DD IEC PAS 62443-3 – Security for industrial process measurement and control — Part 3: Network and system security
4 Introduction and compliance

Use of IT security methods and standards has become commonplace in the office environment, in the form of the ubiquitous code of practice for information security management (ISO/IEC 27002, previously known as ISO/IEC 17799) for operational security, and the evaluation criteria for IT security (ISO/IEC 15408) for product development. Now the internet and wireless networks have arrived on the shop floor.

Security problems in automation systems are increasingly making headlines in the specialized press, but commonly acknowledged practice and related standards are lagging, and this despite the higher stakes involved in automation systems, with possible physical production losses and impact on health, human life and the environment. As has previously occurred for operational security in the office environment, this PAS is an initial effort to provide guidance for the operational security of automation systems. However, the methods and standards from the office environment cannot be easily applied to automation systems. A study by EWICS [15]¹ has shown that the widely used ISO/IEC 27002 would have to be extended considerably to be applicable to industrial control systems. While 189 items have been judged applicable to very applicable, 85 % or 45 % have been found to require additional guidance. This PAS contains good practice identified by practitioners based on their practical experience but developed independently of ISO/IEC 27002.

NOTE While it may be desirable to harmonize the structure and vocabulary of this PAS with ISO/IEC 27002, this has not been done at this time. This PAS is intended to fill the presently existing void, while further efforts are planned to enhance the guidance in a future edition of IEC 62443 as outlined in Annex A.
Compliance with the policy of this PAS is a local matter. It may be stated in reference to all provisions of the ICS policy, to part of it, or to a customized version of it. Certain measures of the policy may not be applied because they are not applicable at a given time for a given configuration in a given security context. The policy allows for this modularity and customization. Also, depending on the specific ICS, it may be deemed necessary or desirable, for example from a risk/cost trade-off perspective, not to implement certain measures as prescribed by the policy. By the nature of security, this may only be done temporarily, in application of the ICS policy using its exception management provision.
5 Principles and reference models

5.1 General

This PAS describes good practice in terms of technical and organizational security measures for the protection of the ICS and its industrial control network (ICN), including generally existing ICN subnetworks. This clause explains the underlying reference models.
The users of this PAS should customize these models for their specific application, in order to apply the provisions of the security policy to their specific requirements.
The advice of this PAS may need to be complemented by other models and related policy, i.e. threat-risk assessment, general security policy, and ISMS.
5.2 Threat-risk model
A general security-related threat-risk model is shown in Figure 1. From the figure it can be read that:
• threats are using vulnerabilities of the ICS;
• without counter-measures they may represent intolerable risk (to the assets);
• generally counter-measures are required to minimize risk (to the assets).
Counter-measures are widely available, as general processes, as detailed procedures and sometimes as detailed specifications.
This PAS provides counter-measures as processes, in the form of a proposed policy.
Threats are possible security-related unwanted events causing damage, i.e. monetary loss.
Events that have some likelihood to occur in an ICS are:
• attacks by vandals and terrorists;
• ICS failure following a security event;
• denial of service attacks;
• breach of confidentiality, for example, disclosure of production information;
• breach of the law;
• undesirable event through acts of God, for example, extreme weather conditions like a storm or tornado.
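The threat-risk model of Figure 1 (threats exploit vulnerabilities of the ICS, creating risk to assets that counter-measures reduce) and the list of likely events above can be made concrete as a small risk register. The following is an added example written for this page, not code from the PAS or from any standards body; the asset values, likelihoods, exposure fractions, reduction factors and the tolerance threshold are all constructed figures used to show how residual risk is computed and how a measure may be left unapplied where the risk is already tolerable, as the compliance clause allows.

```python
"""Toy threat-risk register following the relationships of Figure 1.

risk = likelihood x exposure x asset value; counter-measures scale the
likelihood and/or exposure of the vulnerability they address.  All numbers
below are constructed for illustration, not taken from the PAS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # damage on total loss, in arbitrary monetary units (constructed)


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: Asset
    exposure: float  # fraction of asset value at stake if exploited, 0..1


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: Vulnerability
    likelihood: float  # expected occurrences per year (constructed)


@dataclass(frozen=True)
class CounterMeasure:
    name: str
    vulnerability_id: str
    likelihood_factor: float = 1.0  # residual share of likelihood after the measure
    exposure_factor: float = 1.0    # residual share of exposure after the measure


def risk(threat: Threat, measures: list[CounterMeasure]) -> float:
    """Residual annualised risk of one threat given the measures in force."""
    likelihood = threat.likelihood
    exposure = threat.vulnerability.exposure
    for m in measures:
        if m.vulnerability_id == threat.vulnerability.vid:
            likelihood *= m.likelihood_factor
            exposure *= m.exposure_factor
    return likelihood * exposure * threat.vulnerability.asset.value


def intolerable(threats: list[Threat], measures: list[CounterMeasure],
                tolerance: float) -> list[str]:
    """Names of threats whose residual risk still exceeds the tolerance."""
    return [t.name for t in threats if risk(t, measures) > tolerance]


def build_register() -> tuple[list[Threat], list[CounterMeasure]]:
    """Constructed sample register using the event kinds listed in the PAS."""
    reactor = Asset("batch reactor control system", 1_000_000.0)
    v_port = Vulnerability("V1-unfiltered-engineering-port", reactor, 0.5)
    v_recipe = Vulnerability("V2-cleartext-recipe-transfer", reactor, 0.1)
    v_power = Vulnerability("V3-single-site-power-feed", reactor, 0.3)
    threats = [
        Threat("denial of service attack", v_port, 0.2),
        Threat("disclosure of production information", v_recipe, 0.5),
        Threat("extreme weather (storm)", v_power, 0.05),
    ]
    measures = [
        CounterMeasure("network segmentation", "V1-unfiltered-engineering-port",
                       likelihood_factor=0.1),
        CounterMeasure("encrypted recipe transfer", "V2-cleartext-recipe-transfer",
                       exposure_factor=0.2),
        # No measure for V3: its risk is already below the tolerance, so the
        # policy's modularity permits leaving it unapplied (documented here).
    ]
    return threats, measures


if __name__ == "__main__":
    threats, measures = build_register()
    tolerance = 20_000.0  # constructed tolerance
    for t in threats:
        print(f"{t.name:40s} raw={risk(t, []):>10.0f} residual={risk(t, measures):>10.0f}")
    print("intolerable without measures:", intolerable(threats, [], tolerance))
    print("intolerable with measures:   ", intolerable(threats, measures, tolerance))
```

Running the script lists raw and residual risk per threat and shows that the two attack-type events exceed the tolerance until their counter-measures are applied, while the weather event is tolerable without one. A real assessment would replace the constructed numbers with the outcome of the threat-risk assessment the PAS says must complement its advice.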