Security for industrial automation and control systems. Implementation Guidance for an IACS Security Management System...
THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS. IT MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P. O. Box 12277 Research Triangle Park, North Carolina 27709 USA
This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES:
ISA‑62443-2-2, D1E4, April 2013
ISA99, WG02, TG02
ISA‑62443-2-2 Security for industrial automation and control systems Implementation Guidance for an IACS Security Management System Draft 1, Edit 4 April 2013
Text appearing in red italics should be considered editorial comments, provided as an aid in the preparation of the document. It will be removed before the draft is completed.
ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, NC 27709 USA
ISA
Security for industrial automation and control systems
ISBN: -to-be-assigned-
Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
PREFACE
This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.
This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected].
The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.
CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.
Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.
However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.
Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.
The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:

Name                    Company        Contributor
, WG/TG Chair                          X
, Lead Editor                          X
Reviewer
CONTENTS
77
79
PREFACE ............................................................................................................................... 5
80
FORWORD ........................................................................................................................... 12
81
INTRODUCTION ................................................................................................................... 13
82 83 84
1
Context ........................................................................................................................... 13 Audience ........................................................................................................................ 13 Scope ............................................................................................................................. 15
85
2
Normative references ..................................................................................................... 15
86
3
Terms, definitions, abbreviated terms, acronyms, and conventions ................................. 16
4
3.1 Terms and definitions ............................................................................................ 16 3.2 Abbreviated terms and acronyms ........................................................................... 18 3.3 Conventions .......................................................................................................... 19 Overview ........................................................................................................................ 21
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
4.1 4.2
5
Structure ............................................................................................................... 21 Information security management in IACS ............................................................. 21 4.2.1 Goal .......................................................................................................... 21 4.2.2 IACS assets to be protected ...................................................................... 21 4.2.3 Establishment of information security management.................................... 22 Security Policy ................................................................................................................ 23 5.1
6
Introduction ........................................................................................................... 23 5.1.1 {Requirement} ........................................................................................... 23 Organization of Security ................................................................................................. 23 6.1 6.2
7
Introduction ........................................................................................................... 23 Internal Organization ............................................................................................. 23 6.2.1 {Requirement} ........................................................................................... 23 6.3 External Parties ..................................................................................................... 23 6.3.1 {Requirement} ........................................................................................... 23 Asset Management ......................................................................................................... 24 7.1 7.2
8
Introduction ........................................................................................................... 24 Responsibility for Assets ....................................................................................... 24 7.2.1 {Requirement} ........................................................................................... 24 7.3 Information Classification ...................................................................................... 24 7.3.1 {Requirement} ........................................................................................... 24 Human Resources Security ............................................................................................ 24 8.1
8.2
Prior to Employment .............................................................................................. 24 8.1.1 Roles and responsibilities .......................................................................... 24 8.1.2 Screening .................................................................................................. 25 8.1.3 Terms and conditions of employment ......................................................... 26 During Employment ............................................................................................... 27 8.2.1 Management responsibilities ...................................................................... 27 8.2.2 Information security awareness, education, and training ............................ 28 8.2.3 Disciplinary process ................................................................................... 29
This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
78
ISA‑62443-2-2, D1E4, April 2013
ISA99, WG02, TG02
8.3
9
Termination or Change of Employment .................................................................. 29 8.3.1 Termination responsibilities ....................................................................... 29 8.3.2 Return of assets ........................................................................................ 29 8.3.3 Removal of access rights ........................................................................... 29 Physical and Environmental Security .............................................................................. 30
125 126 127 128 129 130 131 132 133 134 135 136
9.1 9.2
Introduction ........................................................................................................... 30 Secure Areas ........................................................................................................ 30 9.2.1 {Requirement} ........................................................................................... 30 9.3 Equipment Security ............................................................................................... 30 9.3.1 Physical Access Authorizations ................................................................. 30 9.3.2 Physical Access Control ............................................................................ 31 9.3.3 Access Control for Communication Medium ............................................... 31 9.3.4 Access Control for Display Medium ............................................................ 32 9.3.5 Monitoring Physical Access ....................................................................... 32 9.3.6 Visitor Control ............................................................................................ 32 9.3.7 Access Records ......................................................................................... 32 10 Communications and Operations Management ............................................................... 33
137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164
10.1 Introduction ........................................................................................................... 33 10.2 Operational Procedures and Responsibilities ......................................................... 33 10.2.1 Automated Marking .................................................................................... 33 10.3 Third Party Service Delivery Management ............................................................. 33 10.3.1 {Requirement} ........................................................................................... 33 10.4 System planning and acceptance .......................................................................... 33 10.4.1 {Requirement} ........................................................................................... 33 10.5 Protection against malicious and mobile code ....................................................... 34 10.5.1 Malicious Code Protection ......................................................................... 34 10.5.2 Security Alerts and Advisories ................................................................... 34 10.6 Backup .................................................................................................................. 34 10.6.1 {Requirement} ........................................................................................... 34 10.7 Network Security Management .............................................................................. 35 10.7.1 {Requirement} ........................................................................................... 35 10.8 Media Handling ..................................................................................................... 35 10.8.1 Media Protection Policy and Procedures .................................................... 35 10.8.2 Media Access ............................................................................................ 
35 10.8.3 Media Labeling .......................................................................................... 36 10.8.4 Media Storage ........................................................................................... 36 10.8.5 Media Transport ........................................................................................ 37 10.8.6 Media Sanitization and Disposal ................................................................ 38 10.8.7 Access Control for Display Medium ............................................................ 38 10.8.8 Public Key Infrastructure Certificates ......................................................... 38 10.9 Exchange of Information ........................................................................................ 39 10.9.1 {Requirement} ........................................................................................... 39 10.10 Electronic Commerce Services .............................................................................. 39 10.10.1 {Requirement} ........................................................................................... 39 10.11 Monitoring ............................................................................................................. 39
This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
120 121 122 123 124
–8–
–9–
ISA99, WG02, TG02
165 166 167 168 169
10.11.1 Audit and Accountability Policy and Procedures ......................................... 39 10.11.2 Auditable Events........................................................................................ 40 10.11.3 Audit Monitoring, Analysis and Reporting ................................................... 40 10.11.4 Audit Record Retention .............................................................................. 40 11 Access Control ............................................................................................................... 41
170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202
11.1 Introduction ........................................................................................................... 41 11.2 Business Requirement ........................................................................................... 41 11.2.1 Access Control Policy and Procedures ...................................................... 41 11.2.2 System and Information Integrity Policy and Procedures ............................ 41 11.2.3 Flaw Remediation ...................................................................................... 42 11.3 User Access Management ..................................................................................... 42 11.3.1 Account Management ................................................................................ 42 11.3.2 Separation of Duties .................................................................................. 43 11.4 User Responsibilities ............................................................................................. 43 11.4.1 {Requirement} ........................................................................................... 43 11.5 Network Access Control ........................................................................................ 44 11.5.1 Least Privilege ........................................................................................... 44 11.5.2 Permitted Actions Without Identification or Authentication ......................... 44 11.5.3 Remote Access.......................................................................................... 44 11.5.4 Use of External Information Systems ......................................................... 45 11.6 Operating System Access Control ......................................................................... 45 11.6.1 {Requirement} ........................................................................................... 
45 11.7 Application and Information Access Control ........................................................... 46 11.7.1 {Requirement} ........................................................................................... 46 11.8 Mobile Computing and Teleworking ....................................................................... 46 11.8.1 Wireless Access Restrictions ..................................................................... 46 11.8.2 Use Control for Portable and Mobile Devices ............................................. 46 11.8.3 Mobile Code .............................................................................................. 47 11.8.4 Supervision and Review – Use Control ...................................................... 47 11.8.5 Identification and Authentication Policy and Procedures ............................ 47 11.8.6 Identifier Management ............................................................................... 48 11.8.7 Authenticator Management ........................................................................ 48 11.8.8 Software and Information Integrity ............................................................. 49 11.8.9 Information Input Restrictions .................................................................... 49 11.8.10 Error Handling ........................................................................................... 49 11.8.11 Information Output Handling and Retention ............................................... 50 11.8.12 Boundary Protection .................................................................................. 50 12 Systems acquisition, development and maintenance ...................................................... 51
203 204 205 206 207 208 209
12.1 Introduction ........................................................................................................... 51 12.2 Security requirements of information systems ........................................................ 51 12.2.1 {Requirement} ........................................................................................... 51 12.3 Correct Processing in Applications ........................................................................ 51 12.3.1 {Requirement} ........................................................................................... 51 12.4 Cryptographic Controls .......................................................................................... 51 12.4.1 Cryptographic Module Validation ............................................................... 51
This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
ISA‑62443-2-2, D1E4, April 2013
– 10 –
ISA99, WG02, TG02
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228
12.5 Security of System Files ........................................................................................ 51 12.5.1 {Requirement} ........................................................................................... 51 12.6 Security in development and support processes .................................................... 52 12.6.1 {Requirement} ........................................................................................... 52 12.7 Technical vulnerability management ...................................................................... 52 12.7.1 Configuration Management Policy and Procedures .................................... 52 12.7.2 Baseline Configuration ............................................................................... 52 12.7.3 Configuration Change Control .................................................................... 53 12.7.4 Monitoring Configuration Changes ............................................................. 53 12.7.5 Access Restrictions for Change ................................................................. 54 12.7.6 Network and Security Configuration Settings ............................................. 54 12.7.7 IACS Component Inventory ........................................................................ 54 12.7.8 System Maintenance Policy and Procedures .............................................. 55 12.7.9 Controlled Maintenance ............................................................................. 55 12.7.10 Maintenance Tools .................................................................................... 56 12.7.11 Remote Maintenance ................................................................................. 56 12.7.12 Maintenance Personnel ............................................................................. 57 12.7.13 Timely Maintenance ................................................................................... 
57 13 Incident Management ..................................................................................................... 58
229 230 231 232 233 234 235 236 237 238 239 240 241
13.1 Introduction ........................................................................................................... 58 13.2 Reporting Security Events and Weaknesses .......................................................... 58 13.2.1 {Requirement} ........................................................................................... 58 13.3 Management of Incidents and Improvements ......................................................... 58 13.3.1 Incident Response Policy and Procedures ................................................. 58 13.3.2 Incident Response Training ....................................................................... 58 13.3.3 Incident Response Testing and Exercises .................................................. 59 13.3.4 Incident Handling ....................................................................................... 59 13.3.5 Incident Monitoring .................................................................................... 59 13.3.6 Incident Reporting ..................................................................................... 60 13.3.7 Incident Response Assistance ................................................................... 60 13.3.8 IACS Monitoring Tools and Techniques ..................................................... 60 14 Business Continuity Management ................................................................................... 62
242 243 244 245 246 247 248 249 250 251 252 253 254
14.1 Introduction ........ 62
14.2 Security Aspects ........ 62
14.2.1 Contingency Planning Policy and Procedures ........ 62
14.2.2 Contingency Plan ........ 62
14.2.3 Contingency Training ........ 63
14.2.4 Contingency Plan Testing and Exercises ........ 63
14.2.5 Contingency Plan Update ........ 64
14.2.6 Alternate Storage Site ........ 64
14.2.7 Alternate Control Site ........ 64
14.2.8 IACS Backup ........ 65
14.2.9 IACS Recovery and Reconstruction ........ 65
14.2.10 Power Equipment and Cabling ........ 66
14.3 Telecommunications Services ........ 66
14.3.1 Emergency Shutoff ........ 66
14.3.2 Emergency Power ........ 67
14.3.3 Emergency Lighting ........ 67
14.3.4 Fire Protection ........ 67
14.3.5 Temperature and Humidity Controls ........ 68
14.3.6 Water Damage Protection ........ 68
15 Compliance ........ 68
15.1 General ........ 68
15.1.1 {Requirement} ........ 68
Annex A (informative) Foundational Requirements ........ 70
A.1 Overview ........ 70
A.2 FR1 Access Control ........ 70
A.3 FR2 Use Control ........ 70
A.4 FR3 Data Integrity ........ 70
A.5 FR4 Data Confidentiality ........ 70
A.6 FR5 Restrict Data Flow ........ 71
A.7 FR6 Timely Response to an Event ........ 71
A.8 FR7 Resource Availability ........ 71
Annex B (informative) Mapping Controls to Foundational Requirements ........ 72
B.1 Overview ........ 72
Bibliography ........ 73
FOREWORD
This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.
SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document. The following information comes from the IEC Directives. The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables. It consists of a general part and a specific part. The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e. a) the designation and name of the committee that prepared the document, b) information regarding the approval of the document, and c) information regarding the drafting conventions used, comprising a reference to this part of the ISO/IEC Directives. The specific part (supplied by the committee secretariat) shall give a statement of significant technical changes from any previous edition of the document and as many of the following as are appropriate: d) an indication of any other international organization that has contributed to the preparation of the document; e) a statement that the document cancels and replaces other documents in whole or in part; f) the relationship of the document to other documents (see 5.2.1.3); g) in IEC, an indication of the next stability date (see ISO/IEC Directives, IEC Supplement, 2010, 3.4).
This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.
INTRODUCTION
The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12]¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.
NOTE The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.
Context
Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment. This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.
Organizations deploying pre-existing information technology (IT) and business cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in the correct way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional and consequence analysis, and often an awareness of operational issues as well.
The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.
This International Standard provides interpretation guidelines for the implementation and management of information security management for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).
IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.
This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.
Audience
The audience for the information in this standard includes asset owners, those responsible for information security, system vendors, auditors, and application content providers. It provides them with a common set of general security control objectives based on ISO/IEC 27002, IACS specific controls, and information security management guidelines allowing for the selection and implementation of such controls.
¹ Numbers in square brackets refer to the Bibliography.
SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the “iecstd_us.dotm” and change the starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber). The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents. The following information comes from the IEC Directives. The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements. Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information. The introduction shall not be numbered unless there is a need to create numbered subdivisions. In this case, it shall be numbered 0, with subclauses being numbered 0.1, 0.2, etc. Any numbered figure, table, displayed formula or footnote shall be numbered normally beginning with 1.
1 Scope

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.

SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here. The following information comes from the IEC Directives. This element shall appear at the beginning of each document and define without ambiguity the subject of the document and the aspects covered, thereby indicating the limits of applicability of the document or particular parts of it. It shall not contain requirements. In documents that are subdivided into parts, the scope of each part shall define the subject of that part of the document only. The scope shall be succinct so that it can be used as a summary for bibliographic purposes. This element shall be worded as a series of statements of fact. Forms of expression such as the following shall be used: “This International Standard specifies the dimensions of …”, “… specifies a method of …”, “… specifies the characteristics of …”, “… establishes a system for …”, “… establishes general principles for …”, “… gives guidelines for …”, “… defines terms …”. Statements of applicability of the document shall be introduced by wording such as: “This International Standard is applicable to …”. The wording shall be altered as a function of the document type concerned, i.e. International Standard, Technical Specification, Publicly Available Specification, Technical Report or Guide.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISA‑99.01.01 – Security for industrial automation and control systems: Terminology, concepts and models
ISA‑99.02.01 – Security for industrial automation and control systems: Establishing an industrial automation and control systems security program
ISA‑99.03.02 – Security for industrial automation and control systems: Security assurance levels for zones and conduits
SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA-99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.
3 Terms, definitions, abbreviated terms, acronyms, and conventions
The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.
3.1.1
authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system

3.1.2
authenticity
property of being genuine and being able to be verified and trusted

NOTE It may also be defined as confidence in the validity of a transmission, a message, or message originator.

3.1.3
automatic
pertaining to a process or equipment that, under specified conditions, functions without human intervention

[IEV number 351-21-40]

3.1.4
availability
ensuring timely and reliable access to and use of information

[FIPS 199]

3.1.5
communication channel
logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone

3.1.6
confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

[FIPS 199]

3.1.7
connection
association established between two or more endpoints which supports the transfer of IACS specific data

3.1.8
consequence
outcome of an event

3.1.9
environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS
3.1.10
event
occurrence or change of a particular set of circumstances

3.1.11
external information systems
hardware, software components and repositories that are connected by some means or embedded within the component

3.1.12
IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS

3.1.13
impact
evaluated consequence of a particular event

3.1.14
industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits

3.1.15
integrity
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

[FIPS 199]

3.1.16
local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network

3.1.17
non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender’s identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information

3.1.18
remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)

3.1.19
remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment
3.1.20
role
set of connected behaviors, privileges and obligations associated to IACS users in a given situation

NOTE 1 The privileges to perform certain operations are assigned to specific roles.

NOTE 2 Role definitions must be distinguished in infrastructure role definitions (within a process), functional role definitions (part of an entity functions) or organizational role definition (a person position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.

3.1.21
security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, either intentionally designed computer components or accidentally inserted at any time during its lifecycle, and that the computer systems function in the intended manner

3.1.22
session
semi-permanent, stateful, interactive information interchange between two or more communicating devices

NOTE Typically a session has a clearly defined start process and end process.

3.1.23
threat
any circumstance or event with the potential to adversely affect organizational operations (including mission, functions, image or reputation), organizational assets, IACS or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service

3.1.24
trust
belief that an operation or data transaction source or process is secure and will perform as intended

3.1.25
untrusted
entity that has not met predefined requirements to be trusted

3.1.26
vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source

Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]

SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like “Adapted from …”.

3.2 Abbreviated terms and acronyms

This subclause defines the abbreviated terms and acronyms used in this document.
AC       Access Control
AES      Advanced encryption standard
API      Application programming interface
CA       Certification authority
CIP      Critical infrastructure protection
COTS     Commercial-off-the-shelf
DC       Data confidentiality
DI       Data integrity
DMZ      Demilitarized zone
DoS      Denial of service
FR       Foundational requirement
FTP      File transfer protocol
HSE      Health, safety, and environmental
HTTP     Hypertext transfer protocol
IACS     Industrial automation and control system(s)
ID       Identifier
IDS      Intrusion detection system
IEC      International Electrotechnical Commission
IEEE     Institute of Electrical and Electronics Engineers
IM       Instant messaging
IPS      Intrusion prevention system
ISO      International Organization for Standardization
IT       Information technology
NERC     North American Electric Reliability Corporation
NIST     U.S. National Institute of Standards and Technology
PDF      Portable document format
RA       Resource availability
RDF      Restrict data flow
RE       Requirement enhancement
SAL      Security assurance level
SIS      Safety instrumented system
SP       Special Publication (from NIST)
SR       System requirement
SuC      System under consideration
TRE      Timely response to an event
UC       Use control
US-CERT  U.S. Computer Emergency Readiness Team
USB      Universal serial bus
VoIP     Voice over internet protocol
3.3 Conventions
Much of the content of this standard is expressed in the form of specific requirements or controls. Each of these has a baseline requirement and zero or more requirement enhancements to strengthen security assurance. Rationale and supplemental guidance may be provided for each baseline requirement, and for any associated enhancement as is deemed necessary, to provide clarity to the reader.
SKELETON NOTE This sub-clause is where specific conventions used in the document, like specific clause/sub-clause formatting, special text conventions, or any other things that the reader should know in order to read the document. The reader may still need some introduction to conventions used throughout the document, but this sub-clause allows for a greater explanation in one place.
4 Overview

4.1 Structure
The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.
In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS specific guidance related to this control. IACS specific guidance and information is included in the following clauses:
– Organization of information security (clause 6)
– Asset management (clause 7)
– Human resources security (clause 8)
– Physical and environmental security (clause 9)
– Communications and operations management (clause 10)
– Access control (clause 11)
– Information systems acquisition, development and maintenance (clause 12)
– Information security incident management (clause 13)
– Business continuity management (clause 14)
4.2 Information security management in IACS

4.2.1 Goal

Industrial control systems and associated networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, information leakage, earthquake, fire or flood. These security threats may originate from inside or outside the control systems environment, resulting in damage to the organization.

Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.

Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.

4.2.2 IACS assets to be protected

In order to establish information security management, it is essential for an asset owner to clarify and identify all IACS related assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.
4.2.3 Establishment of information security management

4.2.3.1 How to establish security requirements

It is essential for asset owners to identify their security requirements. There are three main sources of security requirements as follows:

a) What is derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;

b) The legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;

c) The particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.

4.2.3.2 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

4.2.3.3 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level.

This standard provides guidance and IACS specific controls, in addition to general information security management, taking account of IACS specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.

The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.

4.2.3.4 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security in an industrial automation and control system:

a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;

b) an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;

c) visible support and commitment from all levels of management;

d) a good understanding of the security requirements, risk assessment, and risk management;

e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;

f) distribution of guidance on information security policy and standards to all managers, employees and other parties;

g) provision to fund information security management activities;

h) providing appropriate awareness, training, and education;

i) establishing an effective information security incident management process;

j) implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement.
5 Security Policy

5.1 Introduction

5.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6 Organization of Security

6.1 Introduction

6.2 Internal Organization

6.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6.3 External Parties

6.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
7 Asset Management
7.1 Introduction
7.2 Responsibility for Assets
7.2.1
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
7.3 Information Classification
7.3.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
8 Human Resources Security
8.1 Prior to Employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.
Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.
8.1.1 Roles and responsibilities
Control
Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.
Implementation guidance
Security roles and responsibilities should include the requirement to:
a) implement and act in accordance with the organization’s information security policies (see 5.1);
b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.
Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.
IACS-specific implementation guidance
Facilities should appoint staff who have the right credentials or appropriate knowledge and skills to be in charge of the supervision of matters related to the installation, maintenance and operation of IACS. The relevant staff should be notified of their assigned roles and responsibilities.
Other Information
Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
8.1.2 Screening
Control
Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Implementation guidance
Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:
a) availability of satisfactory character references, e.g. one business and one personal;
b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity check (passport or similar document);
e) more detailed checks, such as credit checks or checks of criminal records.
Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.
Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.
A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.
Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.
IACS-specific implementation guidance
Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]
8.1.3 Terms and conditions of employment
Control
As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.
Implementation guidance
The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:
a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);
c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);
d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;
e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);
f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);
g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).
The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).
IACS-specific implementation guidance
Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.
Other Information
A code of conduct may be used to cover the employee’s, contractor’s or third party user’s responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. The contractor or third party users may be associated with an external organization that may in turn be required to enter into contractual arrangements on behalf of the contracted individual.
8.2 During Employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.
8.2.1 Management responsibilities
Control
Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
Implementation guidance
Management responsibilities should include ensuring that employees, contractors and third party users:
a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) are provided with guidelines to state security expectations of their role within the organization;
c) are motivated to fulfil the security policies of the organization;
d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);
e) conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
f) continue to have the appropriate skills and qualifications.
IACS-specific implementation guidance
Management should ensure that individuals responsible for operating and maintaining IACS are included in the above mentioned activities.
Other Information
If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.
Poor management may cause personnel to feel undervalued resulting in a negative security impact to the organization. For example, poor management may lead to security being neglected or potential misuse of the organization’s assets.
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
8.2.2 Information security awareness, education, and training
Control
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation guidance
Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.
Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).
IACS-specific implementation guidance
Individuals responsible for operating and maintaining IACS should be included in the above mentioned activities and, where necessary, specific training should be developed for individuals in these roles.
Other Information
The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).
Training to enhance awareness is intended to allow individuals to recognize information security problems and incidents, and respond according to the needs of their work role.
8.2.3 Disciplinary process
The control objective and the contents from ISO/IEC 27002 clause 8.2.3 apply.
8.3 Termination or Change of Employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.
Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed as described in section 8.1.
8.3.1 Termination responsibilities
The control objective and the contents from ISO/IEC 27002 clause 8.3.1 apply.
8.3.2 Return of assets
The control objective and the contents from ISO/IEC 27002 clause 8.3.2 apply.
8.3.3 Removal of access rights
Control
The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Implementation guidance
Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities (see also 11.2.4), subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.
Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
a) whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason of termination;
f) the current responsibilities of the employee, contractor or any other user;
g) the value of the assets currently accessible.
IACS-specific implementation guidance
Other risk factors to be considered when reducing or removing access rights should include risks associated with disruption to IACS availability, plant protection, and plant operations.
Other Information
In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees, contractors and third party users involved to no longer share this information with the person departing.
In cases of management-initiated termination, disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use.
9 Physical and Environmental Security
9.1 Introduction
9.2 Secure Areas
9.2.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
9.3 Equipment Security
9.3.1 Physical Access Authorizations
Requirement:
The organization shall develop and keep current a list of personnel with authorized access to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and issue appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency].
Foundational Requirement:
Rationale/Supplemental Guidance: Appropriate authorization credentials include, for example, badges, identification cards, smart cards, keypad codes or biometric attributes. The organization promptly removes from the access list personnel no longer requiring access to the facility where the IACS resides.
Requirement Enhancements:
(1) Authorized access shall be adjusted for assignments in restricted areas or for personnel dismissal.
9.3.2 Physical Access Control
Requirement:
The organization shall control all physical access points (including designated entry/exit points) to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and verify individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing IACS. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational IACS may be located in areas designated as publicly accessible with access to such devices being appropriately controlled. The organization considers IACS safety and security interdependencies. The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to IACS facilities and assets to authorized individuals only.
Requirement Enhancements:
(1) The organization controls physical access to the IACS independent of the physical access controls for the facility. Identity verification is required for entry to the most secured IACS spaces.
Rationale/Supplemental Guidance: This requirement enhancement, in general, applies to server rooms, communications centers, telecommunication spaces, control rooms, instrument rack rooms, remote control rooms or any other areas within a facility containing large concentrations of IACS components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of IACS components or the impact level of the components. The requirement enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel.
FR1 Access Control
9.3.3 Access Control for Communication Medium
Requirement:
The organization shall control physical access to IACS distribution and communication lines within local organizational facilities.
Foundational Requirement:
Rationale/Supplemental Guidance: Physical protections applied to IACS distribution and communication lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted communications. Protective measures to control physical access to IACS distribution and communication lines include: (i) keeping endpoints or any access point in locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.
Requirement Enhancements: None.
9.3.4 Access Control for Display Medium
Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) Access displays shall be placed in such a manner to prevent others from viewing the display of clear text access information.
9.3.5 Monitoring Physical Access
Requirement:
The organization shall monitor physical access to the IACS to detect and respond to physical security incidents.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization’s incident response capability.
Requirement Enhancements:
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.
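As an added example (not part of the draft), the following Python reconciles a constructed facility access list against HR termination dates and reviews a constructed badge-reader log, covering the periodic access-list review of 9.3.1, the removal of departed individuals from group access lists in 8.3.3, and the physical access log review of 9.3.5. The badge IDs, area names, log format and the three-denials threshold are all assumptions.

```python
"""Access-list reconciliation and physical access log review for an IACS
facility. Added example, not from the draft; all data below is constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass
class Entry:
    """One line of the facility access list (9.3.1), joined with HR status."""
    badge: str
    name: str
    areas: frozenset                    # areas this credential is authorized for
    terminated: Optional[date] = None   # HR termination date, None if current


# Constructed access list; "ctrl_room" stands for a separately controlled
# IACS space (9.3.2 enhancement 1) that plain plant access does not cover.
ACCESS_LIST = [
    Entry("B100", "A. Operator", frozenset({"plant", "ctrl_room"})),
    Entry("B101", "B. Engineer", frozenset({"plant", "ctrl_room"}),
          terminated=date(2013, 4, 2)),
    Entry("B102", "C. Contractor", frozenset({"plant"})),
]
# Constructed shared/group access lists (8.3.3 Other Information): a departing
# person must also be removed from every group that still lists them.
GROUP_LISTS = {"shift_a": {"B100", "B101"}, "vendor_remote": {"B102"}}
# Date of this review run (assumption).
REVIEW_DATE = date(2013, 4, 3)

# Constructed badge-reader log: ISO timestamp, badge, area, reader decision.
ACCESS_LOG = """\
2013-04-03T07:58:10 B100 plant granted
2013-04-03T08:01:44 B100 ctrl_room granted
2013-04-03T09:15:02 B101 plant granted
2013-04-03T09:16:30 B102 ctrl_room denied
2013-04-03T09:17:05 B102 ctrl_room denied
2013-04-03T09:17:40 B102 ctrl_room denied
2013-04-03T10:40:00 B999 plant granted
"""


def parse_log(text):
    """Split the reader log into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, badge, area, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "area": area, "result": result})
    return events


def stale_list_entries(access_list, as_of):
    """Badges whose holder left on or before as_of but is still listed (9.3.1)."""
    return [e.badge for e in access_list
            if e.terminated is not None and e.terminated <= as_of]


def stale_group_members(access_list, groups, as_of):
    """Group lists that still contain a departed person (8.3.3)."""
    stale = set(stale_list_entries(access_list, as_of))
    return {name: sorted(members & stale)
            for name, members in groups.items() if members & stale}


def review_access_log(access_list, events, denied_threshold=3):
    """Findings a periodic log review (9.3.5) should hand to investigation.

    Returns (timestamp, badge, reason) tuples in log order."""
    by_badge = {e.badge: e for e in access_list}
    denied = Counter()
    findings = []
    for ev in events:
        entry = by_badge.get(ev["badge"])
        granted = ev["result"] == "granted"
        if entry is None:
            findings.append((ev["ts"], ev["badge"], "credential not on access list"))
        elif granted and entry.terminated and ev["ts"].date() >= entry.terminated:
            findings.append((ev["ts"], ev["badge"], "access granted after termination"))
        elif granted and ev["area"] not in entry.areas:
            findings.append((ev["ts"], ev["badge"],
                             "granted to unauthorized area " + ev["area"]))
        if not granted:
            # Repeated refusals at one reader are worth a look even though the
            # reader did its job; the threshold is an assumption.
            denied[ev["badge"]] += 1
            if denied[ev["badge"]] == denied_threshold:
                findings.append((ev["ts"], ev["badge"],
                                 f"{denied_threshold} denied attempts"))
    return findings


if __name__ == "__main__":
    print("remove from access list:", stale_list_entries(ACCESS_LIST, REVIEW_DATE))
    print("remove from groups:", stale_group_members(ACCESS_LIST, GROUP_LISTS, REVIEW_DATE))
    for ts, badge, reason in review_access_log(ACCESS_LIST, parse_log(ACCESS_LOG)):
        print(ts, badge, reason)
```

The three findings on the sample log (a departed badge still granted entry, repeated refusals at the control room door, and a credential the access list does not know) are exactly the cases the review step of 9.3.5 should pass to incident response.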
9.3.6 Visitor Control
Requirement:
The organization shall control physical access to the IACS by authenticating visitors before authorizing access to the facility where the IACS resides other than areas designated as publicly accessible.
Foundational Requirement:
Rationale/Supplemental Guidance: Personnel without permanent authorization or permanent duties, including physical access to an IACS, are considered visitors.
Requirement Enhancements:
(1) The organization escorts visitors and monitors visitor activity.
9.3.7 Access Records
Requirement:
The organization shall maintain visitor access records to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible). The detailed contents of these records are to be defined by the asset owner and their respective security policy. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency] and maintain those records for [Assignment: organization-defined periodicity].
Foundational Requirement:
Rationale/Supplemental Guidance: These logs are intended to support forensic investigation. Useful attributes would include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited.
Requirement Enhancements:
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
10 Communications and Operations Management
10.1 Introduction
10.2 Operational Procedures and Responsibilities
10.2.1 Automated Marking
Requirement:
The IACS shall mark output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.
Foundational Requirement:
Rationale/Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the IACS).
Requirement Enhancements: None.
10.3 Third Party Service Delivery Management
10.3.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.4 System planning and acceptance
10.4.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.5 Protection against malicious and mobile code
10.5.1 Malicious Code Protection
Requirement: The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential effect on the availability of the IACS. Updates are scheduled to occur during planned IACS outages. The organization considers IACS vendor recommendations for malicious code protection. To reduce malicious code, organizations remove the functions and services that should not be employed on the IACS (e.g., Voice Over Internet Protocol, Instant Messaging, File Transfer Protocol, Hyper Text Transfer Protocol, electronic mail, file sharing).
Requirement Enhancements: None.
10.5.2 Security Alerts and Advisories
Requirement: The organization shall receive IACS security alerts/advisories on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization documents the types of actions to be taken in response to security alerts/advisories. The organization also maintains contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.
Requirement Enhancements:
(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
10.6 Backup
10.6.1
{Requirement} Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.7 Network Security Management
10.7.1
{Requirement} Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.8 Media Handling
10.8.1 Media Protection Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection requirements.
Foundational Requirement:
Rationale/Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
10.8.2 Media Access
Requirement:
The organization shall restrict access to IACS media to authorized individuals.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access requirements where the media resides provide adequate protection.
Requirement Enhancements:
(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Foundational Requirement:
Rationale/Supplemental Guidance: This requirement enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).
10.8.3 Media Labeling
Requirement:
The organization shall: (i) affix external labels to removable IACS media and IACS output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempt [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].
Foundational Requirement:
Rationale/Supplemental Guidance: An organizational assessment of risk guides the selection of media requiring labeling. Organizations document in policy and procedures, the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media.
Requirement Enhancements: None.
10.8.4 Media Storage
Requirement:
The organization shall physically control and securely store IACS media within controlled areas.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS.
This requirement applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones, telephone systems (voicemail only)).
Organizations document in policy and procedures, the media requiring physical protection and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to have limited or no adverse impact on the organization or individuals if accessed by non-authorized personnel. The assumption is that the physical access controls to the facility where the media resides provide adequate protection. The organization protects IACS media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
As part of a defense-in-depth protection strategy, the organization considers routinely encrypting data at rest on selected secondary storage devices. The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by IACS users.
Requirement Enhancements: None.
10.8.5 Media Transport
Requirement:
The organization shall protect and control IACS media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).
Requirement Enhancements:
(1) The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].
Rationale/Supplemental Guidance: Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the $S_{system}^{target}$ categorization of the information residing on the media, and consistent with applicable laws, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.
(2) The organization documents, where appropriate, activities associated with the transport of IACS media using [Assignment: organization-defined system of records].
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
(3) The organization employs an identified custodian at all times to transport IACS media.
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
10.8.6 Media Sanitization and Disposal
Requirement:
The organization shall sanitize IACS media, both digital and non-digital, prior to disposal or release for reuse.
Foundational Requirement:
Rationale/Supplemental Guidance: Sanitization is the process used to remove information from IACS media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The National Security Agency provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.
Requirement Enhancements:
(1) The organization tracks, documents, and verifies media sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.
10.8.7 Access Control for Display Medium
Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.
10.8.8 Public Key Infrastructure Certificates
Requirement:
Where public key cryptography is utilized, the organization shall determine what appropriate interfaces are required with existing public key infrastructure under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Foundational Requirement:
Rationale/Supplemental Guidance: Registration to receive a public key certificate needs to include authorization by a supervisor or a responsible official and needs to be accomplished using a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party.
Requirement Enhancements: None.
10.9 Exchange of Information
10.9.1
{Requirement} Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.10 Electronic Commerce Services
10.10.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
10.11 Monitoring
10.11.1 Audit and Accountability Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular IACS, when required. The parameters to be monitored are a local matter. Of those parameters it is strongly recommended to consider false positives (e.g., how many times did an authorized entity get hindered or prevented from performing its function).
Requirement Enhancements: None.
10.11.2 Auditable Events
Requirement: The organization periodically reviews and updates the list of organization-defined auditable events.
Foundational Requirement:
Rationale/Supplemental Guidance: The purpose of this requirement is to identify important events which need to be audited as significant and relevant to the security of the IACS. The security audit function is usually coordinated with the network health and status monitoring function which may be in a different zone. Commonly recognized and accepted checklists and configuration guides should be considered when compiling a list of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents.
Requirement Enhancements: None.
10.11.3 Audit Monitoring, Analysis and Reporting
Requirement:
The organization shall regularly review/analyze IACS audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.
Foundational Requirement:
Rationale/Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the IACS whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Requirement Enhancements:
(1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
(2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
10.11.4 Audit Record Retention
Requirement:
The organization shall retain audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes.
Requirement Enhancements: None.
11 Access Control
11.1 Introduction
11.2 Business Requirement
11.2.1 Access Control Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
11.2.2 System and Information Integrity Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity requirements.
Foundational Requirement:
Rationale/Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
11.2.3 Flaw Remediation
Requirement:
The organization shall identify, report, and correct IACS flaws.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization identifies IACS containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s IACS before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or IACS error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. The flaw remediation process shall be consistent with certification, safety and regulatory testing requirements.
Requirement Enhancements:
(1) The organization centrally manages the flaw remediation process and installs updates automatically.
(2) The organization employs automated mechanisms to periodically and upon demand determine the state of IACS components with regard to flaw remediation.
11.3 User Access Management
11.3.1 Account Management
Foundational Requirement:
Requirement:
The organization reviews accounts [Assignment: organization-defined frequency, at least annually]. A history of account changes shall be maintained, even if only manually.
Foundational Requirement:
Rationale/Supplemental Guidance: Account management might include identification of account types (i.e., individual, role, system, and device-based), establishment of conditions for group membership, and assignment of associated authorizations. In certain IACS instances, where the organization has determined that individual accounts are unnecessary from a risk-analysis and/or regulatory aspect, shared accounts are acceptable as long as adequate compensating controls (such as limited physical access) are in place and documented.
Non-user accounts (sometimes termed service accounts) that are utilized for process-to-process communication (for example, an HMI connecting to a database) typically require different security policies from human user accounts.
The organization identifies authorized users of the IACS and specifies access rights/privileges. The organization grants access to the IACS based on:
(i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all functional and security criteria; and
(ii) intended system usage. The organization requires proper identification for requests to establish accounts and approves all such requests.
(iii) The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when IACS users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured.
(iv) Account managers are also notified when users’ IACS usage or need-to-know/need-to-share changes. In cases where accounts are role-based, i.e., the workstation, hardware, and/or field devices define a user role, access to the IACS includes physical security policies and procedures based on organization risk assessment.
(v) In cases where physical access to the workstation, hardware, and/or field devices predefine privileges, the organization implements physical security policies, and procedures based on organization risk assessment. Account management may include additional account types (e.g., role-based, device-based, attribute-based). The organization removes, changes, disables, or otherwise secures default accounts.
Requirement Enhancements:
(1) The organization has policies and procedures to terminate guest or temporary accounts after [Assignment: organization-defined time period for each type of account].
(2) The organization has policies and procedures to disable inactive accounts after [Assignment: organization-defined time period].
(3) The organization employs mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
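The account review procedure of 11.3.1 and its enhancements (1) to (3) above, as an added Python example that is not code from the draft or from ISA; the organization-defined periods, the account kinds and the inventory it reviews are assumed or constructed values.

```python
"""Periodic account review for an IACS account inventory, following 11.3.1 and its
enhancements (1) to (3): terminate guest/temporary accounts after their period, disable
inactive accounts, keep a history of account changes, and notify account managers.
Added example, not code from the draft or from ISA; the organization-defined periods,
the account kinds and the inventory below are assumed/constructed values.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

# Organization-defined parameters, left as [Assignment: ...] in the draft (assumed here).
MAX_AGE_DAYS = {"guest": 1, "temporary": 30}  # enhancement (1): period per account type
INACTIVITY_DAYS = 90                           # enhancement (2): disable after this idle time


@dataclass
class Account:
    name: str
    kind: str                        # individual, role, service, device, shared, guest, temporary, default
    enabled: bool
    created: date
    last_used: Optional[date]        # None if the account has never been used
    owner_active: bool = True        # False once the user is terminated or transferred
    compensating_controls: str = ""  # documented controls required for a shared account


@dataclass
class Finding:
    account: str
    action: str   # "terminate", "disable" or "review"
    reason: str


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Apply the 11.3.1 rules to every enabled account and return the actions they call for."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue
        age_days = (today - a.created).days
        idle_days = (today - a.last_used).days if a.last_used else age_days
        if a.kind in MAX_AGE_DAYS and age_days > MAX_AGE_DAYS[a.kind]:
            findings.append(Finding(a.name, "terminate",
                                    f"{a.kind} account exceeded {MAX_AGE_DAYS[a.kind]} day limit"))
        elif not a.owner_active:
            findings.append(Finding(a.name, "disable", "user terminated or transferred"))
        elif a.kind == "default":
            findings.append(Finding(a.name, "disable", "default account still enabled"))
        elif a.kind == "shared" and not a.compensating_controls:
            findings.append(Finding(a.name, "review", "shared account lacks documented compensating controls"))
        elif a.kind != "service" and idle_days > INACTIVITY_DAYS:
            # service accounts (process-to-process, e.g. HMI to database) follow a separate policy
            findings.append(Finding(a.name, "disable", f"inactive for {idle_days} days"))
    return findings


def apply_findings(accounts: List[Account], findings: List[Finding], history: List[Dict[str, str]],
                   today: date, actor: str) -> List[str]:
    """Disable or terminate flagged accounts, append every change to the history (the draft
    requires a history of account changes) and return the notices for account managers
    (enhancement (3))."""
    by_name = {a.name: a for a in accounts}
    notices = []
    for f in findings:
        if f.action in ("disable", "terminate"):
            by_name[f.account].enabled = False
        history.append({"date": today.isoformat(), "account": f.account, "action": f.action,
                        "reason": f.reason, "by": actor})
        notices.append(f"{today.isoformat()} account manager: {f.action} {f.account} ({f.reason})")
    return notices


# Constructed inventory and reference date for the example.
TODAY = date(2013, 4, 15)
INVENTORY = [
    Account("op_jdoe", "individual", True, date(2011, 1, 10), date(2013, 4, 14)),
    Account("op_asmith", "individual", True, date(2011, 1, 10), date(2012, 12, 1)),  # idle > 90 days
    Account("eng_bwong", "individual", True, date(2012, 6, 1), date(2013, 4, 1), owner_active=False),
    Account("hmi_db_svc", "service", True, date(2010, 3, 3), None),                   # never "logs in"
    Account("control_room", "shared", True, date(2010, 3, 3), date(2013, 4, 15),
            compensating_controls="control room physical access restricted and logged"),
    Account("vendor_tmp", "temporary", True, date(2013, 2, 1), date(2013, 4, 10)),    # 73 days old
    Account("guest", "guest", True, date(2013, 4, 10), date(2013, 4, 10)),             # 5 days old
    Account("admin", "default", True, date(2010, 3, 3), None),
]


def run_review(today: date = TODAY):
    """Review a copy of the constructed inventory; returns (findings, history, notices)."""
    accounts = [replace(a) for a in INVENTORY]
    history: List[Dict[str, str]] = []  # append-only record of account changes
    findings = review_accounts(accounts, today)
    notices = apply_findings(accounts, findings, history, today, "account-review-job")
    return findings, history, notices
```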
11.3.2 Separation of Duties
Foundational Requirement:
Requirement:
When assigning permissions and/or roles to users, the organization shall obey the separation of duties as outlined in its security policy.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Examples of separation of duties include:
(i) mission functions and distinct IACS support functions are divided among different individuals/roles;
(ii) different individuals perform IACS support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security);
(iii) security personnel who administer access control functions do not administer audit functions.
Requirement Enhancements: None.
11.4 User Responsibilities
11.4.1
{Requirement} Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
11.5 Network Access Control
11.5.1 Least Privilege
Foundational Requirement:
Requirement:
The organization shall enforce the set of rights/privileges or accesses, as required by ISA 99.02.xx, needed by the asset owner (or processes acting on behalf of asset owners) for the performance of specified tasks.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization employs the concept of least privilege for specific duties and IACS (zones and conduits) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.
Requirement Enhancements: None.
11.5.2 Permitted Actions Without Identification or Authentication
Foundational Requirement:
Requirement:
The organization shall identify and document (log) specific IACS user actions that can be performed on the IACS without additional identification or authentication, if and only if prior identification and authentication have already occurred.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization may allow limited IACS user activity without identification and authentication for corrective actions (e.g., emergency). The intent is to prevent repeated unnecessary identification and/or authentication.
Requirement Enhancements:
(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.
11.5.3 Remote Access
Foundational Requirement:
Requirement:
The organization shall authorize all methods of remote access to the IACS.
Foundational Requirement:
Rationale/Supplemental Guidance: Remote access is any access to an IACS by an IACS user (human user, process, or device) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access to IACS component locations (e.g., control center, field locations) is only enabled when approved by the organization.
Requirement Enhancements:
1542 1543
(1) The organization controls all remote accesses through a limited number of managed access control points.
1544 1545 1546
(2) The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the IACS. 11.5.4 Use of External Information Systems
Foundational Requirement:

Requirement:

The organization shall establish terms and conditions for authorized individuals to: (i) access the IACS from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.

Foundational Requirement:

Rationale/Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants) and privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports).

Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational IACS. The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address as a minimum: (i) the types of applications that can be accessed on the organizational IACS from the external information system; and (ii) the maximum capable system category of information that can be transmitted to or processed and stored on the external information system.

Requirement Enhancements:

(1) The organization prohibits authorized individuals from using an external information system to access the IACS or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (ii) has approved IACS connection or processing agreements with the organizational entity hosting the external information system.

(2) The organization provides a domain of filtered control for access by external IACS users, and limits access only to this domain.

(3) The organization provides a separate domain of information for read-only or download-only access by external IACS users and limits access only to this domain.
11.6 Operating System Access Control
11.6.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
11.7 Application and Information Access Control
11.7.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
11.8 Mobile Computing and Teleworking
11.8.1 Wireless Access Restrictions

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance for wireless technologies.

Foundational Requirement:

Rationale/Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio [UHF/VHF], 802.11x, 802.15.4 (ZigBee, WirelessHART, ISA100.11a), and Bluetooth.

Requirement Enhancements:

(1) The organization shall deploy continuous passive monitoring for unauthorized wireless access points and take appropriate action if such access points are discovered.

Foundational Requirement:

Rationale/Supplemental Guidance: At the time of publication of this document, these access points are typically based on 802.11x technology. In the future, this will change and thus other wireless technologies will need to be monitored as well. Regardless, organizations should conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact IACS. The scan should involve the entire facility, not just areas containing a high-impact IACS.
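The following is an added example, not part of the standard, showing how the passive-monitoring enhancement above can be turned into a check: a wireless survey (constructed here as a few lines of BSSID, SSID, channel and signal strength) is compared against the organization's authorized access-point inventory. The inventory, SSIDs, MAC addresses and the signal-strength threshold are assumed values; the point is the classification logic, in particular that an organization SSID broadcast from unknown hardware is reported separately from an unrelated neighbouring network.

```python
"""Compare a wireless survey against the authorized access-point inventory.

Added example (constructed data); not part of ISA-62443-2-2.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # radio MAC address, normalized to lower case
    ssid: str
    channel: int
    rssi_dbm: int   # signal strength as seen by the monitoring sensor


# Constructed authorized inventory for a hypothetical plant: BSSID -> SSID
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "PLANT-OT",
    "00:11:22:33:44:02": "PLANT-OT",
    "00:11:22:33:44:10": "PLANT-CORP",
}
ORG_SSIDS = set(AUTHORIZED_APS.values())

# Assumed: anything stronger than this is probably inside the facility.
INSIDE_THRESHOLD_DBM = -65

# Constructed survey output, one observed radio per line:
# BSSID SSID channel RSSI(dBm)
SURVEY = """\
00:11:22:33:44:01 PLANT-OT 6 -48
00:11:22:33:44:02 PLANT-OT 11 -61
AA:BB:CC:DD:EE:01 PLANT-OT 6 -40
de:ad:be:ef:00:01 Guest_Free_WiFi 1 -72
00:11:22:33:44:10 PLANT-CORP 36 -55
"""


def parse_survey(text):
    """Parse the constructed survey format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, rssi = line.split()
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), int(rssi)))
    return aps


def classify(ap):
    """Return a finding category for one observed access point."""
    if ap.bssid in AUTHORIZED_APS:
        if AUTHORIZED_APS[ap.bssid] != ap.ssid:
            # Our radio, but not broadcasting the SSID we configured.
            return "authorized-radio-unexpected-ssid"
        return "authorized"
    if ap.ssid in ORG_SSIDS:
        # Known network name from unknown hardware: treat as impersonation.
        return "ssid-impersonation"
    if ap.rssi_dbm > INSIDE_THRESHOLD_DBM:
        return "unknown-strong-signal"
    return "unknown-weak-signal"


def review(text):
    """Group non-authorized observations by finding category."""
    findings = {}
    for ap in parse_survey(text):
        category = classify(ap)
        if category != "authorized":
            findings.setdefault(category, []).append(ap.bssid)
    return findings


if __name__ == "__main__":
    for category, bssids in review(SURVEY).items():
        print(category, bssids)
```

A real deployment would feed this from a wireless IDS sensor or periodic site survey rather than a string, and would also track channel and signal changes of authorized radios over time; the inventory itself must be kept under the change control described later in this clause so that a newly installed radio is authorized before it appears in the survey.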
11.8.2 Use Control for Portable and Mobile Devices
Foundational Requirement:

Requirement:

The organization shall produce implementation guidance for organization-controlled portable and mobile devices.

Foundational Requirement:

Rationale/Supplemental Guidance: Portable and mobile devices may introduce undesired network traffic, malware and/or information exposure, and thus there should be specific control associated with their usage in the typical IACS environment.

Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity) are only allowed access to the IACS in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).

Requirement Enhancements: None.
11.8.3 Mobile Code

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance regarding the use of mobile code technologies based on the potential to cause damage to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the IACS. For example, mobile code exchanges might be disallowed directly with the IACS, but rather in a controlled adjacent information environment maintained by IACS personnel.

Requirement Enhancements: None.
11.8.4 Supervision and Review – Use Control
Foundational Requirement:

Requirement:

The organization shall supervise and review the activities of IACS users with respect to the enforcement and usage of IACS assets.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual IACS-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of IACS users with significant IACS roles and responsibilities. The extent of the audit record reviews is based on the impact level of the IACS. For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers and when specific circumstances warrant review of other audit records.

Requirement Enhancements:

(1) The organization develops a baseline of normal IACS user behavior and allowable variances, and employs automated mechanisms to facilitate the review of user activities.
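As an added illustration of enhancement (1), not taken from the standard, the script below reviews a handful of constructed user-activity log lines against a per-role baseline (permitted hours, workstations, actions and daily allowances) and produces a list of findings for the reviewer, with users in significant roles placed first. The log format, the roles and every baseline value are assumptions chosen for the example.

```python
"""Review IACS user-activity records against a baseline of normal behaviour.

Added example with constructed data; not part of ISA-62443-2-2.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: timestamp user role workstation action
AUDIT_LOG = """\
2013-04-02T08:05:10 operator1 operator HMI-01 login
2013-04-02T08:06:30 operator1 operator HMI-01 setpoint_change
2013-04-02T14:20:00 operator2 operator HMI-02 login
2013-04-02T23:45:12 operator1 operator ENG-03 login
2013-04-02T23:46:40 operator1 operator ENG-03 config_download
2013-04-02T09:12:00 engineer1 engineer ENG-01 login
2013-04-02T09:15:00 engineer1 engineer ENG-01 config_download
2013-04-02T09:16:00 engineer1 engineer ENG-01 firmware_update
2013-04-02T10:00:00 engineer1 engineer ENG-01 config_download
"""

# Baseline of normal behaviour and allowable variances per role (assumed values).
BASELINE = {
    "operator": {
        "hours": range(6, 22),
        "hosts": {"HMI-01", "HMI-02"},
        "actions": {"login", "setpoint_change", "alarm_ack"},
        "max_per_day": {"config_download": 0},
    },
    "engineer": {
        "hours": range(6, 22),
        "hosts": {"ENG-01", "ENG-02"},
        "actions": {"login", "config_download", "firmware_update"},
        "max_per_day": {"firmware_update": 2, "config_download": 1},
    },
}

# Roles whose activity is reviewed more frequently and in full.
SIGNIFICANT_ROLES = {"engineer"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, role, host, action)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, host, action = line.split()
        records.append((datetime.fromisoformat(ts), user, role, host, action))
    return records


def review_activity(text):
    """Return findings as (user, role, reason) tuples in log order, then daily-count findings."""
    findings = []
    counts = defaultdict(int)
    for ts, user, role, host, action in parse_log(text):
        profile = BASELINE[role]
        if ts.hour not in profile["hours"]:
            findings.append((user, role, f"{action} at {ts:%H:%M} outside baseline hours"))
        if host not in profile["hosts"]:
            findings.append((user, role, f"{action} from non-baseline host {host}"))
        if action not in profile["actions"]:
            findings.append((user, role, f"action {action} not in role baseline"))
        counts[(ts.date(), user, role, action)] += 1
    # Allowable variances: a permitted action becomes a finding when it exceeds its daily allowance.
    for (day, user, role, action), n in sorted(counts.items()):
        limit = BASELINE[role]["max_per_day"].get(action)
        if limit is not None and n > limit:
            findings.append((user, role, f"{n} x {action} on {day} exceeds allowance of {limit}"))
    return findings


def triage(findings):
    """Order the review queue so that significant roles are looked at first."""
    return sorted(findings, key=lambda f: (f[1] not in SIGNIFICANT_ROLES, f[0]))


if __name__ == "__main__":
    for user, role, reason in triage(review_activity(AUDIT_LOG)):
        print(f"{user:10} {role:9} {reason}")
```

The baseline here is static; in practice it is derived from a learning period and then frozen and reviewed, because a baseline that silently follows current behaviour would also learn an intrusion as normal.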
11.8.5 Identification and Authentication Policy and Procedures

Foundational Requirement:

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls for IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures the identification and authentication policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
11.8.6 Identifier Management
Foundational Requirement:

Requirement:

The organization shall manage identifiers by user, group, role, and/or system interface. An appropriate organization official or group is responsible for authorizing the issuance of user identifiers, issuing the user identifier to the intended party, and archiving user identifiers.

Foundational Requirement:

Rationale/Supplemental Guidance: Identifiers are distinguished from the privileges which they permit an entity to perform within a specific IACS control domain/zone (see also 2.6, Authenticator Management). Where users function as a single group (e.g., control room operators), user identification may be role-based, group-based, or device-based. For some IACS, the capability for immediate operator interaction is critical. Local emergency actions for the IACS must not be hampered by identification requirements. Access to these systems may be restricted by appropriate compensating security mechanisms. Identifiers may be required on portions of the IACS but not necessarily the entire system.

For very high SAL level IACS the requirement for maximum control is increased, not decreased. Security measures that have the potential to cause loss of control in process operations are not acceptable. In these cases, to maintain the higher SAL levels, compensating measures external to the IACS (e.g. additional physical security measures and/or enhanced personnel background checks) will be needed. In these cases, it may be possible to see a normally high SAL level IACS at a lower SAL 1 or 2 rating, depending upon the compensating controls. Lockout or loss of control due to security measures is not acceptable in high availability IACS.

Requirement Enhancements:

(1) The organization shall verify the identity of each IACS user. This verification may be maintained separately from the IACS (such as by the appropriate HR group).

11.8.7 Authenticator Management

Foundational Requirement:

Requirement: The organization shall establish administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.
Foundational Requirement:

Rationale/Supplemental Guidance: IACS authenticators include, for example, tokens, Public Key certificates, biometrics, passwords, physical keys, and key cards. IACS users should take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. In the case of a process or device, such users should also take measures to protect their IACS authenticators.

If the IACS is required to have a high level of availability, measures must be taken to maintain this high level of availability (e.g. compensating physical controls, duplicate keys, supervisory override). Lockout or loss of control due to security measures is not acceptable.

Requirement Enhancements: None.

11.8.8 Software and Information Integrity

Requirement: The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement complements related Access Control requirements. Access Control involves enforcing the roles, permissions, and use patterns as designed. Integrity verification methods are employed to detect, record, report, and protect against the effects of software and information tampering that may occur if other protection mechanisms (e.g. Access Control) have been circumvented.

Requirement Enhancements: None.
11.8.9 Information Input Restrictions
Requirement:

Restrictions on entities authorized to input information to the IACS may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.10 Error Handling

Requirement:

The extent to which the IACS identifies and handles error conditions shall be guided by organizational policy and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.11 Information Output Handling and Retention
Requirement:
The organization shall handle and retain output from the IACS in accordance with applicable laws, directives, policies, regulations, standards, and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.12 Boundary Protection

Requirement:

The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services.

Foundational Requirement:

Rationale/Supplemental Guidance: Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting communication services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

Requirement Enhancements:

(1) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
12 Systems acquisition, development and maintenance
12.1 Introduction

12.2 Security requirements of information systems

12.2.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
12.3 Correct Processing in Applications
12.3.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
12.4 Cryptographic Controls
12.4.1 Cryptographic Module Validation

Requirement: If cryptography is required, the IACS shall employ validated cryptographic modules that applicable laws, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module may require.

Foundational Requirement:

Rationale/Supplemental Guidance: The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. The most effective safeguard in the procurement process is to use a cryptographic module validated by a recognized third-party authority, e.g. the Cryptographic Module Validation Program.

Requirement Enhancements: None.
12.5 Security of System Files
12.5.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
12.6 Security in development and support processes
12.6.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
12.7 Technical vulnerability management
12.7.1 Configuration Management Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
12.7.2 Baseline Configuration

Requirement: The organization shall develop, document, and maintain a current baseline configuration of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement establishes a baseline configuration for the IACS. The baseline configuration provides information about a particular component's makeup (e.g., the standard software load for a workstation or notebook computer including updated patch information) and the component's logical placement within the IACS architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the IACS is built; deviations, if required, are documented in support of mission needs/objectives.

Requirement Enhancements:

(1) The organization updates the baseline configuration of the IACS as an integral part of IACS component installations.

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the IACS.
12.7.3 Configuration Change Control

Requirement: The organization shall authorize, document, and control changes to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization manages configuration changes to the IACS using an organizationally approved process. Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the IACS, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the IACS include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the IACS.

Requirement Enhancements:

(1) The organization employs automated mechanisms to: (i) document proposed changes to the IACS; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the IACS.

(2) The organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures that testing does not interfere with IACS functions. The individual/group conducting the tests fully understands the organizational information security policies and procedures, the IACS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production IACS may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an IACS must be taken off-line for testing, the tests are scheduled to occur during planned IACS outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production IACS, the organization employs compensating controls (e.g., providing a replicated system to conduct testing).
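The automated mechanism described in enhancement (1), covering points (i) to (v), can be modelled as a small change ledger. The following is an added example and not the standard's own material; the change identifier, the approver roles, the 48-hour approval window and the scenario in `demo()` are all assumed. The ledger refuses to mark a change as applied while an approval, the security analysis result or the test evidence required by enhancement (2) is still missing, and it records every attempt for the audit trail.

```python
"""Change-control ledger: a change cannot be applied until all approvals are on record.

Added example (constructed scenario); not part of ISA-62443-2-2.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_SLA = timedelta(hours=48)   # assumed: how long an approval may stay pending


@dataclass
class ChangeRequest:
    change_id: str
    target: str                      # IACS component affected
    description: str
    required_approvers: frozenset    # approval authorities that must sign off
    submitted: datetime
    emergency: bool = False          # emergency changes go through the same process
    approvals: dict = field(default_factory=dict)   # approver -> time approved
    security_analysis_passed: bool = False
    test_evidence: str = ""          # reference to results from the test system
    applied_at: datetime = None


class ChangeControl:
    def __init__(self):
        self.ledger = {}             # (i) every proposed change is documented here
        self.audit_trail = []        # (when, event, change_id, who)

    def _log(self, when, event, change_id, who=""):
        self.audit_trail.append((when, event, change_id, who))

    def propose(self, cr):
        """(i) Record the proposal; (ii) return the authorities to be notified."""
        self.ledger[cr.change_id] = cr
        self._log(cr.submitted, "proposed", cr.change_id)
        return sorted(cr.required_approvers)

    def approve(self, change_id, approver, when):
        cr = self.ledger[change_id]
        if approver not in cr.required_approvers:
            raise PermissionError(f"{approver} is not an approval authority for {change_id}")
        cr.approvals[approver] = when
        self._log(when, "approved", change_id, approver)

    def overdue(self, now):
        """(iii) Unapplied changes whose approvals are still pending past the SLA."""
        return sorted(cid for cid, cr in self.ledger.items()
                      if cr.applied_at is None
                      and (cr.required_approvers - set(cr.approvals))
                      and now - cr.submitted > APPROVAL_SLA)

    def blockers(self, change_id):
        """Everything that still prevents the change from being applied."""
        cr = self.ledger[change_id]
        reasons = [f"approval pending: {a}"
                   for a in sorted(cr.required_approvers - set(cr.approvals))]
        if not cr.security_analysis_passed:
            reasons.append("security impact analysis not passed")
        if not cr.test_evidence:
            reasons.append("no test/validation evidence recorded")
        return reasons

    def apply(self, change_id, when, operator):
        """(iv) Inhibit the change until blockers are cleared; (v) record completion."""
        reasons = self.blockers(change_id)
        if reasons:
            self._log(when, "blocked", change_id, operator)
            return ("blocked", reasons)
        self.ledger[change_id].applied_at = when
        self._log(when, "applied", change_id, operator)
        return ("applied", [])


def demo():
    """Constructed walk-through: one change, first blocked, then overdue, then applied."""
    cc = ChangeControl()
    t0 = datetime(2013, 4, 1, 9, 0)
    cr = ChangeRequest("CR-0042", "PLC-7 firmware", "vendor patch for comms stack",
                       frozenset({"ot_lead", "security"}), t0)
    cc.propose(cr)
    cc.approve("CR-0042", "ot_lead", t0 + timedelta(hours=2))
    first = cc.apply("CR-0042", t0 + timedelta(hours=3), "tech1")
    late = cc.overdue(t0 + timedelta(days=3))
    cc.approve("CR-0042", "security", t0 + timedelta(days=3, hours=1))
    cr.security_analysis_passed = True
    cr.test_evidence = "TEST-0042 on replicated PLC"
    second = cc.apply("CR-0042", t0 + timedelta(days=3, hours=2), "tech1")
    return first, late, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In a real implementation the ledger would be the system of record that the deployment tooling consults before pushing a configuration, so that "inhibit change" is enforced technically rather than by procedure alone.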
12.7.4 Monitoring Configuration Changes
Requirement:

The organization shall conduct security impact analyses to determine the effects of configuration changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the IACS for potential adverse security consequences. After the IACS is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the IACS. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the IACS.

Requirement Enhancements: None.
12.7.5 Access Restrictions for Change
Requirement:

The organization shall: (i) approve individual access privileges and enforce physical and logical access restrictions associated with changes to the IACS; and (ii) generate, retain, and review records reflecting all such changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the IACS can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to IACS components for purposes of initiating changes, including upgrades and modifications.

Requirement Enhancements:

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
12.7.6 Network and Security Configuration Settings

Requirement: The IACS vendor shall provide guidelines for recommended network and security configurations. The organization shall, based upon guidelines provided by the vendor: (i) establish mandatory network and security configuration settings for IACS components; (ii) configure these settings to the most restrictive mode consistent with operational requirements; (iii) document these settings; and (iv) enforce these settings in all components of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: These configuration settings are the adjustable parameters of the IACS components.

Requirement Enhancements:

(1) The organization shall employ automated mechanisms to centrally manage, apply, and verify configuration settings.
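As an added example of the "verify" part of enhancement (1), not drawn from the standard, the script below checks exported settings from two constructed components against a mandatory settings table. Each mandatory setting carries a comparison rule so that a component configured more restrictively than the baseline (a shorter session timeout, a longer minimum password) passes rather than being reported as a deviation. The setting names, the export format, the syslog address and both component exports are assumptions made for the example.

```python
"""Verify component configuration exports against the mandatory settings baseline.

Added example with constructed data; not part of ISA-62443-2-2.
"""

# Mandatory settings (assumed). "rule" says how an actual value may deviate:
#   eq: must match exactly
#   le: actual must be <= expected (smaller is more restrictive, e.g. timeouts)
#   ge: actual must be >= expected (larger is more restrictive, e.g. key lengths)
MANDATORY = {
    "telnet_enabled":      {"expect": False,       "rule": "eq"},
    "ftp_enabled":         {"expect": False,       "rule": "eq"},
    "https_only":          {"expect": True,        "rule": "eq"},
    "session_timeout_min": {"expect": 15,          "rule": "le"},
    "password_min_length": {"expect": 12,          "rule": "ge"},
    "snmp_version":        {"expect": 3,           "rule": "ge"},
    "syslog_server":       {"expect": "10.0.5.20", "rule": "eq"},
}

# Constructed configuration exports, key=value per line, '#' comments allowed.
FLEET = {
    "plc-01": """\
telnet_enabled=off
ftp_enabled=off
https_only=on
session_timeout_min=10
password_min_length=14
snmp_version=3
syslog_server=10.0.5.20
""",
    "switch-07": """\
telnet_enabled=on
ftp_enabled=off
https_only=on
session_timeout_min=60
password_min_length=8
snmp_version=2
# syslog_server not configured
""",
}


def coerce(value):
    """Turn common boolean spellings and integers into typed values; keep the rest as text."""
    low = value.lower()
    if low in ("true", "yes", "on", "enabled"):
        return True
    if low in ("false", "no", "off", "disabled"):
        return False
    try:
        return int(value)
    except ValueError:
        return value


def parse_config(text):
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = coerce(value.strip())
    return settings


def _is_number(v):
    return isinstance(v, int) and not isinstance(v, bool)


def check_component(text):
    """Return (setting, actual, expected) for every mandatory setting not met.

    A missing setting is reported with actual=None: absent is not the same as enforced.
    """
    settings = parse_config(text)
    deviations = []
    for key, spec in MANDATORY.items():
        if key not in settings:
            deviations.append((key, None, spec["expect"]))
            continue
        actual, expected, rule = settings[key], spec["expect"], spec["rule"]
        if rule == "eq":
            ok = actual == expected
        elif rule == "le":
            ok = _is_number(actual) and actual <= expected
        else:  # "ge"
            ok = _is_number(actual) and actual >= expected
        if not ok:
            deviations.append((key, actual, expected))
    return deviations


def check_fleet(fleet):
    """Map component name -> list of deviations; an empty list means compliant."""
    return {name: check_component(text) for name, text in fleet.items()}


if __name__ == "__main__":
    for name, deviations in check_fleet(FLEET).items():
        print(name, "compliant" if not deviations else deviations)
```

Running this from the central configuration manager against every component in the inventory of 12.7.7 gives the documented evidence that settings (iii) and (iv) of the requirement are actually in force, not only written down.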
12.7.7 IACS Component Inventory

Requirement:
The organization shall develop, document, and maintain a current inventory of the components of the IACS and relevant ownership information.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization determines the appropriate level of granularity for the IACS components included in the inventory that are subject to management control (i.e., tracking, and reporting). The inventory of IACS components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the IACS.

Requirement Enhancements:

(1) The organization updates the inventory of IACS components as an integral part of component installations.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of IACS components.
12.7.8 System Maintenance Policy and Procedures
Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, IACS maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the IACS maintenance policy and associated system maintenance controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The IACS maintenance policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The IACS maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
12.7.9 Controlled Maintenance Requirement: The organization shall schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the IACS in accordance with vendor, system integrator, and/or organizational specifications and requirements.
1992
Foundational Requirement:
1993 1994 1995 1996 1997 1998 1999
Rationale/Supplemental Guidance: All maintenance activities, including routine, scheduled maintenance and repairs, are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. Organizational officials approve the removal of the IACS or IACS components from the facility when repairs are necessary. If the IACS or a component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the IACS, the organization checks all potentially affected security controls to verify that the controls are still functioning properly.
Requirement Enhancements:
(1) The organization maintains maintenance records for the IACS that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).
(2) The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.
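The following is an added example, not text or code from ISA-62443-2-2: it models a maintenance record carrying the five fields of enhancement (1) and performs the post-maintenance check of 12.7.9 (that potentially affected security controls still function) as a before/after comparison of control settings. The control names, record values, and the hashing approach are assumptions made for this illustration.

```python
"""Added example (not part of ISA-62443-2-2): a controlled-maintenance record
with the fields listed in 12.7.9 enhancement (1), plus the post-maintenance
check that potentially affected security controls still function, done here
as a before/after comparison of control settings. Names and sample values
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional
import hashlib
import json


@dataclass
class MaintenanceRecord:
    date_time: datetime                      # (i) date and time of maintenance
    performed_by: str                        # (ii) individual performing the maintenance
    description: str                         # (iv) description of the maintenance performed
    escort_required: bool = False
    escort: Optional[str] = None             # (iii) escort, if necessary
    equipment_removed: List[str] = field(default_factory=list)  # (v) ids removed/replaced

    def validate(self) -> List[str]:
        """Return the list of record defects; an empty list means the record is complete."""
        problems = []
        if not self.performed_by.strip():
            problems.append("name of individual performing maintenance is missing")
        if not self.description.strip():
            problems.append("description of maintenance is missing")
        if self.escort_required and not self.escort:
            problems.append("escort was required but is not recorded")
        return problems


def control_fingerprint(controls: Dict[str, object]) -> Dict[str, str]:
    """Hash each security-relevant setting so the maintenance log can hold a
    comparable baseline without storing the raw configuration values."""
    return {
        name: hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()
        for name, value in controls.items()
    }


def verify_controls_after_maintenance(baseline: Dict[str, object],
                                      after: Dict[str, object]) -> List[str]:
    """Names of controls that changed or disappeared during maintenance.
    An empty result means every control in the baseline still matches."""
    before_fp = control_fingerprint(baseline)
    after_fp = control_fingerprint(after)
    return sorted(name for name in before_fp if after_fp.get(name) != before_fp[name])


# Constructed sample: control settings captured before and after a vendor visit.
BASELINE_CONTROLS = {
    "firewall_rules": ["allow tcp/502 from 10.0.1.0/24 to plc-01"],
    "remote_shell_enabled": False,
    "hmi_accounts": ["operator", "engineer"],
    "logging_forwarded": True,
}
AFTER_CONTROLS = {
    "firewall_rules": ["allow tcp/502 from 10.0.1.0/24 to plc-01"],
    "remote_shell_enabled": True,                            # left on by the technician
    "hmi_accounts": ["operator", "engineer", "vendor-tmp"],  # temporary account not removed
    "logging_forwarded": True,
}


def run_example() -> Dict[str, List[str]]:
    """Validate a sample record and run the post-maintenance control check."""
    record = MaintenanceRecord(
        date_time=datetime(2013, 4, 2, 9, 0),
        performed_by="J. Smith (vendor field engineer)",
        description="Replaced PLC-01 CPU module and reloaded firmware",
        escort_required=True,               # vendor has no standing access authorization
        escort=None,                        # defect: escort not recorded
        equipment_removed=["PLC-01-CPU-SN0001"],
    )
    return {
        "record_problems": record.validate(),
        "drifted_controls": verify_controls_after_maintenance(BASELINE_CONTROLS, AFTER_CONTROLS),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The drift list is what the organization reviews before returning the component to service; each entry is a control that must be restored or explicitly accepted.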
12.7.10 Maintenance Tools
Requirement:
The organization shall approve, control, and monitor the use of IACS maintenance tools and maintain the tools on an ongoing basis.
Foundational Requirement:
Rationale/Supplemental Guidance: The intent of this requirement is to address hardware and software brought into the IACS specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support IACS maintenance, yet are a part of the system (e.g., the software implementing “ping”, “ls”, “ipconfig” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this requirement.
Requirement Enhancements:
(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
Foundational Requirement:
Rationale/Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the IACS.
(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the IACS.
(3) The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.
(4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
12.7.11 Remote Maintenance
Requirement:
The organization shall authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed.
Foundational Requirement:
Rationale/Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). The use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the IACS. The organization maintains records for all remote maintenance and diagnostic activities. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) encryption and decryption of communications; (ii) strong identification and authentication techniques; and (iii) remote disconnect verification. When remote maintenance is completed, the organization (or IACS in certain cases) terminates all sessions and remote connections invoked in the performance of that activity. If password-based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service. The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.
Requirement Enhancements:
(1) The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.
(2) The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the IACS.
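An added example, not part of ISA-62443-2-2: a review of a constructed remote-maintenance session log against the points 12.7.11 and its enhancement (1) raise, namely that each session was authorized before it opened, that every session was terminated when the service ended (remote disconnect verification), and that a password-authenticated account was changed after each service. The log format, field names, and gateway behaviour are assumptions for this illustration.

```python
"""Added example (not part of ISA-62443-2-2): an audit over a constructed
remote-maintenance session log, checking what 12.7.11 asks for: each session
was authorized before it opened, each session was terminated when the work
finished (remote disconnect verification), and a password-authenticated
account was changed after each service. Log format and field names are
assumptions made for this example."""
import json
from datetime import datetime
from typing import List, Tuple

# Constructed JSON-lines log from a hypothetical remote-access gateway.
SAMPLE_LOG = """
{"ts": "2013-04-02T09:00:00", "event": "session_open", "session": "rm-101", "account": "vendor_a", "auth": "password", "authorized": true}
{"ts": "2013-04-02T10:30:00", "event": "session_close", "session": "rm-101", "account": "vendor_a"}
{"ts": "2013-04-02T10:35:00", "event": "password_changed", "account": "vendor_a"}
{"ts": "2013-04-02T11:00:00", "event": "session_open", "session": "rm-102", "account": "vendor_b", "auth": "password", "authorized": false}
{"ts": "2013-04-02T11:20:00", "event": "session_close", "session": "rm-102", "account": "vendor_b"}
{"ts": "2013-04-02T13:00:00", "event": "session_open", "session": "rm-103", "account": "vendor_a", "auth": "certificate", "authorized": true}
""".strip().splitlines()

AUDIT_TIME = datetime(2013, 4, 2, 18, 0)   # when the reviewer runs the audit


def parse_events(lines: List[str]) -> List[dict]:
    """One JSON object per line; returned in time order."""
    events = [json.loads(line) for line in lines if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def audit_remote_sessions(lines: List[str], audit_time: datetime) -> List[Tuple[str, str]]:
    """Return (session id, finding) pairs for organizational review."""
    findings = []
    open_sessions = {}        # session id -> the open event
    pending_rotation = {}     # account -> session whose service requires a password change
    for event in parse_events(lines):
        kind = event["event"]
        if kind == "session_open":
            if not event.get("authorized", False):
                findings.append((event["session"], "session opened without prior authorization"))
            open_sessions[event["session"]] = event
        elif kind == "session_close":
            opened = open_sessions.pop(event["session"], None)
            if opened is None:
                findings.append((event["session"], "close event without a matching open"))
            elif opened.get("auth") == "password":
                pending_rotation[opened["account"]] = event["session"]
        elif kind == "password_changed":
            # A change only clears the obligation created by an already closed session.
            pending_rotation.pop(event["account"], None)
    for session in open_sessions:
        findings.append((session, "still open at %s: remote disconnect not verified"
                         % audit_time.isoformat()))
    for account, session in pending_rotation.items():
        findings.append((session, "password for %s not changed after service" % account))
    return sorted(findings)


def audit_sample() -> List[Tuple[str, str]]:
    return audit_remote_sessions(SAMPLE_LOG, AUDIT_TIME)


if __name__ == "__main__":
    for session, finding in audit_sample():
        print(session, "-", finding)
```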
12.7.12 Maintenance Personnel
Requirement:
The organization shall allow only authorized personnel to perform maintenance on the IACS.
Foundational Requirement:
Rationale/Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the IACS when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability. When maintenance personnel do not have needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the IACS.
Requirement Enhancements: None.
12.7.13 Timely Maintenance
Requirement:
The organization shall obtain maintenance support and spare parts for [Assignment: organization-defined list of key IACS components] within [Assignment: organization-defined time period] of failure.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.
13 Incident Management
13.1 Introduction
13.2 Reporting Security Events and Weaknesses
13.2.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
13.3 Management of Incidents and Improvements
13.3.1 Incident Response Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
13.3.2 Incident Response Training
Requirement:
The organization shall train personnel in their incident response roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.
13.3.3 Incident Response Testing and Exercises
Requirement:
The organization shall test and/or exercise the incident response capability for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and document the results.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
Foundational Requirement:
Rationale/Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the incident response capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability.
13.3.4 Incident Handling
Requirement:
The organization shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Foundational Requirement:
Rationale/Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.
Requirement Enhancements:
(1) The organization employs automated mechanisms to support the incident handling process.
13.3.5 Incident Monitoring
Requirement:
The organization shall track and document IACS security incidents on an ongoing basis.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
13.3.6 Incident Reporting
Requirement:
The organization shall promptly report incident information to appropriate authorities.
Foundational Requirement:
Rationale/Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The United States Computer Emergency Readiness Team (US-CERT) maintains the IACS Security Center at http://www.uscert.gov/control_systems. In addition to incident information, weaknesses and vulnerabilities in the IACS are reported to appropriate organizational officials in a timely manner to prevent security incidents.
Requirement Enhancements:
(1) The organization employs automated mechanisms to assist in the reporting of security incidents.
13.3.7 Incident Response Assistance
Requirement:
The organization shall provide an incident response support resource that offers advice and assistance to users of the IACS for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
Foundational Requirement:
Rationale/Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.
Requirement Enhancements:
(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.
13.3.8 IACS Monitoring Tools and Techniques
Requirement:
The organization shall determine the required granularity of the information collected based upon its monitoring objectives and the capability of the IACS to support such activities. This includes monitoring inbound and outbound communications for unusual or unauthorized activities or conditions.
Foundational Requirement:
Rationale/Supplemental Guidance: Organizations consult appropriate legal counsel with regard to all IACS monitoring activities. Organizations heighten the level of IACS monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Requirement Enhancements:
(1) The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
14 Business Continuity Management
14.1 Introduction
14.2 Security Aspects
14.2.1 Contingency Planning Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
14.2.2 Contingency Plan
Requirement:
The organization shall develop and implement a contingency plan for the IACS addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the IACS or communication with operational facilities, the IACS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure). These examples are not exhaustive.
Requirement Enhancements:
(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
Foundational Requirement:
Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.
14.2.3 Contingency Training
Requirement:
The organization shall train personnel in their contingency roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.
14.2.4 Contingency Plan Testing and Exercises
Requirement:
The organization shall: (i) test and/or exercise the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and (ii) review the contingency plan test/exercise results and initiate corrective actions.
Foundational Requirement:
Rationale/Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the $S^{target}_{system}$ level of the IACS. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
Requirement Enhancements:
(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Foundational Requirement:
Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.
(3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the IACS and supported missions.
14.2.5 Contingency Plan Update
Requirement:
The organization shall review the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] and revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
Foundational Requirement:
Rationale/Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the IACS. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
Requirement Enhancements: None.
14.2.6 Alternate Storage Site
Requirement:
The organization shall identify an alternate storage site and initiate necessary agreements to permit the storage of IACS backup information.
Foundational Requirement:
Rationale/Supplemental Guidance: The frequency of IACS backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives.
Requirement Enhancements:
(1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.
(2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
14.2.7 Alternate Control Site
Requirement:
The organization shall identify an alternate control site and initiate necessary agreements to permit the resumption of IACS operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.
Foundational Requirement:
Rationale/Supplemental Guidance: Equipment and supplies required to resume operations within the organization-defined time period are either available at the alternate site or contracts are in place to support delivery to the site. Timeframes to resume IACS operations are consistent with organization-established recovery time objectives.
Requirement Enhancements:
(1) The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(4) The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.
14.2.8 IACS Backup
Requirement:
The frequency of IACS backups and the transfer rate of backup information to alternate storage sites (if so designated) shall be consistent with the organization’s recovery time objectives and recovery point objectives.
Foundational Requirement:
Rationale/Supplemental Guidance: Availability of up-to-date backups is essential for recovery from IACS failure and mis-configuration. Automating this function ensures that all required files are captured, reducing operator overhead.
An organizational assessment of risk guides the use of encryption for backup information. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the $S^{target}_{system}$ level.
Requirement Enhancements:
(1) The organization selectively uses backup information in the restoration of IACS functions as part of contingency plan testing.
(2) The organization stores backup copies of the operating system and other critical IACS software in a separate facility or in a fire-rated container that is not collocated with the operational software.
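An added example, not part of ISA-62443-2-2, showing why 14.2.8 ties both backup frequency and the transfer rate to the alternate storage site to the recovery point objective: the exposure that matters for recovery at the alternate site runs from a snapshot to the moment the next off-site copy is usable, not just from snapshot to snapshot. The backup log, the objectives, and the measured restore time are constructed values.

```python
"""Added example (not part of ISA-62443-2-2): checks whether a backup
arrangement satisfies the recovery point objective (RPO) and recovery time
objective (RTO) that 14.2.8 ties backup frequency and transfer rate to. The
backup log and the objectives are constructed values for illustration."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: (snapshot taken, copy available at the alternate storage site).
SAMPLE_BACKUPS: List[Tuple[datetime, datetime]] = [
    (datetime(2013, 4, 1, 0, 0), datetime(2013, 4, 1, 3, 0)),
    (datetime(2013, 4, 1, 12, 0), datetime(2013, 4, 1, 15, 0)),
    (datetime(2013, 4, 2, 0, 0), datetime(2013, 4, 2, 9, 0)),    # slow transfer: 9 h
    (datetime(2013, 4, 2, 12, 0), datetime(2013, 4, 2, 15, 0)),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def longest_snapshot_interval_hours(backups) -> float:
    """Naive view: the largest gap between successive snapshots."""
    snaps = sorted(s for s, _ in backups)
    return max(_hours(b - a) for a, b in zip(snaps, snaps[1:]))


def worst_case_data_loss_hours(backups) -> float:
    """Exposure that counts for recovery at the alternate site.
    If the primary site fails just before an off-site copy becomes available,
    recovery uses the previous off-site copy, so the data that can be lost
    spans from that earlier snapshot to the later copy's arrival."""
    ordered = sorted(backups, key=lambda b: b[1])     # by off-site availability
    worst = 0.0
    for (prev_snapshot, _), (_, next_available) in zip(ordered, ordered[1:]):
        worst = max(worst, _hours(next_available - prev_snapshot))
    return worst


def evaluate_backup_plan(backups, rpo_hours: float, rto_hours: float,
                         measured_restore_hours: float) -> Dict[str, object]:
    """Compare the achieved exposure with the objectives. The restore time is
    what contingency plan testing (enhancement (1)) measured for a full
    restoration from the off-site copy."""
    loss = worst_case_data_loss_hours(backups)
    return {
        "snapshot_interval_hours": longest_snapshot_interval_hours(backups),
        "worst_case_loss_hours": loss,
        "rpo_met": loss <= rpo_hours,
        "rto_met": measured_restore_hours <= rto_hours,
    }


def evaluate_sample() -> Dict[str, object]:
    # Constructed objectives: 12 h RPO, 8 h RTO, restore measured at 6 h in testing.
    return evaluate_backup_plan(SAMPLE_BACKUPS, rpo_hours=12, rto_hours=8,
                                measured_restore_hours=6)


if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(key, "=", value)
```

With snapshots every 12 hours the naive interval check passes a 12-hour RPO, but the slow transfer on 2 April stretches the off-site exposure to 21 hours, so the objective is not met.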
14.2.9 IACS Recovery and Reconstruction
Requirement:
None.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested and functional.
Requirement Enhancements:
(1) The organization shall include a full recovery and reconstitution of the IACS as part of contingency plan testing.
14.2.10 Power Equipment and Cabling
Requirement:
The organization shall protect power equipment and power cabling for the IACS from damage and destruction.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs redundant and parallel power cabling paths.
14.3 Telecommunications Services
Requirement:
The organization shall identify primary and alternate telecommunications services to support the IACS and initiate necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Foundational Requirement:
Rationale/Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).
Requirement Enhancements:
(1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
(3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.
(4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.
14.3.1 Emergency Shutoff
Requirement:
The IACS shall provide, for specific locations within a facility containing concentrations of IACS resources, the capability of shutting off power to any IACS component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.
Foundational Requirement:
Rationale/Supplemental Guidance: Facilities containing concentrations of IACS resources may include, for example, data centers, server rooms, and mainframe rooms. Emergency shutoff capabilities are typically integrated with SIS systems, if present (e.g. automated fail-safe shutdown sequences).
Requirement Enhancements:
(1) The IACS shall protect the emergency power-off capability from accidental or unauthorized activation.
14.3.2 Emergency Power
Requirement:
The organization shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS in the event of a primary power source loss.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
2432 2433 2434
(1) The organization provides a long-term alternate power supply for the IACS that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
2435 2436 2437
(2) The organization provides a long-term alternate power supply for the IACS that is self contained and not reliant on external power generation.
2438
14.3.3 Emergency Lighting

Requirement:

The organization shall employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.
14.3.4 Fire Protection

Requirement:

The organization shall employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.

Foundational Requirement:

Rationale/Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Requirement Enhancements:

(1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.

(2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.

(3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.
14.3.5 Temperature and Humidity Controls

Requirement:

The organization shall maintain the temperature and humidity within the facility where the IACS resides at acceptable levels and shall monitor them regularly.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.
14.3.6 Water Damage Protection

Requirement:

The organization shall protect the IACS from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs mechanisms that, without the need for manual intervention, protect the IACS from water damage in the event of a significant water leak.
15 Compliance

15.1 General

15.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
Annex A (informative) Foundational Requirements

A.1 Overview

This annex is intended to provide guidance to the reader as to the relevance of the SRs.

A.2 FR1 ACCESS CONTROL

Identify and authenticate IACS users (incl. human users, processes, and devices), assign them to a pre-defined role, and allow them access to the system or assets.

Rationale: Asset owners will have to develop a list of IACS users and to determine for each device the required level of access control protection. The goal of access control is to protect the system by verifying the identity of a user requesting the access to a device of the system before activating the communication. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some devices on a communication channel require strong access control, i.e. a strong authentication mechanism, and others do not. By extension, access control requirements need to be extended to data at rest.

A.3 FR2 USE CONTROL

Enforce the assigned privileges of an authenticated IACS user to perform the requested action on the system or assets, and monitor the use of these privileges.

Rationale: Asset owners will have to assign to each IACS user the privileges defining the authorized use of the system. The goal of use control is to protect against unauthorized actions on IACS resources by verifying that the necessary privileges are granted before allowing the action to be performed. Examples of actions are reading or writing data, downloading a program, setting configuration, etc. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some IACS resources require strong use control protection, i.e. restrictive privileges, and others do not. By extension, use control requirements need to be extended to data at rest.

A.4 FR3 DATA INTEGRITY

Ensure the integrity of information on communication channels and in data repositories to prevent unauthorized manipulation.

Rationale: Using the organization’s risk assessment methodology, asset owners will “select” communication channels that require strong integrity protection. Derived prescriptive recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some communication channels require strong integrity protection and others do not. By extension, data integrity requirements need to be extended to data at rest; i.e. protecting the integrity of data that resides in selected repositories.

A.5 FR4 DATA CONFIDENTIALITY

Ensure the confidentiality of information on communication channels and in data repositories to prevent dissemination.

Rationale: Some IACS generated information, whether at rest or in transit, is of a confidential/sensitive nature. This implies that some communication channels and data stores require protection against eavesdropping and unauthorized access.
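The mixed-mode behaviour that the FR1 and FR2 rationales describe (some devices require strong authentication and others do not; privileges are checked before an action is allowed; privilege use is monitored) can be made concrete in a small policy check. The following Python block is an added example and is not part of any ISA-62443 document or reference implementation: the device names, user names, passwords, one-time token values, role names and privilege names are all constructed for illustration.

```python
"""Mixed-mode access control (FR1) and use control (FR2) for IACS assets.

Added example; not taken from any ISA-62443 document. Each device declares
the authentication strength it requires (some need strong authentication,
others do not), each user is mapped to a pre-defined role, every requested
action is checked against that role's privileges, and every use or attempted
use of a privilege is written to an audit log for monitoring. User names,
passwords, token values, device names and privilege names are constructed.
"""
import hmac
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class AuthStrength(IntEnum):
    PASSWORD = 1        # single factor: acceptable for low-consequence devices
    PASSWORD_TOKEN = 2  # password plus one-time token: "strong" authentication


@dataclass(frozen=True)
class Device:
    name: str
    required_strength: AuthStrength  # set per device from the risk assessment


@dataclass(frozen=True)
class Credential:
    user: str
    password: str
    token: Optional[str] = None  # second factor, supplied only when the user has one


# Constructed user list: password, one-time token (None = not enrolled), assigned role.
USERS = {
    "operator1": {"password": "op-pass", "token": None, "role": "operator"},
    "eng1": {"password": "eng-pass", "token": "123456", "role": "engineer"},
}

# Constructed role-to-privilege mapping: the privileges define the authorised use.
ROLE_PRIVILEGES = {
    "operator": {"read_data", "write_setpoint"},
    "engineer": {"read_data", "write_setpoint", "download_program", "set_configuration"},
}


@dataclass
class AuditLog:
    """Record of every privilege use attempt: (user, device, action, outcome)."""
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user: str, device: str, action: str, outcome: str) -> None:
        self.entries.append((user, device, action, outcome))


def authenticate(cred: Credential) -> Optional[AuthStrength]:
    """Verify the credential and return the strength it achieved, or None on failure."""
    rec = USERS.get(cred.user)
    if rec is None or not hmac.compare_digest(rec["password"], cred.password):
        return None
    if (cred.token is not None and rec["token"] is not None
            and hmac.compare_digest(rec["token"], cred.token)):
        return AuthStrength.PASSWORD_TOKEN
    return AuthStrength.PASSWORD


def request_action(cred: Credential, device: Device, action: str, audit: AuditLog) -> bool:
    """FR1, then FR2: identity is verified before the device is reached, then the
    role's privileges are checked before the action is allowed. Every outcome is logged."""
    strength = authenticate(cred)
    if strength is None:
        audit.record(cred.user, device.name, action, "denied: authentication failed")
        return False
    if strength < device.required_strength:
        audit.record(cred.user, device.name, action, "denied: authentication too weak for device")
        return False
    role = USERS[cred.user]["role"]
    if action not in ROLE_PRIVILEGES.get(role, set()):
        audit.record(cred.user, device.name, action, "denied: privilege not granted to role")
        return False
    audit.record(cred.user, device.name, action, "allowed")
    return True


def denied_attempts(audit: AuditLog) -> List[Tuple[str, str, str, str]]:
    """Monitoring hook: the denied entries are what an operator would review."""
    return [e for e in audit.entries if e[3] != "allowed"]
```

The ordering matters: the strength check runs before any privilege lookup, so a single-factor login can never reach a device that the risk assessment has marked as requiring strong authentication, regardless of the user's role. The audit log captures denials as well as successes, which is the "monitor the use of these privileges" part of FR2.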
A.6 FR5 RESTRICT DATA FLOW

Segment the system via zones and conduits to limit the unnecessary flow of data.

Rationale: Using the organization’s risk assessment methodology, asset owners will determine necessary information flow restrictions and thus by extension determine the configuration of the conduits used to deliver these data. Derived prescriptive recommendations and guidelines should include mechanisms that range from disconnecting control networks from business or public networks to using stateful firewalls and DMZs to manage the flow of information.

A.7 FR6 TIMELY RESPONSE TO AN EVENT

Respond to security violations by notifying the proper authority, reporting needed forensic evidence of the violation, and taking timely corrective action when incidents are discovered.

Rationale: Using the organization’s risk assessment methodology, asset owners will establish policies and proper lines of communication and control needed to respond to security violations. Derived prescriptive recommendations and guidelines should include mechanisms that collect, report and automatically correlate the forensic evidence to ensure timely corrective action. The use of monitoring tools and techniques must not adversely affect the operational performance of the IACS.

A.8 FR7 RESOURCE AVAILABILITY

Ensure the availability of the system or assets against the denial of essential services.

Rationale: The aim of this series of System Requirements is to ensure that the system is resilient against various types of Denial of Service events. This includes the unavailability of system functionality at various levels.
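The FR5 rationale above speaks of determining the conduits between zones and of mechanisms ranging from disconnection to stateful firewalls and a DMZ. One way to check that observed traffic actually stays within the defined conduits is to express the zones and conduits as data and evaluate flow records against them. The Python block below is an added example, not taken from any ISA-62443 document; the zone names, address ranges, conduit ports and flow records are all constructed, and the historian port number is an assumption made only for the illustration.

```python
"""Zone-and-conduit flow policy check (FR5, restrict data flow).

Added example, not from any ISA-62443 document. Zones are constructed IP
ranges, conduits are the explicitly permitted (source zone, destination zone,
protocol, destination port) paths between zones, and evaluate() classifies a
flow record so that traffic crossing a zone boundary without a defined conduit
can be reported. Zone names, subnets, ports and flow records are assumptions.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed zone model: one enterprise zone, one DMZ, one control zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}


class Conduit(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Constructed conduit allow-list: enterprise reaches a replica in the DMZ over
# HTTPS, and the DMZ replica collects from the control zone on one assumed port.
# There is deliberately no conduit from enterprise straight into control.
CONDUITS = {
    Conduit("enterprise", "dmz", "tcp", 443),
    Conduit("dmz", "control", "tcp", 5450),  # assumed historian collection port
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it falls outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Classify a flow as 'intra-zone', 'conduit', 'no-conduit' or 'unknown-zone'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"
    if src_zone == dst_zone:
        return "intra-zone"  # inside one zone; conduit policy does not apply
    if Conduit(src_zone, dst_zone, flow.proto, flow.dst_port) in CONDUITS:
        return "conduit"
    return "no-conduit"


def find_violations(flows: List[Flow]) -> List[Flow]:
    """Flows that cross a zone boundary outside any conduit, or involve an unknown zone."""
    return [f for f in flows if evaluate(f) in ("no-conduit", "unknown-zone")]


# Constructed flow records, as might be exported from a boundary firewall.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),         # enterprise -> DMZ, permitted
    Flow("10.2.0.10", "192.168.10.5", "tcp", 5450),     # DMZ -> control, permitted
    Flow("10.1.5.20", "192.168.10.5", "tcp", 502),      # enterprise -> control, no conduit
    Flow("192.168.10.5", "192.168.10.6", "tcp", 502),   # within the control zone
    Flow("203.0.113.9", "192.168.10.5", "tcp", 502),    # source outside every zone
]
```

Running `find_violations(SAMPLE_FLOWS)` returns the third and fifth records: the enterprise-to-control flow that bypasses the DMZ, and the flow from an address that belongs to no defined zone. Both are the kind of finding that feeds back into the risk assessment the rationale describes, either as a conduit that needs to be added deliberately or as traffic that the boundary device should be blocking.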
Annex B (informative) Mapping Controls to Foundational Requirements

B.1 Overview

This annex is intended to provide guidance to the reader as to the relevance of the specific controls to the various foundational requirements.

NOTE This annex will be completed as part of the final document generation after the primary content has been finalized.
BIBLIOGRAPHY

NOTE This bibliography includes references to sources used in the creation of this standard as well as references to sources that may aid the reader in developing a greater understanding of cyber security as a whole and developing a management system. Not all references in this bibliography are referred to throughout the text of this standard. The references have been broken down into different categories depending on the type of source they are.

References to other parts, both existing and anticipated, of the ISA‑62443 series:

NOTE Some of these references are normative references (see Clause 2), published documents, in development, or anticipated. They are all listed here for completeness of the anticipated parts of the ISA‑62443 series.

[1] ANSI/ISA‑62443-1-1-2007, Security for industrial automation and control systems: Terminology, concepts and models

[2] ANSI/ISA‑TR62443-1-2, Security for industrial automation and control systems: Master glossary of terms and abbreviations

[3] ANSI/ISA‑62443-1-3, Security for industrial automation and control systems: System security compliance metrics

[4] ANSI/ISA‑62443-2-1-2009, Security for industrial automation and control systems: Establishing an industrial automation and control system security program

[5] ANSI/ISA‑TR62443-2-3, Security for industrial automation and control systems: Patch management in the IACS environment

[6] ANSI/ISA‑TR62443-3-1-2007, Security for industrial automation and control systems: Security technologies for industrial automation and control systems

[7] ANSI/ISA‑62443-3-2, Security for industrial automation and control systems: Target security assurance levels for zones and conduits

[8] ANSI/ISA‑62443-3-3, Security for industrial automation and control systems: System security requirements and security assurance levels

[9] ANSI/Error! Unknown document property name., Security for industrial automation and control systems: Product development requirements

[10] ANSI/ISA‑62443-4-1, Security for industrial automation and control systems: Embedded devices

[11] ANSI/ISA‑62443-4-2, Security for industrial automation and control systems: Host devices

Other standards references:

[12] ISO/IEC Directives, Part 2, Rules for the structure and drafting of International Standards