FOR REVIEW PURPOSES ONLY!
THIS DOCUMENT IS A WORKING DRAFT OF AN ISA99 COMMITTEE WORK PRODUCT. IT MAY NOT BE ACCURATE OR COMPLETE AND IS SUBJECT TO CHANGE WITHOUT NOTICE.
IT IS PROVIDED SOLELY FOR THE PURPOSE OF REVIEW IN SUPPORT OF FURTHER DEVELOPMENT OF COMMITTEE WORK PRODUCTS.
THIS DOCUMENT MAY NOT BE COPIED, DISTRIBUTED TO OTHERS, OR OFFERED FOR FURTHER REPRODUCTION OR FOR SALE.
Copyright © by the International Society of Automation. All rights reserved. Not for resale.
Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.
ISA
67 Alexander Drive P. O. Box 12277
Research Triangle Park, North Carolina 27709 USA
ISA-62443-1-1
Security for industrial automation and control systems
Models and Concepts
Draft 5, Edit 4
August 2015
ISA-62443-1-1, D5E4, August 2015 – ISA99, WG03
ISA
Security for industrial automation and control systems
Models and Concepts
ISBN: -to-be-assigned-
Copyright © 2015 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
ISA
67 Alexander Drive P. O. Box 12277
Research Triangle Park, NC 27709 USA
PREFACE
This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443-1-1.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail:
The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.
CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.

However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.
The following people served as active members of ISA99, Working Group 03, Task Group 0 for the preparation of this document:

Name                  Company
Bruce Billedeaux      Maverick Technologies
Eric Cosman           OIT Concepts LLC
Jim Gilsinn           Kenexis
Tom Good              DuPont
Evan Hand             Conagra Foods
Dennis Holstein       OPUS Consulting Group
Jean-Pierre Hauet
Eric Hopp             Rockwell Automation
Pierre Kobes          Siemens
Jeff Potter           Emerson Process Management
Ragnar Schierholz     ABB
Leon Steinocher       Consultant
Chris Stephens        Fluor
Bradley Taylor        The George Washington University/NAVSEA
Donovan Tindill       Honeywell
Rich Weekly           Barr-Thorp Electric Co., Inc.
CONTENTS
PREFACE ... 3
FOREWORD ... 9
INTRODUCTION ... 10
1 Scope ... 11
2 Normative references ... 11
3 Terms, definitions, abbreviated terms, acronyms, and conventions ... 12
3.1 Terms and definitions ... 12
3.2 Abbreviated terms and acronyms ... 24
3.3 Conventions ... 24
4 The ISA‑62443 standards ... 25
5 The Situation ... 27
5.1 Overview ... 27
5.2 Business Environment ... 27
5.3 Current Systems ... 27
5.4 Current Trends ... 28
5.5 Potential Consequences ... 29
5.6 Impact of Countermeasures ... 29
5.7 Common Constraints ... 29
5.7.1 Support of Essential Functions ... 29
5.7.2 Compensating countermeasures ... 30
6 Security Elements ... 30
6.1 Introduction ... 30
6.2 People ... 31
6.3 Processes ... 32
6.4 Technology ... 32
6.5 Use Cases ... 33
6.6 Summary ... 35
7 Roles and Responsibilities ... 35
7.1 General ... 35
8 IACS Definition ... 36
8.1 Functionality Included ... 36
8.2 Systems and Interfaces ... 37
8.3 Activity-Based Criteria ... 37
8.4 Asset-Based Criteria ... 37
8.5 Consequence-Based Criteria ... 38
9 Models ... 38
9.1 General ... 38
9.2 Reference Model ... 38
9.2.1 Level 4 – Enterprise Business Systems ... 39
9.2.2 Level 3 – Operations Management ... 39
9.2.3 Level 2 – Supervisory Control ... 39
9.2.4 Level 1 – Local or Basic Control ... 39
9.2.5 Level 0 – Process ... 40
9.3 Reference Architecture Model ... 40
9.4 Zone Model ... 41
10 General Concepts ... 41
10.1 Security Context ... 41
10.2 Security Objectives ... 42
10.3 Least Privilege ... 43
10.4 Defense in Depth ... 43
10.5 Threat-Risk Assessment ... 43
10.6 Policies and Procedures ... 43
10.6.1 General ... 43
10.6.2 Enterprise Level ... 44
10.6.3 Operational Level ... 45
10.7 Topics Covered by Policies and Procedures ... 45
10.8 Key Management ... 47
10.8.1 Introduction ... 47
10.8.2 Generation and distribution of keys ... 48
10.8.3 Key State Phases ... 49
11 Fundamental Concepts ... 49
11.1 Security Life Cycle ... 49
11.1.1 Introduction ... 49
11.1.2 Product life cycle ... 51
11.1.3 IACS Life Cycle ... 52
11.2 Maturity Levels ... 54
11.2.1 Maturity Phases ... 55
11.3 Zones and Conduits ... 58
11.3.1 Introduction ... 58
11.3.2 Zones ... 58
11.3.3 Conduits ... 58
11.3.4 Channels ... 59
11.3.5 Determining Requirements ... 59
11.3.6 Defining Zones ... 60
11.3.7 Zone Identification ... 60
11.3.8 Defining Conduits ... 62
11.4 Security Levels ... 64
11.4.1 Introduction ... 64
11.4.2 Definition ... 64
11.4.3 Types of Security Levels ... 65
11.4.4 Using Security Levels ... 65
11.4.5 Security Level Vector ... 68
11.4.6 Foundational Requirements ... 68
11.4.7 Level Definitions ... 69
11.4.8 Security Level Vector Format ... 70
11.5 Foundational Requirements ... 71
11.5.1 FR 1 – Identification and authentication control (IAC) ... 71
11.5.2 FR 2 – Use control (UC) ... 72
11.5.3 FR 3 – System integrity (SI) ... 72
11.5.4 FR 4 – Data confidentiality (DC) ... 72
11.5.5 FR 5 – Restricted data flow (RDF) ... 73
11.5.6 FR 6 – Timely response to events (TRE) ... 73
11.5.7 FR 7 – Resource availability (RA) ... 73
11.6 Safety and Security ... 73
11.6.1 Rationale ... 74
12 Compliance Metrics ... 74
Annex A – Zones and Conduits Examples ... 75
A.1 Introduction ... 75
A.2 Untrusted Conduits ... 75
A.3 Multi-Plant Model ... 75
A.4 (Description) ... 76
A.5 SCADA Applications ... 77
Annex B – Truck Loading Description ... 81
B.1 Introduction ... 81
B.2 Safety and Security ... 90
Annex C – Example: Procedure to apply foundational requirements ... 92
C.1 Overview ... 92
C.1.1 Description of example system under consideration ... 92
C.1.2 Technical Approach ... 92
C.1.3 Achieved security assurance level ... 95
C.2 System security assurance when commissioned ... 96
C.3 System security assurance after commissioning ... 96
Annex D (informative) Understanding how to use the ISA99 adaptation of the IEC styleguide ... 97
D.1 Overview ... 97
D.2 Document and page formatting ... 97
D.3 Sectioning ... 98
D.4 Figures ... 99
D.5 Tables ... 99
D.6 Wording and language recommendations ... 100
BIBLIOGRAPHY ... 101

