1、Nuclear power plants Instrumentation and control systems Requirements for coordinating safety and cybersecurityBS IEC 62859:2016BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06National forewordThis British Standard is the UK implementation of IEC 62859:2016. The UK p
2、articipation in its preparation was entrusted to TechnicalCommittee NCE/8, Instrumentation, Control any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also part
3、icipate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, a
4、n international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all
5、 reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to app
6、ly IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of
7、conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this pub
8、lication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect
9、, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications. 8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the co
10、rrect application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights. International Standard IEC 62859 has been prepared b
11、y subcommittee 45A: Instrumentation, control and electrical systems of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation. The text of this standard is based on the following documents: FDIS Report on voting 45A/1104/FDIS 45A/1118/RVD Full information on the voting for the ap
12、proval of this standard can be found in the report on voting indicated in the above table. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. BS IEC 62859:2016IEC 62859:2016 IEC 2016 5 The committee has decided that the contents of this publication will remain uncha
13、nged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be reconfirmed, withdrawn, replaced by a revised edition, or amended. BS IEC 62859:2016 6 IEC 62859:2016 IEC 2016 INTRODUCTION
14、a) Technical background, main issues and organisation of this standard I IAEA guidance on computer security at nuclear facilities; regulatory interpretations for country specific requirements. d) Description of the structure of the IEC SC 45A standard series and relationships with other IEC document
15、s and other bodies documents (IAEA, ISO) The top-level documents of the IEC SC 45A standard series are IEC 61513 and IEC 630461. IEC 61513 provides general requirements for I it covers power supply systems including the supply _ 1In preparation. Stage at the time of publication: IEC ANW 63046:2016.
16、BS IEC 62859:2016IEC 62859:2016 IEC 2016 7 systems of the I it adapts them and completes them to fit the nuclear context and coordinates with the IEC 62443 series. At level 2, regarding control rooms, IEC 60964 is the entry document for the IEC SC 45A control rooms standards and IEC 62342 is the ent
17、ry document for the IEC SC 45A ageing management standards. NOTE 1 It is assumed that for the design of I avoid potential conflicts between safety and cybersecurity provisions; aid the identification and the leveraging of the potential synergies between safety and cybersecurity. This document is int
18、ended to be used for designing new NPPs, or modernizing existing NPPs, throughout I Clause 6 focuses on the system level; Clause 7 deals with organizational and operational issues. 2 Normative references The following documents are referred to in the text in such a way that some or all of their cont
19、ent constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. BS IEC 62859:2016IEC 62859:2016 IEC 2016 9 IEC 60709:2004, Nuclear power plants Instrumentati
20、on and control systems important to safety Separation IEC 60880:2006, Nuclear power plants Instrumentation and control systems important to safety Software aspects for computer-based systems performing category A functions IEC 61500:2009, Nuclear power plants Instrumentation and control systems impo
21、rtant to safety Data communication in systems performing category A functions IEC 61513:2011, Nuclear power plants Instrumentation and control important to safety General requirements for systems IEC 62138:2004, Nuclear power plants Instrumentation and control important for safety Software aspects f
22、or computer-based systems performing category B or C functions IEC 62340, Nuclear power plants Instrumentation and control systems important to safety Requirements for coping with common cause failure (CCF) IEC 62566:2012, Nuclear power plants Instrumentation and control important to safety Developm
23、ent of HDL-programmed integrated circuits for systems performing category A functions IEC 62645:2014, Nuclear power plants Instrumentation and control systems Requirements for security programmes for computer-based systems 3 Terms and definitions For the purposes of this document, the terms and defi
24、nitions given in IEC 62645, in IEC 61513 and the following apply. NOTE If for a given term, different definitions are provided in these three sources, the definition of the present document applies. ISO and IEC maintain terminological databases for use in standardization at the following addresses:
25、IEC Electropedia: available at http:/www.electropedia.org/ ISO Online browsing platform: available at http:/www.iso.org/obp 3.1 computer-based item item that relies on software instructions running on microprocessors or microcontrollers Note 1 to entry: The term item can be replaced by the terms sys
26、tem, or equipment, or device. Note 2 to entry: A computer-based item is a kind of programmable digital item. Note 3 to entry: This term is equivalent to software-based item. 3.2 cyberattack attempt by digital means to destroy, expose, alter, disable, steal or gain unauthorized access to or make unau
27、thorized use of an asset Note 1 to entry: Cyberattacks include targeted and non-targeted (e.g. malwares) attacks by digital means. Cyberattack is synonymous with digital attack. BS IEC 62859:2016 10 IEC 62859:2016 IEC 2016 3.3 cybersecurity set of activities and measures the objective of which is to
28、 prevent, detect, and react to: malicious disclosures of information (confidentiality) that could be used to perform malicious acts which could lead to an accident, an unsafe situation or plant performance degradation; malicious modifications (integrity) of functions that may compromise the delivery
