 Change management . 53
16、B.8.3 Vulnerability awareness . 53 B.8.4 Outage scheduling . 54 B.8.5 Security hardening . 54 B.8.6 Inventory and data maintenance . 54 B.8.7 Procuring or adding new devices 55 B.8.8 Patch management reporting and KPIs . 55 Annex C (informative) IACS product supplier / service provider guidance on p
17、atching . 56 C.1 Annex organization . 56 C.2 Discovery of vulnerabilities 56 C.2.1 General . 56 C.2.2 Vulnerability discovery and identification within the product . 57 C.2.3 Vulnerability discovery and identification within externally sourced product components . 57 C.3 Development, verification an
18、d validation of security updates 58 C.4 Distribution of cyber security updates 58 C.5 Communication and outreach 58 Bibliography . 60 Figure 1 Patch state model 13 Figure 2 VPC file schema . 16 Figure 3 VPC file schema diagram format . 17 Figure B.1 IACS patch management workflow . 27 Figure B.2 Pla
19、nning an IACS patch management process . 36 PD IEC/TR 62443-2-3:2015 4 IEC TR 62443-2-3:2015 IEC 2015 Figure B.3 Sample responsibilities chart . 40 Figure B.4 Patch monitoring and evaluation process . 42 Figure B.5 A patch testing process . 45 Figure B.6 A patch deployment and installation process 5
20、0 Table 1 Patch lifecycle states . 12 Table 2 VPC XSD PatchData file elements . 17 Table 3 VPC XSD PatchVendor file elements . 18 Table 4 VPC XSD Patch file elements 18 Table 5 VPC XSD VendorProduct file elements 20 Table A.1 CodeType optional attributes 24 Table A.2 DateTimeType optional attributes
21、 . 24 Table A.3 IdentifierType optional attributes . 25 Table A.4 IndicatorType optional attributes . 25 Table A.5 TextType optional attributes . 25 Table B.1 Sample product supplier profile. 31 Table B.2 Communication capabilities 34 Table B.3 Sample software categorization 35 Table B.4 Responsibil
22、ity assignment definitions 39 Table B.5 Sample severity based patch management timeframes 45 PD IEC/TR 62443-2-3:2015IEC TR 62443-2-3:2015 IEC 2015 5 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS Part 2-3: Patch management in the IACS environment
23、FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the
24、 electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted t
25、o technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non- governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the Internationa
26、l Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each te
27、chnical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Pu
28、blications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their n
29、ational and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment
30、services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees,
31、servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publi
32、cation, use of, or reliance upon, this IEC Publication or any other IEC Publications. 8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibi
33、lity that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights. The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the
34、 publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example “state of the art“. Technical Report IEC 62443-2-3 has been prepared by ISA Technical Committee 99 in partnership with IEC technical commi
35、ttee 65: Industrial-process measurement, control and automation. The text of this standard is based on the following documents: Enquiry draft Report on voting 65/554/DTR 65/564/RVC Full information on the voting for the approval of this technical report can be found in the report on voting indicated
36、 in the above table. PD IEC/TR 62443-2-3:2015 6 IEC TR 62443-2-3:2015 IEC 2015 This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. A list of all parts in the IEC 62443 series, published under the general title Security for industrial automation and control systems, c
37、an be found on the IEC website. The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be reconfirmed
38、, withdrawn, replaced by a revised edition, or amended. A bilingual version of this publication may be issued at a later date. IMPORTANT The colour inside logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of
39、its contents. Users should therefore print this document using a colour printer. PD IEC/TR 62443-2-3:2015IEC TR 62443-2-3:2015 IEC 2015 7 INTRODUCTION Cyber security is an increasingly important topic in modern organizations. Many organizations involved in information technology (IT) and business ha
40、ve been concerned with cyber security for many years and have well-established information security management systems (ISMS) in place as defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), in ISO/IEC 27001 and ISO/IEC 27002. T
41、hese management systems provide an organization with a well-established method for protecting its assets from cyber-attacks. Industrial Automation and Control Systems (IACS) suppliers and owners are using commercial-off-the-shelf (COTS) technology developed for business systems in their everyday pro
42、cesses. This provides an increased opportunity for cyber-attack against the IACS equipment, since COTS systems are more widely known and used. There has also been new interest in ICS security research that has uncovered numerous device vulnerabilities as well. Successful attacks against industrial s
43、ystems may lead to health, safety and environmental (HSE) consequences. Organizations may try to use the business cyber security strategy to address security for IACS without understanding the consequences. While many of these solutions can be applied to IACS, they need to be applied in the correct
44、way to eliminate inadvertent consequences. This technical report addresses the patch management aspect of IACS cyber security. Patch management is part of a comprehensive cyber security strategy that increases cyber security through the installation of patches, also called software updates, software
45、 upgrades, firmware upgrades, service packs, hotfixes, basic input output system (BIOS) updates and other digital electronic program updates that resolve bugs, operability, reliability and cyber security vulnerabilities. This technical report introduces to the reader many of the problems and industr
46、y concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the impacts poor patch management can have on the reliability and/or operability of the IACS. PD IEC/TR 62443-2-3:2015 8 IEC TR 62443-2-3:2015 IEC 2015 SECURITY FOR INDUSTRIAL AUTOMATION A
47、ND CONTROL SYSTEMS Part 2-3: Patch management in the IACS environment 1 Scope This part of IEC 62443, which is a Technical Report, describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch
48、 management program. This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and
49、 deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates. The Technical Report does not differentiate between patches made available for the operating systems (OSs), applications or devices. It does not differentiate between the product suppliers that supply the infrastructure components or the IACS a
