1、 AMERICAN NATIONAL STANDARD ANSI/ISA62443-1-1 (99.01.01)2007 (formerly designated as ANSI/ISA-99.00.01-2007) Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models Approved 29 October 2007 ANSI/ISA62443-1-1 (99.01.01)2007 (formerly designated as ANSI/ISA-9
2、9.00.01-2007) Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models ISBN: 978-1-934394-37-3 Copyright 2007 by ISA. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a ret
3、rieval system, or transmitted in any form or by any means (electronic mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P. O. Box 12277 Research Triangle Park, NC 27709 USA 3 ANSI/ISA62443-1-1 (99.01.01)2007 Copyright 20
4、07 ISA. All rights reserved. Preface This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ANSI/ISA62443-1-1 (99.01.01)2007. This document has been prepared as part of the service of ISA, toward a goal of uniformity in the field of instrumentatio
5、n. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research T
6、riangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standardsisa.org. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participati
7、on in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops. CAUTION ISA adheres to the policy of the American National Standards Insti
8、tute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions th
9、at are free from unfair discrimination. Even if ISA is unaware of any patent covering this standard, the user is cautioned that implementation of the standard may require use of techniques, processes, or materials covered by patent rights. ISA takes no position on the existence or validity of any pa
10、tent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate
11、 relevant patents before using the standard for the users intended application. However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner. Additionally
12、, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concern
13、ing its use and applicability under the users particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard. ANSI/ISA62443-1-1 (99.01.01)2007 4 Copyright 2007 ISA. All r
14、ights reserved. The following participated as voting members of ISA99 in the development of this standard: NAME COMPANY B. Singer, Chair Fluid IQs R. Webb, Managing Director Consultant E. Cosman, Lead Editor The Dow Chemical Co. R. Bhojani Bayer Technology Services M. Braendle ABB D. Brandl BR a pro
15、cess by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy 11. 3.2.3 accountability property of a system (including all of its system resources) that ensures th
16、at the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions 11. 3.2.4 application software program that performs specific functions initiated by a user command or a process event and that can be executed without access to system control, mon
17、itoring, or administrative privileges 9. 3.2.5 area subset of a sites physical, geographic, or logical group of assets. NOTE: An area may contain manufacturing lines, process cells, and production units. Areas may be connected to each other by a site local area network and may contain systems relate
18、d to the operations performed in that area. 3.2.6 asset physical or logical object owned by or under the custodial duties of an organization, having either a perceived or actual value to the organization. NOTE: In the case of industrial automation and control systems the physical assets that have th
19、e largest directly measurable value may be the equipment under control. 3.2.7 association cooperative relationship between system entities, usually for the purpose of transferring information between them 11. 3.2.8 assurance attribute of a system that provides grounds for having confidence that the
20、system operates such that the system security policy is enforced. ANSI/ISA62443-1-1 (99.01.01)2007 20 Copyright 2007 ISA. All rights reserved. 3.2.9 attack assault on a system that derives from an intelligent threat i.e., an intelligent act that is a deliberate attempt (especially in the sense of a
21、method or technique) to evade security services and violate the security policy of a system 11. NOTE: There are different commonly recognized classes of attack: An “active attack“ attempts to alter system resources or affect their operation. A “passive attack“ attempts to learn or make use of inform
22、ation from the system but does not affect system resources. An “inside attack“ is an attack initiated by an entity inside the security perimeter (an “insider“) i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization. An
23、 “outside attack“ is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (including an insider attacking from outside the security perimeter). Potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hosti
24、le governments. 3.2.10 attack tree formal, methodical way of finding ways to attack the security of a system. 3.2.11 audit independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures
25、, and to recommend necessary changes in controls, policies, or procedures (See “security audit”) 9. NOTE: There are three forms of audit. (1) External audits are conducted by parties who are not employees or contractors of the organization. (2) Internal audit are conducted by a separate organization
26、al unit dedicated to internal auditing. (3) Controls self assessments are conducted by peer members of the process automation function. 3.2.12 authenticate verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized
27、modification in an information system, or to establish the validity of a transmission. 3.2.13 authentication security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individuals authorization to receive specific categories of informati
28、on 9. 3.2.14 authorization right or a permission that is granted to a system entity to access a system resource 11. 3.2.15 automated vehicle mobile device that includes a control system allowing it to operate either autonomously or under remote control. 3.2.16 availability probability that an asset,
29、 under the combined influence of its reliability, maintainability, and security, will be able to fulfill its required function over a stated period of time, or at a given point in time. 3.2.17 border edge or boundary of a physical or logical security zone. 3.2.18 botnet collection of software robots
30、, or bots, which run autonomously. NOTE: A botnets originator can control the group remotely, possibly for nefarious purposes. 3.2.19 boundary software, hardware, or other physical barrier that limits access to a system or part of a system 9. 21 ANSI/ISA62443-1-1 (99.01.01)2007 Copyright 2007 ISA. A
31、ll rights reserved. 3.2.20 channel specific communication link established within a communication conduit (See “conduit”). 3.2.21 ciphertext data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. 3.2.
