Iec62443 2 2
This document includes working drafts of, or extracts from documents in the ISA-62443 series.
FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES:
THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in
the United States of America. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), without the prior written permission of the Publisher.
ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, North Carolina 27709
USA
New versions will be generated periodically as individual documents are revised.
ISA‑62443-2-2, D1E4, April 2013 –3– ISA99, WG02, TG02
Draft 1, Edit 4
April 2013
<Document Title>
ISBN: -to-be-assigned-
Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
ISA
67 Alexander Drive
P. O. Box 12277
PREFACE
This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.
This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.
The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.
CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.
Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.
However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.
Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.
The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:
CONTENTS
PREFACE
FOREWORD
INTRODUCTION
Context
Audience
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms, acronyms, and conventions
3.1 Terms and definitions
9.3 Equipment Security
9.3.1 Physical Access Authorizations
9.3.2 Physical Access Control
9.3.3 Access Control for Communication Medium
9.3.4 Access Control for Display Medium
11.2.2 System and Information Integrity Policy and Procedures
11.2.3 Flaw Remediation
11.3 User Access Management
11.3.1 Account Management
11.3.2 Separation of Duties
12.7.4 Monitoring Configuration Changes
12.7.5 Access Restrictions for Change
12.7.6 Network and Security Configuration Settings
12.7.7 IACS Component Inventory
12.7.8 System Maintenance Policy and Procedures
15.1.1 {Requirement}
Annex A (informative) Foundational Requirements
A.1 Overview
A.2 FR1 ACCESS CONTROL
A.3 FR2 USE CONTROL
FOREWORD
This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.
This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.
SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document.
The following information comes from the IEC Directives.
The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables.
It consists of a general part and a specific part. The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e.
a) the designation and name of the committee that prepared the document,
b) information regarding the approval of the document, and
INTRODUCTION
NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12]¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.
The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.
Context
Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment. This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.
Organizations deploying pre-existing information technology (IT) and business cyber security
The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.
This International Standard provides interpretation guidelines for the implementation and management of information security management for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).
IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.
This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.
Audience
The audience for the information in this standard includes asset owners, those responsible for information security, system vendors, auditors, and application content providers, with a common set of general security control objectives based on ISO/IEC 27002, IACS specific controls, and information security management guidelines allowing for the selection and implementation of such controls.

¹ Numbers in square brackets refer to the Bibliography.
SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the “iecstd_us.dotm” and change starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber).
The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents.
The following information comes from the IEC Directives.
The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements.
Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information.
1 Scope
The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.
This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.
SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here.
The following information comes from the IEC Directives.
This element shall appear at the beginning of each document and define without ambiguity the subject of the document
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISA‑99.01.01 – Security for industrial and automation control systems: Terminology, concepts and models
ISA‑99.02.01 – Security for industrial and automation control system: Establishing an industrial automation and control systems security program
ISA‑99.03.02 – Security for industrial and automation control system: Security assurance levels for zones and conduits
SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA-99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.
3.1.1
authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system
3.1.6
confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
[FIPS 199]
3.1.7
connection
association established between two or more endpoints which supports the transfer of IACS-specific data
3.1.8
consequence
outcome of an event
3.1.9
environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS
3.1.10
event
occurrence or change of a particular set of circumstances
3.1.11
external information systems
hardware, software components and repositories that are connected by some means or embedded within the component
3.1.12
IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS
3.1.13
impact
3.1.14
industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits
3.1.15
integrity
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
[FIPS 199]
3.1.16
local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network
3.1.17
non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender’s identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information
3.1.18
remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)
3.1.19
remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment
3.1.20
role
set of connected behaviors, privileges and obligations associated to IACS users in a given situation
NOTE 1 The privileges to perform certain operations are assigned to specific roles.
NOTE 2 Role definitions must be distinguished in infrastructure role definitions (within a process), functional role definitions (part of an entity functions) or organizational role definition (a person position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.
Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]
3.1.21
security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, either intentionally designed computer components or accidentally inserted at any time during its lifecycle, and that the computer systems function in the intended manner
3.1.22
session
semi-permanent, stateful, interactive information interchange between two or more communicating devices
NOTE Typically a session has a clearly defined start process and end process.
3.1.24
trust
belief that an operation or data transaction source or process is secure and will perform as intended
3.1.25
untrusted
entity that has not met predefined requirements to be trusted
3.1.26
vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source
SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like “Adapted from …”.
AC Access Control
AES Advanced encryption standard
API Application programming interface
CA Certification authority
CIP Critical infrastructure protection
COTS Commercial-off-the-shelf
DC Data confidentiality
DI Data integrity
DMZ Demilitarized zone
IDS Intrusion detection system
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
the document. The reader may still need some introduction to conventions used throughout the document, but
4 Overview
4.1 Structure
The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.
In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS specific guidance related to this control. IACS specific guidance and information is included in the following clauses:
– Asset management (clause 7)
Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.
Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.
a) What is derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;
b) The legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;
c) The particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.
4.2.3.2 Assessing security risks
Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.
This standard provides guidance and IACS specific controls, in addition to general information security management, taking account of IACS specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.
The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.
a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;
c) visible support and commitment from all levels of management;
d) a good understanding of the security requirements, risk assessment, and risk management;
e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;
f) distribution of guidance on information security policy and standards to all managers, employees and other parties;
5 Security Policy
5.1 Introduction
5.1.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.
Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.
Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.
Security roles and responsibilities should include the requirement to:
a) implement and act in accordance with the organization’s information security policies (see 5.1);
b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.
Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.
IACS-specific implementation guidance
Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.
Requirement:
Foundational Requirement:
Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:
a) availability of satisfactory character references, e.g. one business and one personal;
b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity check (passport or similar document);
e) more detailed checks, such as credit checks or checks of criminal records.
Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.
Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.
A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.
Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]
As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.
The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:
a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);
c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);
d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;
e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);
f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);
g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).
The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).
Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.
Other Information
Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.
Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
Management responsibilities should include ensuring that employees, contractors and third party users:
a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) are provided with guidelines to state security expectations of their role within the organization;
c) are motivated to fulfil the security policies of the organization;
d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);
e) conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
f) continue to have the appropriate skills and qualifications.
IACS-specific implementation guidance
Management should ensure that individuals responsible for operating and maintaining IACS are included in the above mentioned activities.
Other Information
If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.
Requirement:
Foundational Requirement:
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.
Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).
Individuals responsible for operating and maintaining IACS should be included in the above mentioned activities and, where necessary, specific training should be developed for individuals in these roles.
The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).
Training to enhance awareness is intended to allow individuals to recognize information security problems and incidents, and respond according to the needs of their work role.
Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.
Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new
The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities (see also 11.2.4), subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.
Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
a) whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason of termination;
f) the current responsibilities of the employee, contractor or any other user;
g) the value of the assets currently accessible.
IACS-specific implementation guidance
Other risk factors to be considered when reducing or removing access rights should include risks associated with disruption to IACS availability, plant protection, and plant operations.
In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees, contractors and third party users involved to no longer share this information with the person departing.
In cases of management-initiated termination, disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use.
Rationale/Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing IACS. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or
Requirement Enhancements:
(1) Access displays shall be placed in such a manner to prevent others from viewing the display of clear text access information.
9.3.5 Monitoring Physical Access
Requirement:
review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
10 Communications and Operations Management
Foundational Requirement:
Rationale/Supplemental Guidance: The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also
Requirement Enhancements:
10.8 Media Handling
10.8.1 Media Protection Policy and Procedures
Rationale/Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.
10.8.2 Media Access
Requirement:
The organization shall restrict access to IACS media to authorized individuals.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this requirement is applied is commensurate with the $S_{\text{system}}^{\text{target}}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access requirements where the media resides provide adequate protection.
significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).
10.8.3 Media Labeling
Requirement:
provide adequate protection. The organization protects IACS media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
As part of a defense-in-depth protection strategy, the organization considers routinely encrypting data at rest on selected secondary storage devices. The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by IACS users.
