ISA-62443-2-2-WD

THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS. IT MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

ISA, 67 Alexander Drive, P. O. Box 12277, Research Triangle Park, North Carolina 27709 USA.

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised.

FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES:

ISA‑62443-2-2, D1E4, April 2013. ISA99, WG02, TG02.

ISA‑62443-2-2
Security for industrial automation and control systems
Implementation Guidance for an IACS Security Management System
Draft 1, Edit 4
April 2013

Text appearing in red italics should be considered editorial comments, provided as an aid in the preparation of the document. It will be removed before the draft is completed.

ISA
Security for industrial automation and control systems
<Document Title>
ISBN: -to-be-assigned-
Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.

However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.

The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:

Name | Company | Contributor | Reviewer
<WG/TG Leader’s Name>, WG/TG Chair | <WG/TG Leader’s Company> | X |
<Editor’s Name>, Lead Editor | <Editor’s Company> | X |
<Member & Reviewer Names> | | |

CONTENTS

PREFACE
FOREWORD
INTRODUCTION
    Context
    Audience
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms, and conventions
    3.1 Terms and definitions
    3.2 Abbreviated terms and acronyms
    3.3 Conventions
4 Overview
    4.1 Structure
    4.2 Information security management in IACS
        4.2.1 Goal
        4.2.2 IACS assets to be protected
        4.2.3 Establishment of information security management
5 Security Policy
    5.1 Introduction
        5.1.1 {Requirement}
6 Organization of Security
    6.1 Introduction
    6.2 Internal Organization
        6.2.1 {Requirement}
    6.3 External Parties
        6.3.1 {Requirement}
7 Asset Management
    7.1 Introduction
    7.2 Responsibility for Assets
        7.2.1 {Requirement}
    7.3 Information Classification
        7.3.1 {Requirement}
8 Human Resources Security
    8.1 Prior to Employment
        8.1.1 Roles and responsibilities
        8.1.2 Screening
        8.1.3 Terms and conditions of employment
    8.2 During Employment
        8.2.1 Management responsibilities
        8.2.2 Information security awareness, education, and training
        8.2.3 Disciplinary process
    8.3 Termination or Change of Employment
        8.3.1 Termination responsibilities
        8.3.2 Return of assets
        8.3.3 Removal of access rights
9 Physical and Environmental Security
    9.1 Introduction
    9.2 Secure Areas
        9.2.1 {Requirement}
    9.3 Equipment Security
        9.3.1 Physical Access Authorizations
        9.3.2 Physical Access Control
        9.3.3 Access Control for Communication Medium
        9.3.4 Access Control for Display Medium
        9.3.5 Monitoring Physical Access
        9.3.6 Visitor Control
        9.3.7 Access Records
10 Communications and Operations Management
    10.1 Introduction
    10.2 Operational Procedures and Responsibilities
        10.2.1 Automated Marking
    10.3 Third Party Service Delivery Management
        10.3.1 {Requirement}
    10.4 System planning and acceptance
        10.4.1 {Requirement}
    10.5 Protection against malicious and mobile code
        10.5.1 Malicious Code Protection
        10.5.2 Security Alerts and Advisories
    10.6 Backup
        10.6.1 {Requirement}
    10.7 Network Security Management
        10.7.1 {Requirement}
    10.8 Media Handling
        10.8.1 Media Protection Policy and Procedures
        10.8.2 Media Access
        10.8.3 Media Labeling
        10.8.4 Media Storage
        10.8.5 Media Transport
        10.8.6 Media Sanitization and Disposal
        10.8.7 Access Control for Display Medium
        10.8.8 Public Key Infrastructure Certificates
    10.9 Exchange of Information
        10.9.1 {Requirement}
    10.10 Electronic Commerce Services
        10.10.1 {Requirement}
    10.11 Monitoring
        10.11.1 Audit and Accountability Policy and Procedures
        10.11.2 Auditable Events
        10.11.3 Audit Monitoring, Analysis and Reporting
