Professional Documents
Culture Documents
Technical Note - TN 021: 2019: Subject: Clarification To Trust of Networks
Technical Note - TN 021: 2019: Subject: Clarification To Trust of Networks
The updates include amendments to Section 5.2 to simplify the third condition which shall be
satisfied for a network to be considered trusted.
International standards for safety-related messaging in networks such as IEC 62280 Railway
applications - Communication, signalling and processing systems - Safety related communication
in transmission systems require defences to be implemented within the safety-related system:
These requirements apply throughout system life and need to consider the following:
To consider a network to be trusted, IEC 62280 requires that the likelihood of unauthorised
access and injection of malicious safety-related messages is ‘negligible’, ‘excluded’, and ‘ruled-
out’.
TfNSW considers that it is now impractical to design, construct, operate, and maintain any
wireless network or wired wide area network that is capable of solely achieving a level of trust
required for safety-related systems.
Therefore, all safety-related systems will require defences to protect against injected safety-
related messages in networks in accordance with current TfNSW standards. These defences may
be partially implemented in an access protection layer.
Both trusted and untrusted networks may be used as conduits within an IACS.
A network may only be considered trusted if all of the following conditions are satisfied:
• all communication assets are dedicated to the IACS SuC and not shared with other systems;
including enterprise systems, other IACS, or external service provider systems
• it is operated and maintained through life in accordance with IACS SuC policies and
procedures
• it is a wired local area network wholly within a single physically secured premise
Premise Premise
Access Access
protection protection
layer layer
Untrusted network
In accordance with IEC 62280, the access protection layer shall be included in the safety case,
but does not need to be safe by itself.
• trusted networks
The baseline cybersecurity system requirements for use of untrusted networks include the
following additional system requirements from IEC 62443-3-3 that shall be complied with:
Authorisation:
Technical content Checked and Endorsed by Interdisciplinary Authorised
prepared by approved by coordination for release
checked by
Signature
Date
Name James Piper James Piper Omer Saricilar Peter McGregor Andrea
Parker
Position A/Lead A/Lead A/Lead Signals A/Chief Engineer A/Executive
Telecommunications Telecommunications and Control Director
Engineer Engineer Systems
Engineer
Standard
Version 1.0
Issue date: 25 May 2018
Effective date: 01 July 2018
Important message
This document is one of a set of standards developed solely and specifically for use on
Transport Assets (as defined in the Asset Standards Authority Charter). It is not suitable for any
other purpose.
The copyright and any other intellectual property in this document will at all times remain the
property of the State of New South Wales (Transport for NSW).
You must not use or adapt this document or rely upon it in any way unless you are providing
products or services to a NSW Government agency and that agency has expressly authorised
you in writing to do so. If this document forms part of a contract with, or is a condition of
approval by a NSW Government agency, use of the document is subject to the terms of the
contract or approval. To be clear, the content of this document is not licensed under any
Creative Commons Licence.
This document may contain third party material. The inclusion of third party material is for
illustrative purposes only and does not represent an endorsement by NSW Government of any
third party product or service.
If you use this document or rely upon it without authorisation under these terms, the State of
New South Wales (including Transport for NSW) and its personnel does not accept any liability
to you or any other person for any loss, damage, costs and expenses that you or anyone else
may suffer or incur from your use and reliance on the content contained in this document. Users
should exercise their own skill and care in the use of the document.
This document may not be current and is uncontrolled when printed or downloaded. Standards
may be accessed from the Transport for NSW website at www.transport.nsw.gov.au
Standard governance
Owner: Lead Telecommunications Engineer, Asset Standards Authority
Authoriser: Chief Engineer, Asset Standards Authority
Approver: Executive Director, Asset Standards Authority on behalf of the ASA Configuration Control
Board
Document history
Version Summary of changes
1.0 First issue.
Preface
The Asset Standards Authority (ASA) is a key strategic branch of Transport for NSW (TfNSW).