Figure 1 – ISA‑62443 Work Products ... 26
Figure 2 – Security Elements Grouping ... 31
Figure 3 – Three-Legged Table ... 34
Figure 4 – Implementation of People, Process, and Technology ... 35
Figure 5 – Reference Model ... 39
Figure 6 – Physical Architecture Model Example ... 41
Figure 7 – Context Element Relationships ... 42
Figure 8 – Context Model ... 42
Figure 9 – Key management life cycle ... 48
Figure 10 – Security aspects in relevant life cycles ... 50
Figure 11 – Interdependencies in product and IACS lifecycles ... 51
Figure 12 – High-level process-industry example showing zones and conduits ... 66
Figure 13 – High-level manufacturing example showing zones and conduits ... 67
Figure 14 – High-level manufacturing example showing zones and conduits ... 68
Figure 15 – Conduit Example ... 75
Figure 16 – Multiplant Zone Example ... 76
Figure 17 – Separate Zones Example ... 77
Figure 18 – SCADA Zone Example ... 78
Figure 19 – SCADA Separate Zones Example ... 79
Figure 20 – Enterprise Conduit ... 79
Figure 21 – SCADA Conduit Example ... 80
Figure 22 – Chemical Truck Loading Control System Architecture Diagram ... 81
Figure 23 – Chemical Truck Loading System with Definition of SUT Boundary ... 82
Figure 24 – Diagram of major components for chemical truck loading example ... 83
Figure 25 – Zone and Conduit Identification ... 86
Figure 26 – High-level process-industry example showing zones and conduits ... 88
Figure 27 – High-level manufacturing example showing zones and conduits ... 89
Figure 28 – Example application - Chemical truck loading station ... 92

Table 1 – Elements Applied to Change Control and Configuration Management ... 34
Table 2 – Entities with relevant life cycles and the respective main responsible role ... 50
Table 3 – Security Maturity Phases ... 56
Table 4 – Concept Phase ... 56
Table 5 – Functional Analysis Phase ... 56
Table 6 – Implementation Phase ... 57
Table 7 – Operations Phase ... 57
Table 8 – Recycle and Disposal Phase ... 57
Table 9 – Zone Characteristics ... 87
FOREWORD
This document is part of a multipart standard that addresses the issue of security for industrial automation and control systems (IACS). It has been developed by working group 03 of the ISA99 committee in cooperation with IEC TC65/WG10.