10.8.5 Media Transport
Requirement:
The organization shall protect and control IACS media during transport outside of
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S_{\text{system}}^{\text{target}}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).
(2) The organization documents, where appropriate, activities associated with the transport of IACS media using [Assignment: organization-defined system of records].
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
(3) The organization employs an identified custodian at all times to transport IACS media.
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
10.8.6 Media Sanitization and Disposal
Requirement:
The organization shall sanitize IACS media, both digital and non-digital, prior to disposal
appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Foundational Requirement:
10.9 Exchange of Information
10.9.1 {Requirement}
Requirement:
Rationale/Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular IACS, when required. The parameters to be monitored are a local matter. Of those parameters it is strongly recommended to consider false-positives (e.g. how many times did an authorized entity get hindered or prevented from performing its function).
Foundational Requirement:
Rationale/Supplemental Guidance: The purpose of this requirement is to identify important events which need to be audited as significant and relevant to the security of the IACS. The security audit function is usually coordinated with the network health and
11.1 Introduction
11.2 Business Requirement
11.2.1 Access Control Policy and Procedures
Rationale/Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.
Rationale/Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular IACS, when required.
security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s IACS before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or IACS error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. The flaw remediation process shall be consistent with certification, safety and
field devices predefine privileges, the organization implements physical security policies, and procedures based on organization risk assessment. Account management may include additional account types (e.g., role-based, device-based, attribute-based). The organization removes, changes, disables, or otherwise secures default accounts.
The organization shall enforce set of rights/privileges or accesses as required by ISA-99.02.xx needed by asset owner (or processes acting on behalf of asset owners) for the performance of specified tasks.
Foundational Requirement:
11.5.3 Remote Access
Foundational Requirement:
Requirement:
The organization shall authorize all methods of remote access to the IACS.
Foundational Requirement:
Requirement:
The organization shall establish terms and conditions for authorized individuals to: (i) access the IACS from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
Rationale/Supplemental Guidance: Portable and mobile devices may introduce undesired network traffic, malware and/or information exposure, and thus there should be specific control associated with their usage in the typical IACS environment.
Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity) are only allowed access to the IACS in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).
11.8.3 Mobile Code
Foundational Requirement:
Requirement:
Rationale/Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the IACS. For example, mobile code exchanges might be disallowed directly with the IACS, but rather in a controlled adjacent information environment maintained by IACS personnel.
1659 Rationale/Supplemental Guidance: The organization reviews audit records (e.g., user
1660 activity logs) for inappropriate activities in accordance with organizational procedures.
1661 The organization investigates any unusual IACS-related activities and periodically reviews
1662 changes to access authorizations. The organization reviews more frequently the activities
1663 of IACS users with significant IACS roles and responsibilities. The extent of the audit
1664 record reviews is based on the impact level of the IACS. For example, for low-impact
1665 systems, it is not intended that security logs be reviewed frequently for every workstation,
1666 but rather at central points such as a web proxy or email servers and when specific
1667 circumstances warrant review of other audit records.
1674 Requirement:
1675 The organization shall develop, disseminate, and periodically review/update: (i) a formal,
1676 documented, identification and authentication policy that addresses purpose, scope, roles,
1677 responsibilities, management commitment, coordination among organizational entities,
1678 and compliance; and (ii) formal, documented procedures to facilitate the implementation
1679 of the identification and authentication policy and associated identification and
1680 authentication controls for IACS.
1681 Foundational Requirement:
1682 Rationale/Supplemental Guidance: The organization ensures the identification and
1683 authentication policy and procedures are consistent with applicable laws, directives,
1684 policies, regulations, standards, and guidance. The identification and authentication policy
1685 can be included as part of the general security policy for the organization. Identification
1686 and authentication procedures can be developed for the security program in general, and
1687 for a particular IACS, when required.
1721 Requirement:
1722 The organization shall establish administrative procedures for initial authenticator distribution, for
1723 lost/compromised, or damaged authenticators, and for revoking authenticators.