29、 or integrity of the required service by I malicious withholding or prevention of access to or communication of information, data or resources (incl. loss of view) that could compromise the delivery of the required service by I they allow I the gains and drawbacks in terms of system complexity and i
30、nterfaces. b) Any system feature initially designed for safety reason which has a potential value as a cybersecurity counter-measure (during cybersecurity risk analysis activity for instance) should be re-examined taking into account context-relevant cyberattacks, by staff responsible for cybersecur
31、ity, to confirm its cybersecurity effectiveness. c) The security features of programmable digital systems important to safety should be designed to limit their dependency on updates. BS IEC 62859:2016 16 IEC 62859:2016 IEC 2016 6.3.4 Implementation activities This document does not provide any speci
32、fic requirements or recommendations related to the coordination between safety and cybersecurity for this phase. Refer to IEC 62645 for cybersecurity-related ones, to IEC 60880 and IEC 62138 for software of CB I a dedicated risk analysis shall characterise the risks associated with this decision; BS
33、 IEC 62859:2016 18 IEC 62859:2016 IEC 2016 if the risk analysis identifies the need for compensating cybersecurity measures, their implementation shall be approved by the relevant persons accountable for cybersecurity in conjunction with the persons accountable for the involved systems. 6.4.3.2 Othe
34、r software modifications a) Analyses or tests shall be conducted to validate that a software modification, made for safety or other reasons not related to cybersecurity (e.g. reliability, new functionality), does not result in inadequate cybersecurity. b) A software modification identified as degrad
35、ing cybersecurity shall not be implemented on plant I the compensating cybersecurity measures potentially identified by the risk analysis (if any) have been approved by the relevant persons accountable for cybersecurity in conjunction with the persons accountable for the involved systems; these appr
36、oved compensating cybersecurity measures (if any) have been implemented. 6.4.4 Logging and audit capability a) Local record generation, audit reduction and report generation capability intended for cybersecurity should be implemented as much as possible external to systems important to safety. b) Th
37、e failure messages generated by a programmable digital I their resolution in a balanced way is a condition to obtain the maximum benefit from such practices. 7.4 Emergency response management a) Procedures and organisations shall be in place in order to evaluate rapidly and rigorously safety implica
38、tions of cybersecurity attacks on I assessing the impacts of cyberattacks, including in terms of plant safety, involves a global perspective (for instance, a targeted cyberattack on configuration or maintenance tools can lead to consequences on safety, although these tools can be classified as not i
39、mportant to safety). The issue of coordinating safety and cybersecurity is better addressed by considering both I it reflects the fact that this document has not been particularly developed to treat these aspects, which deserve due care but are to be treated mostly by non-nuclear specific provisions
40、. BS IEC 62859:2016IEC 62859:2016 IEC 2016 23 Bibliography Nuclear I&C system specific references MDEP, Common Position No. DICWG08, Common position on the impact of cyber security features on digital I&C safety systems IAEA, Nuclear Security Series No. 17, Reference Manual, Computer security at nuc
41、lear facilities ORNL, report ref. ORNL/NRC/LTR-07/05, Safety and non-safety communications and interactions in international nuclear power plants, 2007 U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber security programs for nuclear facilities, January 2010 U.S. Nuclear Regulatory Comm
42、ission, Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Rev. 3, 2011 IEEE, Std 7-4.3.2-2010, Standard criteria for digital computers in safety systems of nuclear power generating stations CSA N290.7 Standard, Cyber Security for Nuclear Power Plants an
43、d Small Reactor Facilities, 2014 IAEA Safety Guide SSG-39, Design of instrumentation and control systems in Nuclear Power Plants Interface between nuclear safety and nuclear security IAEA, INSAG-24, The interface between safety and security at nuclear power plants U.S. Nuclear Regulatory Commission,
44、 RG 5.74, Managing the safety-security interface WINS, An integrated approach to nuclear safety and nuclear security, Rev. 1-1 Non-nuclear I&C system specific references ISA TR84.00.09-2013, Security protection layers and considerations related to SIS IEC 62443 (all parts), Security for industrial a
45、utomation and control systems IEC 61508-1, Functional safety of electrical/electronic/programmable electronic safety-related systems Part 1: General requirements IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems Part 2: Requirements for electrical
46、/electronic/programmable electronic safety-related systems IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems Part 3: Software requirements IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems Part
47、4: Definitions and abbreviations BS IEC 62859:2016 24 IEC 62859:2016 IEC 2016 Non I&C-specific IAEA references IAEA, GS-R-3:2006, The management system for facilities and activities IAEA, Safety Guide No, GS-G-3.1:2006, Application of the management System for facilities and activities IAEA, Safety
48、Guide No, GS-G-3.5:2009, Management system for nuclear installations IAEA, Safety Standard Series No. SSR-2/1:2012, Safety of Nuclear Power Plant: Design IAEA, Safety Guide SSG-30, Safety classification of structures, systems and components in Nuclear Power Plants IAEA, Safety Guide SSG-34, Design o
49、f electrical power systems in Nuclear Power Plants IAEA, Safety Glossary, Terminology used in nuclear safety and radiation protection _ BS IEC 62859:2016This page deliberately left blankBSI is the national body responsible for preparing British Standards and other standards-related publications, information and services.BSI is incorporated by Royal Charter. British Standards and other standardization products are published by BSI Standar