This document describes the concepts and models that form the foundation of all standards in the series. Many of these topics are addressed in more detail in one or more related standards. It supersedes the original version of this standard (ISA-99.00.01-2007).
INTRODUCTION
NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2 [15].¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause 4 of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.
—————————
¹ Numbers in square brackets refer to the Bibliography.
1 Scope
This document is the first in the ISA‑62443 series of standards that addresses various aspects of IACS security. It introduces concepts and models that are described and applied in more detail in subsequent standards in the series.

The content of this document includes both general purpose cyber security elements that are applicable in the IACS environment, as well as a small set of concepts and models that are specific or unique to IACS. Normative content is limited to what is required to define essential concepts that must be consistently applied across all aspects of an IACS security response.

The intended audience for this specification is the IACS community, including asset owners, system integrators, product suppliers, service providers and, where appropriate, compliance authorities. Compliance authorities include but are not limited to government agencies and regulators with the legal authority to perform audits to verify compliance with governing laws and regulations.

System integrators, product suppliers and service providers will use this document to evaluate whether their products and services can provide the functional security capability to meet the asset owner’s target security level requirements. As with the assignment of these requirements, applicability of individual control system requirements and requirement enhancements must be based on an asset owner’s security policies, procedures and risk assessment in the context of their specific site.

There is insufficient detail in this document to design and build a comprehensive security architecture. That requires additional system-level analysis and development of derived requirements that are the subject of other documents in the ISA‑62443 series.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISA‑TR62443-1-2, Security for Industrial Automation and Control Systems – Master Glossary

ISA‑62443-2-1, Security for industrial automation and control systems – Requirements for an Industrial automation and control system security management system

ISA‑62443-3-2, Security for Industrial Automation and Control Systems – Security Risk Assessment and System Design

ISA‑62443-3-3, Security for Industrial Automation and Control Systems – System Security Requirements and Security Levels

ANSI/ISA-95.00.01-2000, Enterprise-Control System Integration – Models and Terminology, Clause 5 (Hierarchy Models)

ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management
3 Terms, definitions, abbreviated terms, acronyms, and conventions

3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.

3.1.1
access
ability and means to communicate with or otherwise interact with a system in order to use system resources
Note to entry: Access may involve physical access (authorization to be allowed physically in an area, possession of a physical key lock, PIN code, or access card or biometric attributes that allow access) or logical access (authorization to log in to a system and application, through a combination of logical and physical means)

3.1.2
access control
protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy

3.1.3
accountability
property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions

3.1.4
actuator
actuating element connected to process equipment and to the control system

3.1.5
application
software program that performs specific functions initiated by a user command or a process event and that can be executed without access to system control, monitoring, or administrative privileges

3.1.6
area
subset of a site’s physical, geographic, or logical group of assets
Note to entry: An area may contain manufacturing lines, process cells, and production units. Areas may be connected to each other by a site local area network and may contain systems related to the operations performed in that area.

3.1.7
asset
physical or logical object owned by or under the custodial duties of an organization, having either a perceived or actual value to the organization
Note to entry: In the case of industrial automation and control systems the physical assets that have the largest directly measurable value may be the equipment under control.

3.1.8
asset operator
individual or organization responsible for the operation of the IACS

3.1.9
asset owner
individual or organization that owns the IACS assets
3.1.10
attack
assault on a system that derives from an intelligent threat — i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system

Note to entry: There are different commonly recognized classes of attack:
An “active attack” attempts to alter system resources or affect their operation. A “passive attack” attempts to learn or make use of information from the system but does not affect system resources.
An “inside attack” is an attack initiated by an entity inside the security perimeter (an “insider”) – i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization. An “outside attack” is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (including an insider attacking from outside the security perimeter). Potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

3.1.11
audit
independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures (See “security audit”)

Note to entry: There are three forms of audit. (1) External audits are conducted by parties who are not employees or contractors of the organization. (2) Internal audits are conducted by a separate organizational unit dedicated to internal auditing. (3) Controls self-assessments are conducted by peer members of the process automation function.