1724 Foundational Requirement:
1725 Rationale/Supplemental Guidance: IACS authenticators include, for example, tokens,
1726 Public Key certificates, biometrics, passwords, physical keys, and key cards. IACS users
1727 should take reasonable measures to safeguard authenticators including maintaining
1728 possession of their individual authenticators, not loaning or sharing authenticators with
1729 others, and reporting lost or compromised authenticators immediately. In the case of a
1730 process or device, such users should also take measures to protect their IACS
1731 authenticators.
1732 If the IACS is required to have a high level of availability, measures must be taken to
1733 maintain this high level of availability (e.g. compensating physical controls, duplicate
1734 keys, supervisory override). Lockout or loss of control due to security measures is not
1760 The extent to which the IACS identifies and handles error conditions shall be guided by
1761 organizational policy and operational requirements.
1765
1768 The organization shall handle and retain output from the IACS in accordance with
1769 applicable laws, directives, policies, regulations, standards, and operational requirements.
1770 Foundational Requirement:
1775 The organization carefully considers the intrinsically shared nature of commercial
1776 telecommunications services in the implementation of security controls associated with
1777 the use of such services.
1792
1799
1800 Foundational Requirement:
1801 Rationale/Supplemental Guidance:
1802 Requirement Enhancements:
1836 Requirement:
1837
1838 Foundational Requirement:
1839 Rationale/Supplemental Guidance:
1870 with a well-defined and documented specification to which the IACS is built and
1871 deviations, if required, are documented in support of mission needs/objectives.
1878 Requirement:
1879 The organization shall authorize, document, and control changes to the IACS.
1880 Foundational Requirement:
1924
1925 12.7.5 Access Restrictions for Change
1926 Requirement:
1956 The organization shall develop, document, and maintain a current inventory of the
1957 components of the IACS and relevant ownership information.
1958 Foundational Requirement:
1965 consistent with the accreditation boundary of the IACS.
1966 Requirement Enhancements:
1967 (1) The organization updates the inventory of IACS components as an integral part of
1968 component installations.
1980 Rationale/Supplemental Guidance: The IACS maintenance policy and procedures are
1981 consistent with applicable laws, directives, policies, regulations, standards, and guidance.
1982 The IACS maintenance policy can be included as part of the general information security
1983 policy for the organization. System maintenance procedures can be developed for the
1984 security program in general, and for a particular IACS, when required.
1986
1987 12.7.9 Controlled Maintenance
1988 Requirement:
1989 The organization shall schedule, perform, document, and review records of routine preventative
1990 and regular maintenance (including repairs) on the components of the IACS in accordance
1991 with vendor, system integrator, and/or organizational specifications and requirements.
1992 Foundational Requirement:
2000 checks all potentially affected security controls to verify that the controls are still
2001 functioning properly.
2008 (2) The organization employs automated mechanisms to schedule and conduct
2009 maintenance as required, and to create up-to-date, accurate, complete, and available
2010 records of all maintenance actions, both needed and completed.
2011
2012 12.7.10 Maintenance Tools
2013 Requirement:
2014 The organization shall approve, control, and monitor the use of IACS maintenance tools and
2015 maintain the tools on an ongoing basis.
2016 Foundational Requirement:
2053 When remote maintenance is completed, the organization (or IACS in certain cases)
2054 terminates all sessions and remote connections invoked in the performance of that
2055 activity. If password-based authentication is used to accomplish remote maintenance, the
2056 organization changes the passwords following each remote maintenance service. The
2057 National Security Agency provides a listing of approved media sanitization products at
2058 http://www.nsa.gov/ia/government/mdg.cfm.
2092
2093 Foundational Requirement:
2094 Rationale/Supplemental Guidance:
2095 Requirement Enhancements:
2106 Rationale/Supplemental Guidance: The incident response policy and procedures are
2107 consistent with applicable laws, directives, policies, regulations, standards, and guidance.
2108 The incident response policy can be included as part of the general information security
2109 policy for the organization. Incident response procedures can be developed for the
2110 security program in general, and for a particular IACS, when required.
