1、 NOTICE OF COPYRIGHT This is a copyright document and may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISAs license to that pers
2、on. It may not be provided to any other person in print, electronic, or any other form. Violations of ISAs copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties. AMERICAN NATIONAL STANDARD ANSI/ISA-62443-4-1-2018 Security for industr
3、ial automation and control systems Part 4-1: Product security development life-cycle requirements Approved 16 February 2018 ANSI/ISA-62443-4-1-2018 Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements ISBN: 978-1-945541-82-7 Copyright
4、2018 by ISA. All rights reserved. Not for resale. Printed in the United States of America. ISA 67 T.W. Alexander Drive P. O. Box 12277 Research Triangle Park, NC 27709 USA 16 February 2018 3 ANSI/ISA-62443-4-1-2018 Preface This preface, as well as all footnotes and annexes, is included for informati
5、on purposes and is not part of ANSI/ISA-62443-4-1-2018. This document has been prepared as part of the service of ISA, the International Society for Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject
6、to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 T.W. Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail
7、: standardsisa.org. The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefi
8、ts to U SA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommen
9、ded practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing certifies industry professionals; provides education and training; publishes books and technical a
10、rticles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world. ISA owns A, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation (www.automati
11、onfederation.org), an association of non-profit organizations serving as “The Voice of Automation.“ Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute (www.isasecure.org) and the ISA Wireless Compliance Institu
12、te (www.isa100wci.org). 16 February 2018 5 ANSI/ISA-62443-4-1-2018 The following people served as active members of ISA99 Working Group 04, Task Group 06 in the preparation of this document: Name Company Contributor Reviewer Johan Nye, WG Chair Exxon X Kevin Staggs, WG Chair Honeywell X Michael Medo
13、ff, TG Lead Exida X X Mike Ahmadi Codenomicon, Ltd. X X Shameem Akhter Intel Corporation X X Andreas Backman ABB X X Satish Balasubramanian Yokogawa IA Technologies X X Eric Braun Emerson Process Management X X Fabio Buhrer ABB X Eric Cosman OIT Concepts LLC X Ed Crawford Chevron X John Cusimano AE
14、Solutions X X Emmanuel DelaHostria Consultant X John Feikis Dell X Paul Forney Schneider Electric X X Ken Frische AE Solutions X Dennis Holstein OPUS Consulting Group X Charles Hoover SmartWorks X Dave Johnson Exida X X Pierre Kobes Siemens X John Lellis Berkana Resources Corporation X Mike Lester E
15、merson Process Management X Suzanne Lightman NIST X Roberto Minicucci GE Oil Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP) 35; The Security Development Life-cycle by Michael Howard and Steve Lipner 45; IEC 61508 Functional safety of ele
16、ctrical/electronic/programmable electronic safety-related systems 22, and RCTA DO-178B Software Considerations in Airborne Systems and Equipment Certification 27. Therefore, all these sources can be considered contributing sources to this standard. This document is the part of the ISA-62443 series t
17、hat contains security requirements for developers of any automation and control products where security is a concern. Figure 1 illustrates the relationship of the different parts of ISA-62443 that were in existence or planned as of the date of circulation of this document. Those that are normatively
18、 referenced are included in the list of normative references in Clause 2, and those that are referenced for informational purposes or that are in development are listed in the Bibliography. ANSI/ISA-62443-4-1-2018 16 16 February 2018 Figure 1 Parts of the ISA-62443 series Figure 2 Example scope of p
19、roduct life-cycle illustrates how the developed product relates to maintenance and integration capabilities defined in IEC 6244324 5 and to its operation by the asset owner. The product supplier develops products using a process compliant with this standard. Those products may be a single component,
20、 such as an embedded controller, or a group of components working together as a system or subsystem. The products are then integrated together, usually by a system integrator, into an Automation Solution using a process compliant with IEC 6244324. The Automation Solution is then installed at a parti
21、cular site and becomes part of the industrial automation and control system (IACS). Some of these capabilities reference security measures defined in ANSI/ISA-624433 3 (99.03.03) 8 that the service provider ensures are supported in the Automation Solution (either as product features or compensating
22、mechanisms). This standard only addresses the process used for the development of the product; it does not address design, installation or operation of the Automation Solution or IACS. In Figure 2, the Automation Solution is illustrated to contain one or more subsystems and optional supporting compo
23、nents such as advanced control. The dashed boxes indicate that these components are “optional”. NOTE 1 Automation Solutions typically have a single product, but they are not restricted to do so. In some industries, there may be a hierarchical product structure. In general, the Automation Solution is
24、 the set of hardware and software, independent of product packaging, that is used to control a physical process (for example, continuous or manufacturing) as defined by the asset owner. NOTE 2 If a service provider provides products used in the Automation Solution, then the service provider is fulfi
25、lling the role of product supplier in this diagram. NOTE 3 If a service provider provides products used in the Automation Solution, then the service provider is fulfilling the role of product supplier in this diagram. 16 February 2018 17 ANSI/ISA-62443-4-1-2018 Figure 2 Example scope of product life
26、-cycle Configured for intended environment Industrial automation and control system (IACS) Operational and maintenance capabilities (policies and procedures) + Asset Owner Operates (ANSI/ISA-62443 2 1 (99.02.01), IEC 62443 24) System Integrator Integrates (ANSI/ISA-62443 2 1 (99.02.01), ISA-62443 32