3.1.12
authenticate
verify the identity of a user, user device, or other entity, or to establish the validity of a transmission

3.1.13
authentication
security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information

3.1.14
authorization
right or a permission that is granted to a system entity to access a system resource

3.1.15
availability
probability that an asset, under the combined influence of its reliability, maintainability, and security, will be able to fulfill its required function over a stated period of time, or at a given point in time

3.1.16
border
edge or boundary of a physical or logical security zone

3.1.17
botnet
collection of software robots, or bots, which run autonomously

Note to entry: A botnet's originator can control the group remotely, possibly for nefarious purposes.

3.1.18
boundary
software, hardware, or other physical barrier that limits access to a system or part of a system
3.1.19
business system
collection of information technology elements (i.e., hardware, software and services) installed with the intent to facilitate an organization’s business process or processes (administrative or project)

3.1.20
cell
lower-level element of a manufacturing process that performs manufacturing, field device control, or vehicle functions

Note to entry: Entities at this level may be connected together by an area control network and may contain information systems related to the operations performed in that entity.

3.1.21
channel
specific communication path established within a communication conduit (See “conduit”).

3.1.22
client
device or application receiving or requesting services or information from a server application

3.1.23
communication path
logical connection between a source and one or more destinations, which could be devices, physical processes, data items, commands, or programmatic interfaces

Note to entry: The communication path is not limited to wired or wireless networks, but includes other means of communication such as memory, procedure calls, state of physical plant, portable media, and human interactions.

3.1.24
communication system
arrangement of hardware, software, and propagation media to allow the transfer of messages (ISO/IEC 7498 application layer service data units) from one application to another

3.1.25
compromise
unauthorized disclosure, modification, substitution, or use of information (including plaintext cryptographic keys and other critical security parameters)

3.1.26
conduit
logical grouping of communication assets that protects the security of the channels it contains

Note to entry: This is analogous to the way that a physical conduit protects cables from physical damage.

3.1.27
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices

3.1.28
control center
central location used to operate a set of assets

Note 1 to entry: Infrastructure industries typically use one or more control centers to supervise or coordinate their operations. If there are multiple control centers (for example, a backup center at a separate site), they are typically connected together via a wide area network. The control center contains the SCADA host computers and associated operator display devices plus ancillary information systems such as a historian.

Note 2 to entry: In some industries the term “control room” may be more commonly used.

3.1.29
control equipment
class that includes distributed control systems, programmable logic controllers, SCADA systems, associated operator interface consoles, and field sensing and control devices used to manage and control the process
Note to entry: The term also includes field bus networks where control logic and algorithms are executed on intelligent electronic devices that coordinate actions with each other, as well as systems used to monitor the process and the systems used to maintain the process.

3.1.30
control network
time-critical network that is typically connected to equipment that controls physical processes

Note to entry: The control network can be subdivided into zones, and there can be multiple separate control networks within one company or site.

3.1.31
cost
value of impact to an organization or person that can be measured

3.1.32
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken

Note to entry: The term “Control” is also used to describe this concept in some contexts. The term countermeasure has been chosen for this standard to avoid confusion with the word control in the context of “process control.”

3.1.33
cryptographic algorithm
algorithm based upon the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms

3.1.34
cryptographic key
input parameter that varies the transformation performed by a cryptographic algorithm

Note to entry: Usually shortened to just “key.”

3.1.35
data confidentiality
property that information is not made available or disclosed to any unauthorized system entity, including unauthorized individuals, entities, or processes

3.1.36
data integrity
property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner

Note to entry: This term deals with constancy of and confidence in data values, not with the information that the values represent or the trustworthiness of the source of the values.

3.1.37
decryption
process of changing ciphertext into plaintext using a cryptographic algorithm and key (See “encryption”)

3.1.38
defense in depth
provision of multiple security protections, especially in layers, with the intent to delay if not prevent an attack

Note to entry: Defense in depth implies layers of security and detection, even on single systems, and provides the following features:
a) attackers are faced with breaking through or bypassing each layer without being detected
b) a flaw in one layer can be mitigated by capabilities in other layers
c) system security becomes a set of layers within the overall network security.

3.1.39
demilitarized zone
perimeter network segment that is logically between internal and external networks
Note 1 to entry: The purpose of a demilitarized zone is to enforce the internal network’s policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal network from outside attacks.

Note 2 to entry: In the context of industrial automation and control systems, the term “internal network” is typically applied to the network or segment that is the primary focus of protection. For example, a control network could be considered “internal” when connected to an “external” business network.