2125
2132 Foundational Requirement:
2133 Rationale/Supplemental Guidance: None
2134 Requirement Enhancements:
2172 CERT) maintains the IACS Security Center at http://www.uscert.gov/control_systems. In
2173 addition to incident information, weaknesses and vulnerabilities in the IACS are reported
2174 to appropriate organizational officials in a timely manner to prevent security incidents.
2175 Requirement Enhancements:
2190
2191 13.3.8 IACS Monitoring Tools and Techniques
2192 Requirement:
2193 The organization shall determine the required granularity of the information collected
2194 based upon its monitoring objectives and the capability of the IACS to support such
2195 activities. This includes monitoring inbound and outbound communications for unusual or
2196 unauthorized activities or conditions.
2197 Foundational Requirement:
2213 The organization shall develop, disseminate, and periodically review/update: (i) a
2214 formal, documented, contingency planning policy that addresses purpose, scope, roles,
2215 responsibilities, management commitment, coordination among organizational entities,
2216 and compliance; and (ii) formal, documented procedures to facilitate the implementation
2217 of the contingency planning policy and associated contingency planning controls.
2218 Foundational Requirement:
2256 Requirement Enhancements:
2257 (1) The organization incorporates simulated events into contingency training to facilitate
2258 effective response by personnel in crisis situations.
2259 (2) The organization employs automated mechanisms to provide a more thorough and
2269 Rationale/Supplemental Guidance: There are several methods for testing and/or
2270 exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency
2271 plan testing, functional/tabletop exercises). The depth and rigor of contingency plan
2272 testing and/or exercises increases with the $S_{system}^{target}$ level of the IACS. Contingency plan
2273 testing and/or exercises also include a determination of the effects on organizational
2274 operations and assets (e.g., reduction in mission capability) and individuals arising due to
2275 contingency operations in accordance with the plan.
2290
2297 Foundational Requirement:
2298 Rationale/Supplemental Guidance: Organizational changes include changes in mission,
2299 functions, or business processes supported by the IACS. The organization communicates
2300 changes to appropriate organizational elements responsible for related plans (e.g.,
2301 Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan,
2304
2305 14.2.6 Alternate Storage Site
2306 Requirement:
2307 The organization shall identify an alternate storage site and initiate necessary agreements to
2308 permit the storage of IACS backup information.
2309 Foundational Requirement:
2310 Rationale/Supplemental Guidance: The frequency of IACS backups and the transfer rate
2311 of backup information to the alternate storage site (if so designated) are consistent with
2312 the organization’s recovery time objectives and recovery point objectives.
2321
2322 14.2.7 Alternate Control Site
2323 Requirement:
2324 The organization shall identify an alternate control site and initiate necessary agreements to
2325 permit the resumption of IACS operations for critical mission/business functions within
2326 [Assignment: organization-defined time period] when the primary processing capabilities
2327 are unavailable.
2328 Foundational Requirement:
2331 site or contracts are in place to support delivery to the site. Timeframes to resume IACS
2332 operations are consistent with organization-established recovery time objectives.
2339 actions.
2340 (3) The organization develops alternate processing site agreements that contain priority-
2341 of-service provisions in accordance with the organization’s availability requirements.
2342 (4) The organization fully configures the alternate processing site so that it is ready to be
2343 used as the operational site supporting a minimum required operational capability.
2366 None.
2382 Foundational Requirement:
2383 Rationale/Supplemental Guidance: None.
2384 Requirement Enhancements:
2393 Rationale/Supplemental Guidance: In the event that the primary and/or alternate
2394 telecommunications services are provided by a common carrier, the organization requests
2395 Telecommunications Service Priority (TSP) for all telecommunications services used for
2396 national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of
2397 the TSP program).
2425 14.3.2 Emergency Power
2426 Requirement:
2427 The organization shall provide a short-term uninterruptible power supply to facilitate an
2428 orderly shutdown of the IACS in the event of a primary power source loss.
2446
2447 14.3.4 Fire Protection
2448 Requirement:
2449 The organization shall employ and maintain fire suppression and detection
2450 devices/systems that can be activated in the event of a fire.