As the network design and standards authority for NSW Transport Assets, as specified in the
ASA Charter, the ASA identifies, selects, develops, publishes, maintains and controls a suite of
requirements documents on behalf of TfNSW, the asset owner.
The ASA deploys TfNSW requirements for asset and safety assurance by creating and
managing TfNSW's governance models, documents and processes. To achieve this, the ASA
focuses on four primary tasks:
• publishing and managing TfNSW's process and requirements documents including TfNSW
plans, standards, manuals and guides
• collaborating with the Transport cluster and industry through open engagement
The AEO framework authorises engineering organisations to supply and provide asset related
products and services to TfNSW. It works to assure the safety, quality and fitness for purpose of
those products and services over the asset's whole-of-life. AEOs are expected to demonstrate
how they have applied the requirements of ASA documents, including TfNSW plans, standards
and guides, when delivering assets and related services for TfNSW.
Compliance with ASA requirements by itself is not sufficient to ensure satisfactory outcomes for
NSW Transport Assets. The ASA expects that professional judgement be used by competent
personnel when using ASA requirements to produce those outcomes.
This document covers cyber risk management for IACS within the TfNSW Transport Network
across the asset life cycle.
This document has been prepared by the ASA in consultation with TfNSW agencies and
industry representatives.
This document has been informed by concepts contained in IEC TS 62443-1-1 Industrial
communication networks - Network and system security - Part 1-1: Terminology, concepts and
models and includes extracts from that standard.
The ASA thanks the International Electrotechnical Commission (IEC) for permission to
reproduce information from its international standards. All such extracts are copyright of IEC,
Geneva, Switzerland. All rights reserved.
IEC has no responsibility for the placement and context in which the extracts and contents are
reproduced by the author, nor is IEC in any way responsible for the other content or accuracy
therein.
Table of contents
1. Introduction .............................................................................................................................................. 7
2. Purpose .................................................................................................................................................... 7
2.1. Scope ..................................................................................................................................................... 7
2.2. Application ............................................................................................................................................. 8
3. Reference documents ............................................................................................................................. 8
4. Terms and definitions ............................................................................................................................. 9
5. Baseline cybersecurity system requirements .................................................................................... 11
5.1. System requirements for use of portable and mobile devices ............................................................. 12
5.2. System requirements for use of networks ........................................................................................... 13
5.3. System requirements for use of products ............................................................................................ 13
6. Baseline cybersecurity countermeasures .......................................................................................... 15
1. Introduction
Australia’s cyber security strategy sets out the Australian Government program for strong cyber
defences; seeking to raise the bar on cybersecurity performance.
It states that “while detecting and responding to cyber intrusions is important, even more
important is to harden our networks and systems and make them less vulnerable to intrusions”.
2. Purpose
This document standardises the application of mandatory baseline cybersecurity
countermeasures that protect against casual and coincidental violations and intentional violation
using simple means.
Note: Compliance with the mandatory baseline requirements alone may not ensure
that the security objectives of TfNSW are achieved. T MU SY 10013 PR Cybersecurity
for IACS – Cybersecurity Risk Management Procedure defines the procedure for
managing cybersecurity risk. This procedure is suitable for industrial automation and
control systems (IACS) and has been tailored for TfNSW.
This document defines the baseline cybersecurity system requirements that align with
IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3:
System security requirements and security levels.
This document requires technical cybersecurity countermeasures be implemented that meet the
baseline system requirements and realise security level capabilities in accordance with the
corresponding controls from the Australian Government Information Security Manual (ISM) and
Australian Government Protective Security Policy Framework (PSPF).
Note: NSW public sector agencies, including TfNSW, are not required to directly
comply with the Australian Government ISM or PSPF. However, TfNSW has
proactively aligned to the ISM and PSPF in the areas of information and physical
security. Aligning to this approach for the cybersecurity of IACS achieves consistency
across TfNSW and nationally with the Australian Government.
2.1. Scope
This document addresses technical cybersecurity system requirements, capabilities and
countermeasures.