        10.11.4 Audit Record Retention
11 Access Control
    11.1 Introduction
    11.2 Business Requirement
        11.2.1 Access Control Policy and Procedures
        11.2.2 System and Information Integrity Policy and Procedures
        11.2.3 Flaw Remediation
    11.3 User Access Management
        11.3.1 Account Management
        11.3.2 Separation of Duties
    11.4 User Responsibilities
        11.4.1 {Requirement}
    11.5 Network Access Control
        11.5.1 Least Privilege
        11.5.2 Permitted Actions Without Identification or Authentication
        11.5.3 Remote Access
        11.5.4 Use of External Information Systems
    11.6 Operating System Access Control
        11.6.1 {Requirement}
    11.7 Application and Information Access Control
        11.7.1 {Requirement}
    11.8 Mobile Computing and Teleworking
        11.8.1 Wireless Access Restrictions
        11.8.2 Use Control for Portable and Mobile Devices
        11.8.3 Mobile Code
        11.8.4 Supervision and Review – Use Control
        11.8.5 Identification and Authentication Policy and Procedures
        11.8.6 Identifier Management
        11.8.7 Authenticator Management
        11.8.8 Software and Information Integrity
        11.8.9 Information Input Restrictions
        11.8.10 Error Handling
        11.8.11 Information Output Handling and Retention
        11.8.12 Boundary Protection
12 Systems acquisition, development and maintenance
    12.1 Introduction
    12.2 Security requirements of information systems
        12.2.1 {Requirement}
    12.3 Correct Processing in Applications
        12.3.1 {Requirement}
    12.4 Cryptographic Controls
        12.4.1 Cryptographic Module Validation
    12.5 Security of System Files
        12.5.1 {Requirement}
    12.6 Security in development and support processes
        12.6.1 {Requirement}
    12.7 Technical vulnerability management
        12.7.1 Configuration Management Policy and Procedures
        12.7.2 Baseline Configuration
        12.7.3 Configuration Change Control
        12.7.4 Monitoring Configuration Changes
        12.7.5 Access Restrictions for Change
        12.7.6 Network and Security Configuration Settings
        12.7.7 IACS Component Inventory
        12.7.8 System Maintenance Policy and Procedures
        12.7.9 Controlled Maintenance
        12.7.10 Maintenance Tools
        12.7.11 Remote Maintenance
        12.7.12 Maintenance Personnel
        12.7.13 Timely Maintenance
13 Incident Management
    13.1 Introduction
    13.2 Reporting Security Events and Weaknesses
        13.2.1 {Requirement}
    13.3 Management of Incidents and Improvements
        13.3.1 Incident Response Policy and Procedures
        13.3.2 Incident Response Training
        13.3.3 Incident Response Testing and Exercises
        13.3.4 Incident Handling
        13.3.5 Incident Monitoring
        13.3.6 Incident Reporting
        13.3.7 Incident Response Assistance
        13.3.8 IACS Monitoring Tools and Techniques
14 Business Continuity Management
    14.1 Introduction
    14.2 Security Aspects
        14.2.1 Contingency Planning Policy and Procedures
        14.2.2 Contingency Plan
        14.2.3 Contingency Training
        14.2.4 Contingency Plan Testing and Exercises
        14.2.5 Contingency Plan Update
        14.2.6 Alternate Storage Site
        14.2.7 Alternate Control Site
        14.2.8 IACS Backup
        14.2.9 IACS Recovery and Reconstruction
        14.2.10 Power Equipment and Cabling
    14.3 Telecommunications Services
        14.3.1 Emergency Shutoff
        14.3.2 Emergency Power
        14.3.3 Emergency Lighting
        14.3.4 Fire Protection
        14.3.5 Temperature and Humidity Controls
        14.3.6 Water Damage Protection
15 Compliance
    15.1 General
        15.1.1 {Requirement}
Annex A (informative) Foundational Requirements
    A.1 Overview
    A.2 FR1 Access Control
    A.3 FR2 Use Control
    A.4 FR3 Data Integrity
    A.5 FR4 Data Confidentiality
    A.6 FR5 Restrict Data Flow
    A.7 FR6 Timely Response to an Event
    A.8 FR7 Resource Availability
Annex B (informative) - Mapping Controls to Foundational Requirements
    B.1 Overview
BIBLIOGRAPHY