2451 Foundational Requirement:
2456 (1) The organization employs fire detection devices/systems that activate automatically
2457 and notify the organization and emergency responders in the event of a fire.
2458 (2) The organization employs fire suppression devices/systems that provide automatic
2459 notification of any activation to the organization and emergency responders.
2460 (3) The organization employs an automatic fire suppression capability in facilities that are
2461 not staffed on a continuous basis.
2462
2464 Requirement:
2465 The organization shall regularly maintain, within acceptable levels, and monitor the
2466 temperature and humidity within the facility where the IACS resides.
2467 Foundational Requirement:
2482 15 Compliance
2483 15.1 General
2484 15.1.1 {Requirement}
2485 Requirement:
2486
2487 Foundational Requirement:
2494 Annex A
2495 (informative)
2496 Foundational Requirements
2497 A.1 Overview
2498 This annex is intended to provide guidance to the reader as to the relevance of the SRs.
2500 Identify and authenticate IACS users (incl. human users, processes, and devices), assign them to
2501 a pre-defined role, and allow them access to the system or assets.
2502
2503 Rationale: Asset owners will have to develop a list of IACS users and to determine for each
2504 device the required level of access control protection. The goal of access control is to protect the
2505 system by verifying the identity of a user requesting the access to a device of the system before
2546 A.7 FR6 TIMELY RESPONSE TO AN EVENT
2547 Respond to security violations by notifying the proper authority, reporting needed forensic
2548 evidence of the violation, and taking timely corrective action when incidents are discovered.
2549
2550 Rationale: Using the organization’s risk assessment methodology, asset owners will establish
2564 Annex B
2565 (informative)
2566 -
2567 Mapping Controls to Foundational Requirements
2568 B.1 Overview
2569 This annex is intended to provide guidance to the reader as to the relevance of the specific
2570 controls to the various foundational requirements.
2571 NOTE This annex will be completed as part of the final document generation after the primary content has been
2572 finalized.
2573
2574
2575 BIBLIOGRAPHY
2576 NOTE This bibliography includes references to sources used in the creation of this standard as well as references to
2577 sources that may aid the reader in developing a greater understanding of cyber security as a whole and
2578 developing a management system. Not all references in this bibliography are referred to throughout the text of
2579 this standard. The references have been broken down into different categories depending on the type of
2580 source they are.
2581 References to other parts, both existing and anticipated, of the ISA‑62443 series:
2582 NOTE Some of these references are normative references (see Clause 2), published documents, in development, or
2583 anticipated. They are all listed here for completeness of the anticipated parts of the ISA‑62443 series.
2584 [1] ANSI/ISA‑62443-1-1-2007, Security for industrial automation and control systems:
2585 Terminology, concepts and models
2588 [3] ANSI/ISA‑62443-1-3, Security for industrial automation and control systems: System
2589 security compliance metrics
2590 [4] ANSI/ISA‑62443-2-1-2009, Security for industrial automation and control systems:
2591 Establishing an industrial automation and control system security program
2592 [5] ANSI/ISA‑TR62443-2-3, Security for industrial automation and control systems: Patch
2593 management in the IACS environment
2594 [6] ANSI/ISA‑TR62443-3-1-2007, Security for industrial automation and control systems:
2595 Security technologies for industrial automation and control systems
2596 [7] ANSI/ISA‑62443-3-2, Security for industrial automation and control systems: Target
2597 security assurance levels for zones and conduits
2598 [8] ANSI/ISA‑62443-3-3, Security for industrial automation and control systems: System
2599 security requirements and security assurance levels
2600 [9] ANSI/Error! Unknown document property name., Security for industrial automation and
2601 control systems: Product development requirements
2602 [10] ANSI/ISA‑62443-4-1, Security for industrial automation and control systems: Embedded
2603 devices
2604 [11] ANSI/ISA‑62443-4-2, Security for industrial automation and control systems: Host devices
2606 [12] ISO/IEC Directives, Part 2, Rules for the structure and drafting of International Standards
2607
2608
2609