Note: The asset owner is responsible for defining policies and procedures for the
operation and maintenance of an IACS. Policies and procedures are addressed in
IEC 62443-2-1 Industrial communication networks - Network and system security -
Part 2-1: Establishing an industrial automation and control system security program.
2.2. Application
This document applies to asset owners, system integrators and product suppliers.
This document applies to the plan stage and acquire stage of the asset life cycle.
This document applies to new subsystems or products integrated into an existing ‘automation
solution’ as part of a configuration change.
The asset owner may direct the retrospective application of this document to an existing
automation solution.
This document shall be read in conjunction with the Cybersecurity for IACS series of standards
and IEC 62443 series of standards.
3. Reference documents
The following documents are cited in the text. For dated references, only the cited edition
applies. For undated references, the latest edition of the referenced document applies.
International standards
IEC 62280 Railway applications - Communication, signalling and processing systems - Safety
related communication in transmission systems
IEC/TS 62443-1-1 Industrial communication networks - Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-2-1 Industrial communication networks - Network and system security - Part 2-1:
Establishing an industrial automation and control system security program
IEC 62443-2-4 Security for industrial automation and control systems – Part 2-4: Security
program requirements for IACS service providers
IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3:
System security requirements and security levels
Commonwealth of Australia, Department of the Prime Minister and Cabinet 2016, Australia’s
Cyber Security Strategy
Senate of the United States Bill S.1691 — 115th Congress (2017-2018) Internet of Things (IoT)
Cybersecurity Improvement Act of 2017
asset owner individual or company responsible for one or more IACS (IEC 62443-3-3 ed.1.0)
authenticate verify the identity of a user, user device, or other entity, or the integrity of data
stored, transmitted, or otherwise exposed to unauthorized modification in an information
system, or to establish the validity of a transmission (IEC/TS 62443-1-1 ed.1.0)
automation solution control system and any complementary hardware and software
components that have been installed and configured to operate in an IACS (IEC 62443-2-4
ed.1.0)
communication channel specific logical or physical communication link between assets (IEC
62443-3-3 ed.1.0)
conduit logical grouping of communication channels, connecting two or more zones, that share
common security requirements (IEC 62443-3-3 ed.1.0)
CM configuration management
cybersecurity actions required to preclude unauthorized use of, denial of service to,
modifications to, disclosure of, loss of revenue from, or destruction of critical systems or
informational assets (IEC/TS 62443-1-1 ed.1.0)
encryption cryptographic transformation of plaintext into ciphertext that conceals the data’s
original meaning to prevent it from being known or used (IEC/TS 62443-1-1 ed.1.0)
enterprise system collection of information technology elements (i.e., hardware, software and
services) installed with the intent to facilitate an organization’s business process or processes
(administrative or project) (IEC/TS 62443-1-1 ed.1.0)
hardcoded credential a value, such as a password, token, private or shared cryptographic key
used for authentication, that is -
IACS industrial automation and control systems; collection of personnel, hardware, and
software that can affect or influence the safe, secure, and reliable operation of an industrial
process (IEC/TS 62443-1-1 ed.1.0)
product supplier manufacturer of hardware and/or software product (IEC 62443-3-3 ed.1.0)
RE requirement enhancement
risk expectation of loss expressed as the probability that a particular threat will exploit a
particular vulnerability with a particular consequence (IEC/TS 62443-1-1 ed.1.0)
security zone grouping of logical or physical assets that share common security requirements
(IEC/TS 62443-1-1 ed.1.0)
service provider organization (internal or external organization, manufacturer, etc.) that has
agreed to undertake responsibility for providing a given support service and obtaining, when
specified, supplies in accordance with an agreement (IEC 62443-3-3 ed.1.0)
trust confidence that an operation, data transaction source, network or software process can be
relied upon to behave as expected (IEC 62443-3-3 ed.1.0)
All definitions from IEC/TS 62443-1-1 ed.1.0 are Copyright © 2009 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-2-4 ed.1.0 are Copyright © 2017 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-3-3 ed.1.0 are Copyright © 2013 IEC Geneva,
Switzerland. www.iec.ch
The system requirements specification shall incorporate the baseline cybersecurity system
requirements and this shall be demonstrated in the CM gates submissions.
