ISA-62443-2-2-WD



Short Description

Security for industrial automation and control systems. Implementation Guidance for an IACS Security Management System...

Description

THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS. IT MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P. O. Box 12277 Research Triangle Park, North Carolina 27709 USA

FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES:

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.


ISA‑62443-2-2, D1E4, April 2013


ISA99, WG02, TG02


ISA‑62443-2-2 Security for industrial automation and control systems: Implementation Guidance for an IACS Security Management System. Draft 1, Edit 4, April 2013

Text appearing red italics should be considered editorial comments, provided as an aid in the preparation of the document. It will be removed before the draft is completed.


ISA, 67 Alexander Drive, P. O. Box 12277, Research Triangle Park, NC 27709 USA

ISA
Security for industrial automation and control systems
ISBN: -to-be-assigned-

Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.


PREFACE


This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.


This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected]


The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.


It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.


CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.


Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.


However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.


Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.



The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:

Name                        Company        Contributor    Reviewer
, WG/TG Chair                              X
, Lead Editor                              X


CONTENTS

77

79

PREFACE ............................................................................................................................... 5

80

FORWORD ........................................................................................................................... 12

81

INTRODUCTION ................................................................................................................... 13

82 83 84

1

Context ........................................................................................................................... 13 Audience ........................................................................................................................ 13 Scope ............................................................................................................................. 15

85

2

Normative references ..................................................................................................... 15

86

3

Terms, definitions, abbreviated terms, acronyms, and conventions ................................. 16

4

3.1 Terms and definitions ............................................................................................ 16 3.2 Abbreviated terms and acronyms ........................................................................... 18 3.3 Conventions .......................................................................................................... 19 Overview ........................................................................................................................ 21

87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

4.1 4.2

5

Structure ............................................................................................................... 21 Information security management in IACS ............................................................. 21 4.2.1 Goal .......................................................................................................... 21 4.2.2 IACS assets to be protected ...................................................................... 21 4.2.3 Establishment of information security management.................................... 22 Security Policy ................................................................................................................ 23 5.1

6

Introduction ........................................................................................................... 23 5.1.1 {Requirement} ........................................................................................... 23 Organization of Security ................................................................................................. 23 6.1 6.2

7

Introduction ........................................................................................................... 23 Internal Organization ............................................................................................. 23 6.2.1 {Requirement} ........................................................................................... 23 6.3 External Parties ..................................................................................................... 23 6.3.1 {Requirement} ........................................................................................... 23 Asset Management ......................................................................................................... 24 7.1 7.2

8

Introduction ........................................................................................................... 24 Responsibility for Assets ....................................................................................... 24 7.2.1 {Requirement} ........................................................................................... 24 7.3 Information Classification ...................................................................................... 24 7.3.1 {Requirement} ........................................................................................... 24 Human Resources Security ............................................................................................ 24 8.1

8.2

Prior to Employment .............................................................................................. 24 8.1.1 Roles and responsibilities .......................................................................... 24 8.1.2 Screening .................................................................................................. 25 8.1.3 Terms and conditions of employment ......................................................... 26 During Employment ............................................................................................... 27 8.2.1 Management responsibilities ...................................................................... 27 8.2.2 Information security awareness, education, and training ............................ 28 8.2.3 Disciplinary process ................................................................................... 29

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

78

ISA‑62443-2-2, D1E4, April 2013

ISA99, WG02, TG02

8.3

9

Termination or Change of Employment .................................................................. 29 8.3.1 Termination responsibilities ....................................................................... 29 8.3.2 Return of assets ........................................................................................ 29 8.3.3 Removal of access rights ........................................................................... 29 Physical and Environmental Security .............................................................................. 30

125 126 127 128 129 130 131 132 133 134 135 136

9.1 9.2

Introduction ........................................................................................................... 30 Secure Areas ........................................................................................................ 30 9.2.1 {Requirement} ........................................................................................... 30 9.3 Equipment Security ............................................................................................... 30 9.3.1 Physical Access Authorizations ................................................................. 30 9.3.2 Physical Access Control ............................................................................ 31 9.3.3 Access Control for Communication Medium ............................................... 31 9.3.4 Access Control for Display Medium ............................................................ 32 9.3.5 Monitoring Physical Access ....................................................................... 32 9.3.6 Visitor Control ............................................................................................ 32 9.3.7 Access Records ......................................................................................... 32 10 Communications and Operations Management ............................................................... 33

137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164

10.1 Introduction ........................................................................................................... 33 10.2 Operational Procedures and Responsibilities ......................................................... 33 10.2.1 Automated Marking .................................................................................... 33 10.3 Third Party Service Delivery Management ............................................................. 33 10.3.1 {Requirement} ........................................................................................... 33 10.4 System planning and acceptance .......................................................................... 33 10.4.1 {Requirement} ........................................................................................... 33 10.5 Protection against malicious and mobile code ....................................................... 34 10.5.1 Malicious Code Protection ......................................................................... 34 10.5.2 Security Alerts and Advisories ................................................................... 34 10.6 Backup .................................................................................................................. 34 10.6.1 {Requirement} ........................................................................................... 34 10.7 Network Security Management .............................................................................. 35 10.7.1 {Requirement} ........................................................................................... 35 10.8 Media Handling ..................................................................................................... 35 10.8.1 Media Protection Policy and Procedures .................................................... 35 10.8.2 Media Access ............................................................................................ 
35 10.8.3 Media Labeling .......................................................................................... 36 10.8.4 Media Storage ........................................................................................... 36 10.8.5 Media Transport ........................................................................................ 37 10.8.6 Media Sanitization and Disposal ................................................................ 38 10.8.7 Access Control for Display Medium ............................................................ 38 10.8.8 Public Key Infrastructure Certificates ......................................................... 38 10.9 Exchange of Information ........................................................................................ 39 10.9.1 {Requirement} ........................................................................................... 39 10.10 Electronic Commerce Services .............................................................................. 39 10.10.1 {Requirement} ........................................................................................... 39 10.11 Monitoring ............................................................................................................. 39

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

120 121 122 123 124

–8–

–9–

ISA99, WG02, TG02

165 166 167 168 169

10.11.1 Audit and Accountability Policy and Procedures ......................................... 39 10.11.2 Auditable Events........................................................................................ 40 10.11.3 Audit Monitoring, Analysis and Reporting ................................................... 40 10.11.4 Audit Record Retention .............................................................................. 40 11 Access Control ............................................................................................................... 41

170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202

11.1 Introduction ........................................................................................................... 41 11.2 Business Requirement ........................................................................................... 41 11.2.1 Access Control Policy and Procedures ...................................................... 41 11.2.2 System and Information Integrity Policy and Procedures ............................ 41 11.2.3 Flaw Remediation ...................................................................................... 42 11.3 User Access Management ..................................................................................... 42 11.3.1 Account Management ................................................................................ 42 11.3.2 Separation of Duties .................................................................................. 43 11.4 User Responsibilities ............................................................................................. 43 11.4.1 {Requirement} ........................................................................................... 43 11.5 Network Access Control ........................................................................................ 44 11.5.1 Least Privilege ........................................................................................... 44 11.5.2 Permitted Actions Without Identification or Authentication ......................... 44 11.5.3 Remote Access.......................................................................................... 44 11.5.4 Use of External Information Systems ......................................................... 45 11.6 Operating System Access Control ......................................................................... 45 11.6.1 {Requirement} ........................................................................................... 
45 11.7 Application and Information Access Control ........................................................... 46 11.7.1 {Requirement} ........................................................................................... 46 11.8 Mobile Computing and Teleworking ....................................................................... 46 11.8.1 Wireless Access Restrictions ..................................................................... 46 11.8.2 Use Control for Portable and Mobile Devices ............................................. 46 11.8.3 Mobile Code .............................................................................................. 47 11.8.4 Supervision and Review – Use Control ...................................................... 47 11.8.5 Identification and Authentication Policy and Procedures ............................ 47 11.8.6 Identifier Management ............................................................................... 48 11.8.7 Authenticator Management ........................................................................ 48 11.8.8 Software and Information Integrity ............................................................. 49 11.8.9 Information Input Restrictions .................................................................... 49 11.8.10 Error Handling ........................................................................................... 49 11.8.11 Information Output Handling and Retention ............................................... 50 11.8.12 Boundary Protection .................................................................................. 50 12 Systems acquisition, development and maintenance ...................................................... 51

203 204 205 206 207 208 209

12.1 Introduction ........................................................................................................... 51 12.2 Security requirements of information systems ........................................................ 51 12.2.1 {Requirement} ........................................................................................... 51 12.3 Correct Processing in Applications ........................................................................ 51 12.3.1 {Requirement} ........................................................................................... 51 12.4 Cryptographic Controls .......................................................................................... 51 12.4.1 Cryptographic Module Validation ............................................................... 51

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

ISA‑62443-2-2, D1E4, April 2013

– 10 –

ISA99, WG02, TG02

210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228

12.5 Security of System Files ........................................................................................ 51 12.5.1 {Requirement} ........................................................................................... 51 12.6 Security in development and support processes .................................................... 52 12.6.1 {Requirement} ........................................................................................... 52 12.7 Technical vulnerability management ...................................................................... 52 12.7.1 Configuration Management Policy and Procedures .................................... 52 12.7.2 Baseline Configuration ............................................................................... 52 12.7.3 Configuration Change Control .................................................................... 53 12.7.4 Monitoring Configuration Changes ............................................................. 53 12.7.5 Access Restrictions for Change ................................................................. 54 12.7.6 Network and Security Configuration Settings ............................................. 54 12.7.7 IACS Component Inventory ........................................................................ 54 12.7.8 System Maintenance Policy and Procedures .............................................. 55 12.7.9 Controlled Maintenance ............................................................................. 55 12.7.10 Maintenance Tools .................................................................................... 56 12.7.11 Remote Maintenance ................................................................................. 56 12.7.12 Maintenance Personnel ............................................................................. 57 12.7.13 Timely Maintenance ................................................................................... 
57 13 Incident Management ..................................................................................................... 58

229 230 231 232 233 234 235 236 237 238 239 240 241

13.1 Introduction ........................................................................................................... 58 13.2 Reporting Security Events and Weaknesses .......................................................... 58 13.2.1 {Requirement} ........................................................................................... 58 13.3 Management of Incidents and Improvements ......................................................... 58 13.3.1 Incident Response Policy and Procedures ................................................. 58 13.3.2 Incident Response Training ....................................................................... 58 13.3.3 Incident Response Testing and Exercises .................................................. 59 13.3.4 Incident Handling ....................................................................................... 59 13.3.5 Incident Monitoring .................................................................................... 59 13.3.6 Incident Reporting ..................................................................................... 60 13.3.7 Incident Response Assistance ................................................................... 60 13.3.8 IACS Monitoring Tools and Techniques ..................................................... 60 14 Business Continuity Management ................................................................................... 62

242 243 244 245 246 247 248 249 250 251 252 253 254

14.1 Introduction ........................................................................................................... 62 14.2 Security Aspects.................................................................................................... 62 14.2.1 Contingency Planning Policy and Procedures ............................................ 62 14.2.2 Contingency Plan ...................................................................................... 62 14.2.3 Contingency Training ................................................................................. 63 14.2.4 Contingency Plan Testing and Exercises ................................................... 63 14.2.5 Contingency Plan Update .......................................................................... 64 14.2.6 Alternate Storage Site ............................................................................... 64 14.2.7 Alternate Control Site ................................................................................ 64 14.2.8 IACS Backup ............................................................................................. 65 14.2.9 IACS Recovery and Reconstruction ........................................................... 65 14.2.10 Power Equipment and Cabling ................................................................... 66 14.3 Telecommunications Services ............................................................................... 66

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

ISA‑62443-2-2, D1E4, April 2013

ISA‑62443-2-2, D1E4, April 2013

– 11 –

ISA99, WG02, TG02

14.3.1 Emergency Shutoff .... 66
14.3.2 Emergency Power .... 67
14.3.3 Emergency Lighting .... 67
14.3.4 Fire Protection .... 67
14.3.5 Temperature and Humidity Controls .... 68
14.3.6 Water Damage Protection .... 68
15 Compliance .... 68
15.1 General .... 68
15.1.1 {Requirement} .... 68
Annex A (informative) Foundational Requirements .... 70
A.1 Overview .... 70
A.2 FR1 Access Control .... 70
A.3 FR2 Use Control .... 70
A.4 FR3 Data Integrity .... 70
A.5 FR4 Data Confidentiality .... 70
A.6 FR5 Restrict Data Flow .... 71
A.7 FR6 Timely Response to an Event .... 71
A.8 FR7 Resource Availability .... 71
Annex B (informative) Mapping Controls to Foundational Requirements .... 72
B.1 Overview .... 72
BIBLIOGRAPHY .... 73


FOREWORD


This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.

SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document.

The following information comes from the IEC Directives. The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables. It consists of a general part and a specific part. The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e.
a) the designation and name of the committee that prepared the document,
b) information regarding the approval of the document, and
c) information regarding the drafting conventions used, comprising a reference to this part of the ISO/IEC Directives.
The specific part (supplied by the committee secretariat) shall give a statement of significant technical changes from any previous edition of the document and as many of the following as are appropriate:
d) an indication of any other international organization that has contributed to the preparation of the document;
e) a statement that the document cancels and replaces other documents in whole or in part;
f) the relationship of the document to other documents (see 5.2.1.3);
g) in IEC, an indication of the next stability date (see ISO/IEC Directives, IEC Supplement, 2010, 3.4).

This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.


INTRODUCTION


NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12] 1 The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.

Context

Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment. This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.

Organizations deploying pre-existing information technology (IT) and business cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in the correct way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional and consequence analysis, and often an awareness of operational issues as well.

The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.

This International Standard provides interpretation guidelines for the implementation and management of information security management for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).

IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.

This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.


Audience

The audience for the information in this standard includes asset owners and those responsible for information security, system vendors, auditors, and application content providers. It provides them with a common set of general security control objectives based on ISO/IEC 27002, IACS specific controls, and information security management guidelines that allow for the selection and implementation of such controls.

—————————
1 Numbers in square brackets refer to the Bibliography.

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.


SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the “iecstd_us.dotm” and change the starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber). The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents.

The following information comes from the IEC Directives. The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements. Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information. The introduction shall not be numbered unless there is a need to create numbered subdivisions. In this case, it shall be numbered 0, with subclauses being numbered 0.1, 0.2, etc. Any numbered figure, table, displayed formula or footnote shall be numbered normally beginning with 1.

1 Scope

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.

SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here.

The following information comes from the IEC Directives. This element shall appear at the beginning of each document and define without ambiguity the subject of the document and the aspects covered, thereby indicating the limits of applicability of the document or particular parts of it. It shall not contain requirements. In documents that are subdivided into parts, the scope of each part shall define the subject of that part of the document only. The scope shall be succinct so that it can be used as a summary for bibliographic purposes. This element shall be worded as a series of statements of fact. Forms of expression such as the following shall be used:
“This International Standard
— specifies the dimensions of …”
— specifies a method of …”
— specifies the characteristics of …”
— establishes a system for …”
— establishes general principles for …”
— gives guidelines for …”
— defines terms …”
Statements of applicability of the document shall be introduced by wording such as: “This International Standard is applicable to …” The wording shall be altered as a function of the document type concerned, i.e. International Standard, Technical Specification, Publicly Available Specification, Technical Report or Guide.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.


ISA‑99.01.01 – Security for industrial automation and control systems: Terminology, concepts and models

ISA‑99.02.01 – Security for industrial automation and control systems: Establishing an industrial automation and control systems security program

ISA‑99.03.02 – Security for industrial automation and control systems: Security assurance levels for zones and conduits

SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA‑99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.

3 Terms, definitions, abbreviated terms, acronyms, and conventions

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.

3.1.1
authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system

3.1.2
authenticity
property of being genuine and being able to be verified and trusted

NOTE It may also be defined as confidence in the validity of a transmission, a message, or message originator.

3.1.3
automatic
pertaining to a process or equipment that, under specified conditions, functions without human intervention

[IEV number 351-21-40]

3.1.4
availability
ensuring timely and reliable access to and use of information

[FIPS 199]

3.1.5
communication channel
logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone

3.1.6
confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

[FIPS 199]

3.1.7
connection
association established between two or more endpoints which supports the transfer of IACS specific data

3.1.8
consequence
outcome of an event

3.1.9
environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS

3.1.10
event
occurrence or change of a particular set of circumstances

3.1.11
external information systems
hardware, software components and repositories that are connected by some means or embedded within the component

3.1.12
IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS

3.1.13
impact
evaluated consequence of a particular event

3.1.14
industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits

3.1.15
integrity
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

[FIPS 199]

3.1.16
local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network

3.1.17
non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender’s identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information

3.1.18
remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)

3.1.19
remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment

3.1.20
role
set of connected behaviors, privileges and obligations associated to IACS users in a given situation

NOTE 1 The privileges to perform certain operations are assigned to specific roles.

NOTE 2 Role definitions must be distinguished in infrastructure role definitions (within a process), functional role definitions (part of an entity functions) or organizational role definition (a person position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.

Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]

3.1.21
security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, either intentionally designed computer components or accidentally inserted at any time during its lifecycle, and that the computer systems function in the intended manner

3.1.22
session
semi-permanent, stateful, interactive information interchange between two or more communicating devices

NOTE Typically a session has a clearly defined start process and end process.

3.1.23
threat
any circumstance or event with the potential to adversely affect organizational operations (including mission, functions, image or reputation), organizational assets, IACS or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service

3.1.24
trust
belief that an operation or data transaction source or process is secure and will perform as intended

3.1.25
untrusted
entity that has not met predefined requirements to be trusted

3.1.26
vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source

SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like “Adapted from …”.

3.2 Abbreviated terms and acronyms

This subclause defines the abbreviated terms and acronyms used in this document.

AC – Access Control
AES – Advanced encryption standard
API – Application programming interface
CA – Certification authority
CIP – Critical infrastructure protection
COTS – Commercial-off-the-shelf
DC – Data confidentiality
DI – Data integrity
DMZ – Demilitarized zone
DoS – Denial of service
FR – Foundational requirement
FTP – File transfer protocol
HSE – Health, safety, and environmental
HTTP – Hypertext transfer protocol
IACS – Industrial automation and control system(s)
ID – Identifier
IDS – Intrusion detection system
IEC – International Electrotechnical Commission
IEEE – Institute of Electrical and Electronics Engineers
IM – Instant messaging
IPS – Intrusion prevention system
ISO – International Organization for Standardization
IT – Information technology
NERC – North American Electric Reliability Corporation
NIST – U.S. National Institute of Standards and Technology
PDF – Portable document format
RA – Resource availability
RDF – Restrict data flow
RE – Requirement enhancement
SAL – Security assurance level
SIS – Safety instrumented system
SP – Special Publication (from NIST)
SR – System requirement
SuC – System under consideration
TRE – Timely response to an event
UC – Use control
US-CERT – U.S. Computer Emergency Readiness Team
USB – Universal serial bus
VoIP – Voice over internet protocol

3.3 Conventions


Much of the content of this standard is expressed in the form of specific requirements or controls. Each of these has a baseline requirement and zero or more requirement enhancements to strengthen security assurance. Rationale and supplemental guidance may be provided for each baseline requirement, and for any associated enhancement as is deemed necessary, to provide clarity to the reader.

SKELETON NOTE This sub-clause is where specific conventions used in the document, like specific clause/sub-clause formatting, special text conventions, or any other things that the reader should know in order to read the document, are described. The reader may still need some introduction to conventions used throughout the document, but this sub-clause allows for a greater explanation in one place.

4 Overview

4.1 Structure

The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.

In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS specific guidance related to this control. IACS specific guidance and information is included in the following clauses:

– Organization of information security (clause 6)
– Asset management (clause 7)
– Human resources security (clause 8)
– Physical and environmental security (clause 9)
– Communications and operations management (clause 10)
– Access control (clause 11)
– Information systems acquisition, development and maintenance (clause 12)
– Information security incident management (clause 13)
– Business continuity management (clause 14)

4.2 Information security management in IACS

4.2.1 Goal

Industrial control systems and associated networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, information leakage, earthquake, fire or flood. These security threats may originate from inside or outside the control systems environment, resulting in damage to the organization.

Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.

Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.

4.2.2 IACS assets to be protected

In order to establish information security management, it is essential for an asset owner to clarify and identify all IACS related assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.

4.2.3 Establishment of information security management

4.2.3.1 How to establish security requirements

It is essential for asset owners to identify their security requirements. There are three main sources of security requirements as follows:

a) What is derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;

b) The legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;

c) The particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.

4.2.3.2 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

4.2.3.3 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level.

This standard provides guidance and IACS specific controls, in addition to general information security management, taking account of IACS specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.

The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.

4.2.3.4 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security in an industrial automation and control system:

a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;

b) an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;

c) visible support and commitment from all levels of management;

d) a good understanding of the security requirements, risk assessment, and risk management;

e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;

f) distribution of guidance on information security policy and standards to all managers, employees and other parties;

g) provision to fund information security management activities;

h) providing appropriate awareness, training, and education;

i) establishing an effective information security incident management process;

j) implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement.

638

5 Security Policy

5.1 Introduction

5.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6 Organization of Security

6.1 Introduction

6.2 Internal Organization

6.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6.3 External Parties

6.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7 Asset Management

7.1 Introduction

7.2 Responsibility for Assets

7.2.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7.3 Information Classification

7.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8 Human Resources Security

8.1 Prior to Employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.

All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.

Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.

8.1.1 Roles and responsibilities

Control

Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.

Implementation guidance

Security roles and responsibilities should include the requirement to:

a) implement and act in accordance with the organization’s information security policies (see 5.1);

b) protect assets from unauthorized access, disclosure, modification, destruction or interference;

c) execute particular security processes or activities;

d) ensure responsibility is assigned to the individual for actions taken;

e) report security events or potential events or other security risks to the organization.

Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

IACS-specific implementation guidance

Facilities should appoint staff who have the right credentials or appropriate knowledge and skills to be in charge of the supervision of matters related to the installation, maintenance and operation of IACS. The relevant staff should be notified of their assigned roles and responsibilities.

Other Information

Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.

{Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8.1.2 Screening

Control

Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Implementation guidance

Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:

a) availability of satisfactory character references, e.g. one business and one personal;

b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;

c) confirmation of claimed academic and professional qualifications;

d) independent identity check (passport or similar document);

e) more detailed checks, such as credit checks or checks of criminal records.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.

Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.

A screening process should also be carried out for contractors and third party users. Where contractors are provided through an agency, the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

IACS-specific implementation guidance

Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]

8.1.3 Terms and conditions of employment

Control

As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.

Implementation guidance

The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:

a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;

b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);

c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);

d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;

e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);

f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);

g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).

The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).

IACS-specific implementation guidance

Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.

Other Information

A code of conduct may be used to cover the employee’s, contractor’s or third party user’s responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. The contractor or third party users may be associated with an external organization that may in turn be required to enter into contractual arrangements on behalf of the contracted individual.

8.2 During Employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

8.2.1 Management responsibilities

Control

Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

Implementation guidance

Management responsibilities should include ensuring that employees, contractors and third party users:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;

b) are provided with guidelines to state security expectations of their role within the organization;

c) are motivated to fulfil the security policies of the organization;

d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);

e) conform to the terms and conditions of employment, which include the organization’s information security policy and appropriate methods of working;

f) continue to have the appropriate skills and qualifications.

IACS-specific implementation guidance

Management should ensure that individuals responsible for operating and maintaining IACS are included in the above mentioned activities.

Other Information

If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

Poor management may cause personnel to feel undervalued, resulting in a negative security impact to the organization. For example, poor management may lead to security being neglected or potential misuse of the organization’s assets.

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8.2.2 Information security awareness, education, and training

Control

All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Implementation guidance

Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.

Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities, e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).

IACS-specific implementation guidance

Individuals responsible for operating and maintaining IACS should be included in the above mentioned activities and, where necessary, specific training should be developed for individuals in these roles.

Other Information

The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).

Training to enhance awareness is intended to allow individuals to recognize information security problems and incidents, and respond according to the needs of their work role.

8.2.3 Disciplinary process

The control objective and the contents from ISO/IEC 27002 clause 8.2.3 apply.

8.3 Termination or Change of Employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.

Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed as described in section 8.1.

8.3.1 Termination responsibilities

The control objective and the contents from ISO/IEC 27002 clause 8.3.1 apply.

8.3.2 Return of assets

The control objective and the contents from ISO/IEC 27002 clause 8.3.2 apply.

8.3.3 Removal of access rights

Control

The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Implementation guidance

Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities (see also 11.2.4), subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.

Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

a) whether the termination or change is initiated by the employee, contractor or third party user, or by management, and the reason for termination;

f) the current responsibilities of the employee, contractor or any other user;

g) the value of the assets currently accessible.

IACS-specific implementation guidance

Other risk factors to be considered when reducing or removing access rights should include risks associated with disruption to IACS availability, plant protection, and plant operations.

Other Information

In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees, contractors and third party users involved to no longer share this information with the person departing.

In cases of management-initiated termination, disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use.
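The reconciliation described in 8.3.3, written out as an added example (not part of the ISA-62443-2-2 draft): on termination every right and group membership goes, on a change of employment everything not approved for the new role goes, shared-account passwords known to the person are rotated, and the risk factors above (management-initiated, asset value, IACS availability impact) decide timing. The policy thresholds, role names and entitlements are constructed assumptions.

```python
"""Access-right reconciliation for termination or change of employment (8.3.3).

Added example, not part of the ISA-62443-2-2 draft.  Policy thresholds and all
sample data below are constructed assumptions, not values from the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    name: str
    kind: str                    # "physical" (key, badge, card) or "logical" (account, subscription)
    asset_value: str = "low"     # value of the assets this right exposes: "low" or "high"
    iacs_critical: bool = False  # abrupt removal could disrupt IACS availability or plant operations


@dataclass
class Person:
    user_id: str
    entitlements: frozenset      # Entitlement objects held today
    groups: frozenset            # group IDs whose access lists include the person
    shared_accounts: frozenset   # accounts whose password the person knows


@dataclass
class Reconciliation:
    remove: frozenset                       # entitlement names to revoke
    keep: frozenset                         # entitlement names retained (change of employment only)
    leave_groups: frozenset                 # group access lists to remove the person from
    rotate_passwords: frozenset             # shared accounts whose password must be changed
    remove_before_exit: bool                # reduce/remove before the last day rather than on it
    coordinate_with_operations: frozenset   # IACS-critical rights needing a planned handover


def reconcile(person, event, approved_for_new_role=frozenset(), management_initiated=False):
    """Return the access changes required for a termination or a change of employment."""
    if event not in ("termination", "change"):
        raise ValueError("event must be 'termination' or 'change'")

    if event == "termination":
        # Termination: every right and every group membership goes.
        to_remove = set(person.entitlements)
        leave = set(person.groups)
    else:
        # Change: anything not explicitly approved for the new employment goes.
        to_remove = {e for e in person.entitlements if e.name not in approved_for_new_role}
        leave = {g for g in person.groups if g not in approved_for_new_role}
    to_keep = set(person.entitlements) - to_remove

    # Passwords of shared accounts known to the person are changed in both cases.
    rotate = set(person.shared_accounts)

    # Assumed policy for early removal: management-initiated event, or the
    # rights being removed expose high-value assets (factors a) and g) above).
    early = management_initiated or any(e.asset_value == "high" for e in to_remove)

    # IACS-specific factor: rights whose loss could disrupt plant operations are
    # flagged for a coordinated handover instead of an unplanned cut-off.
    coordinate = {e.name for e in to_remove if e.iacs_critical}

    return Reconciliation(
        remove=frozenset(e.name for e in to_remove),
        keep=frozenset(e.name for e in to_keep),
        leave_groups=frozenset(leave),
        rotate_passwords=frozenset(rotate),
        remove_before_exit=early,
        coordinate_with_operations=frozenset(coordinate),
    )


# Constructed sample: a control-room operator moving to an engineering role.
SAMPLE_PERSON = Person(
    user_id="operator17",
    entitlements=frozenset({
        Entitlement("site_badge", "physical"),
        Entitlement("control_room_key", "physical", asset_value="high"),
        Entitlement("hmi_operator", "logical", asset_value="high", iacs_critical=True),
        Entitlement("historian_read", "logical"),
    }),
    groups=frozenset({"ops-shift-a", "historian-readers"}),
    shared_accounts=frozenset({"hmi_local_admin"}),
)

if __name__ == "__main__":
    r = reconcile(SAMPLE_PERSON, "change",
                  approved_for_new_role={"site_badge", "historian_read", "historian-readers"})
    print("remove:", sorted(r.remove), "keep:", sorted(r.keep))
    print("leave groups:", sorted(r.leave_groups), "rotate:", sorted(r.rotate_passwords))
    print("early removal:", r.remove_before_exit, "coordinate:", sorted(r.coordinate_with_operations))
```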

9 Physical and Environmental Security

9.1 Introduction

9.2 Secure Areas

9.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

9.3 Equipment Security

9.3.1 Physical Access Authorizations

Requirement:

The organization shall develop and keep current a list of personnel with authorized access to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and issue appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency].

Foundational Requirement:

Rationale/Supplemental Guidance: Appropriate authorization credentials include, for example, badges, identification cards, smart cards, keypad codes or biometric attributes. The organization promptly removes from the access list personnel no longer requiring access to the facility where the IACS resides.

Requirement Enhancements:

(1) Authorized access shall be adjusted for assignments in restricted areas or for personnel dismissal.

9.3.2 Physical Access Control

Requirement:

The organization shall control all physical access points (including designated entry/exit points) to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and verify individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing IACS. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational IACS may be located in areas designated as publicly accessible with access to such devices being appropriately controlled. The organization considers IACS safety and security interdependencies. The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to IACS facilities and assets to authorized individuals only.

Requirement Enhancements:

(1) The organization controls physical access to the IACS independent of the physical access controls for the facility. Identity verification is required for entry to the most secured IACS spaces.

Rationale/Supplemental Guidance: This requirement enhancement, in general, applies to server rooms, communications centers, telecommunication spaces, control rooms, instrument rack rooms, remote control rooms or any other areas within a facility containing large concentrations of IACS components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of IACS components or the impact level of the components. The requirement enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel.

FR1 Access Control

9.3.3 Access Control for Communication Medium

Requirement:

The organization shall control physical access to IACS distribution and communication lines within local organizational facilities.

Foundational Requirement:

Rationale/Supplemental Guidance: Physical protections applied to IACS distribution and communication lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted communications. Protective measures to control physical access to IACS distribution and communication lines include: (i) endpoints or any access point contained in locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

Requirement Enhancements: None.

9.3.4 Access Control for Display Medium

Requirement:

The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) Access displays shall be placed in such a manner as to prevent others from viewing the display of clear text access information.

9.3.5 Monitoring Physical Access

Requirement:

The organization shall monitor physical access to the IACS to detect and respond to physical security incidents.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization’s incident response capability.

Requirement Enhancements:

(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.

(2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.

9.3.6 Visitor Control

Requirement:

The organization shall control physical access to the IACS by authenticating visitors before authorizing access to the facility where the IACS resides other than areas designated as publicly accessible.

Foundational Requirement:

Rationale/Supplemental Guidance: Personnel without permanent authorization or permanent duties, including physical access to an IACS, are considered a visitor.

Requirement Enhancements:

(1) The organization escorts visitors and monitors visitor activity.

9.3.7 Access Records

Requirement:

The organization shall maintain visitor access records to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible). The detailed contents of these records are to be defined by the asset owner and their respective security policy. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency] and maintain those records for [Assignment: organization-defined periodicity].

Foundational Requirement:

Rationale/Supplemental Guidance: These logs are intended to support forensic investigation. Useful attributes would include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited.

Requirement Enhancements:

(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.

(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
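An added example (not part of the ISA-62443-2-2 draft) of the automated mechanism in 9.3.7 enhancement (1): visitor records carrying attributes (i) to (vii) are checked for completeness, for visits never signed out, for entries outside business hours or with a departure earlier than the entry, and for records past the retention period, which is what a periodic review under 9.3.5 would then investigate. The CSV layout, the business-hours window, the 90-day retention value and the sample records are constructed assumptions; the standard leaves review frequency and retention period organization-defined.

```python
"""Automated maintenance and review of visitor access records (9.3.5, 9.3.7).

Added example, not part of the ISA-62443-2-2 draft.  The CSV layout, the
business-hours window, the retention period and the records are constructed.
"""
import csv
import io
from datetime import date, time

# Columns carrying attributes (i)-(vii) of 9.3.7.  Departure time is the only
# one legitimately blank while the visitor is still on site.
REQUIRED = ("visitor_name", "visitor_org", "signature", "id_form", "date",
            "time_in", "time_out", "purpose", "host_name", "host_org")

# Constructed sample log: one clean visit and three records a review should catch.
SAMPLE_LOG = """\
visitor_name,visitor_org,signature,id_form,date,time_in,time_out,purpose,host_name,host_org
A. Visitor,Pump Vendor Ltd,signed,passport,2013-04-02,08:55,11:40,PLC firmware service,J. Host,Plant Maintenance
B. Visitor,Auditor Co,signed,driver licence,2013-04-02,13:10,,compliance audit,K. Host,Site Security
C. Visitor,Cabling Inc,,,2013-04-03,22:30,23:15,cable tray inspection,J. Host,Plant Maintenance
D. Visitor,Pump Vendor Ltd,signed,passport,2012-12-20,09:00,10:00,site walk,J. Host,Plant Maintenance
"""


def parse_records(text):
    """Parse the CSV log into one dict per visit; blank cells become empty strings."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def _hhmm(value):
    return time.fromisoformat(value) if value else None


def review(records, today, retention_days, business_hours=("07:00", "19:00")):
    """Return visitor names a reviewer should look at, grouped by finding.

    incomplete  - an attribute other than departure time is missing (useless for forensics)
    open_visits - entry logged but no departure (visitor never signed out)
    after_hours - entry outside the assumed business-hours window, or departure before entry
    expired     - older than the organization-defined retention period (candidate for disposal)
    """
    today_d = date.fromisoformat(today)
    opens, closes = (time.fromisoformat(t) for t in business_hours)
    findings = {"incomplete": [], "open_visits": [], "after_hours": [], "expired": []}
    for rec in records:
        name = rec["visitor_name"]
        if any(not rec.get(field) for field in REQUIRED if field != "time_out"):
            findings["incomplete"].append(name)
        t_in, t_out = _hhmm(rec.get("time_in")), _hhmm(rec.get("time_out"))
        if t_in is not None and t_out is None:
            findings["open_visits"].append(name)
        if t_in is not None:
            outside_window = not (opens <= t_in <= closes)
            departed_before_entry = t_out is not None and t_out < t_in
            if outside_window or departed_before_entry:
                findings["after_hours"].append(name)
        if rec.get("date") and (today_d - date.fromisoformat(rec["date"])).days > retention_days:
            findings["expired"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


def purge_expired(records, today, retention_days):
    """Maintenance step: keep records inside the retention period (undated ones stay for review)."""
    today_d = date.fromisoformat(today)
    return [rec for rec in records
            if not rec.get("date")
            or (today_d - date.fromisoformat(rec["date"])).days <= retention_days]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for kind, names in review(recs, today="2013-04-15", retention_days=90).items():
        print(f"{kind:12s} {names}")
    print("retained:", [r["visitor_name"] for r in purge_expired(recs, "2013-04-15", 90)])
```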

10 Communications and Operations Management

10.1 Introduction

10.2 Operational Procedures and Responsibilities

10.2.1 Automated Marking

Requirement:

The IACS shall mark output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.

Foundational Requirement:

Rationale/Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the IACS).

Requirement Enhancements: None.

10.3 Third Party Service Delivery Management

10.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.4 System planning and acceptance

10.4.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.5 Protection against malicious and mobile code

10.5.1 Malicious Code Protection

Requirement: The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential effect on the availability of the IACS. Updates are scheduled to occur during planned IACS outages. The organization considers IACS vendor recommendations for malicious code protection. To reduce exposure to malicious code, organizations remove the functions and services that should not be employed on the IACS (e.g., Voice over Internet Protocol, Instant Messaging, File Transfer Protocol, Hypertext Transfer Protocol, electronic mail, file sharing).

Requirement Enhancements: None.

10.5.2 Security Alerts and Advisories

Requirement: The organization shall receive IACS security alerts/advisories on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization documents the types of actions to be taken in response to security alerts/advisories. The organization also maintains contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.

Requirement Enhancements:

(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.

10.6 Backup

10.6.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.7 Network Security Management

10.7.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.8 Media Handling

10.8.1 Media Protection Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

10.8.2 Media Access

Requirement:

The organization shall restrict access to IACS media to authorized individuals.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).

An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures the media requiring restricted access, the individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access requirements where the media resides provide adequate protection.

Requirement Enhancements:

(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).

10.8.3 Media Labeling

Requirement:

The organization shall: (i) affix external labels to removable IACS media and IACS output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempt [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].

Foundational Requirement:

Rationale/Supplemental Guidance: An organizational assessment of risk guides the selection of media requiring labeling. Organizations document in policy and procedures the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media.

Requirement Enhancements: None.

10.8.4 Media Storage

Requirement:

The organization shall physically control and securely store IACS media within controlled areas.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS.

This requirement applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones, telephone systems (voicemail only)).

Organizations document in policy and procedures the media requiring physical protection and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to have limited or no adverse impact on the organization or individuals if accessed by non-authorized personnel. The assumption is that the physical access controls to the facility where the media resides provide adequate protection. The organization protects IACS media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

As part of a defense-in-depth protection strategy, the organization considers routinely encrypting data at rest on selected secondary storage devices. The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by IACS users.

Requirement Enhancements: None.

10.8.5 Media Transport

Requirement:

The organization shall protect and control IACS media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

Requirement Enhancements:

(1) The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].

Rationale/Supplemental Guidance: Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the $S^{target}_{system}$ categorization of the information residing on the media, and consistent with applicable laws, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.

(2) The organization documents, where appropriate, activities associated with the transport of IACS media using [Assignment: organization-defined system of records].

Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.

(3) The organization employs an identified custodian at all times to transport IACS media.

Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.

10.8.6 Media Sanitization and Disposal

Requirement:

The organization shall sanitize IACS media, both digital and non-digital, prior to disposal or release for reuse.

Foundational Requirement:

Rationale/Supplemental Guidance: Sanitization is the process used to remove information from IACS media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The National Security Agency provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.

Requirement Enhancements:

(1) The organization tracks, documents, and verifies media sanitization and disposal actions.

(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.

10.8.7 Access Control for Display Medium

Requirement:

The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

10.8.8 Public Key Infrastructure Certificates

Requirement:

Where public key cryptography is utilized, the organization shall determine what appropriate interfaces are required with existing public key infrastructure under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.

Foundational Requirement:

Rationale/Supplemental Guidance: Registration to receive a public key certificate needs to include authorization by a supervisor or a responsible official and needs to be accomplished using a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party.

Requirement Enhancements: None.

10.9 Exchange of Information

10.9.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.10 Electronic Commerce Services

10.10.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.11 Monitoring

10.11.1 Audit and Accountability Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular IACS, when required. The parameters to be monitored are a local matter. Of those parameters, it is strongly recommended to consider false positives (e.g., how many times an authorized entity was hindered or prevented from performing its function).

Requirement Enhancements: None.

10.11.2 Auditable Events

Requirement: The organization periodically reviews and updates the list of organization-defined auditable events.

Foundational Requirement:

Rationale/Supplemental Guidance: The purpose of this requirement is to identify important events which need to be audited as significant and relevant to the security of the IACS. The security audit function is usually coordinated with the network health and status monitoring function, which may be in a different zone. Commonly recognized and accepted checklists and configuration guides should be considered when compiling a list of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents.

Requirement Enhancements: None.

10.11.3 Audit Monitoring, Analysis and Reporting

Requirement:

The organization shall regularly review/analyze IACS audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.

Foundational Requirement:

Rationale/Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the IACS whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Requirement Enhancements:

(1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

(2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].

10.11.4 Audit Record Retention

Requirement:

The organization shall retain audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes.

Requirement Enhancements: None.
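An audit record review over constructed IACS audit records, as an added example that is not part of the ISA draft, covering 10.11.1 to 10.11.4 above: an assumed organization-defined alert list for 10.11.3 enhancement (2), the false-positive indicator recommended in 10.11.1 (how often an authorized entity was hindered), and an assumed retention period for 10.11.4. The record format, zone and subject names, thresholds and the maintenance window are all constructed assumptions.

```python
"""Audit record review for 10.11.1-10.11.4. Added example, not ISA text: the record
format, subjects, alert list, thresholds and retention period are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, time, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    ts: datetime
    zone: str
    subject: str
    event: str
    outcome: str


# Constructed audit records: "timestamp|zone|subject|event|outcome", one per line.
SAMPLE_RECORDS = """\
2013-04-15T02:10:05|control|op_smith|login|success
2013-04-15T02:11:40|control|unknown|login|failure
2013-04-15T02:11:44|control|unknown|login|failure
2013-04-15T02:11:49|control|unknown|login|failure
2013-04-15T02:12:30|control|unknown|login|failure
2013-04-15T03:00:12|control|eng_lee|config_change|success
2013-04-15T09:30:00|control|eng_lee|config_change|success
2013-04-15T10:05:00|dmz|guest|login|success
2013-04-15T10:20:00|control|op_smith|write_setpoint|denied
2013-04-12T08:00:00|control|op_smith|login|success
"""

# Organization-defined parameters (assumed values; the draft leaves them as assignments).
AUTHORIZED = {"op_smith", "eng_lee"}            # entities whose denials count as false positives
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))  # configuration changes are expected inside it
FAILURE_THRESHOLD = 3                           # this many login failures ...
FAILURE_WINDOW = timedelta(minutes=5)           # ... within this period raise one alert
RETENTION = timedelta(days=2)                   # 10.11.4 organization-defined retention period
REVIEW_TIME = datetime(2013, 4, 15, 12, 0)      # time at which the review below is run

Alert = Tuple[str, str, datetime]  # (alert name, subject, time of the triggering record)


def parse_records(text: str) -> List[Record]:
    """Parse the pipe-separated records and return them in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, zone, subject, event, outcome = line.strip().split("|")
        records.append(Record(datetime.fromisoformat(ts), zone, subject, event, outcome))
    return sorted(records, key=lambda r: r.ts)


def find_alerts(records: List[Record]) -> List[Alert]:
    """Apply the organization-defined alert list (10.11.3 enhancement (2))."""
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r.event == "login" and r.outcome == "failure":
            # Sliding window of recent failures per subject; alert exactly once at the threshold.
            recent = [t for t in failures[r.subject] if r.ts - t <= FAILURE_WINDOW] + [r.ts]
            failures[r.subject] = recent
            if len(recent) == FAILURE_THRESHOLD:
                alerts.append(("repeated_login_failure", r.subject, r.ts))
        if r.event == "config_change" and not (MAINTENANCE_WINDOW[0] <= r.ts.time() < MAINTENANCE_WINDOW[1]):
            alerts.append(("config_change_outside_window", r.subject, r.ts))
        if r.subject == "guest":
            alerts.append(("guest_account_use", r.subject, r.ts))
    return alerts


def hindered_authorized(records: List[Record]) -> int:
    """False-positive indicator from 10.11.1: denials suffered by authorized entities."""
    return sum(1 for r in records if r.subject in AUTHORIZED and r.outcome == "denied")


def apply_retention(records: List[Record], now: datetime,
                    retention: timedelta = RETENTION) -> List[Record]:
    """Keep only the records still inside the retention period (10.11.4)."""
    return [r for r in records if now - r.ts <= retention]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for name, subject, ts in find_alerts(recs):
        print(f"ALERT {ts.isoformat()} {name} subject={subject}")
    print("authorized entities hindered:", hindered_authorized(recs))
    print("records retained:", len(apply_retention(recs, REVIEW_TIME)))
```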

11 Access Control

11.1 Introduction

11.2 Business Requirement

11.2.1 Access Control Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

11.2.2 System and Information Integrity Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

11.2.3 Flaw Remediation

Requirement:

The organization shall identify, report, and correct IACS flaws.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization identifies IACS containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s IACS before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or IACS error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. The flaw remediation process shall be consistent with certification, safety and regulatory testing requirements.

Requirement Enhancements:

(1) The organization centrally manages the flaw remediation process and installs updates automatically.

(2) The organization employs automated mechanisms to periodically and upon demand determine the state of IACS components with regard to flaw remediation.

11.3 User Access Management

11.3.1 Account Management

Foundational Requirement:

Requirement:

The organization reviews accounts [Assignment: organization-defined frequency, at least annually]. A history of account changes shall be maintained, even if only manually.

Foundational Requirement:

Rationale/Supplemental Guidance: Account management might include identification of account types (i.e., individual, role, system, and device-based), establishment of conditions for group membership, and assignment of associated authorizations. In certain IACS instances, where the organization has determined that individual accounts are unnecessary from a risk-analysis and/or regulatory aspect, shared accounts are acceptable as long as adequate compensating controls (such as limited physical access) are in place and documented.

Non-user accounts (sometimes termed service accounts) that are utilized for process-to-process communication (for example, an HMI connecting to a database) typically require different security policies from human user accounts.

The organization identifies authorized users of the IACS and specifies access rights/privileges. The organization grants access to the IACS based on:

(i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all functional and security criteria; and

(ii) intended system usage. The organization requires proper identification for requests to establish accounts and approves all such requests.

(iii) The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when IACS users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured.

(iv) Account managers are also notified when users’ IACS usage or need-to-know/need-to-share changes. In cases where accounts are role-based, i.e., the workstation, hardware, and/or field devices define a user role, access to the IACS includes physical security policies and procedures based on organization risk assessment.

(v) In cases where physical access to the workstation, hardware, and/or field devices predefines privileges, the organization implements physical security policies and procedures based on organization risk assessment. Account management may include additional account types (e.g., role-based, device-based, attribute-based). The organization removes, changes, disables, or otherwise secures default accounts.

Requirement Enhancements:

(1) The organization has policies and procedures to terminate guest or temporary accounts after [Assignment: organization-defined time period for each type of account].

(2) The organization has policies and procedures to disable inactive accounts after [Assignment: organization-defined time period].

(3) The organization employs mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
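An account review implementing the guest/temporary termination period of enhancement (1), the inactive-account period of enhancement (2) and the change history of enhancement (3) above, together with the guidance on shared, service and default accounts, as an added example that is not part of the ISA draft. The account kinds, the periods and the sample account list are constructed assumptions; the draft leaves the periods as organization-defined assignments.

```python
"""Account review for enhancements (1)-(3) above. Added example, not ISA text:
the periods, account kinds and sample accounts below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Organization-defined periods (assumed values; the draft leaves them as assignments).
REVIEW_POLICY: Dict[str, timedelta] = {
    "guest": timedelta(days=1),       # enhancement (1): terminate guest accounts after 1 day
    "temporary": timedelta(days=30),  # enhancement (1): terminate temporary accounts after 30 days
    "inactive": timedelta(days=90),   # enhancement (2): disable accounts idle for 90 days
}
REVIEW_DATE = date(2013, 4, 15)       # date of the sample review run below


@dataclass
class Account:
    name: str
    kind: str                        # user, service, shared, guest, temporary or default
    created: date
    last_login: Optional[date]       # None if the account has never logged in
    enabled: bool = True
    compensating_controls: str = ""  # documented controls required for shared accounts


@dataclass(frozen=True)
class AuditEntry:
    """One line of the account change history (enhancement (3))."""
    when: date
    account: str
    action: str  # terminate, disable or flag
    reason: str


def review_accounts(accounts: List[Account], today: date,
                    policy: Dict[str, timedelta] = REVIEW_POLICY) -> List[AuditEntry]:
    """Apply the review rules in place and return the resulting change history."""
    history: List[AuditEntry] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already secured; nothing to record
        if acct.kind == "service":
            # Process-to-process accounts follow a separate policy (see the guidance above)
            # and are not judged by human login activity.
            continue
        age = today - acct.created
        idle = today - (acct.last_login or acct.created)
        if acct.kind in ("guest", "temporary") and age > policy[acct.kind]:
            acct.enabled = False
            history.append(AuditEntry(today, acct.name, "terminate",
                                      f"{acct.kind} account older than {policy[acct.kind].days} days"))
        elif acct.kind == "default":
            # Default accounts are removed, changed, disabled or otherwise secured;
            # here they are flagged for the administrator to rename or lock down.
            history.append(AuditEntry(today, acct.name, "flag",
                                      "default account must be changed, disabled or secured"))
        elif idle > policy["inactive"]:
            acct.enabled = False
            history.append(AuditEntry(today, acct.name, "disable",
                                      f"no login for {idle.days} days"))
        elif acct.kind == "shared" and not acct.compensating_controls:
            history.append(AuditEntry(today, acct.name, "flag",
                                      "shared account without documented compensating controls"))
    return history


def sample_accounts() -> List[Account]:
    """Constructed sample data for a review dated REVIEW_DATE."""
    return [
        Account("op_smith", "user", date(2012, 1, 1), date(2013, 4, 10)),
        Account("contractor_tmp", "temporary", date(2013, 2, 1), date(2013, 3, 1)),
        Account("guest", "guest", date(2013, 4, 13), None),
        Account("hmi_db_svc", "service", date(2012, 1, 1), None),
        Account("old_engineer", "user", date(2011, 6, 1), date(2012, 12, 1)),
        Account("admin", "default", date(2011, 6, 1), date(2013, 4, 14)),
        Account("control_room", "shared", date(2011, 6, 1), date(2013, 4, 14)),
        Account("panel_shared", "shared", date(2011, 6, 1), date(2013, 4, 14),
                compensating_controls="locked control room, physical access log"),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for entry in review_accounts(accounts, REVIEW_DATE):
        print(f"{entry.when} {entry.action:9} {entry.account}: {entry.reason}")
```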

11.3.2 Separation of Duties

Foundational Requirement:

Requirement:

When assigning permissions and/or roles to users, the organization shall obey the separation of duties as outlined in their security policy.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Examples of separation of duties include:

(i) mission functions and distinct IACS support functions are divided among different individuals/roles

(ii) different individuals perform IACS support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security)

(iii) security personnel who administer access control functions do not administer audit functions

Requirement Enhancements: None.

11.4 User Responsibilities

11.4.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.5 Network Access Control

11.5.1 Least Privilege

Foundational Requirement:

Requirement:

The organization shall enforce the set of rights/privileges or accesses, as required by ISA 99.02.xx, needed by the asset owner (or processes acting on behalf of asset owners) for the performance of specified tasks.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization employs the concept of least privilege for specific duties and IACS (zones and conduits) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Requirement Enhancements: None.

11.5.2 Permitted Actions Without Identification or Authentication

Foundational Requirement:

Requirement:

The organization shall identify and document (log) specific IACS user actions that can be performed on the IACS without additional identification or authentication, if and only if prior identification and authentication have already occurred.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization may allow limited IACS user activity without identification and authentication for corrective actions (e.g., emergency). The intent is to prevent repeated unnecessary identification and/or authentication.

Requirement Enhancements:

(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.

11.5.3 Remote Access

Foundational Requirement:

Requirement:

The organization shall authorize all methods of remote access to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: Remote access is any access to an IACS by an IACS user (human user, process, or device) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access to IACS component locations (e.g., control center, field locations) is only enabled when approved by the organization.

Requirement Enhancements:

(1) The organization controls all remote accesses through a limited number of managed access control points.

(2) The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the IACS.

11.5.4 Use of External Information Systems

Foundational Requirement:

Requirement:

The organization shall establish terms and conditions for authorized individuals to: (i) access the IACS from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.

Foundational Requirement:

Rationale/Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants) and privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports).

Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational IACS. The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, as a minimum: (i) the types of applications that can be accessed on the organizational IACS from the external information system; and (ii) the maximum capable system category of information that can be transmitted to or processed and stored on the external information system.

Requirement Enhancements:

(1) The organization prohibits authorized individuals from using an external information system to access the IACS or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (ii) has approved IACS connection or processing agreements with the organizational entity hosting the external information system.

(2) The organization provides a domain of filtered control for access by external IACS users, and limits access only to this domain.

(3) The organization provides a separate domain of information for read-only or download-only access by external IACS users and limits access only to this domain.

11.6 Operating System Access Control

11.6.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.7 Application and Information Access Control

11.7.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.8 Mobile Computing and Teleworking

11.8.1 Wireless Access Restrictions

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance for wireless technologies.

Foundational Requirement:

Rationale/Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio [UHF/VHF], 802.11x, 802.15.4 (ZigBee, WirelessHART, ISA100.11a), and Bluetooth.

Requirement Enhancements:

(1) The organization shall deploy continuous passive monitoring for unauthorized wireless access points and take appropriate action if such access points are discovered.

Foundational Requirement:

Rationale/Supplemental Guidance: At the time of publication of this document, these access points are typically based on 802.11x technology. In the future, this will change and thus other wireless technologies will need to be monitored as well. Regardless, organizations should conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact IACS. The scan should involve the entire facility, not just areas containing a high-impact IACS.

11.8.2 Use Control for Portable and Mobile Devices

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance for organization-controlled portable and mobile devices.

Foundational Requirement:

Rationale/Supplemental Guidance: Portable and mobile devices may introduce undesired network traffic, malware, and/or information exposure, and thus there should be specific controls associated with their usage in the typical IACS environment.

Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity) are only allowed access to the IACS in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).

Requirement Enhancements: None.

11.8.3 Mobile Code

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance regarding the use of mobile code technologies based on the potential to cause damage to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the IACS. For example, mobile code exchanges might be disallowed directly with the IACS, but rather permitted in a controlled adjacent information environment maintained by IACS personnel.

Requirement Enhancements: None.

11.8.4 Supervision and Review – Use Control

Foundational Requirement:

Requirement:

The organization shall supervise and review the activities of IACS users with respect to the enforcement and usage of IACS assets.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual IACS-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of IACS users with significant IACS roles and responsibilities. The extent of the audit record reviews is based on the impact level of the IACS. For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers, and when specific circumstances warrant review of other audit records.

Requirement Enhancements:

(1) The organization develops a baseline of normal IACS user behavior and allowable variances, and employs automated mechanisms to facilitate the review of user activities.
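An added example (not part of ISA-62443-2-2) of the automated review that enhancement (1) calls for: constructed audit records are compared with a baseline of expected actions per role and an allowable variance, and findings for privileged roles are surfaced first. The log format, role names, baseline counts and tolerance are all assumptions made for the example.

```python
"""Added example, not part of ISA-62443-2-2: reviewing IACS user activity
records against a baseline of normal behaviour with allowable variances.
Log format, role names, baseline counts and tolerance are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed audit records for one review period:
# timestamp user role action target
SAMPLE_LOG = """\
2013-04-01T08:02:11 jdoe operator login HMI-01
2013-04-01T08:05:40 jdoe operator ack_alarm HMI-01
2013-04-01T08:06:02 jdoe operator setpoint_change PLC-07
2013-04-01T08:15:33 jdoe operator setpoint_change PLC-07
2013-04-01T08:40:19 asmith engineer login EWS-02
2013-04-01T08:41:07 asmith engineer config_change PLC-07
2013-04-01T08:44:51 asmith engineer logic_download PLC-07
2013-04-01T08:45:30 asmith engineer logic_download PLC-08
2013-04-01T08:46:12 asmith engineer logic_download PLC-09
2013-04-01T09:10:00 jdoe operator logic_download PLC-07
2013-04-01T09:12:45 bwong operator login HMI-02
2013-04-01T09:13:10 bwong operator ack_alarm HMI-02
"""

# Baseline of normal behaviour (constructed): expected count of each action
# per role per review period. Actions absent from a role's baseline are
# never expected for that role.
BASELINE: Dict[str, Dict[str, int]] = {
    "operator": {"login": 1, "ack_alarm": 5, "setpoint_change": 4},
    "engineer": {"login": 1, "config_change": 2, "logic_download": 1},
}
ALLOWED_VARIANCE = 0.5  # counts up to 50% above baseline are tolerated
# Users with significant IACS roles are reviewed first (and, in practice, more often).
PRIVILEGED_ROLES = {"engineer", "administrator"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<action>\S+)\s+(?P<target>\S+)$"
)


class Finding(NamedTuple):
    user: str
    role: str
    action: str
    count: int
    reason: str


def parse_log(text: str) -> List[dict]:
    """Parse whitespace-separated audit records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def review_activity(records, baseline=BASELINE, variance=ALLOWED_VARIANCE) -> List[Finding]:
    """Compare each user's per-action counts with the baseline for their role.

    A finding is raised when an action is not in the role's baseline at all,
    or when its count exceeds the baseline by more than the allowed variance.
    Findings for privileged roles are listed first.
    """
    counts: Dict[str, Counter] = defaultdict(Counter)
    roles: Dict[str, str] = {}
    for r in records:
        counts[r["user"]][r["action"]] += 1
        roles[r["user"]] = r["role"]

    findings: List[Finding] = []
    for user, actions in counts.items():
        role = roles[user]
        expected = baseline.get(role, {})
        for action, n in actions.items():
            if action not in expected:
                findings.append(Finding(user, role, action, n,
                                        f"action not in baseline for role {role}"))
            elif n > expected[action] * (1 + variance):
                findings.append(Finding(user, role, action, n,
                                        f"count {n} exceeds baseline {expected[action]} "
                                        f"by more than {int(variance * 100)}%"))
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES, f.user, f.action))
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{f.user:8} {f.role:9} {f.action:16} x{f.count}  {f.reason}")
```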

11.8.5 Identification and Authentication Policy and Procedures

Foundational Requirement:

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls for IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures the identification and authentication policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

11.8.6 Identifier Management

Foundational Requirement:

Requirement:

The organization shall manage identifiers by user, group, role, and/or system interface. An appropriate organization official or group is responsible for authorizing the issuance of user identifiers, issuing the user identifier to the intended party, and archiving user identifiers.

Foundational Requirement:

Rationale/Supplemental Guidance: Identifiers are distinguished from the privileges which they permit an entity to exercise within a specific IACS control domain/zone (see also 2.6, Authenticator Management). Where users function as a single group (e.g., control room operators), user identification may be role-based, group-based, or device-based. For some IACS, the capability for immediate operator interaction is critical. Local emergency actions for the IACS must not be hampered by identification requirements. Access to these systems may be restricted by appropriate compensating security mechanisms. Identifiers may be required on portions of the IACS but not necessarily the entire system.

For very high SAL level IACS the requirement for maximum control is increased, not decreased. Security measures that have the potential to cause loss of control in process operations are not acceptable. In these cases, to maintain the higher SAL levels, compensating measures external to the IACS (e.g., additional physical security measures and/or enhanced personnel background checks) will be needed. In these cases, it may be possible to see a normally high SAL level IACS at a lower SAL 1 or 2 rating, depending upon the compensating controls. Lockout or loss of control due to security measures is not acceptable in high availability IACS.

Requirement Enhancements:

(1) The organization shall verify the identity of each IACS user. This verification may be maintained separately from the IACS (such as by the appropriate HR group).

11.8.7 Authenticator Management

Foundational Requirement:

Requirement: The organization shall establish administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS authenticators include, for example, tokens, public key certificates, biometrics, passwords, physical keys, and key cards. IACS users should take reasonable measures to safeguard authenticators, including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. In the case of a process or device, such users should also take measures to protect their IACS authenticators.

If the IACS is required to have a high level of availability, measures must be taken to maintain this high level of availability (e.g., compensating physical controls, duplicate keys, supervisory override). Lockout or loss of control due to security measures is not acceptable.

Requirement Enhancements: None.

11.8.8 Software and Information Integrity

Requirement: The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement complements related Access Control requirements. Access Control involves enforcing the roles, permissions, and use patterns as designed. Integrity verification methods are employed to detect, record, report, and protect against the effects of software and information tampering that may occur if other protection mechanisms (e.g., Access Control) have been circumvented.

Requirement Enhancements: None.
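An added example (not part of ISA-62443-2-2) of the integrity scan this requirement describes: a SHA-256 manifest of the IACS software and configuration files is taken as the baseline, and each scheduled rescan reports modified, removed and added files as tampering indicators. The directory layout, file contents and manifest format are constructed for the example; in practice the baseline would be stored, and ideally signed, outside the IACS.

```python
"""Added example, not part of ISA-62443-2-2: a baseline-and-rescan integrity
check over a tree of IACS software and configuration files. The directory
layout, file contents and manifest format are constructed for the example."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large firmware images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Baseline manifest: relative POSIX path -> SHA-256 for every file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_scan(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Rescan root and report every deviation from the stored baseline.

    'modified' files hash differently, 'removed' files are in the baseline but
    no longer present, 'added' files are present but not in the baseline. Each
    is a tampering indicator unless an authorized change explains it.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def is_clean(result: Dict[str, List[str]]) -> bool:
    """True when the rescan found no deviation at all."""
    return not any(result.values())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, alter the tree, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc").mkdir()
        (root / "plc" / "logic.bin").write_bytes(b"\x00\x01\x02 constructed logic image")
        (root / "hmi.cfg").write_text("alarm_ack_timeout=30\n")
        (root / "notes.txt").write_text("baseline notes\n")

        # The baseline would be stored (and ideally signed) off the IACS;
        # here it only round-trips through JSON to show the stored form.
        stored = json.dumps(build_manifest(root), indent=1, sort_keys=True)
        assert is_clean(integrity_scan(root, json.loads(stored)))  # unchanged tree is clean

        # Simulate tampering and drift between two scheduled scans.
        (root / "plc" / "logic.bin").write_bytes(b"\x00\x01\x02 altered logic image")
        (root / "notes.txt").unlink()
        (root / "rogue.exe").write_bytes(b"MZ constructed unexpected binary")

        return integrity_scan(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```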

11.8.9 Information Input Restrictions

Requirement:

Restrictions on entities authorized to input information to the IACS may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.10 Error Handling

Requirement:

The extent to which the IACS identifies and handles error conditions shall be guided by organizational policy and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.11 Information Output Handling and Retention

Requirement:

The organization shall handle and retain output from the IACS in accordance with applicable laws, directives, policies, regulations, standards, and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.12 Boundary Protection

Requirement:

The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services.

Foundational Requirement:

Rationale/Supplemental Guidance: Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third-party-provided access lines and other service elements. Consequently, such interconnecting communication services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

Requirement Enhancements:

(1) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.

12 Systems acquisition, development and maintenance

12.1 Introduction

12.2 Security requirements of information systems

12.2.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.3 Correct Processing in Applications

12.3.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.4 Cryptographic Controls

12.4.1 Cryptographic Module Validation

Requirement: If cryptography is required, the IACS shall employ validated cryptographic modules that applicable laws, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module may require.

Foundational Requirement:

Rationale/Supplemental Guidance: The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. In the procurement process, the most effective safeguard is to use a cryptographic module validated by a recognized 3rd-party authority, e.g., the Cryptographic Module Validation Program.

Requirement Enhancements: None.

12.5 Security of System Files

12.5.1

{Requirement} Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.6 Security in development and support processes

12.6.1

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.7 Technical vulnerability management

12.7.1 Configuration Management Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

12.7.2 Baseline Configuration

Requirement: The organization shall develop, document, and maintain a current baseline configuration of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement establishes a baseline configuration for the IACS. The baseline configuration provides information about a particular component's makeup (e.g., the standard software load for a workstation or notebook computer, including updated patch information) and the component's logical placement within the IACS architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the IACS is built; deviations, if required, are documented in support of mission needs/objectives.

Requirement Enhancements:

(1) The organization updates the baseline configuration of the IACS as an integral part of IACS component installations.

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the IACS.

12.7.3 Configuration Change Control

Requirement: The organization shall authorize, document, and control changes to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization manages configuration changes to the IACS using an organizationally approved process. Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the IACS, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the IACS include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the IACS.

Requirement Enhancements:

(1) The organization employs automated mechanisms to: (i) document proposed changes to the IACS; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the IACS.

(2) The organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures that testing does not interfere with IACS functions. The individual/group conducting the tests fully understands the organizational information security policies and procedures, the IACS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production IACS may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an IACS must be taken off-line for testing, the tests are scheduled to occur during planned IACS outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production IACS, the organization employs compensating controls (e.g., providing a replicated system on which to conduct testing).

12.7.4 Monitoring Configuration Changes

Requirement:

The organization shall conduct security impact analyses to determine the effects of configuration changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the IACS for potential adverse security consequences. After the IACS is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the IACS. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the IACS.

Requirement Enhancements: None.

12.7.5 Access Restrictions for Change

Requirement:

The organization shall: (i) approve individual access privileges and enforce physical and logical access restrictions associated with changes to the IACS; and (ii) generate, retain, and review records reflecting all such changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the IACS can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to IACS components for purposes of initiating changes, including upgrades and modifications.

Requirement Enhancements:

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

12.7.6 Network and Security Configuration Settings

Requirement: The IACS vendor shall provide guidelines for recommended network and security configurations. The organization shall, based upon guidelines provided by the vendor: (i) establish mandatory network and security configuration settings for IACS components; (ii) configure these settings to the most restrictive mode consistent with operational requirements; (iii) document these settings; and (iv) enforce these settings in all components of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: These configuration settings are the adjustable parameters of the IACS components.

Requirement Enhancements:

(1) The organization shall employ automated mechanisms to centrally manage, apply, and verify configuration settings.

1954 1955

12.7.7 IACS Component Inventory Requirement:

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

ISA‑62443-2-2, D1E4, April 2013

– 55 –

ISA99, WG02, TG02

1956 1957

The organization shall develop, document, and maintain a current inventor y of the components of the IACS and relevant ownership information.

1958

Foundational Requirement:

1959 1960 1961 1962 1963 1964 1965

Rationale/Supplemental Guidance: The organization determines the appropriate level of granularity for the IACS components included in the inventory that are subj ect to management control (i.e., tracking, and reporting). The inventory of IACS components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial numb er, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the IACS.

Requirement Enhancements:

(1) The organization updates the inventory of IACS components as an integral part of component installations.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of IACS components.

12.7.8 System Maintenance Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, IACS maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the IACS maintenance policy and associated system maintenance controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The IACS maintenance policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The IACS maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

12.7.9 Controlled Maintenance

Requirement:

The organization shall schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the IACS in accordance with vendor, system integrator, and/or organizational specifications and requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: All maintenance activities, to include routine, scheduled maintenance and repairs, are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. Organizational officials approve the removal of the IACS or IACS components from the facility when repairs are necessary. If the IACS or a component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the IACS, the organization checks all potentially affected security controls to verify that the controls are still functioning properly.

Requirement Enhancements:

(1) The organization maintains maintenance records for the IACS that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).

(2) The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.

12.7.10 Maintenance Tools

Requirement:

The organization shall approve, control, and monitor the use of IACS maintenance tools and maintain the tools on an ongoing basis.

Foundational Requirement:

Rationale/Supplemental Guidance: The intent of this requirement is to address hardware and software brought into the IACS specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support IACS maintenance, yet are a part of the system (e.g., the software implementing “ping”, “ls”, “ipconfig” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this requirement.

Requirement Enhancements:

(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

Foundational Requirement:

Rationale/Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the IACS.

(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the IACS.

(3) The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.

(4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.

12.7.11 Remote Maintenance

Requirement:

The organization shall authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed.

Foundational Requirement:

Rationale/Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). The use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the IACS. The organization maintains records for all remote maintenance and diagnostic activities. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) encryption and decryption of communications; (ii) strong identification and authentication techniques; and (iii) remote disconnect verification. When remote maintenance is completed, the organization (or IACS in certain cases) terminates all sessions and remote connections invoked in the performance of that activity. If password-based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service. The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.

Requirement Enhancements:

(1) The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.

(2) The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the IACS.
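As an added example for the guidance and enhancement (1) of 12.7.11, not part of this draft: a review script that reads remote maintenance session records and flags sessions without an authorization record, sessions left open past the maintenance window, and password-authenticated sessions not followed by a password change. The log format, ticket numbers, accounts and addresses are constructed.

```python
"""Added example (not from ISA-62443-2-2): review remote maintenance session
records against the controls in 12.7.11: every session is authorized, every
session is terminated when the work is done, and a password used for remote
maintenance is changed afterwards. All records below are constructed."""
from datetime import datetime, timedelta

# Constructed session log. Addresses are from documentation ranges.
REMOTE_LOG = """\
2013-04-02T08:00:00 SESSION_START id=rm-101 account=vendor_svc auth=password ticket=CHG-1001 src=203.0.113.10
2013-04-02T09:30:00 SESSION_END id=rm-101
2013-04-02T09:45:00 PASSWORD_CHANGED account=vendor_svc
2013-04-02T13:00:00 SESSION_START id=rm-102 account=vendor_svc auth=password ticket=CHG-1002 src=203.0.113.10
2013-04-02T14:10:00 SESSION_END id=rm-102
2013-04-03T07:00:00 SESSION_START id=rm-103 account=integrator auth=certificate ticket=CHG-9999 src=198.51.100.7
"""

# Change tickets approved for remote maintenance (the authorization record).
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}

# Constructed time at which the review is run.
REVIEW_TIME = datetime(2013, 4, 3, 12, 0)


def parse_log(text):
    """Return (sessions keyed by id, password-change times keyed by account)."""
    sessions, changes = {}, {}
    for line in text.splitlines():
        stamp, event, *fields = line.split()
        when = datetime.fromisoformat(stamp)
        attrs = dict(f.split("=", 1) for f in fields)
        if event == "SESSION_START":
            sessions[attrs["id"]] = {"start": when, "end": None, **attrs}
        elif event == "SESSION_END":
            sessions[attrs["id"]]["end"] = when
        elif event == "PASSWORD_CHANGED":
            changes.setdefault(attrs["account"], []).append(when)
    return sessions, changes


def audit(sessions, changes, approved, now, max_open=timedelta(hours=4)):
    """Produce (session id, issue) findings for review by organizational personnel."""
    findings = []
    for sid, s in sessions.items():
        if s["ticket"] not in approved:
            findings.append((sid, "no authorization record for ticket " + s["ticket"]))
        if s["end"] is None:
            # Still open: only a problem once the allowed window has elapsed.
            if now - s["start"] > max_open:
                findings.append((sid, "session still open beyond the maintenance window"))
            continue                      # password cannot be judged until it ends
        if s["auth"] == "password":
            rotated = any(t > s["end"] for t in changes.get(s["account"], []))
            if not rotated:
                findings.append((sid, f"password for {s['account']} not changed after session"))
    return findings


def run(now):
    sessions, changes = parse_log(REMOTE_LOG)
    return audit(sessions, changes, APPROVED_TICKETS, now)


if __name__ == "__main__":
    for sid, issue in run(REVIEW_TIME):
        print(f"{sid}: {issue}")
```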

12.7.12 Maintenance Personnel

Requirement:

The organization shall allow only authorized personnel to perform maintenance on the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the IACS when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability. When maintenance personnel do not have needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the IACS.

Requirement Enhancements: None.

12.7.13 Timely Maintenance

Requirement:

The organization shall obtain maintenance support and spare parts for [Assignment: organization-defined list of key IACS components] within [Assignment: organization-defined time period] of failure.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

13 Incident Management

13.1 Introduction

13.2 Reporting Security Events and Weaknesses

13.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

13.3 Management of Incidents and Improvements

13.3.1 Incident Response Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

13.3.2 Incident Response Training

Requirement:

The organization shall train personnel in their incident response roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

13.3.3 Incident Response Testing and Exercises

Requirement:

The organization shall test and/or exercise the incident response capability for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and document the results.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

Foundational Requirement:

Rationale/Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the incident response capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability.

13.3.4 Incident Handling

Requirement:

The organization shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Foundational Requirement:

Rationale/Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.

Requirement Enhancements:

(1) The organization employs automated mechanisms to support the incident handling process.

13.3.5 Incident Monitoring

Requirement:

The organization shall track and document IACS security incidents on an ongoing basis.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

13.3.6 Incident Reporting

Requirement:

The organization shall promptly report incident information to appropriate authorities.

Foundational Requirement:

Rationale/Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The United States Computer Emergency Readiness Team (US-CERT) maintains the IACS Security Center at http://www.uscert.gov/control_systems. In addition to incident information, weaknesses and vulnerabilities in the IACS are reported to appropriate organizational officials in a timely manner to prevent security incidents.

Requirement Enhancements:

(1) The organization employs automated mechanisms to assist in the reporting of security incidents.

13.3.7 Incident Response Assistance

Requirement:

The organization shall provide an incident response support resource that offers advice and assistance to users of the IACS for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.

Foundational Requirement:

Rationale/Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.

Requirement Enhancements:

(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.

13.3.8 IACS Monitoring Tools and Techniques

Requirement:

The organization shall determine the required granularity of the information collected based upon its monitoring objectives and the capability of the IACS to support such activities. This includes monitoring inbound and outbound communications for unusual or unauthorized activities or conditions.

Foundational Requirement:

Rationale/Supplemental Guidance: Organizations consult appropriate legal counsel with regard to all IACS monitoring activities. Organizations heighten the level of IACS monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Requirement Enhancements:

(1) The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.

14 Business Continuity Management

14.1 Introduction

14.2 Security Aspects

14.2.1 Contingency Planning Policy and Procedures

Requirement:

The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

14.2.2 Contingency Plan

Requirement:

The organization shall develop and implement a contingency plan for the IACS addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the IACS or communication with operational facilities, the IACS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure). These examples are not exhaustive.
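As an added example of the predetermined procedures named above, not part of this draft: a controller-side watchdog that detects loss of communication with the operational facility, alerts the operator once, and then applies the action the organization selected (do nothing, safe shutdown, or hold the last setting). The action names, timeout and safe setpoint are constructed.

```python
"""Added example (not from ISA-62443-2-2): a controller-side watchdog that
applies one of the predetermined procedures listed in 14.2.2 when
communication with the operational facility is lost. Action names, the
timeout and the safe setpoint are constructed for illustration."""
from enum import Enum


class Action(Enum):
    ALERT_ONLY = "alert the operator, then do nothing"
    ALERT_THEN_SHUTDOWN = "alert the operator, then safely shut down the process"
    ALERT_THEN_HOLD = "alert the operator, then keep the last operational setting"


class CommLossWatchdog:
    """Tracks the last valid supervisory message and decides each cycle what
    the local controller should do. tick() returns (mode, setpoint)."""

    def __init__(self, action, timeout_s, safe_setpoint):
        self.action = action
        self.timeout_s = timeout_s
        self.safe_setpoint = safe_setpoint   # process-safe value for shutdown
        self.last_rx = None                  # time of last valid message
        self.last_setpoint = None            # setting carried in that message
        self.tripped = False                 # True while communication is lost
        self.alerts = []                     # (time, text) sent to the operator

    def on_message(self, t, setpoint):
        """A valid supervisory message arrived; clears a trip if one is active."""
        self.last_rx, self.last_setpoint = t, setpoint
        if self.tripped:
            self.tripped = False
            self.alerts.append((t, "communication restored; supervisory control resumed"))
        return ("follow", setpoint)

    def tick(self, t):
        """Called every control cycle."""
        if self.last_rx is None:
            return ("local", None)           # never heard from the supervisor
        if t - self.last_rx <= self.timeout_s:
            return ("follow", self.last_setpoint)
        if not self.tripped:                 # first cycle after the loss: alert once
            self.tripped = True
            self.alerts.append((t, f"communication lost for {t - self.last_rx:g}s"))
        if self.action is Action.ALERT_THEN_SHUTDOWN:
            return ("shutdown", self.safe_setpoint)
        if self.action is Action.ALERT_THEN_HOLD:
            return ("hold", self.last_setpoint)
        return ("local", None)               # ALERT_ONLY: no automated override


def simulate(action, events):
    """Replay (time, setpoint-or-None) events; None means a cycle with no message.
    Returns the list of (mode, setpoint) decisions and the alerts raised."""
    wd = CommLossWatchdog(action, timeout_s=5.0, safe_setpoint=0.0)
    trace = []
    for t, setpoint in events:
        trace.append(wd.on_message(t, setpoint) if setpoint is not None else wd.tick(t))
    return trace, wd.alerts


if __name__ == "__main__":
    # Constructed scenario: messages stop after t=0 and resume at t=8.
    events = [(0.0, 42.0), (3.0, None), (6.0, None), (7.0, None), (8.0, 45.0), (9.0, None)]
    for action in Action:
        trace, alerts = simulate(action, events)
        print(action.name, trace, alerts)
```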

Requirement Enhancements:

(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.

Foundational Requirement:

Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.

(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.

14.2.3 Contingency Training

Requirement:

The organization shall train personnel in their contingency roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

14.2.4 Contingency Plan Testing and Exercises

Requirement:

The organization shall: (i) test and/or exercise the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and (ii) review the contingency plan test/exercise results and initiate corrective actions.

Foundational Requirement:

Rationale/Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the $S^{target}_{system}$ level of the IACS. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.

Requirement Enhancements:

(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

Foundational Requirement:

Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.

(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

(3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the IACS and supported missions.

14.2.5 Contingency Plan Update

Requirement:

The organization shall review the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] and revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

Foundational Requirement:

Rationale/Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the IACS. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).

Requirement Enhancements: None.

14.2.6 Alternate Storage Site

Requirement:

The organization shall identify an alternate storage site and initiate necessary agreements to permit the storage of IACS backup information.

Foundational Requirement:

Rationale/Supplemental Guidance: The frequency of IACS backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives.

Requirement Enhancements:

(1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.

(2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.

(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

14.2.7 Alternate Control Site

Requirement:

The organization shall identify an alternate control site and initiate necessary agreements to permit the resumption of IACS operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.

Foundational Requirement:

Rationale/Supplemental Guidance: Equipment and supplies required to resume operations within the organization-defined time period are either available at the alternate site or contracts are in place to support delivery to the site. Timeframes to resume IACS operations are consistent with organization-established recovery time objectives.

Requirement Enhancements:

(1) The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.

(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.

(4) The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.

14.2.8 IACS Backup

Requirement:

The frequency of IACS backups and the transfer rate of backup information to alternate storage sites (if so designated) shall be consistent with the organization’s recovery time objectives and recovery point objectives.

Foundational Requirement:

Rationale/Supplemental Guidance: Availability of up-to-date backups is essential for recovery from IACS failure and mis-configuration. Automating this function ensures that all required files are captured, reducing operator overhead.

An organizational assessment of risk guides the use of encryption for backup information. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the $S^{target}_{system}$ level.
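As an added example for the 14.2.8 requirement, not part of this draft: a check that a backup interval and the transfer rate to the alternate storage site are consistent with the recovery point and recovery time objectives, using worst-case data loss and worst-case recovery time. The plan names and all figures are constructed.

```python
"""Added example (not from ISA-62443-2-2): check that a backup schedule and
the transfer rate to the alternate storage site are consistent with the
recovery time and recovery point objectives (14.2.8). Plan names and all
figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPlan:
    name: str
    interval_h: float     # hours between backups
    size_gb: float        # data shipped per backup (incremental or full)
    link_mbps: float      # usable rate to the alternate storage site
    restore_h: float      # time to reload and validate a copy once it is on site
    rpo_h: float          # recovery point objective (tolerable data loss)
    rto_h: float          # recovery time objective (tolerable outage)


def transfer_hours(size_gb, link_mbps):
    """Hours to move size_gb over a link of link_mbps (1 GB taken as 8192 Mb)."""
    return size_gb * 8192 / link_mbps / 3600


def evaluate(plan):
    """Return (worst-case data loss h, worst-case recovery h, findings)."""
    xfer = transfer_hours(plan.size_gb, plan.link_mbps)
    # A failure just before the next backup loses a full interval, and the
    # newest copy may still be in transit and so unusable off site.
    worst_loss = plan.interval_h + xfer
    # Recovery pulls the copy back over the same link, then restores it.
    worst_recovery = xfer + plan.restore_h
    findings = []
    if xfer > plan.interval_h:
        findings.append("each backup takes longer to ship than the interval: "
                        "copies queue up and the off-site set falls behind")
    if worst_loss > plan.rpo_h:
        findings.append(f"worst-case loss {worst_loss:.1f} h exceeds RPO {plan.rpo_h:g} h")
    if worst_recovery > plan.rto_h:
        findings.append(f"worst-case recovery {worst_recovery:.1f} h exceeds RTO {plan.rto_h:g} h")
    return worst_loss, worst_recovery, findings


# Constructed plans: one consistent with its objectives, one whose link
# cannot keep up with the backup interval.
PLANS = [
    BackupPlan("historian", interval_h=4, size_gb=20, link_mbps=100,
               restore_h=2, rpo_h=8, rto_h=4),
    BackupPlan("plc-project-files", interval_h=1, size_gb=50, link_mbps=10,
               restore_h=1, rpo_h=2, rto_h=4),
]

if __name__ == "__main__":
    for plan in PLANS:
        loss, recovery, findings = evaluate(plan)
        status = "OK" if not findings else "REVIEW"
        print(f"{plan.name}: loss<={loss:.1f}h recovery<={recovery:.1f}h {status}")
        for f in findings:
            print("  -", f)
```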

Requirement Enhancements:

(1) The organization selectively uses backup information in the restoration of IACS functions as part of contingency plan testing.

(2) The organization stores backup copies of the operating system and other critical IACS software in a separate facility or in a fire-rated container that is not collocated with the operational software.

14.2.9 IACS Recovery and Reconstruction

Requirement:

None.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested and functional.

Requirement Enhancements:

(1) The organization shall include a full recovery and reconstitution of the IACS as part of contingency plan testing.

14.2.10 Power Equipment and Cabling

Requirement:

The organization shall protect power equipment and power cabling for the IACS from damage and destruction.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs redundant and parallel power cabling paths.

14.3 Telecommunications Services

Requirement:

The organization shall identify primary and alternate telecommunications services to support the IACS and initiate necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

Foundational Requirement:

Rationale/Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).

Requirement Enhancements:

(1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

(2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.

(3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.

(4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.

14.3.1 Emergency Shutoff

Requirement:

The IACS shall provide, for specific locations within a facility containing concentrations of IACS resources, the capability of shutting off power to any IACS component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.

Foundational Requirement:

Rationale/Supplemental Guidance: Facilities containing concentrations of IACS resources may include, for example, data centers, server rooms, and mainframe rooms. Emergency shutoff capabilities are typically integrated with SIS systems, if present (e.g. automated fail-safe shutdown sequences).

Requirement Enhancements:

(1) The IACS shall protect the emergency power-off capability from accidental or unauthorized activation.

14.3.2 Emergency Power

Requirement:

The organization shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS in the event of a primary power source loss.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization provides a long-term alternate power supply for the IACS that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

(2) The organization provides a long-term alternate power supply for the IACS that is self-contained and not reliant on external power generation.

14.3.3 Emergency Lighting

Requirement:

The organization shall employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

14.3.4 Fire Protection

Requirement:

The organization shall employ and maintain fire suppression devices/systems that can be activated in the event of a fire.

Foundational Requirement:

Rationale/Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Requirement Enhancements:

(1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.

(2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.

(3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.

14.3.5 Temperature and Humidity Controls

Requirement:

The organization shall regularly maintain, within acceptable levels, and monitor the temperature and humidity within the facility where the IACS resides.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

14.3.6 Water Damage Protection

Requirement:

The organization shall protect the IACS from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs mechanisms that, without the need for manual intervention, protect the IACS from water damage in the event of a significant water leak.

15 Compliance

15.1

15.1.1 General {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

Annex A (informative) Foundational Requirements

A.1 Overview

This annex is intended to provide guidance to the reader as to the relevance of the SRs.

A.2 FR1 ACCESS CONTROL

Identify and authenticate IACS users (incl. human users, processes, and devices), assign them to a pre-defined role, and allow them access to the system or assets.

Rationale: Asset owners will have to develop a list of IACS users and to determine for each device the required level of access control protection. The goal of access control is to protect the system by verifying the identity of a user requesting access to a device of the system before activating the communication. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some devices on a communication channel require strong access control, i.e. a strong authentication mechanism, and others do not. By extension, access control requirements need to be extended to data at rest.

A.3 FR2 USE CONTROL

Enforce the assigned privileges of an authenticated IACS user to perform the requested action on the system or assets, and monitor the use of these privileges.

Rationale: Asset owners will have to assign to each IACS user the privileges defining the authorized use of the system. The goal of use control is to protect against unauthorized actions on IACS resources by verifying that the necessary privileges have been granted before allowing the action to be performed. Examples of actions are reading or writing data, downloading a program, setting configuration, etc. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some IACS resources require strong use control protection, i.e. restrictive privileges, and others do not. By extension, use control requirements need to be extended to data at rest.

A.4 FR3 DATA INTEGRITY

Ensure the integrity of information on communication channels and in data repositories to prevent unauthorized manipulation.

Rationale: Using the organization's risk assessment methodology, asset owners will "select" communication channels that require strong integrity protection. Derived prescriptive recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some communication channels require strong integrity protection and others do not. By extension, data integrity requirements need to be extended to data at rest; i.e. protecting the integrity of data that resides in selected repositories.

A.5 FR4 DATA CONFIDENTIALITY

Ensure the confidentiality of information on communication channels and in data repositories to prevent unauthorized dissemination.

Rationale: Some IACS-generated information, whether at rest or in transit, is of a confidential/sensitive nature. This implies that some communication channels and data stores require protection against eavesdropping and unauthorized access.
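As an added illustration of FR1 and FR2 (example code written for this edit, not part of the ISA-62443-2-2 draft or any ISA deliverable), the following Python sketch identifies and authenticates users, assigns each a pre-defined role, enforces the role's privileges for every requested action, and records each use of a privilege. It also shows the "mixed mode" point from both rationales: one constructed device (`PLC-7`) demands strong authentication and only permits configuration actions from a session that verified a second factor, while another (`HMI-1`) accepts password-only sessions. All user names, roles, device names, passwords and the one-time code are constructed for the example.

```python
"""Added example for FR1 (Access Control) and FR2 (Use Control); not from the
ISA-62443-2-2 draft. All names, roles, devices and credentials are constructed."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# FR2: constructed role table, role -> actions the role may perform.
ROLE_PRIVILEGES = {
    "operator":   {"read"},
    "engineer":   {"read", "write", "set_configuration"},
    "maintainer": {"read", "download_program"},
}

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str                            # FR1: pre-defined role assigned to the user
    salt: bytes
    pw_hash: bytes
    second_factor: str | None = None     # constructed one-time code; None = not enrolled

@dataclass
class Device:
    name: str
    strong_auth: bool                    # FR1 mixed mode: strong authentication required?
    restricted: set = field(default_factory=set)  # FR2 mixed mode: actions needing a strong session

@dataclass
class Session:
    user: User
    strong: bool                         # True only if a second factor was verified

class AccessControl:
    def __init__(self, users: dict[str, User]):
        self.users = users
        self.audit: list[tuple] = []     # FR2: monitor the use of privileges

    def authenticate(self, device: Device, name: str, password: str,
                     code: str | None = None) -> Session | None:
        user = self.users.get(name)
        # Always derive a hash so an unknown name costs the same time as a wrong password.
        derived = _pbkdf2(password, user.salt if user else bytes(16))
        if user is None or not hmac.compare_digest(derived, user.pw_hash):
            self.audit.append(("auth_fail", name, device.name))
            return None
        strong = (user.second_factor is not None and code is not None
                  and hmac.compare_digest(user.second_factor, code))
        if device.strong_auth and not strong:
            self.audit.append(("auth_fail_strong_required", name, device.name))
            return None
        self.audit.append(("auth_ok", name, device.name, "strong" if strong else "basic"))
        return Session(user, strong)

    def authorize(self, session: Session, device: Device, action: str) -> bool:
        allowed = action in ROLE_PRIVILEGES.get(session.user.role, set())
        if allowed and action in device.restricted and not session.strong:
            allowed = False              # restrictive privilege: strong session required
        self.audit.append(("use", session.user.name, device.name, action,
                           "allow" if allowed else "deny"))
        return allowed

def make_user(name: str, role: str, password: str, second_factor: str | None = None) -> User:
    salt = secrets.token_bytes(16)
    return User(name, role, salt, _pbkdf2(password, salt), second_factor)

def demo() -> tuple[dict, list]:
    """Run the constructed scenario; returns the access decisions and the audit trail."""
    users = {u.name: u for u in (
        make_user("alice", "engineer", "correct horse", second_factor="482913"),
        make_user("bob", "operator", "battery staple"),
    )}
    ac = AccessControl(users)
    hmi = Device("HMI-1", strong_auth=False)
    plc = Device("PLC-7", strong_auth=True, restricted={"set_configuration", "download_program"})
    r = {}
    bob = ac.authenticate(hmi, "bob", "battery staple")
    r["bob_read_hmi"] = ac.authorize(bob, hmi, "read")            # operator may read
    r["bob_write_hmi"] = ac.authorize(bob, hmi, "write")          # but not write
    r["bob_plc_login"] = ac.authenticate(plc, "bob", "battery staple") is not None  # no 2nd factor
    alice_basic = ac.authenticate(hmi, "alice", "correct horse")
    r["alice_basic_setcfg_plc"] = ac.authorize(alice_basic, plc, "set_configuration")
    alice_strong = ac.authenticate(plc, "alice", "correct horse", code="482913")
    r["alice_strong_setcfg_plc"] = ac.authorize(alice_strong, plc, "set_configuration")
    r["wrong_password_rejected"] = ac.authenticate(hmi, "alice", "wrong") is None
    return r, ac.audit

if __name__ == "__main__":
    decisions, trail = demo()
    print(decisions)
    for entry in trail:
        print(entry)
```

The audit list is the "monitor the use of these privileges" half of FR2: every authentication outcome and every authorize decision, allowed or denied, is recorded with the user, device and action, which is what a reviewer would later correlate under FR6.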

A.6 FR5 RESTRICT DATA FLOW

Segment the system via zones and conduits to limit the unnecessary flow of data.

Rationale: Using the organization's risk assessment methodology, asset owners will determine necessary information flow restrictions and thus, by extension, determine the configuration of the conduits used to deliver these data. Derived prescriptive recommendations and guidelines should include mechanisms that range from disconnecting control networks from business or public networks to using stateful firewalls and DMZ to manage the flow of information.

A.7 FR6 TIMELY RESPONSE TO AN EVENT

Respond to security violations by notifying the proper authority, reporting needed forensic evidence of the violation, and taking timely corrective action when incidents are discovered.

Rationale: Using the organization's risk assessment methodology, asset owners will establish policies and proper lines of communication and control needed to respond to security violations. Derived prescriptive recommendations and guidelines should include mechanisms that collect, report and automatically correlate the forensic evidence to ensure timely corrective action. The use of monitoring tools and techniques must not adversely affect the operational performance of the IACS.

A.8 FR7 RESOURCE AVAILABILITY

Ensure the availability of the system or assets against the denial of essential services.

Rationale: The aim of this series of System Requirements is to ensure that the system is resilient against various types of Denial of Service events. This includes the unavailability of system functionality at various levels.
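The zone-and-conduit model behind FR5 can be checked mechanically against observed traffic. The following Python example (added for this edit; not from the standard or any ISA project) encodes constructed zones, a default-deny conduit policy with deliberately no direct enterprise-to-control conduit, and stateful reply handling, then audits a handful of constructed connection records and flags every flow that no conduit permits: a direct attempt to reach the control zone from the enterprise network, a packet claiming "established" state for a session no conduit could have started, and an endpoint outside any defined zone. The addressing, conduits and records are all assumptions for the illustration.

```python
"""Added example for FR5 (Restrict Data Flow); not from the ISA-62443-2-2 draft.
Zones, conduits and the connection records below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone model (assumed addressing, not from the standard).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz":        ip_network("10.1.0.0/24"),
    "control":    ip_network("10.2.0.0/24"),
}

@dataclass(frozen=True)
class Conduit:
    src: str      # initiating zone
    dst: str      # receiving zone
    proto: str
    port: int     # destination port of the permitted service

# Constructed conduit policy: the only permitted cross-zone flows (default deny).
# There is deliberately no enterprise -> control conduit; such traffic must
# terminate in the DMZ.
CONDUITS = [
    Conduit("enterprise", "dmz", "tcp", 443),   # users reach the DMZ historian front end
    Conduit("control", "dmz", "tcp", 1433),     # control zone pushes data out to the DMZ historian
]

def zone_of(ip: str) -> str | None:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, state: str) -> tuple[bool, str]:
    """Decide whether one observed flow is permitted by the conduit policy."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None:
        return False, "endpoint outside any defined zone"
    if s == d:
        return True, f"intra-zone traffic ({s})"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) == (s, d, proto, port):
            return True, f"conduit {s}->{d} {proto}/{port}"
        # Stateful firewall semantics: a reply is permitted only if the session
        # could have been initiated over a conduit in the opposite direction.
        if state == "established" and (c.src, c.dst, c.proto) == (d, s, proto):
            return True, f"reply on conduit {d}->{s} {proto}/{c.port}"
    if s == "enterprise" and d == "control":
        return False, "no conduit: enterprise-to-control flow bypasses the DMZ"
    return False, "no conduit defined for this flow"

# Constructed connection records: timestamp src dst proto dst_port state
SAMPLE_FLOWS = """\
2013-04-01T10:00:01 10.0.5.12 10.1.0.10 tcp 443 new
2013-04-01T10:00:01 10.1.0.10 10.0.5.12 tcp 51234 established
2013-04-01T10:00:05 10.2.0.20 10.1.0.11 tcp 1433 new
2013-04-01T10:00:09 10.0.5.12 10.2.0.20 tcp 502 new
2013-04-01T10:00:12 10.2.0.20 10.2.0.21 tcp 502 new
2013-04-01T10:00:15 10.0.5.12 10.2.0.20 tcp 502 established
2013-04-01T10:00:20 192.168.9.9 10.2.0.20 udp 161 new
""".splitlines()

def audit_flows(records: list[str]) -> list[tuple[str, str, str, bool, str]]:
    """Evaluate each record; returns (timestamp, src, dst, allowed, reason)."""
    findings = []
    for rec in records:
        ts, src, dst, proto, port, state = rec.split()
        ok, reason = evaluate(src, dst, proto, int(port), state)
        findings.append((ts, src, dst, ok, reason))
    return findings

def violations(records: list[str]) -> list[tuple[str, str, str, bool, str]]:
    return [f for f in audit_flows(records) if not f[3]]

if __name__ == "__main__":
    for ts, src, dst, ok, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{ts} {src:>12} -> {dst:<12} {'ALLOW' if ok else 'DENY ':5} {reason}")
```

Run against the sample records, three of the seven flows are denied. Checking a firewall's accepted-connection log this way, rather than only its drop log, is a cheap way to confirm that the deployed rule base actually matches the conduit configuration the risk assessment called for.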

Annex B (informative) Mapping Controls to Foundational Requirements

B.1 Overview

This annex is intended to provide guidance to the reader as to the relevance of the specific controls to the various foundational requirements.

NOTE This annex will be completed as part of the final document generation after the primary content has been finalized.

BIBLIOGRAPHY

NOTE This bibliography includes references to sources used in the creation of this standard as well as references to sources that may aid the reader in developing a greater understanding of cyber security as a whole and developing a management system. Not all references in this bibliography are referred to throughout the text of this standard. The references have been broken down into different categories depending on the type of source they are.

References to other parts, both existing and anticipated, of the ISA-62443 series:

NOTE Some of these references are normative references (see Clause 2), published documents, in development, or anticipated. They are all listed here for completeness of the anticipated parts of the ISA-62443 series.

[1] ANSI/ISA-62443-1-1-2007, Security for industrial automation and control systems: Terminology, concepts and models

[2] ANSI/ISA-TR62443-1-2, Security for industrial automation and control systems: Master glossary of terms and abbreviations

[3] ANSI/ISA-62443-1-3, Security for industrial automation and control systems: System security compliance metrics

[4] ANSI/ISA-62443-2-1-2009, Security for industrial automation and control systems: Establishing an industrial automation and control system security program

[5] ANSI/ISA-TR62443-2-3, Security for industrial automation and control systems: Patch management in the IACS environment

[6] ANSI/ISA-TR62443-3-1-2007, Security for industrial automation and control systems: Security technologies for industrial automation and control systems

[7] ANSI/ISA-62443-3-2, Security for industrial automation and control systems: Target security assurance levels for zones and conduits

[8] ANSI/ISA-62443-3-3, Security for industrial automation and control systems: System security requirements and security assurance levels

[9] ANSI/Error! Unknown document property name., Security for industrial automation and control systems: Product development requirements

[10] ANSI/ISA-62443-4-1, Security for industrial automation and control systems: Embedded devices

[11] ANSI/ISA-62443-4-2, Security for industrial automation and control systems: Host devices

Other standards references:

[12] ISO/IEC Directives, Part 2, Rules for the structure and drafting of International Standards