32、22 client device or application receiving or requesting services or information from a server application 12. 3.2.23 communication path logical connection between a source and one or more destinations, which could be devices, physical processes, data items, commands, or programmatic interfaces. NOTE
33、: The communication path is not limited to wired or wireless networks, but includes other means of communication such as memory, procedure calls, state of physical plant, portable media, and human interactions. 3.2.24 communication security (1) measures that implement and assure security services in
34、 a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities. (2) state that is reached by applying security services, in particular, state of data confidentiality, integrity, and successfully authenticated communicatio
35、ns entities 11. NOTE: This phrase is usually understood to include cryptographic algorithms and key management methods and processes, devices that implement them, and the life-cycle management of keying material and devices. However, cryptographic algorithms and key management methods and processes
36、may not be applicable to some control system applications. 3.2.25 communication system arrangement of hardware, software, and propagation media to allow the transfer of messages (ISO/IEC 7498 application layer service data units) from one application to another. 3.2.26 compromise unauthorized disclo
37、sure, modification, substitution, or use of information (including plaintext cryptographic keys and other critical security parameters) 13. 3.2.27 conduit logical grouping of communication assets that protects the security of the channels it contains. NOTE: This is analogous to the way that a physic
38、al conduit protects cables from physical damage. 3.2.28 confidentiality assurance that information is not disclosed to unauthorized individuals, processes, or devices 9. 3.2.29 control center central location used to operate a set of assets. NOTE: Infrastructure industries typically use one or more
39、control centers to supervise or coordinate their operations. If there are multiple control centers (for example, a backup center at a separate site), they are typically connected together via a wide area network. The control center contains the SCADA host computers and associated operator display de
40、vices plus ancillary information systems such as a historian. NOTE: In some industries the term “control room” may be more commonly used. 3.2.30 control equipment class that includes distributed control systems, programmable logic controllers, SCADA systems, associated operator interface consoles, a
41、nd field sensing and control devices used to manage and control the process. ANSI/ISA62443-1-1 (99.01.01)2007 22 Copyright 2007 ISA. All rights reserved. NOTE: The term also includes field bus networks where control logic and algorithms are executed on intelligent electronic devices that coordinate
42、actions with each other, as well as systems used to monitor the process and the systems used to maintain the process. 3.2.31 control network time-critical network that is typically connected to equipment that controls physical processes (See “safety network”). NOTE: The control network can be subdiv
43、ided into zones, and there can be multiple separate control networks within one company or site. 3.2.32 cost value of impact to an organization or person that can be measured. 3.2.33 countermeasure action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by elimin
44、ating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken 11. NOTE: The term “Control” is also used to describe this concept in some contexts. The term countermeasure has been chosen for this standard to avoid confusion wit
45、h the word control in the context of “process control.” 3.2.34 cryptographic algorithm algorithm based upon the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms. 3.2.35 cryptographic key input paramete
46、r that varies the transformation performed by a cryptographic algorithm 11. NOTE: Usually shortened to just “key.“ 3.2.36 data confidentiality property that information is not made available or disclosed to any unauthorized system entity, including unauthorized individuals, entities, or processes 7.
47、 3.2.37 data integrity property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner 11. NOTE: This term deals with constancy of and confidence in data values, not with the information that the values represent or the trustworthiness of the source of the values.
48、 3.2.38 decryption process of changing cipher text into plaintext using a cryptographic algorithm and key (See “encryption”) 11. 3.2.39 defense in depth provision of multiple security protections, especially in layers, with the intent to delay if not prevent an attack. NOTE: Defense in depth implies
49、 layers of security and detection, even on single systems, and provides the following features: a. attackers are faced with breaking through or bypassing each layer without being detected b. a flaw in one layer can be mitigated by capabilities in other layers c. system security becomes a set of layers within the overall network security. 3.2.40 demilitarized zone perimeter network segment that is logically between internal and external networks 9. 23 ANSI/ISA62443-1-1 (99.01.01)2007 Copyright 2007 ISA.