The automation solution shall comply with the baseline cybersecurity system requirements and
all additional cybersecurity system requirements determined following the application of
T MU SY 10013 PR.
The baseline cybersecurity system requirements include all security level 2 (SL2) capabilities in
IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3:
System security requirements and security levels.
Notes:
System requirements are expressed in IEC 62443-3-3 as technical security capabilities, which
shall be implemented as technical countermeasures.
• they are dedicated to the IACS system under consideration (SuC) and not shared with
other systems, including enterprise systems, IACS, or external service provider systems
• they are operated and maintained in accordance with IACS SuC policies and procedures
Notes:
2. Portable and mobile devices may use untrusted networks, if trust of the
communication channel is established – see Section 5.2.
Trusted portable and mobile devices may be used to operate or maintain devices within an
IACS.
Untrusted portable and mobile devices shall not be physically or logically connected to the IACS
SuC.
The baseline cybersecurity system requirements for trusted portable and mobile devices include
the following additional system requirements from IEC 62443-3-3 that shall be complied with:
• SR 2.3 RE 1 – Use control for portable and mobile devices – Enforcement of security
status of portable and mobile devices
Networks may be considered trusted if all of the following conditions are satisfied:
• all communication assets comprising the network are dedicated to the IACS SuC and not
shared with other systems, including enterprise systems, IACS, or external service provider
systems
• they are operated and maintained in accordance with IACS SuC policies and procedures
• they are wholly within a single physical security zone, that is, they do not cross a physical
security zone boundary
• trusted networks
The baseline cybersecurity system requirements for use of untrusted networks include the
following additional system requirements from IEC 62443-3-3 that shall be complied with:
Implicitly, the asset owner places trust in the product supplier that the product hardware and
software components are as designed. However the supply chain itself is deemed untrusted
and so trust of the delivered hardware and software components shall be established.
Notes:
1. The requirements in this section have been adapted from the Senate of the United
States Bill S.1691 — 115th Congress (2017-2018) Internet of Things (IoT)
Cybersecurity Improvement Act of 2017.
2. As part of the IEC 62443 series, the IEC are developing standards for secure
product development. These standards will be reviewed for adoption and tailored
conformance for TfNSW following publication.
The system integrator shall obtain written certification from product suppliers that all proposed
devices meet the following:
• do not contain any hardware or software component with any unremediated security
vulnerabilities known to the manufacturer or supplier, or published on any publically
accessible vulnerability database such as MITRE Common Vulnerabilities and Exposures
(CVE®)
The system integrator shall obtain the following written information from product suppliers that
describe for all proposed devices:
If the product supplier becomes aware of any security vulnerability during security support, they
shall do the following:
• notify the asset owner, operator and maintainer of the security vulnerability within five
business days
• notify CERT Australia of the security vulnerability within five business days for restricted
information sharing amongst partner organisations
Preliminary design and detailed design shall incorporate the baseline cybersecurity
countermeasures and this shall be demonstrated in the CM gates submissions.
Transport standards contain requirements for technical cybersecurity countermeasures that may
address the baseline cybersecurity system requirements.
Where technical cybersecurity countermeasures are not stated in Transport standards, they
shall be developed in accordance with the Australian Government Information Security Manual
(ISM) and Australian Government Protective Security Policy Framework (PSPF).
ISM controls applicable to unclassified information, indicated by 'UD' may be applied to IACS.
ISM controls applicable to security classified information, indicated by 'P', 'C', 'S' or 'TS', do not
apply to IACS.
Configuration information held with asset and configuration management databases shall be
sourced to programmatically configure applicable technical countermeasures.