3.1.40
denial of service
prevention or interruption of authorized access to a system resource or the delaying of system operations and functions

Note to entry: In the context of industrial automation and control systems, denial of service can refer to loss of process function, not just loss of data communications.

3.1.41
digital signature
result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation

3.1.42
distributed control system
type of control system in which the system elements are dispersed but operated in a coupled manner

Note 1 to entry: Distributed control systems may have shorter coupling time constants than those typically found in SCADA systems.

Note 2 to entry: Distributed control systems are commonly associated with continuous processes such as electric power generation; oil and gas refining; chemical, pharmaceutical and paper manufacture, as well as discrete processes such as automobile and other goods manufacture, packaging, and warehousing.

3.1.43
domain
environment or context that is defined by a security policy, security model, or security architecture to include a set of system resources and the set of system entities that have the right to access the resources

3.1.44
eavesdropping
monitoring or recording of communicated information by unauthorized parties

3.1.45
electronic security
actions required to preclude unauthorized use of, denial of service to, modifications to, disclosure of, loss of revenue from, or destruction of critical systems or informational assets

Note to entry: The objective is to reduce the risk of causing personal injury or endangering public health, losing public or consumer confidence, disclosing sensitive assets, failing to protect business assets or failing to comply with regulations. These concepts are applied to any system in the production process and include both stand-alone and networked components. Communications between systems may be either through internal messaging or by any human or machine interfaces that authenticate, operate, control, or exchange data with any of these control systems. Electronic security includes the concepts of identification, authentication, accountability, authorization, availability, and privacy.

3.1.46
encryption
cryptographic transformation of plaintext into ciphertext that conceals the data’s original meaning to prevent it from being known or used (See “decryption”)

Note to entry: If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state.

3.1.47
enterprise
business entity that produces or transports products or operates and maintains infrastructure services
3.1.48
equipment under control
equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities

3.1.49
essential function
function or capability that is required to maintain health, safety, the environment and availability for the equipment under control

Note to entry: Essential functions include, but are not limited to, the safety instrumented function (SIF), the control function and the ability of the operator to view and manipulate the equipment under control. The loss of essential functions is commonly termed loss of protection, loss of control and loss of view respectively. In some industries additional functions such as history may be considered essential.

3.1.50
firewall
inter-network connection device that restricts data communication traffic between two connected networks

Note to entry: A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance) that forwards or rejects/drops packets on a network. Typically firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.

3.1.51
gateway
relay mechanism that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables host computers on one network to communicate with hosts on the other

Note to entry: Also described as an intermediate system that is the translation interface between two computer networks.

3.1.52
geographic site
subset of an enterprise’s physical, geographic, or logical group of assets

Note to entry: A geographic site may contain areas, manufacturing lines, process cells, process units, control centers, and vehicles and may be connected to other sites by a wide area network.

3.1.53
host
computer that is attached to a communication subnetwork or inter-network and can use services provided by the network to exchange data with other attached systems

3.1.54
industrial automation and control systems
collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process

Note to entry: These systems include, but are not limited to:
a) industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety-instrumented system [SIS] functions, whether they are physically separate or integrated.)
b) associated information systems such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.
c) associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

3.1.55
insider
“trusted” person, employee, contractor, or supplier who has information that is not generally known to the public (See “outsider”)
3.1.56
integrity
quality of a system reflecting the logical correctness and reliability of the operating system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data

Note to entry: In a formal security mode, integrity is often interpreted more narrowly to mean protection against unauthorized modification or destruction of information.

3.1.57
interception
capture and disclosure of message contents or use of traffic analysis to compromise the confidentiality of a communication system based on message destination or origin, frequency or length of transmission, and other communication attributes

3.1.58
interface
logical entry or exit point that provides access to the module for logical information flows

3.1.59
intrusion
unauthorized act of compromising a system (See “attack”).

3.1.60
intrusion detection
security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner

3.1.61
ISO
International Organization for Standardization

3.1.62
key management
process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the keys and related material

3.1.63
line
lower-level element of a manufacturing process that performs manufacturing, field device control, or vehicle functions

Note to entry: See “Cell”

3.1.64
local area network
communications network designed to connect computers and other intelligent devices in a limited geographic area (typically less than 10 kilometers)

3.1.65
malicious code
programs or code written for the purpose of gathering information about systems or users, destroying system data, providing a foothold for further intrusion into a system, falsifying system data and reports, or providing time-consuming irritation to system operations and maintenance personnel

Note 1 to entry: Malicious code attacks can take the form of viruses, worms, Trojan Horses, or other automated exploits.

Note 2 to entry: Malicious code is also often referred to as “malware.”