ANSI/ISA-62443-3-3 (99.03.03)-2013
Security for industrial automation and control systems
Part 3-3: System security requirements and security levels
Approved 12 August 2013

ISBN: 978-0-876640-39-5
Copyright 2013 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
ISA, 67 Alexander Drive, P. O. Box 12277, Research Triangle Park, NC 27709 USA

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ANSI/ISA-62443-3-3 (99.03.03)-2013.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports.
Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION

ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user's intended application. However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user's particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.
The following served as active members of ISA99 Working Group 4, Task Group 2 in developing this standard:

Name | Company | Contributor/Reviewer
Jeff Potter, TG Chair | Emerson | X
Adedotun Adeyemi | Quaddynamics Nigeria Ltd | X
Leandro Pfleger de Aguiar | Chemtech - Siemens | X
Raghu Avali | Westinghouse Electric Corp | X
Satishkumar Balasubramanian | Yokogawa IA Technologies | X
Rahul Bhojani | Bayer | X
Wayne Boyer | US Idaho National Laboratory | X
Antony Capel | Comgate Engineering Ltd. | X
Penny Chen | Yokogawa Corp. of America | X
Eric Cosman | The Dow Chemical Co. | X
John Cusimano | Exida | X
Kelli Dean | Okonite | X
Aris Espejo | Syncrude Canada Ltd. | X
Dean Ford | Glenmount Global Solutions | X
Donald Fraser | Jacobs | X
James Gilsinn | Kenexis | X
Thomas Good | DuPont | X
Vic Hammond | US Argonne National Laboratory | X
Jean-Pierre Hauet | KB Intelligence | X
Dennis Holstein | Opus Consulting Group | X
Charles Hoover | Rockwell Automation | X
Bob Huba | Emerson | X
Freemon Johnson | US State Department | X
Pierre Kobes | Siemens | X
Sinclair Koelemij | Honeywell Industrial IT Solutions | X
Erwin Kruschitz | Anapur AG | X
Tyson Macaulay | Bell Business Markets (Bell Canada) | X
Pete MacLeod | Engenuity Consulting | X
Wayne Manges | US Oak Ridge National Laboratory | X
William Miller | MaCT USA | X
Kevin Minnick | GE Energy | X
Ajay Mishra | Invensys - Triconex | X
Olav Mo | ABB AS | X
John Munro | US Oak Ridge National Laboratory | X
Johan Nye | ExxonMobil | X
NorAzuwa Binti Pahri | CyberSecurity Malaysia | X
Tom Phinney | Consultant | X
Ragnar Schierholz | ABB AG | X
Graham Speake | Yokogawa | X
Kevin Staggs | Honeywell | X
Herman Storey | Herman Storey Consulting | X
Tatsuaki Takabe | Yokogawa | X
Steven Tom | US Idaho National Laboratory | X
Gerd Wartmann | Endress + Hauser | X
Vernon Williams | Patria Group | X