27、) Independent of the intended environment Product (ISA-6244342) system, subsystem, or component such as: Embedded devices Network components Host devices Applications Product Supplier Develops (ISA-6244341) Includes a configured instance of the Product Automation Solution (ANSI/ISA-62443 33 (99.03.0
28、3) Subsystem 1 Subsystem 2 Complementary hardware and software components This page intentionally left blank. 16 February 2018 19 ANSI/ISA-62443-4-1-2018 1 Scope This part of ISA-62443 specifies process requirements for the secure development of products used in industrial automation and control sys
29、tems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch m
30、anagement and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. These requirements apply to the developer and maintainer of the product, but not to the integrator o
31、r user of the product. A summary list of the requirements in this standard can be found in Annex B. 2 Normative references The following documents are referred to in the text in such a way that some or all of thei r content constitutes requirements of this document. For dated references, only the ed
32、ition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IEC 6244324, Security for industrial automation and control systems Part 2-4: Security program requirements for IACS service providers 5 3 Terms, definitions, abbreviated te
33、rms, acronyms, and conventions 3.1 Terms and definitions For the purposes of this document, the terms and definitions given in ISA-TR62443 1 2 and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at
34、http:/www.electropedia.org/ ISO Online browsing platform: available at http:/www.iso.org/obp 3.1.1 abuse case test case used to perform negative operations of a use case Note 1 to entry: Abuse case tests are simulated attacks often based on the threat model. An abuse case is a type of complete inter
35、action between a system and one or more actors where the results of the interaction are intentionally intended to be harmful to the system, one of the actors or one of the stakeholders in the system. 3.1.2 access control protection of system resources against unauthorized access 3.1.3 access control
36、 process by which use of system resources is regulated according to a security policy and is permitted by only authorized users according to that policy Note 1 to entry: Access control includes identification and authentication requirements specified in other parts of the ISA-62443 series. 3.1.4 adm
37、inistrator users who have been authorized to manage security policies/capabilities for a product or system ANSI/ISA-62443-4-1-2018 20 16 February 2018 3.1.5 asset physical or logical object owned by or under the custodial duties of an organization, having either a perceived or actual value to the or
38、ganization Note 1 to entry: In this specific case, an asset is an object that is part of an IACS. 3.1.6 asset owner individual or organization responsible for one or more IACSs 3.1.7 attack surface physical and functional interfaces of a system that can be accessed and, therefore, potentially exploi
39、ted by an attacker 3.1.8 audit log event log that requires a higher level of integrity protection than provided by typical event logs Note 1 to entry: Audit logs are used to protect against claims that repudiate responsibility for an action. 3.1.9 authentication provision of assurance that a claimed
40、 characteristic of an identity is correct Note 1 to entry: Not all credentials used to authenticate an identity are created equally. The trustworthiness of the credential is determined by the configured authentication mechanism. Hardware or software-based mechanisms can force users to prove their id
41、entity before accessing data on a device. A typical example is proving the identity of a user usually through an identity provider. Note 2 to entry: Authentication includes verifying human users as well as non-human users such as devices or processes. 3.1.10 Automation Solution control system and an
42、y complementary hardware and software components that have been installed and configured to operate in an IACS Note 1 to entry: Automation Solution is used as a proper noun in this part of the ISA-62443 series. Note 2 to entry: The difference between the control system and the Automation Solution is
43、 that the control system is incorporated into the Automation Solution design (for example, a specific number of workstations, controllers and devices in a specific configuration), which is then implemented. The resulting configuration is referred to as the Automation Solution. Note 3 to entry: The A
44、utomation Solution can be comprised of components from multiple suppliers including the product supplier of the control system. 3.1.11 banned function software method that is no longer recommended to be used in software because more secure versions exist with less propensity for misuse Note 1 to ent
45、ry: Banned functions are sometimes called banned methods or banned Application Programming Interfaces (APIs). 3.1.12 best practices guidelines for securely designing, developing, testing, maintaining or retiring products that the supplier has determined are commonly recommended by both the security
46、and industrial automation communities EXAMPLE Least privilege, economy of mechanism and least common mechanism. 16 February 2018 21 ANSI/ISA-62443-4-1-2018 3.1.13 component one of the parts that make up a product or system. A component may be hardware or software and may be subdivided into other com
47、ponents 3.1.14 configuration management discipline of identifying the components of an evolving system for the purposes of controlling changes to those components and maintaining continuity and traceability throughout the life-cycle 3.1.15 defense in depth an approach to defend the system against an
48、y particular attack using several independent methods Note 1 to entry: Defense in depth implies layers of security and detection, even on single systems, and provides the following features: is based on the idea that any one layer of protection, may and probably will be defeated; attackers are faced
49、 with breaking through or bypassing each layer without being d etected; a flaw in one layer can be mitigated by capabilities in other layers; system security becomes a set of layers within the overall network security; and each layer should be autonomous and not rely on the same functionality nor have the same failure modes as the other layers 3.1.16 dependent component component external to the product on which the product depends Note 1 to entry: This includes both hardwar