FOREWORD

This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.

This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.

SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document.

The following information comes from the IEC Directives. The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables. It consists of a general part and a specific part.

The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e.
a) the designation and name of the committee that prepared the document,
b) information regarding the approval of the document, and
c) information regarding the drafting conventions used, comprising a reference to this part of the ISO/IEC Directives.

The specific part (supplied by the committee secretariat) shall give a statement of significant technical changes from any previous edition of the document and as many of the following as are appropriate:
d) an indication of any other international organization that has contributed to the preparation of the document;
e) a statement that the document cancels and replaces other documents in whole or in part;
f) the relationship of the document to other documents (see 5.2.1.3);
g) in IEC, an indication of the next stability date (see ISO/IEC Directives, IEC Supplement, 2010, 3.4).

INTRODUCTION

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12]¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document uses the conventions discussed in the ISO/IEC Directives, Appendix H.

Context

Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment. This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.

Organizations deploying pre-existing information technology (IT) and business cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in the correct way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional and consequence analysis, and often an awareness of operational issues as well.

The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.

This International Standard provides interpretation guidelines for the implementation and management of information security management for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).

IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.

This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.

Audience

The audience for the information in this standard includes asset owners, those responsible for information security; system vendors, auditors, and application content providers, with a common set of general security control objectives based on ISO/IEC 27002, IACS specific controls, and information security management guidelines allowing for the selection and implementation of such controls.

—————————
¹ Numbers in square brackets refer to the Bibliography.

SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the “iecstd_us.dotm” and change starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber).

The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents.

The following information comes from the IEC Directives. The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements. Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information. The introduction shall not be numbered unless there is a need to create numbered subdivisions. In this case, it shall be numbered 0, with subclauses being numbered 0.1, 0.2, etc. Any numbered figure, table, displayed formula or footnote shall be numbered normally beginning with 1.

1 Scope

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.

SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here.

The following information comes from the IEC Directives. This element shall appear at the beginning of each document and define without ambiguity the subject of the document and the aspects covered, thereby indicating the limits of applicability of the document or particular parts of it. It shall not contain requirements. In documents that are subdivided into parts, the scope of each part shall define the subject of that part of the document only. The scope shall be succinct so that it can be used as a summary for bibliographic purposes. This element shall be worded as a series of statements of fact. Forms of expression such as the following shall be used:

“This International Standard
- specifies the dimensions of …” / a method of …” / the characteristics of …”
- establishes a system for …” / general principles for …”
- gives guidelines for …”
- defines terms …”

Statements of applicability of the document shall be introduced by wording such as: “This International Standard is applicable to …” The wording shall be altered as a function of the document type concerned, i.e. International Standard, Technical Specification, Publicly Available Specification, Technical Report or Guide.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISA‑99.01.01 – Security for industrial and automation control systems: Terminology, concepts and models

ISA‑99.02.01 – Security for industrial and automation control system: Establishing an industrial automation and control systems security program

ISA‑99.03.02 – Security for industrial and automation control system: Security assurance levels for zones and conduits

SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA-99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.

3 Terms, definitions, abbreviated terms, acronyms, and conventions

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.

3.1.1
authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system

3.1.2
authenticity
property of being genuine and being able to be verified and trusted
NOTE It may also be defined as confidence in the validity of a transmission, a message, or message originator.

3.1.3
automatic
pertaining to a process or equipment that, under specified conditions, functions without human intervention
[IEV number 351-21-40]

3.1.4
availability
ensuring timely and reliable access to and use of information
[FIPS 199]

3.1.5
communication channel
logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone

3.1.6
confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
[FIPS 199]

3.1.7
connection
association established between two or more endpoints which supports the transfer of IACS specific data

3.1.8
consequence
outcome of an event

3.1.9
environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS

3.1.10
event
occurrence or change of a particular set of circumstances

3.1.11
external information systems
hardware, software components and repositories that are connected by some means or embedded within the component

3.1.12
IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS

3.1.13
impact
evaluated consequence of a particular event

3.1.14
industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits

3.1.15
integrity
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
[FIPS 199]

3.1.16
local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network

3.1.17
non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender’s identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information

3.1.18
remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)

3.1.19
remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment

3.1.20
role
set of connected behaviors, privileges and obligations associated to IACS users in a given situation
NOTE 1 The privileges to perform certain operations are assigned to specific roles.

NOTE 2 Role definitions must be distinguished in infrastructure role definitions (within a process), functional role definitions (part of an entity functions) or organizational role definition (a person position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.
Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]

3.1.21
security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, either intentionally designed computer components or accidentally inserted at any time during its lifecycle, and that the computer systems function in the intended manner

3.1.22
session
semi-permanent, stateful, interactive information interchange between two or more communicating devices
NOTE Typically a session has a clearly defined start process and end process.

3.1.23
threat
any circumstance or event with the potential to adversely affect organizational operations (including mission, functions, image or reputation), organizational assets, IACS or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service

3.1.24
trust
belief that an operation or data transaction source or process is secure and will perform as intended

3.1.25
untrusted
entity that has not met predefined requirements to be trusted

3.1.26
vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source

SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like “Adapted from …”.

3.2 Abbreviated terms and acronyms

This subclause defines the abbreviated terms and acronyms used in this document.