CONTENTS

PREFACE 3
FOREWORD 10
0 Introduction 11
0.1 Overview 11
0.2 Purpose and intended audience 12
0.3 Usage within other parts of the ISA-62443 series 12
1 Scope 15
2 Normative references 15
3 Terms, definitions, abbreviated terms, acronyms, and conventions 15
3.1 Terms and definitions 15
3.2 Abbreviated terms and acronyms 21
3.3 Conventions 23
4 Common control system security constraints 24
4.1 Overview 24
4.2 Support of essential functions 24
4.3 Compensating countermeasures 24
4.4 Least privilege 25
5 FR 1 Identification and authentication control 25
5.1 Purpose and SL-C(IAC) descriptions 25
5.2 Rationale 25
5.3 SR 1.1 Human user identification and authentication 25
5.4 SR 1.2 Software process and device identification and authentication 27
5.5 SR 1.3 Account management 28
5.6 SR 1.4 Identifier management 28
5.7 SR 1.5 Authenticator management 29
5.8 SR 1.6 Wireless access management 30
5.9 SR 1.7 Strength of password-based authentication 31
5.10 SR 1.8 Public key infrastructure (PKI) certificates 32
5.11 SR 1.9 Strength of public key authentication 33
5.12 SR 1.10 Authenticator feedback 34
5.13 SR 1.11 Unsuccessful login attempts 34
5.14 SR 1.12 System use notification 35
5.15 SR 1.13 Access via untrusted networks 35
6 FR 2 Use control 36
6.1 Purpose and SL-C(UC) descriptions 36
6.2 Rationale 36
6.3 SR 2.1 Authorization enforcement 37
6.4 SR 2.2 Wireless use control 38
6.5 SR 2.3 Use control for portable and mobile devices 39
6.6 SR 2.4 Mobile code 39
6.7 SR 2.5 Session lock 40
6.8 SR 2.6 Remote session termination 40
6.9 SR 2.7 Concurrent session control 41
6.10 SR 2.8 Auditable events 41
6.11 SR 2.9 Audit storage capacity 42
6.12 SR 2.10 Response to audit processing failures 43
6.13 SR 2.11 Timestamps 43
6.14 SR 2.12 Non-repudiation 44
7 FR 3 System integrity 45
7.1 Purpose and SL-C(SI) descriptions 45
7.2 Rationale 45
7.3 SR 3.1 Communication integrity 45
7.4 SR 3.2 Malicious code protection 46
7.5 SR 3.3 Security functionality verification 47
7.6 SR 3.4 Software and information integrity 48
7.7 SR 3.5 Input validation 49
7.8 SR 3.6 Deterministic output 49
7.9 SR 3.7 Error handling 50
7.10 SR 3.8 Session integrity 50
7.11 SR 3.9 Protection of audit information 51
8 FR 4 Data confidentiality 52
8.1 Purpose and SL-C(DC) descriptions 52
8.2 Rationale 52
8.3 SR 4.1 Information confidentiality 52
8.4 SR 4.2 Information persistence 53
8.5 SR 4.3 Use of cryptography 54
9 FR 5 Restricted data flow 55
9.1 Purpose and SL-C(RDF) descriptions 55
9.2 Rationale 55
9.3 SR 5.1 Network segmentation 55
9.4 SR 5.2 Zone boundary protection 56
9.5 SR 5.3 General purpose person-to-person communication restrictions 57
9.6 SR 5.4 Application partitioning 58
10 FR 6 Timely response to events 58
10.1 Purpose and SL-C(TRE) descriptions 58
10.2 Rationale 59
10.3 SR 6.1 Audit log accessibility 59
10.4 SR 6.2 Continuous monitoring 59
11 FR 7 Resource availability 60
11.1 Purpose and SL-C(RA) descriptions 60
11.2 Rationale 61
11.3 SR 7.1 Denial of service protection 61
11.4 SR 7.2 Resource management 61
11.5 SR 7.3 Control system backup 62
11.6 SR 7.4 Control system recovery and reconstitution 62
11.7 SR 7.5 Emergency power 63
11.8 SR 7.6 Network and security configuration settings 63
11.9 SR 7.7 Least functionality 64
11.10 SR 7.8 Control system component inventory 64
Annex A (informative) Discussion of the SL vector 67
A.1 Introduction 67
A.2 Security levels 67
A.3 SL vector 72
Annex B (informative) Mapping of SRs and REs to FR SL levels 1-4 75
B.1 Overview 75
B.2 SL mapping table 75
BIBLIOGRAPHY 80

Figure 1 ISA-62443 Work Products 13
Figure A.1 High-level process-industry example showing zones and conduits 69
Figure A.2 High-level manufacturing example showing zones and conduits 70
Figure A.3 Schematic of correlation of the use of different SL types 71
Table B.1 Mapping of SRs and REs to FR SL levels 1-4 75

FOREWORD

This standard is part of a multipart series of standards that address the issue of security for industrial automation and control systems (IACS). It has been developed by Working Group 4, Task Group 2 of the ISA99 committee in cooperation with IEC TC65 Working Group 10. This standard prescribes the security requirements for control systems related to the seven foundational requirements defined in ISA-62443-1-1 (99.01.01) [1]¹ and assigns system security levels (SLs) to the system under consideration (SuC).

¹ Numbers in brackets indicate references in the Bibliography on page 73.

0 Introduction

NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2 [13]. These directives specify the format of the document as well as the use of terms like "shall", "should", and "may". The requirements specified in normative clauses use the conventions discussed in Appendix H of the Directives document.

0.1 Overview

Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. Control systems are also increasingly interconnected with non-IACS networks for valid business reasons. These devices, open networking technologies and increased connectivity provide an increased opportunity for cyber attack against control system hardware and software. That weakness may lead to health, safety and environmental (HSE), financial and/or reputational consequences in deployed control systems.

Organizations deploying business information technology (IT) cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in an appropriate way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional requirements and risk assessment, often including an awareness of operational issues as well.

IACS security measures should not have the potential to cause loss of essential services and functions, including emergency procedures. (IT security measures, as often deployed, do have this potential.) IACS security goals focus on control system availability, plant protection, plant operations (even in a degraded mode) and time-critical system response. IT security goals often do not place the same emphasis on these factors; they may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved. A key step in risk assessment, as required by ISA-62443-2-1 (99.02.01)² [5], should be the identification of which services and functions are truly essential for operations. (For example, in some facilities engineering support may be determined to be a non-essential service or function.) In some cases, it may be acceptable for a security action to cause temporary loss of a non-essential service or function, unlike an essential service or function that should not be adversely affected.

This document assumes that a security program has been established and is being operated in accordance with ISA-62443-2-1 (99.02.01). Furthermore, it is assumed that patch management is implemented consistent with the recommendations detailed in ISA-TR62443-2-3 (TR99.02.03) [7] utilizing the appropriate control system requirements and requirement enhancements as described in this document. In addition, ISA-62443-3-2 (99.03.02) [10] describes how a project defines risk-based security levels (SLs) which then are used to select products with the appropriate technical security capabilities as detailed in this document. Key input to this document included ISO/IEC 27002 [14] and NIST SP800-53, rev 3 [26] (see Clause 2 and the Bibliography for a more complete listing of source material).

The primary goal of the ISA-62443 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA-62443 series is to build extensions