AC       Access Control
AES      Advanced encryption standard
API      Application programming interface
CA       Certification authority
CIP      Critical infrastructure protection
COTS     Commercial-off-the-shelf
DC       Data confidentiality
DI       Data integrity
DMZ      Demilitarized zone

DoS      Denial of service
FR       Foundational requirement
FTP      File transfer protocol
HSE      Health, safety, and environmental
HTTP     Hypertext transfer protocol
IACS     Industrial automation and control system(s)
ID       Identifier
IDS      Intrusion detection system
IEC      International Electrotechnical Commission
IEEE     Institute of Electrical and Electronics Engineers
IM       Instant messaging
IPS      Intrusion prevention system
ISO      International Organization for Standardization
IT       Information technology
NERC     North American Electric Reliability Corporation
NIST     U.S. National Institute of Standards and Technology
PDF      Portable document format
RA       Resource availability
RDF      Restrict data flow
RE       Requirement enhancement
SAL      Security assurance level
SIS      Safety instrumented system
SP       Special Publication (from NIST)
SR       System requirement
SuC      System under consideration
TRE      Timely response to an event
UC       Use control
US-CERT  U.S. Computer Emergency Readiness Team
USB      Universal serial bus
VoIP     Voice over internet protocol

3.3 Conventions

Much of the content of this standard is expressed in the form of specific requirements or controls. Each of these has a baseline requirement and zero or more requirement enhancements to strengthen security assurance. Rationale and supplemental guidance may be provided for each baseline requirement, and for any associated enhancement as is deemed necessary, to provide clarity to the reader.

SKELETON NOTE This sub-clause is where specific conventions used in the document are described, like specific clause/sub-clause formatting, special text conventions, or any other things that the reader should know in order to read the document. The reader may still need some introduction to conventions used throughout the document, but this sub-clause allows for a greater explanation in one place.

4 Overview

4.1 Structure

The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.

In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS specific guidance related to this control. IACS specific guidance and information is included in the following clauses:

– Organization of information security (clause 6)
– Asset management (clause 7)
– Human resources security (clause 8)
– Physical and environmental security (clause 9)
– Communications and operations management (clause 10)
– Access control (clause 11)
– Information systems acquisition, development and maintenance (clause 12)
– Information security incident management (clause 13)
– Business continuity management (clause 14)

4.2 Information security management in IACS

4.2.1 Goal

Industrial control systems and associated networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, information leakage, earthquake, fire or flood. These security threats may originate from inside or outside the control systems environment resulting in damage to the organization.

Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.

Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.

4.2.2 IACS assets to be protected

In order to establish information security management, it is essential for an asset owner to clarify and identify all IACS related assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.

4.2.3 Establishment of information security management

4.2.3.1 How to establish security requirements

It is essential for asset owners to identify their security requirements. There are three main sources of security requirements as follows:

a) What is derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;

b) The legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;

c) The particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.

4.2.3.2 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

4.2.3.3 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level.

This standard provides guidance and IACS specific controls, in addition to general information security management, taking account of IACS specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.

The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.

4.2.3.4 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security in an industrial automation and control system:

a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;

b) an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;

c) visible support and commitment from all levels of management;

d) a good understanding of the security requirements, risk assessment, and risk management;

e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;

f) distribution of guidance on information security policy and standards to all managers, employees and other parties;

g) provision to fund information security management activities;

h) providing appropriate awareness, training, and education;

i) establishing an effective information security incident management process;

j) implementation of a measurement system that is used to evaluate performance in information security management and feedback suggestions for improvement.

5 Security Policy

5.1 Introduction

5.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6 Organization of Security

6.1 Introduction

6.2 Internal Organization

6.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6.3 External Parties

6.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7 Asset Management

7.1 Introduction

7.2 Responsibility for Assets

7.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7.3 Information Classification

7.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8 Human Resources Security

8.1 Prior to Employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.

All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.

Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.

8.1.1 Roles and responsibilities

Control

Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.

Implementation guidance

Security roles and responsibilities should include the requirement to:

a) implement and act in accordance with the organization’s information security policies (see 5.1);
b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.

Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

IACS-specific implementation guidance

Facilities should appoint staff who have the right credentials or appropriate knowledge and skills to be in charge of the supervision of matters related to the installation, maintenance and operation of IACS. The relevant staff should be notified of their assigned roles and responsibilities.

Other Information

Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8.1.2 Screening

Control

Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Implementation guidance
Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:

a) availability of satisfactory character references, e.g. one business and one personal;
b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity check (passport or similar document);

e) more detailed checks, such as credit checks or checks of criminal records.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.

Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.

A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

IACS-specific implementation guidance

Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]

8.1.3 Terms and conditions of employment

Control

As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.

Implementation guidance

The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:

a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);
c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);
d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;
e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);
f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);

g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).

The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).

IACS-specific implementation guidance

Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.

Other Information

A code of conduct may be used to cover the employee’s, contractor’s or third party user’s responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. The contractor or third party users may be associated with an external organization that may in turn be required to enter in contractual arrangements on behalf of the contracted individual.

8.2 During Employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

8.2.1 Management responsibilities

Control

Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

Implementation guidance

Management responsibilities should include ensuring that employees, contractors and third party users:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) are provided with guidelines to state security expectations of their role within the organization;
c) are motivated to fulfil the security policies of the organization;
d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);
