ISA‑62443-2-2


FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES:

THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS. IT MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised.

Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, North Carolina 27709
USA
ISA‑62443-2-2, D1E4, April 2013 –3– ISA99, WG02, TG02

ISA‑62443-2-2

Security for industrial automation and control systems

Implementation Guidance for an IACS Security Management System

Draft 1, Edit 4
April 2013

Text appearing in red italics should be considered editorial comments, provided as an aid in the preparation of the document. It will be removed before the draft is completed.

ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, NC 27709 USA

ISBN: -to-be-assigned-

Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.

However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.


The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:

Name | Company | Contributor | Reviewer
<WG/TG Leader’s Name>, WG/TG Chair | <WG/TG Leader’s Company> | X |
<Editor’s Name>, Lead Editor | <Editor’s Company> | X |
<Member & Reviewer Names> | | |


CONTENTS

PREFACE ..... 5
FOREWORD ..... 12
INTRODUCTION ..... 13
Context ..... 13
Audience ..... 13
1 Scope ..... 15
2 Normative references ..... 15
3 Terms, definitions, abbreviated terms, acronyms, and conventions ..... 16
3.1 Terms and definitions ..... 16
3.2 Abbreviated terms and acronyms ..... 18
3.3 Conventions ..... 19
4 Overview ..... 21
4.1 Structure ..... 21
4.2 Information security management in IACS ..... 21
4.2.1 Goal ..... 21
4.2.2 IACS assets to be protected ..... 21
4.2.3 Establishment of information security management ..... 22
5 Security Policy ..... 23
5.1 Introduction ..... 23
5.1.1 {Requirement} ..... 23
6 Organization of Security ..... 23
6.1 Introduction ..... 23
6.2 Internal Organization ..... 23
6.2.1 {Requirement} ..... 23
6.3 External Parties ..... 23
6.3.1 {Requirement} ..... 23
7 Asset Management ..... 24
7.1 Introduction ..... 24
7.2 Responsibility for Assets ..... 24
7.2.1 {Requirement} ..... 24
7.3 Information Classification ..... 24
7.3.1 {Requirement} ..... 24
8 Human Resources Security ..... 24
8.1 Prior to Employment ..... 24
8.1.1 Roles and responsibilities ..... 24
8.1.2 Screening ..... 25
8.1.3 Terms and conditions of employment ..... 26
8.2 During Employment ..... 27
8.2.1 Management responsibilities ..... 27
8.2.2 Information security awareness, education, and training ..... 28
8.2.3 Disciplinary process ..... 29
8.3 Termination or Change of Employment ..... 29
8.3.1 Termination responsibilities ..... 29
8.3.2 Return of assets ..... 29
8.3.3 Removal of access rights ..... 29
9 Physical and Environmental Security ..... 30
9.1 Introduction ..... 30
9.2 Secure Areas ..... 30
9.2.1 {Requirement} ..... 30
9.3 Equipment Security ..... 30
9.3.1 Physical Access Authorizations ..... 30
9.3.2 Physical Access Control ..... 31
9.3.3 Access Control for Communication Medium ..... 31
9.3.4 Access Control for Display Medium ..... 32
9.3.5 Monitoring Physical Access ..... 32
9.3.6 Visitor Control ..... 32
9.3.7 Access Records ..... 32
10 Communications and Operations Management ..... 33
10.1 Introduction ..... 33
10.2 Operational Procedures and Responsibilities ..... 33
10.2.1 Automated Marking ..... 33
10.3 Third Party Service Delivery Management ..... 33
10.3.1 {Requirement} ..... 33
10.4 System planning and acceptance ..... 33
10.4.1 {Requirement} ..... 33
10.5 Protection against malicious and mobile code ..... 34
10.5.1 Malicious Code Protection ..... 34
10.5.2 Security Alerts and Advisories ..... 34
10.6 Backup ..... 34
10.6.1 {Requirement} ..... 34
10.7 Network Security Management ..... 35
10.7.1 {Requirement} ..... 35
10.8 Media Handling ..... 35
10.8.1 Media Protection Policy and Procedures ..... 35
10.8.2 Media Access ..... 35
10.8.3 Media Labeling ..... 36
10.8.4 Media Storage ..... 36
10.8.5 Media Transport ..... 37
10.8.6 Media Sanitization and Disposal ..... 38
10.8.7 Access Control for Display Medium ..... 38
10.8.8 Public Key Infrastructure Certificates ..... 38
10.9 Exchange of Information ..... 39
10.9.1 {Requirement} ..... 39
10.10 Electronic Commerce Services ..... 39
10.10.1 {Requirement} ..... 39
10.11 Monitoring ..... 39
10.11.1 Audit and Accountability Policy and Procedures ..... 39
10.11.2 Auditable Events ..... 40
10.11.3 Audit Monitoring, Analysis and Reporting ..... 40
10.11.4 Audit Record Retention ..... 40
11 Access Control ..... 41
11.1 Introduction ..... 41
11.2 Business Requirement ..... 41
11.2.1 Access Control Policy and Procedures ..... 41
11.2.2 System and Information Integrity Policy and Procedures ..... 41
11.2.3 Flaw Remediation ..... 42
11.3 User Access Management ..... 42
11.3.1 Account Management ..... 42
11.3.2 Separation of Duties ..... 43
11.4 User Responsibilities ..... 43
11.4.1 {Requirement} ..... 43
11.5 Network Access Control ..... 44
11.5.1 Least Privilege ..... 44
11.5.2 Permitted Actions Without Identification or Authentication ..... 44
11.5.3 Remote Access ..... 44
11.5.4 Use of External Information Systems ..... 45
11.6 Operating System Access Control ..... 45
11.6.1 {Requirement} ..... 45
11.7 Application and Information Access Control ..... 46
11.7.1 {Requirement} ..... 46
11.8 Mobile Computing and Teleworking ..... 46
11.8.1 Wireless Access Restrictions ..... 46
11.8.2 Use Control for Portable and Mobile Devices ..... 46
11.8.3 Mobile Code ..... 47
11.8.4 Supervision and Review – Use Control ..... 47
11.8.5 Identification and Authentication Policy and Procedures ..... 47
11.8.6 Identifier Management ..... 48
11.8.7 Authenticator Management ..... 48
11.8.8 Software and Information Integrity ..... 49
11.8.9 Information Input Restrictions ..... 49
11.8.10 Error Handling ..... 49
11.8.11 Information Output Handling and Retention ..... 50
11.8.12 Boundary Protection ..... 50
12 Systems acquisition, development and maintenance ..... 51
12.1 Introduction ..... 51
12.2 Security requirements of information systems ..... 51
12.2.1 {Requirement} ..... 51
12.3 Correct Processing in Applications ..... 51
12.3.1 {Requirement} ..... 51
12.4 Cryptographic Controls ..... 51
12.4.1 Cryptographic Module Validation ..... 51
12.5 Security of System Files ..... 51
12.5.1 {Requirement} ..... 51
12.6 Security in development and support processes ..... 52
12.6.1 {Requirement} ..... 52
12.7 Technical vulnerability management ..... 52
12.7.1 Configuration Management Policy and Procedures ..... 52
12.7.2 Baseline Configuration ..... 52
12.7.3 Configuration Change Control ..... 53
12.7.4 Monitoring Configuration Changes ..... 53
12.7.5 Access Restrictions for Change ..... 54
12.7.6 Network and Security Configuration Settings ..... 54
12.7.7 IACS Component Inventory ..... 54
12.7.8 System Maintenance Policy and Procedures ..... 55
12.7.9 Controlled Maintenance ..... 55
12.7.10 Maintenance Tools ..... 56
12.7.11 Remote Maintenance ..... 56
12.7.12 Maintenance Personnel ..... 57
12.7.13 Timely Maintenance ..... 57
13 Incident Management ..... 58
13.1 Introduction ..... 58
13.2 Reporting Security Events and Weaknesses ..... 58
13.2.1 {Requirement} ..... 58
13.3 Management of Incidents and Improvements ..... 58
13.3.1 Incident Response Policy and Procedures ..... 58
13.3.2 Incident Response Training ..... 58
13.3.3 Incident Response Testing and Exercises ..... 59
13.3.4 Incident Handling ..... 59
13.3.5 Incident Monitoring ..... 59
13.3.6 Incident Reporting ..... 60
13.3.7 Incident Response Assistance ..... 60
13.3.8 IACS Monitoring Tools and Techniques ..... 60
14 Business Continuity Management ..... 62
14.1 Introduction ..... 62
14.2 Security Aspects ..... 62
14.2.1 Contingency Planning Policy and Procedures ..... 62
14.2.2 Contingency Plan ..... 62
14.2.3 Contingency Training ..... 63
14.2.4 Contingency Plan Testing and Exercises ..... 63
14.2.5 Contingency Plan Update ..... 64
14.2.6 Alternate Storage Site ..... 64
14.2.7 Alternate Control Site ..... 64
14.2.8 IACS Backup ..... 65
14.2.9 IACS Recovery and Reconstruction ..... 65
14.2.10 Power Equipment and Cabling ..... 66
14.3 Telecommunications Services ..... 66
14.3.1 Emergency Shutoff ..... 66
14.3.2 Emergency Power ..... 67
14.3.3 Emergency Lighting ..... 67
14.3.4 Fire Protection ..... 67
14.3.5 Temperature and Humidity Controls ..... 68
14.3.6 Water Damage Protection ..... 68
15 Compliance ..... 68
15.1 General ..... 68
15.1.1 {Requirement} ..... 68
Annex A (informative) Foundational Requirements ..... 70
A.1 Overview ..... 70
A.2 FR1 ACCESS CONTROL ..... 70
A.3 FR2 USE CONTROL ..... 70
A.4 FR3 DATA INTEGRITY ..... 70
A.5 FR4 DATA CONFIDENTIALITY ..... 70
A.6 FR5 RESTRICT DATA FLOW ..... 71
A.7 FR6 TIMELY RESPONSE TO AN EVENT ..... 71
A.8 FR7 RESOURCE AVAILABILITY ..... 71
Annex B (informative) - Mapping Controls to Foundational Requirements ..... 72
B.1 Overview ..... 72
BIBLIOGRAPHY ..... 73
ISA‑62443-2-2, D1E4, April 2013 – 12 – ISA99, WG02, TG02

FOREWORD

This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.

This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.

SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document.

The following information comes from the IEC Directives.

The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables. It consists of a general part and a specific part. The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e.

a) the designation and name of the committee that prepared the document,
b) information regarding the approval of the document, and
c) information regarding the drafting conventions used, comprising a reference to this part of the ISO/IEC Directives.

The specific part (supplied by the committee secretariat) shall give a statement of significant technical changes from any previous edition of the document and as many of the following as are appropriate:

d) an indication of any other international organization that has contributed to the preparation of the document;
e) a statement that the document cancels and replaces other documents in whole or in part;
f) the relationship of the document to other documents (see 5.2.1.3);
g) in IEC, an indication of the next stability date (see ISO/IEC Directives, IEC Supplement, 2010, 3.4).

INTRODUCTION

NOTE The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12]¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like “shall”, “should”, and “may”. The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

Context

Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment. This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.

Organizations deploying pre-existing information technology (IT) and business cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in the correct way to eliminate inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional and consequence analysis, and often an awareness of operational issues as well.

The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.

This International Standard provides interpretation guidelines for the implementation and management of information security management for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).

IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets. These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.

This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.

Audience

The audience for the information in this standard includes asset owners, those responsible for information security, system vendors, auditors, and application content providers, with a common set of general security control objectives based on ISO/IEC 27002, IACS specific controls, and information security management guidelines allowing for the selection and implementation of such controls.

—————————
¹ Numbers in square brackets refer to the Bibliography.

SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the “iecstd_us.dotm” and change the starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber).

The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents.

The following information comes from the IEC Directives.

The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements.

Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives are provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information.

The introduction shall not be numbered unless there is a need to create numbered subdivisions. In this case, it shall be numbered 0, with subclauses being numbered 0.1, 0.2, etc. Any numbered figure, table, displayed formula or footnote shall be numbered normally beginning with 1.

1 Scope

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.

SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here.

The following information comes from the IEC Directives.

This element shall appear at the beginning of each document and define without ambiguity the subject of the document and the aspects covered, thereby indicating the limits of applicability of the document or particular parts of it. It shall not contain requirements.

In documents that are subdivided into parts, the scope of each part shall define the subject of that part of the document only.

The scope shall be succinct so that it can be used as a summary for bibliographic purposes.

This element shall be worded as a series of statements of fact. Forms of expression such as the following shall be used:

“This International Standard
— specifies {a method of … / the dimensions of … / the characteristics of …}
— establishes {a system for … / general principles for …}
— gives guidelines for …
— defines terms …”

Statements of applicability of the document shall be introduced by wording such as:

“This International Standard is applicable to …”

The wording shall be altered as a function of the document type concerned, i.e. International Standard, Technical Specification, Publicly Available Specification, Technical Report or Guide.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISA‑99.01.01 – Security for industrial and automation control systems: Terminology, concepts and models

ISA‑99.02.01 – Security for industrial and automation control system: Establishing an industrial automation and control systems security program

ISA‑99.03.02 – Security for industrial and automation control system: Security assurance levels for zones and conduits

SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA-99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.

3 Terms, definitions, abbreviated terms, acronyms, and conventions

The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.

3.1.1
authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system

3.1.2
authenticity
property of being genuine and being able to be verified and trusted
NOTE It may also be defined as confidence in the validity of a transmission, a message, or message originator.

3.1.3
automatic
pertaining to a process or equipment that, under specified conditions, functions without human intervention
[IEV number 351-21-40]

3.1.4
availability
ensuring timely and reliable access to and use of information
[FIPS 199]

3.1.5
communication channel
logical or physical point-to-point or point-to-multipoint data flow between components in one zone to one or more components in another zone

3.1.6
confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
[FIPS 199]

3.1.7
connection
association established between two or more endpoints which supports the transfer of IACS-specific data

3.1.8
consequence
outcome of an event

3.1.9
environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS

3.1.10
event
occurrence or change of a particular set of circumstances

3.1.11
external information systems
hardware, software components and repositories that are connected by some means or embedded within the component

3.1.12
IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS

3.1.13
impact
evaluated consequence of a particular event

3.1.14
industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits

3.1.15
integrity
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
[FIPS 199]

3.1.16
local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network

3.1.17
non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender’s identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information

3.1.18
remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)

3.1.19
remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment

3.1.20
role
set of connected behaviors, privileges and obligations associated to IACS users in a given situation
NOTE 1 The privileges to perform certain operations are assigned to specific roles.

NOTE 2 Role definitions must be distinguished into infrastructure role definitions (within a process), functional role definitions (part of an entity’s functions) or organizational role definitions (a person’s position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.
Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]

3.1.21
security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, either intentionally designed into computer components or accidentally inserted at any time during the lifecycle, and that the computer systems function in the intended manner

3.1.22
session
semi-permanent, stateful, interactive information interchange between two or more communicating devices
NOTE Typically a session has a clearly defined start process and end process.

3.1.23
threat
any circumstance or event with the potential to adversely affect organizational operations (including mission, functions, image or reputation), organizational assets, IACS or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service

3.1.24
trust
belief that an operation or data transaction source or process is secure and will perform as intended

3.1.25
untrusted
entity that has not met predefined requirements to be trusted

3.1.26
vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source

SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like “Adapted from …”.

3.2 Abbreviated terms and acronyms

This subclause defines the abbreviated terms and acronyms used in this document.

AC Access control
AES Advanced encryption standard
API Application programming interface
CA Certification authority
CIP Critical infrastructure protection
COTS Commercial-off-the-shelf
DC Data confidentiality
DI Data integrity
DMZ Demilitarized zone
DoS Denial of service
FR Foundational requirement
FTP File transfer protocol
HSE Health, safety, and environmental
HTTP Hypertext transfer protocol
IACS Industrial automation and control system(s)
ID Identifier
IDS Intrusion detection system
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IM Instant messaging
IPS Intrusion prevention system
ISO International Organization for Standardization
IT Information technology
NERC North American Electric Reliability Corporation
NIST U.S. National Institute of Standards and Technology
PDF Portable document format
RA Resource availability
RDF Restrict data flow
RE Requirement enhancement
SAL Security assurance level
SIS Safety instrumented system
SP Special Publication (from NIST)
SR System requirement
SuC System under consideration
TRE Timely response to an event
UC Use control
US-CERT U.S. Computer Emergency Readiness Team
USB Universal serial bus
VoIP Voice over internet protocol

3.3 Conventions

Much of the content of this standard is expressed in the form of specific requirements or controls. Each of these has a baseline requirement and zero or more requirement enhancements to strengthen security assurance. Rationale and supplemental guidance may be provided for each baseline requirement, and for any associated enhancement as is deemed necessary, to provide clarity to the reader.

SKELETON NOTE This sub-clause is where specific conventions used in the document, like specific clause/sub-clause formatting, special text conventions, or any other things that the reader should know in order to read the document, are described. The reader may still need some introduction to conventions used throughout the document, but this sub-clause allows for a greater explanation in one place.

4 Overview

4.1 Structure

The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.

In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS specific guidance related to this control. IACS specific guidance and information is included in the following clauses:

– Organization of information security (clause 6)
– Asset management (clause 7)
– Human resources security (clause 8)
– Physical and environmental security (clause 9)
– Communications and operations management (clause 10)
– Access control (clause 11)
– Information systems acquisition, development and maintenance (clause 12)
– Information security incident management (clause 13)
– Business continuity management (clause 14)

4.2 Information security management in IACS

4.2.1 Goal

Industrial control systems and associated networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, information leakage, earthquake, fire or flood. These security threats may originate from inside or outside the control systems environment, resulting in damage to the organization.

Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.

Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.

4.2.2 IACS assets to be protected

In order to establish information security management, it is essential for an asset owner to clarify and identify all IACS related assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.

4.2.3 Establishment of information security management

4.2.3.1 How to establish security requirements

It is essential for asset owners to identify their security requirements. There are three main sources of security requirements as follows:

a) What is derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated and potential impact is estimated;

b) The legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;

c) The particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.

4.2.3.2 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

4.2.3.3 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level.

This standard provides guidance and IACS specific controls, in addition to general information security management, taking account of IACS specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.

The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.

4.2.3.4 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security in an industrial automation and control system:

a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;
b) an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;
c) visible support and commitment from all levels of management;
d) a good understanding of the security requirements, risk assessment, and risk management;
e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;
f) distribution of guidance on information security policy and standards to all managers, employees and other parties;
g) provision to fund information security management activities;
h) providing appropriate awareness, training, and education;
i) establishing an effective information security incident management process;
j) implementation of a measurement system that is used to evaluate performance in information security management and feedback suggestions for improvement.

638 5 Security Policy

BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.
639 5.1 Introduction

This document includes working drafts of, or extracts from documents in the ISA-62443 series.
640 5.1.1 {Requirement}

New versions will be generated periodically as individual documents are revised.


641 Requirement:
642
643 Foundational Requirement:

644 Rationale/Supplemental Guidance:

645 Requirement Enhancements:


646

6 Organization of Security

6.1 Introduction

6.2 Internal Organization

6.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

6.3 External Parties

6.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7 Asset Management

7.1 Introduction

7.2 Responsibility for Assets

7.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

7.3 Information Classification

7.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

8 Human Resources Security

8.1 Prior to Employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.

All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.

Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.

8.1.1 Roles and responsibilities

Control

Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.

Implementation guidance

Security roles and responsibilities should include the requirement to:

a) implement and act in accordance with the organization’s information security policies (see 5.1);
b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.

Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

IACS-specific implementation guidance

Facilities should appoint staff who have the right credentials or appropriate knowledge and skills to be in charge of the supervision of matters related to the installation, maintenance and operation of IACS. The relevant staff should be notified of their assigned roles and responsibilities.

Other Information

Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
8.1.2 Screening

Control

Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Implementation guidance

Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:

a) availability of satisfactory character references, e.g. one business and one personal;
b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity check (passport or similar document);
e) more detailed checks, such as credit checks or checks of criminal records.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.

Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.

A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

IACS-specific implementation guidance

Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]

8.1.3 Terms and conditions of employment

Control

As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.

Implementation guidance

The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:

a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);
c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);
d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;
e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);
f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);
g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).

The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).

IACS-specific implementation guidance

Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.

Other Information

A code of conduct may be used to cover the employee’s, contractor’s or third party user’s responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. The contractor or third party users may be associated with an external organization that may in turn be required to enter into contractual arrangements on behalf of the contracted individual.

8.2 During Employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

8.2.1 Management responsibilities

Control

Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

Implementation guidance

Management responsibilities should include ensuring that employees, contractors and third party users:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) are provided with guidelines to state security expectations of their role within the organization;
c) are motivated to fulfil the security policies of the organization;
d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);
e) conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
f) continue to have the appropriate skills and qualifications.

IACS-specific implementation guidance

Management should ensure that individuals responsible for operating and maintaining IACS are included in the above mentioned activities.

Other Information

If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

Poor management may cause personnel to feel undervalued resulting in a negative security impact to the organization. For example, poor management may lead to security being neglected or potential misuse of the organization’s assets.

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:


8.2.2 Information security awareness, education, and training

Control

All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Implementation guidance

Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.

Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).

IACS-specific implementation guidance

Individuals responsible for operating and maintaining IACS should be included in the above mentioned activities and, where necessary, specific training should be developed for individuals in these roles.

Other Information

The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).

Training to enhance awareness is intended to allow individuals to recognize information security problems and incidents, and respond according to the needs of their work role.

8.2.3 Disciplinary process

The control objective and the contents from ISO/IEC 27002 clause 8.2.3 apply.

8.3 Termination or Change of Employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.

Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed as described in section 8.1.

8.3.1 Termination responsibilities

The control objective and the contents from ISO/IEC 27002 clause 8.3.1 apply.

8.3.2 Return of assets

The control objective and the contents from ISO/IEC 27002 clause 8.3.2 apply.

8.3.3 Removal of access rights

Control

The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Implementation guidance

Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities (see also 11.2.4), subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.

Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

a) whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason of termination;
b) the current responsibilities of the employee, contractor or any other user;
c) the value of the assets currently accessible.

IACS-specific implementation guidance

Other risk factors to be considered when reducing or removing access rights should include risks associated with disruption to IACS availability, plant protection, and plant operations.

Other Information

In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees, contractors and third party users involved to no longer share this information with the person departing.

In cases of management-initiated termination, disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use.
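The reconciliation that 8.3.3 and its Other Information call for, as an added Python example that is not part of this draft: it compares an HR roster against live accounts and group access lists and reports personal accounts still enabled after termination, departed individuals left on group IDs, and shared passwords known to a leaver that were not changed; management-initiated terminations are ranked higher, following risk factor a) and the Other Information above. The roster, account and group data are constructed for the example.

```python
"""Offboarding reconciliation for 8.3.3 (removal of access rights).

Added example; not part of the ISA-62443-2-2 draft. All roster, account
and group data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

AS_OF = date(2013, 4, 1)   # constructed review date


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str                        # "active", "terminated" or "changed"
    effective: Optional[date]          # termination or change-of-employment date
    initiated_by: str = "employee"     # or "management" (risk factor a)
    approved_groups: frozenset = frozenset()   # groups approved for the new role


@dataclass
class Account:
    name: str
    owner: Optional[str]               # None for a shared account
    enabled: bool
    password_changed: date
    known_by: Set[str] = field(default_factory=set)   # who knows the password


@dataclass(frozen=True)
class Finding:
    severity: str
    subject: str
    reason: str


def reconcile(roster: List[Person], accounts: List[Account],
              groups: Dict[str, Set[str]], as_of: date) -> List[Finding]:
    """Compare HR status with live access data; return access rights still to remove."""
    findings: List[Finding] = []
    # People whose termination or change of employment is already effective.
    departed = {p.user_id: p for p in roster
                if p.status in ("terminated", "changed")
                and p.effective is not None and p.effective <= as_of}
    departed_ids = set(departed)

    for acct in accounts:
        if acct.owner in departed and acct.enabled:
            p = departed[acct.owner]
            if p.status == "terminated":
                # 8.3.3 Other Information: management-initiated terminations carry
                # the higher sabotage risk, so they are ranked first.
                sev = "high" if p.initiated_by == "management" else "medium"
                findings.append(Finding(sev, acct.name,
                    f"personal account still enabled after termination on {p.effective}"))
        if acct.owner is None:
            # Shared account: a password known to a leaver must be changed upon
            # termination or change of employment.
            for uid in sorted(acct.known_by & departed_ids):
                if acct.password_changed < departed[uid].effective:
                    findings.append(Finding("high", acct.name,
                        f"shared password known by {uid} not changed since "
                        f"their {departed[uid].status} on {departed[uid].effective}"))

    for gid, members in sorted(groups.items()):
        # Group IDs: remove departed individuals from every group access list
        # that was not approved for the new employment.
        for uid in sorted(members & departed_ids):
            if gid not in departed[uid].approved_groups:
                findings.append(Finding("medium", gid,
                    f"{uid} still on group access list after {departed[uid].status}"))
    return findings


def run_example() -> List[Finding]:
    """Constructed sample: HR roster, live accounts and group access lists."""
    roster = [
        Person("alice", "terminated", date(2013, 3, 1), "management"),
        Person("bob", "changed", date(2013, 3, 15), "employee", frozenset({"hmi-operators"})),
        Person("carol", "active", None),
        Person("dave", "terminated", date(2013, 4, 15)),   # not yet effective on AS_OF
    ]
    accounts = [
        Account("alice", "alice", True, date(2013, 1, 1)),
        Account("bob", "bob", True, date(2013, 3, 16)),
        Account("dave", "dave", True, date(2013, 1, 1)),
        Account("plc-eng-shared", None, True, date(2013, 2, 1), {"alice", "carol"}),
        Account("hist-backup", None, True, date(2013, 3, 20), {"bob"}),
    ]
    groups = {
        "plc-engineers": {"alice", "bob", "carol"},
        "hmi-operators": {"bob", "carol"},
        "historian-readers": {"dave"},
    }
    return reconcile(roster, accounts, groups, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```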



9 Physical and Environmental Security

9.1 Introduction

9.2 Secure Areas

9.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

9.3 Equipment Security

9.3.1 Physical Access Authorizations

Requirement:
The organization shall develop and keep current a list of personnel with authorized access to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and issue appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency].

Foundational Requirement:

Rationale/Supplemental Guidance: Appropriate authorization credentials include, for example, badges, identification cards, smart cards, keypad codes or biometric attributes. The organization promptly removes from the access list personnel no longer requiring access to the facility where the IACS resides.

Requirement Enhancements:

(1) Authorized access shall be adjusted for assignments in restricted areas or for personnel dismissal.
9.3.2 Physical Access Control

Requirement:
The organization shall control all physical access points (including designated entry/exit points) to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and verify individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Foundational Requirement: FR1 Access Control

Rationale/Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing IACS. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational IACS may be located in areas designated as publicly accessible with access to such devices being appropriately controlled. The organization considers IACS safety and security interdependencies. The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to IACS facilities and assets to authorized individuals only.

Requirement Enhancements:

(1) The organization controls physical access to the IACS independent of the physical access controls for the facility. Identity verification is required for entry to the most secured IACS spaces.

Rationale/Supplemental Guidance: This requirement enhancement, in general, applies to server rooms, communications centers, telecommunication spaces, control rooms, instrument rack rooms, remote control rooms or any other areas within a facility containing large concentrations of IACS components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of IACS components or the impact level of the components. The requirement enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel.

9.3.3 Access Control for Communication Medium

Requirement:
The organization shall control physical access to IACS distribution and communication lines within local organizational facilities.

Foundational Requirement:

Rationale/Supplemental Guidance: Physical protections applied to IACS distribution and communication lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted communications. Protective measures to control physical access to IACS distribution and communication lines include: (i) endpoints or any access point contained in locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

Requirement Enhancements: None.


9.3.4 Access Control for Display Medium

Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) Access displays shall be placed in such a manner to prevent others from viewing the display of clear text access information.

9.3.5 Monitoring Physical Access

Requirement:
The organization shall monitor physical access to the IACS to detect and respond to physical security incidents.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization’s incident response capability.

Requirement Enhancements:

(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.

9.3.6 Visitor Control

Requirement:
The organization shall control physical access to the IACS by authenticating visitors before authorizing access to the facility where the IACS resides other than areas designated as publicly accessible.

Foundational Requirement:

Rationale/Supplemental Guidance: Personnel without permanent authorization or permanent duties, including physical access to an IACS, are considered a visitor.

Requirement Enhancements:

(1) The organization escorts visitors and monitors visitor activity.

9.3.7 Access Records

Requirement:
The organization shall maintain visitor access records to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible). The detailed contents of these records are to be defined by the asset owner and their respective security policy. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency] and maintain those records for [Assignment: organization-defined periodicity].

Foundational Requirement:

Rationale/Supplemental Guidance: These logs are intended to support forensic investigation. Useful attributes would include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited.

Requirement Enhancements:

(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
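A periodic review of visitor access records spanning 9.3.1, 9.3.5 and 9.3.7, as an added Python example that is not part of this draft: it parses constructed log lines carrying attributes (i)-(vii), flags incomplete records, past visits never signed out, hosts absent from the 9.3.1 authorized access list, and records older than the retention period. The CSV layout, the host identifiers and the 180-day retention value are assumptions for the example.

```python
"""Periodic review of visitor access records (9.3.1, 9.3.5, 9.3.7).

Added example; not part of the ISA-62443-2-2 draft. The CSV layout, the
host identifiers and the retention period are assumptions.
"""
import csv
import io
from datetime import date, datetime, timedelta
from typing import Dict, List, Set

# One column per 9.3.7 attribute (i)-(vii); assumed layout.
FIELDS = ["visitor", "visitor_org", "signature", "identification", "date",
          "time_in", "time_out", "purpose", "host", "host_org"]

# Constructed sample log. The second visit names a host who is not on the
# authorized access list, the third is older than the retention period and
# the fourth lacks a signature and was never signed out.
SAMPLE_LOG = """\
visitor,visitor_org,signature,identification,date,time_in,time_out,purpose,host,host_org
J. Doe,ExampleVendor,yes,passport,2013-03-04,08:55,12:10,PLC firmware service,alice,ExampleCo
K. Lee,ExampleAudit,yes,driver licence,2013-03-04,13:00,17:30,safety audit,frank,ExampleCo
R. Roe,ExampleVendor,yes,id card,2012-09-10,09:00,10:00,spare parts delivery,alice,ExampleCo
S. Poe,ExampleVendor,,passport,2013-03-28,14:05,,HMI upgrade,bob,ExampleCo
"""

AUTHORIZED: Set[str] = {"alice", "bob", "carol"}   # constructed 9.3.1 access list
AS_OF = date(2013, 4, 1)                           # constructed review date
RETENTION = timedelta(days=180)                    # assumed organization-defined periodicity


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the visitor log, refusing a file that lacks any 9.3.7 column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"visitor log lacks columns: {sorted(missing)}")
    return [dict(row) for row in reader]


def record_key(rec: Dict[str, str]) -> str:
    return f"{rec['visitor']} {rec['date']} {rec['time_in']}"


def review(records: List[Dict[str, str]], authorized: Set[str],
           as_of: date, retention: timedelta) -> Dict[str, List[str]]:
    """Return record keys grouped by the condition the reviewer must follow up."""
    findings: Dict[str, List[str]] = {
        "incomplete": [],         # an attribute (i)-(vii) other than departure is blank
        "not_signed_out": [],     # past visit with no departure time: investigate (9.3.5)
        "unauthorized_host": [],  # person visited is not on the 9.3.1 access list
        "past_retention": [],     # older than the retention period: dispose per policy
    }
    for rec in records:
        key = record_key(rec)
        if any(not (rec.get(f) or "").strip() for f in FIELDS if f != "time_out"):
            findings["incomplete"].append(key)
        try:
            visit_date = datetime.strptime(rec.get("date") or "", "%Y-%m-%d").date()
        except ValueError:
            # A blank or malformed date makes the record incomplete and
            # rules out the date-based checks below.
            if key not in findings["incomplete"]:
                findings["incomplete"].append(key)
            continue
        if not (rec.get("time_out") or "").strip() and visit_date < as_of:
            findings["not_signed_out"].append(key)
        if rec.get("host") not in authorized:
            findings["unauthorized_host"].append(key)
        if visit_date + retention < as_of:
            findings["past_retention"].append(key)
    return findings


if __name__ == "__main__":
    result = review(parse_log(SAMPLE_LOG), AUTHORIZED, AS_OF, RETENTION)
    for condition, keys in result.items():
        print(f"{condition}: {keys}")
```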

10 Communications and Operations Management

10.1 Introduction

10.2 Operational Procedures and Responsibilities

10.2.1 Automated Marking

Requirement:
The IACS shall mark output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.

Foundational Requirement:

Rationale/Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the IACS).

Requirement Enhancements: None.

10.3 Third Party Service Delivery Management

10.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
1064 10.4 System planning and acceptance
1065 10.4.1 {Requirement}
1066 Requirement:
1067
1068 Foundational Requirement:

1069 Rationale/Supplemental Guidance:


ISA‑62443-2-2, D1E4, April 2013 – 34 – ISA99, WG02, TG02

1070 Requirement Enhancements:


1071
10.5 Protection against malicious and mobile code

10.5.1 Malicious Code Protection
Requirement:
The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential effect on the availability of the IACS. Updates are scheduled to occur during planned IACS outages. The organization considers IACS vendor recommendations for malicious code protection. To reduce malicious code, organizations remove the functions and services that should not be employed on the IACS (e.g., Voice Over Internet Protocol, Instant Messaging, File Transfer Protocol, Hyper Text Transfer Protocol, electronic mail, file sharing).

Requirement Enhancements: None.


10.5.2 Security Alerts and Advisories
Requirement:
The organization shall receive IACS security alerts/advisories on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization documents the types of actions to be taken in response to security alerts/advisories. The organization also maintains contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.

Requirement Enhancements:

(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
10.6 Backup

10.6.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.7 Network Security Management

10.7.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.8 Media Handling

10.8.1 Media Protection Policy and Procedures

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection requirements.
Foundational Requirement:

Rationale/Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

10.8.2 Media Access
Requirement:
The organization shall restrict access to IACS media to authorized individuals.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access requirements where the media resides provide adequate protection.

Requirement Enhancements:

(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Foundational Requirement:
Rationale/Supplemental Guidance: This requirement enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).

10.8.3 Media Labeling

Requirement:
The organization shall: (i) affix external labels to removable IACS media and IACS output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempt [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].
Foundational Requirement:

Rationale/Supplemental Guidance: An organizational assessment of risk guides the selection of media requiring labeling. Organizations document in policy and procedures the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media.

Requirement Enhancements: None.

10.8.4 Media Storage

Requirement:
The organization shall physically control and securely store IACS media within controlled areas.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS.
This requirement applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones, telephone systems (voicemail only)).
Organizations document in policy and procedures the media requiring physical protection and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to have limited or no adverse impact on the organization or individuals if accessed by non-authorized personnel. The assumption is that the physical access controls to the facility where the media resides provide adequate protection. The organization protects IACS media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
As part of a defense-in-depth protection strategy, the organization considers routinely encrypting data at rest on selected secondary storage devices. The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by IACS users.

Requirement Enhancements: None.

10.8.5 Media Transport
Requirement:
The organization shall protect and control IACS media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.
Foundational Requirement:

Rationale/Supplemental Guidance: IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S^{target}_{system}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

Requirement Enhancements:

(1) The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].
Rationale/Supplemental Guidance: Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the $S^{target}_{system}$ categorization of the information residing on the media, and consistent with applicable laws, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.
(2) The organization documents, where appropriate, activities associated with the transport of IACS media using [Assignment: organization-defined system of records].
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
(3) The organization employs an identified custodian at all times to transport IACS media.
Rationale/Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.

10.8.6 Media Sanitization and Disposal
Requirement:
The organization shall sanitize IACS media, both digital and non-digital, prior to disposal or release for reuse.
Foundational Requirement:

Rationale/Supplemental Guidance: Sanitization is the process used to remove information from IACS media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The National Security Agency provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.

Requirement Enhancements:

(1) The organization tracks, documents, and verifies media sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.

10.8.7 Access Control for Display Medium

Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.
Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

10.8.8 Public Key Infrastructure Certificates
Requirement:
Where public key cryptography is utilized, the organization shall determine what appropriate interfaces are required with existing public key infrastructure under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Foundational Requirement:

Rationale/Supplemental Guidance: Registration to receive a public key certificate needs to include authorization by a supervisor or a responsible official and needs to be accomplished using a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party.

Requirement Enhancements: None.

10.9 Exchange of Information

10.9.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.10 Electronic Commerce Services

10.10.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

10.11 Monitoring

10.11.1 Audit and Accountability Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Foundational Requirement:

Rationale/Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular IACS, when required. The parameters to be monitored are a local matter. Of those parameters it is strongly recommended to consider false positives (e.g., how many times an authorized entity was hindered or prevented from performing its function).

Requirement Enhancements: None.

10.11.2 Auditable Events

Requirement:
The organization periodically reviews and updates the list of organization-defined auditable events.
Foundational Requirement:

Rationale/Supplemental Guidance: The purpose of this requirement is to identify important events which need to be audited as significant and relevant to the security of the IACS. The security audit function is usually coordinated with the network health and status monitoring function, which may be in a different zone. Commonly recognized and accepted checklists and configuration guides should be considered when compiling a list of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents.

Requirement Enhancements: None.

10.11.3 Audit Monitoring, Analysis and Reporting

Requirement:
The organization shall regularly review/analyze IACS audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.
Foundational Requirement:

Rationale/Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the IACS whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Requirement Enhancements:

(1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
(2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
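The automated review and alerting that enhancements (1) and (2) call for, as an added example that is not part of ISA-62443-2-2: three rules stand in for the organization-defined list of activities and are run over a constructed IACS audit log. The record layout, field names, address ranges and thresholds are assumptions made for this illustration.

```python
"""Automated audit-record review for 10.11.3 (added example; not part of
ISA-62443-2-2). The organization-defined list of activities that result in
alerts is modelled as three rules run over a constructed IACS audit log.
Record format, field names, networks and thresholds are all assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records: timestamp, account, event, source address, detail.
SAMPLE_AUDIT_LOG = """\
2013-04-10T01:58:10 operator1 LOGIN_FAIL 10.1.5.20 bad_password
2013-04-10T01:58:30 operator1 LOGIN_FAIL 10.1.5.20 bad_password
2013-04-10T01:58:50 operator1 LOGIN_FAIL 10.1.5.20 bad_password
2013-04-10T01:59:05 operator1 LOGIN_FAIL 10.1.5.20 bad_password
2013-04-10T01:59:20 operator1 LOGIN_FAIL 10.1.5.20 bad_password
2013-04-10T02:10:00 engineer2 LOGIN_OK 10.1.5.31 -
2013-04-10T02:12:00 engineer2 CONFIG_CHANGE 10.1.5.31 plc7:setpoint_limits
2013-04-10T09:30:00 engineer2 CONFIG_CHANGE 10.1.5.31 plc7:alarm_thresholds
2013-04-10T11:00:00 vendor_svc LOGIN_OK 203.0.113.9 -
2013-04-10T11:05:00 operator3 LOGIN_FAIL 10.1.5.22 bad_password
"""

# Assumed organization-defined parameters.
ORG_NETWORKS = [ip_network("10.0.0.0/8")]   # organization-controlled address space
FAILED_LOGIN_THRESHOLD = 5                    # failures for one account ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)    # ... within this window
MAINTENANCE_HOURS = (8, 17)                   # configuration changes expected 08:00-16:59


@dataclass(frozen=True)
class AuditRecord:
    time: datetime
    account: str
    event: str
    source: str
    detail: str


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    time: datetime
    note: str


def parse_audit_log(text: str) -> list[AuditRecord]:
    """Parse the whitespace-separated record layout assumed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, source, detail = line.split(maxsplit=4)
        records.append(AuditRecord(datetime.fromisoformat(ts), account, event, source, detail))
    return records


def repeated_login_failures(records: list[AuditRecord]) -> list[Alert]:
    """One alert per burst of THRESHOLD failed logins by one account inside WINDOW."""
    alerts, recent = [], defaultdict(list)
    for r in records:
        if r.event != "LOGIN_FAIL":
            continue
        # keep only failures still inside the sliding window, then add this one
        window = [t for t in recent[r.account] if r.time - t < FAILED_LOGIN_WINDOW]
        window.append(r.time)
        if len(window) >= FAILED_LOGIN_THRESHOLD:
            alerts.append(Alert("repeated_login_failures", r.account, r.time,
                                f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
            window = []  # reset so one burst raises one alert
        recent[r.account] = window
    return alerts


def config_change_outside_window(records: list[AuditRecord]) -> list[Alert]:
    """Configuration changes outside the planned maintenance hours."""
    start, end = MAINTENANCE_HOURS
    return [Alert("config_change_outside_window", r.account, r.time, r.detail)
            for r in records
            if r.event == "CONFIG_CHANGE" and not start <= r.time.hour < end]


def access_from_external_network(records: list[AuditRecord]) -> list[Alert]:
    """Successful logins from addresses outside organization-controlled networks."""
    return [Alert("access_from_external_network", r.account, r.time, r.source)
            for r in records
            if r.event == "LOGIN_OK"
            and not any(ip_address(r.source) in net for net in ORG_NETWORKS)]


RULES = [repeated_login_failures, config_change_outside_window, access_from_external_network]


def review_audit_records(text: str) -> list[Alert]:
    """Run every organization-defined rule over the log and return alerts, oldest first."""
    records = parse_audit_log(text)
    alerts = [alert for rule in RULES for alert in rule(records)]
    return sorted(alerts, key=lambda a: a.time)


if __name__ == "__main__":
    for a in review_audit_records(SAMPLE_AUDIT_LOG):
        print(f"{a.time.isoformat()}  {a.rule:30}  {a.account:10}  {a.note}")
```

On the sample log the review raises three alerts: the burst of failed logins by operator1, the configuration change at 02:12 outside maintenance hours, and the vendor_svc login from an address outside the organization's networks; the single failure by operator3 and the 09:30 change raise none.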
10.11.4 Audit Record Retention
Requirement:
The organization shall retain audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes.

Requirement Enhancements: None.

11 Access Control

11.1 Introduction

11.2 Business Requirement

11.2.1 Access Control Policy and Procedures

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Foundational Requirement:

Rationale/Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

11.2.2 System and Information Integrity Policy and Procedures

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity requirements.
Foundational Requirement:

Rationale/Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.


11.2.3 Flaw Remediation

Requirement:
The organization shall identify, report, and correct IACS flaws.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization identifies IACS containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s IACS before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or IACS error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. The flaw remediation process shall be consistent with certification, safety and regulatory testing requirements.

Requirement Enhancements:

(1) The organization centrally manages the flaw remediation process and installs updates automatically.
(2) The organization employs automated mechanisms to periodically and upon demand determine the state of IACS components with regard to flaw remediation.
11.3 User Access Management

11.3.1 Account Management
Foundational Requirement:
Requirement:
The organization reviews accounts [Assignment: organization-defined frequency, at least annually]. A history of account changes shall be maintained, if only manually.
Foundational Requirement:
Rationale/Supplemental Guidance: Account management might include (i.e., individual, role, and system, device-based, and system), establishment of conditions for group membership, and assignment of associated authorizations. In certain IACS instances, where the organization has determined that individual accounts are unnecessary from a risk-analysis and/or regulatory aspect, shared accounts are acceptable as long as adequate compensating controls (such as limited physical access) are in place and documented.
Non-user accounts (sometimes termed service accounts) that are utilized for process-to-process communication (for example, an HMI connecting to a database) typically require different security policies from human user accounts.
The organization identifies authorized users of the IACS and specifies access rights/privileges. The organization grants access to the IACS based on:
(i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all functional and security criteria; and
(ii) intended system usage. The organization requires proper identification for requests to establish accounts and approves all such requests.
(iii) The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when IACS users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured.
(iv) Account managers are also notified when users’ IACS usage or need-to-know/need-to-share changes. In cases where accounts are role-based, i.e., the workstation, hardware, and/or field devices define a user role, access to the IACS includes physical security policies and procedures based on organization risk assessment.
(v) In cases where physical access to the workstation, hardware, and/or field devices predefines privileges, the organization implements physical security policies and procedures based on organization risk assessment. Account management may include additional account types (e.g., role-based, device-based, attribute-based). The organization removes, changes, disables, or otherwise secures default accounts.

Requirement Enhancements:
(1) The organization has policies and procedures to terminate guest or temporary accounts after [Assignment: organization-defined time period for each type of account].
(2) The organization has policies and procedures to disable inactive accounts after [Assignment: organization-defined time period].
(3) The organization employs mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
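The periodic account review, the change history and enhancements (1) to (3) above, as an added example that is not part of ISA-62443-2-2 or of any vendor's tooling: a review run over a constructed account inventory that terminates expired guest/temporary accounts, disables inactive ones, reports enabled default accounts and undocumented shared accounts, and records every action. The account types, field names and time periods are assumptions made for this illustration.

```python
"""Periodic account review for 11.3.1 and its enhancements (added example; not
part of ISA-62443-2-2). Guest/temporary accounts past their lifetime are
terminated, inactive accounts are disabled, enabled default accounts and
undocumented shared accounts are reported, and every change goes into the
account history the requirement asks for. Account types, field names and time
periods are assumptions."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed organization-defined time periods (enhancements (1) and (2)).
INACTIVITY_LIMIT = timedelta(days=90)
LIFETIME_LIMIT = {"guest": timedelta(days=1), "temporary": timedelta(days=30)}


@dataclass
class Account:
    name: str
    kind: str                        # individual | shared | service | guest | temporary | default
    created: date
    last_login: date | None          # None: never used
    enabled: bool = True
    compensating_controls: str = ""  # documentation required for shared accounts


@dataclass(frozen=True)
class HistoryEntry:
    when: date
    account: str
    action: str                      # TERMINATE | DISABLE | REVIEW
    reason: str


@dataclass
class ReviewResult:
    history: list[HistoryEntry] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def review_accounts(accounts: list[Account], today: date) -> ReviewResult:
    """Apply the review rules to the accounts in place and record what was done."""
    result = ReviewResult()
    for acct in accounts:
        if not acct.enabled:
            continue
        # (1) guest/temporary accounts are terminated after their defined lifetime
        lifetime = LIFETIME_LIMIT.get(acct.kind)
        if lifetime is not None and today - acct.created > lifetime:
            acct.enabled = False
            result.history.append(HistoryEntry(today, acct.name, "TERMINATE",
                                               f"{acct.kind} account older than {lifetime.days} days"))
            continue
        # (2) inactive accounts are disabled; service accounts used for
        # process-to-process communication follow a different policy and are skipped
        last_use = acct.last_login or acct.created
        if acct.kind != "service" and today - last_use > INACTIVITY_LIMIT:
            acct.enabled = False
            result.history.append(HistoryEntry(today, acct.name, "DISABLE",
                                               f"no use for more than {INACTIVITY_LIMIT.days} days"))
            continue
        # rationale: default accounts are removed, changed, disabled or otherwise secured
        if acct.kind == "default":
            result.findings.append(f"{acct.name}: default account still enabled")
        # rationale: shared accounts need documented compensating controls
        if acct.kind == "shared" and not acct.compensating_controls:
            result.findings.append(f"{acct.name}: shared account without documented compensating controls")
    # (3) the review itself is recorded in the account history
    result.history.append(HistoryEntry(today, "*", "REVIEW", f"{len(accounts)} accounts reviewed"))
    return result


# Constructed sample inventory and review date.
SAMPLE_ACCOUNTS = [
    Account("operator1", "individual", date(2012, 1, 15), date(2013, 4, 9)),
    Account("engineer2", "individual", date(2011, 6, 1), date(2012, 11, 30)),   # inactive > 90 days
    Account("hmi_db_svc", "service", date(2011, 6, 1), None),                  # HMI-to-database account
    Account("vendor_tmp", "temporary", date(2013, 2, 1), date(2013, 4, 1)),    # past 30-day lifetime
    Account("guest", "guest", date(2013, 4, 9), date(2013, 4, 9)),             # still within 1 day
    Account("admin", "default", date(2011, 6, 1), date(2013, 4, 8)),           # vendor default account
    Account("ctrlroom", "shared", date(2011, 6, 1), date(2013, 4, 10),
            compensating_controls="badge-controlled control room, camera coverage"),
]
REVIEW_DATE = date(2013, 4, 10)


def sample_review() -> ReviewResult:
    """Review a copy of the sample inventory so the sample itself is left unchanged."""
    return review_accounts(copy.deepcopy(SAMPLE_ACCOUNTS), REVIEW_DATE)


if __name__ == "__main__":
    result = sample_review()
    for h in result.history:
        print(f"{h.when} {h.action:9} {h.account:12} {h.reason}")
    for finding in result.findings:
        print("FINDING:", finding)
```

On the sample inventory the review disables engineer2, terminates vendor_tmp, leaves the service account and the one-day-old guest account alone, and reports the still-enabled default account admin; the shared control-room account passes because its compensating controls are documented.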
11.3.2 Separation of Duties
Foundational Requirement:
Requirement:
When assigning permissions and/or roles to users, the organization shall obey the separation of duties as outlined in its security policy.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Examples of separation of duties include:
(i) mission functions and distinct IACS support functions are divided among different individuals/roles;
(ii) different individuals perform IACS support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security);
(iii) security personnel who administer access control functions do not administer audit functions.

Requirement Enhancements: None.
11.4 User Responsibilities

11.4.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:
11.5 Network Access Control

11.5.1 Least Privilege
Foundational Requirement:
Requirement:
The organization shall enforce the set of rights/privileges or accesses, as required by ISA-99.02.xx, needed by the asset owner (or processes acting on behalf of asset owners) for the performance of specified tasks.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization employs the concept of least privilege for specific duties and IACS (zones and conduits) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Requirement Enhancements: None.

11.5.2 Permitted Actions Without Identification or Authentication

Foundational Requirement:
Requirement:
The organization shall identify and document (log) specific IACS user actions that can be performed on the IACS without additional identification or authentication, if and only if prior identification and authentication have already occurred.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization may allow limited IACS user activity without identification and authentication for corrective actions (e.g., emergency). The intent is to prevent repeated unnecessary identification and/or authentication.

Requirement Enhancements:

(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.
11.5.3 Remote Access
Foundational Requirement:
Requirement:
The organization shall authorize all methods of remote access to the IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: Remote access is any access to an IACS by an IACS user (human user, process, or device) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access to IACS component locations (e.g., control center, field locations) is only enabled when approved by the organization.

Requirement Enhancements:
(1) The organization controls all remote accesses through a limited number of managed access control points.
(2) The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the IACS.

11.5.4 Use of External Information Systems

Foundational Requirement:
Requirement:
The organization shall establish terms and conditions for authorized individuals to: (i) access the IACS from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.
Foundational Requirement:
Rationale/Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants) and privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports). Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational IACS. The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address as a minimum: (i) the types of applications that can be accessed on the organizational IACS from the external information system; and (ii) the maximum category of information that can be transmitted to or processed and stored on the external information system.

Requirement Enhancements:
(1) The organization prohibits authorized individuals from using an external information system to access the IACS or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (ii) has approved IACS connection or processing agreements with the organizational entity hosting the external information system.
(2) The organization provides a domain of filtered control for access by external IACS users, and limits access only to this domain.
(3) The organization provides a separate domain of information for read-only or download-only access by external IACS users and limits access only to this domain.
11.6 Operating System Access Control
11.6.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.7 Application and Information Access Control
11.7.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.8 Mobile Computing and Teleworking
11.8.1 Wireless Access Restrictions
Foundational Requirement:
Requirement:
The organization shall produce implementation guidance for wireless technologies.
Foundational Requirement:
Rationale/Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio [UHF/VHF], 802.11x, 802.15.4 (ZigBee, WirelessHART, ISA100.11a), and Bluetooth.

Requirement Enhancements:
(1) The organization shall deploy continuous passive monitoring for unauthorized wireless access points and take appropriate action if such access points are discovered.
Foundational Requirement:
Rationale/Supplemental Guidance: At the time of publication of this document, these access points are typically based on 802.11x technology. In the future, this will change and thus other wireless technologies will need to be monitored as well. Regardless, organizations should conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact IACS. The scan should involve the entire facility, not just areas containing a high-impact IACS.
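The comparison step behind enhancement (1), as an added example that is not part of ISA-62443-2-2: every access point seen in a scan is checked against the authorised access point inventory. An unknown BSSID is reported as unauthorised; an authorised SSID advertised from an unknown BSSID is reported as an evil twin; and an authorised BSSID seen with an unexpected SSID or on a channel it is not deployed on is reported as a possible spoof. The scan line format, the inventory layout, the SSIDs and all BSSIDs below are constructed for the example; a continuous monitor would run this check on each scan interval against whatever scanner output it collects.

```python
"""Rogue wireless access point check against an authorised AP inventory.
Added example, not code or text from ISA-62443-2-2. The scan line format,
the inventory format and every BSSID/SSID below are constructed."""
import re
from dataclasses import dataclass

# Authorised APs keyed by BSSID (constructed inventory; format assumed).
AUTHORISED_APS = {
    "00:11:22:33:44:01": {"ssid": "PLANT-OT", "channels": {1, 6, 11}},
    "00:11:22:33:44:02": {"ssid": "PLANT-OT", "channels": {1, 6, 11}},
    "00:11:22:33:44:10": {"ssid": "PLANT-GUEST", "channels": {36, 40}},
}

# Constructed scan output, one AP per line: BSSID, channel, SSID.
SAMPLE_SCAN = """\
00:11:22:33:44:01 ch=6 ssid="PLANT-OT"
00:11:22:33:44:02 ch=11 ssid="PLANT-OT"
00:11:22:33:44:10 ch=36 ssid="PLANT-GUEST"
de:ad:be:ef:00:01 ch=6 ssid="PLANT-OT"
aa:bb:cc:dd:ee:ff ch=1 ssid="linksys"
00:11:22:33:44:02 ch=3 ssid="PLANT-OT"
"""

LINE_RE = re.compile(
    r'^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ch=(?P<ch>\d+)\s+ssid="(?P<ssid>[^"]*)"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    reason: str


def parse_scan(text):
    """Return (bssid, channel, ssid) tuples; lines that do not match are skipped."""
    aps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            aps.append((m["bssid"].lower(), int(m["ch"]), m["ssid"]))
    return aps


def classify(scan, inventory):
    """Flag every scanned AP that is not an authorised AP behaving as deployed."""
    findings = []
    authorised_ssids = {entry["ssid"] for entry in inventory.values()}
    for bssid, channel, ssid in scan:
        entry = inventory.get(bssid)
        if entry is None:
            if ssid in authorised_ssids:
                reason = "evil twin: authorised SSID from unknown BSSID"
            else:
                reason = "unauthorised access point"
            findings.append(Finding(bssid, ssid, channel, reason))
        elif entry["ssid"] != ssid:
            findings.append(Finding(bssid, ssid, channel,
                                    "authorised BSSID advertising unexpected SSID"))
        elif channel not in entry["channels"]:
            findings.append(Finding(bssid, ssid, channel,
                                    "authorised AP on unexpected channel (possible spoof)"))
    return findings


if __name__ == "__main__":
    for f in classify(parse_scan(SAMPLE_SCAN), AUTHORISED_APS):
        print(f"{f.bssid} ch={f.channel} ssid={f.ssid!r}: {f.reason}")
```

Keying the check on BSSID rather than SSID is what catches the evil twin; because a BSSID can itself be cloned, the channel check gives a second signal, and a production monitor would add signal strength and the capability/security parameters of each beacon. The check only produces findings; the "appropriate action" is whatever the organization's guidance prescribes.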
11.8.2 Use Control for Portable and Mobile Devices
Foundational Requirement:
Requirement:
The organization shall produce implementation guidance for organization-controlled portable and mobile devices.
Foundational Requirement:

Rationale/Supplemental Guidance: Portable and mobile devices may introduce undesired network traffic, malware and/or information exposure, and thus there should be specific control associated with their usage in the typical IACS environment.

Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity) are only allowed access to the IACS in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).

Requirement Enhancements: None.


11.8.3 Mobile Code

Foundational Requirement:

Requirement:

The organization shall produce implementation guidance regarding the use of mobile code technologies based on the potential to cause damage to the IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the IACS. For example, mobile code exchanges might be disallowed directly with the IACS and instead confined to a controlled adjacent information environment maintained by IACS personnel.

Requirement Enhancements: None.


11.8.4 Supervision and Review – Use Control
Foundational Requirement:
Requirement:
The organization shall supervise and review the activities of IACS users with respect to the enforcement and usage of IACS assets.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual IACS-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of IACS users with significant IACS roles and responsibilities. The extent of the audit record reviews is based on the impact level of the IACS. For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers and when specific circumstances warrant review of other audit records.

Requirement Enhancements:
(1) The organization develops a baseline of normal IACS user behavior and allowable variances, and employs automated mechanisms to facilitate the review of user activities.
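One shape such an automated mechanism can take, as an added example that is not part of ISA-62443-2-2: a baseline is built per user from historical activity logs (the hosts each user works from, the hours they are normally active, and how many actions they generate per day), an allowable variance is attached to it, and the day under review is then reduced to the handful of deviations a reviewer needs to look at. The log line format, the two user identities, the hosts and the variance figures (one hour of slack around the observed window, twice the busiest observed day) are all constructed assumptions for the example.

```python
"""Baseline-and-variance review of IACS user activity logs.
Added example, not code or text from ISA-62443-2-2. The log format,
the thresholds and every log line below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed history: "<ISO time> user=<id> host=<name> action=<verb>".
HISTORY = """\
2013-03-04T07:05:00 user=op_smith host=HMI-01 action=login
2013-03-04T07:30:00 user=op_smith host=HMI-01 action=setpoint_change
2013-03-04T15:10:00 user=op_smith host=HMI-01 action=logout
2013-03-05T06:55:00 user=op_smith host=HMI-02 action=login
2013-03-05T09:40:00 user=op_smith host=HMI-02 action=setpoint_change
2013-03-05T15:00:00 user=op_smith host=HMI-02 action=logout
2013-03-04T08:00:00 user=eng_jones host=ENG-WS action=login
2013-03-04T08:20:00 user=eng_jones host=ENG-WS action=plc_download
2013-03-04T16:45:00 user=eng_jones host=ENG-WS action=logout
2013-03-05T08:10:00 user=eng_jones host=ENG-WS action=login
2013-03-05T16:30:00 user=eng_jones host=ENG-WS action=logout
"""

# Constructed day under review: the engineer appears at 02:00 from a new host.
REVIEW = """\
2013-03-06T07:00:00 user=op_smith host=HMI-01 action=login
2013-03-06T07:20:00 user=op_smith host=HMI-01 action=setpoint_change
2013-03-06T15:05:00 user=op_smith host=HMI-01 action=logout
2013-03-06T02:15:00 user=eng_jones host=ENG-WS action=login
2013-03-06T02:16:00 user=eng_jones host=PLC-GW action=plc_download
2013-03-06T02:17:00 user=eng_jones host=PLC-GW action=plc_download
2013-03-06T02:18:00 user=eng_jones host=PLC-GW action=plc_download
2013-03-06T02:19:00 user=eng_jones host=PLC-GW action=plc_download
2013-03-06T02:20:00 user=eng_jones host=PLC-GW action=plc_download
2013-03-06T02:30:00 user=eng_jones host=ENG-WS action=logout
"""


def parse(text):
    """Turn log lines into dicts with a parsed datetime under 'time'."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["time"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def build_baseline(events, hour_slack=1, count_factor=2.0):
    """Per-user baseline: hosts used, active-hour window, allowed events per day.
    hour_slack and count_factor are the allowable variances (assumed values)."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": [], "daily": defaultdict(int)})
    for e in events:
        u = per_user[e["user"]]
        u["hosts"].add(e["host"])
        u["hours"].append(e["time"].hour)
        u["daily"][e["time"].date()] += 1
    return {
        user: {
            "hosts": u["hosts"],
            "earliest": max(0, min(u["hours"]) - hour_slack),
            "latest": min(23, max(u["hours"]) + hour_slack),
            "max_daily": max(u["daily"].values()) * count_factor,
        }
        for user, u in per_user.items()
    }


def review(events, baseline):
    """Return sorted, de-duplicated (user, reason) variances for a reviewer."""
    findings = set()
    daily = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.add((e["user"], "no baseline for user"))
            continue
        if e["host"] not in b["hosts"]:
            findings.add((e["user"], f"new host {e['host']}"))
        if not b["earliest"] <= e["time"].hour <= b["latest"]:
            findings.add((e["user"], f"activity outside {b['earliest']:02d}:00-{b['latest']:02d}:59 window"))
        daily[(e["user"], e["time"].date())] += 1
    for (user, day), n in daily.items():
        if user in baseline and n > baseline[user]["max_daily"]:
            findings.add((user, f"{n} events on {day} exceeds allowed {baseline[user]['max_daily']:.0f}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review(parse(REVIEW), build_baseline(parse(HISTORY))):
        print(f"{user}: {reason}")
```

Two days of history is far too little for a real baseline; in practice the window is weeks, shift patterns are modelled explicitly, and users with significant IACS roles get tighter variances, which is how the guidance above expects their activity to be reviewed more frequently.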
11.8.5 Identification and Authentication Policy and Procedures
Foundational Requirement:

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls for IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures the identification and authentication policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.


11.8.6 Identifier Management

Foundational Requirement:
Requirement:
The organization shall manage identifiers by user, group, role, and/or system interface. An appropriate organization official or group is responsible for authorizing the issuance of user identifiers, issuing the user identifier to the intended party, and archiving user identifiers.
Foundational Requirement:
Rationale/Supplemental Guidance: Identifiers are distinguished from the privileges which they permit an entity to perform within a specific IACS control domain/zone (see also 2.6, Authenticator Management). Where users function as a single group (e.g., control room operators), user identification may be role-based, group-based, or device-based. For some IACS, the capability for immediate operator interaction is critical. Local emergency actions for the IACS must not be hampered by identification requirements. Access to these systems may be restricted by appropriate compensating security mechanisms. Identifiers may be required on portions of the IACS but not necessarily the entire system. For very high SAL level IACS the requirement for maximum control is increased, not decreased. Security measures that have the potential to cause loss of control in process operations are not acceptable. In these cases, to maintain the higher SAL levels, compensating measures external to the IACS (e.g. additional physical security measures and/or enhanced personnel background checks) will be needed. In these cases, it may be possible to see a normally high SAL level IACS at a lower SAL 1 or 2 rating, depending upon the compensating controls. Lockout or loss of control due to security measures is not acceptable in high availability IACS.

Requirement Enhancements:
(1) The organization shall verify the identity of each IACS user. This verification may be maintained separately from the IACS (such as by the appropriate HR group).


11.8.7 Authenticator Management

Foundational Requirement:

Requirement:
The organization shall establish administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS authenticators include, for example, tokens, Public Key certificates, biometrics, passwords, physical keys, and key cards. IACS users should take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. In the case of a process or device, such users should also take measures to protect their IACS authenticators.

If the IACS is required to have a high level of availability, measures must be taken to maintain this high level of availability (e.g. compensating physical controls, duplicate keys, supervisory override). Lockout or loss of control due to security measures is not acceptable.

Requirement Enhancements: None.
11.8.8 Software and Information Integrity
Requirement:
The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.
Foundational Requirement:

Rationale/Supplemental Guidance: This requirement complements related Access Control requirements. Access Control involves enforcing the roles, permissions, and use patterns as designed. Integrity verification methods are employed to detect, record, report, and protect against the effects of software and information tampering that may occur if other protection mechanisms (e.g. Access Control) have been circumvented.

Requirement Enhancements: None.
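The integrity scan the requirement calls for, as an added example that is not part of ISA-62443-2-2: a baseline manifest of SHA-256 digests is taken over a software tree once it is in its approved state, and each later scan re-hashes the tree and reports files that were modified, added or removed, which is exactly what a tampering that bypassed access control would leave behind. The directory layout, file names and contents in the demo are constructed, and the JSON manifest format is an assumption of this example.

```python
"""Periodic software and information integrity scan: baseline a tree into a
hash manifest, then re-scan and report tampering.
Added example, not code or text from ISA-62443-2-2. The tree, its files and
the manifest format are constructed assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Map each regular file (relative POSIX path) under root to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root, manifest_path):
    """Record the approved state; the manifest must live outside the scanned tree."""
    manifest = scan_tree(root)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(root, manifest_path):
    """Compare the current tree against the stored manifest."""
    expected = json.loads(Path(manifest_path).read_text())
    current = scan_tree(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def demo():
    """Constructed scenario: baseline an application tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "hmi").write_bytes(b"original hmi binary")
        (root / "config.ini").write_text("tls_min=1.2\n")
        manifest = Path(d) / "baseline.json"      # outside the scanned tree
        write_manifest(root, manifest)
        (root / "bin" / "hmi").write_bytes(b"trojaned hmi binary")   # modified
        (root / "bin" / "helper.so").write_bytes(b"dropped library")  # added
        (root / "config.ini").unlink()                                # removed
        return verify(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest is only as trustworthy as its own protection: an adversary who can rewrite files can usually rewrite a manifest stored beside them, so it should be signed, stored on a separate host, or both, and the scan should itself run from media the IACS host cannot modify. Scheduling the scan at the organization-defined frequency, and treating each non-empty report as an event to record and investigate, is what turns this into the detect, record and report function the guidance describes.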



11.8.9 Information Input Restrictions

Requirement:
Restrictions on entities authorized to input information to the IACS may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.
Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.10 Error Handling

Requirement:

The extent to which the IACS identifies and handles error conditions shall be guided by organizational policy and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.


11.8.11 Information Output Handling and Retention

Requirement:

The organization shall handle and retain output from the IACS in accordance with applicable laws, directives, policies, regulations, standards, and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.12 Boundary Protection

Requirement:

The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services.

Foundational Requirement:

Rationale/Supplemental Guidance: Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting communication services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.
Requirement Enhancements:
(1) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.

12 Systems acquisition, development and maintenance

12.1 Introduction

12.2 Security requirements of information systems

12.2.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.3 Correct Processing in Applications
12.3.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.4 Cryptographic Controls
12.4.1 Cryptographic Module Validation
Requirement:
If cryptography is required, the IACS shall employ validated cryptographic modules, as applicable laws, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module may require.
Foundational Requirement:

Rationale/Supplemental Guidance: The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. The most effective safeguard in the procurement process is to use a cryptographic module validated by a recognized third-party authority, e.g. the Cryptographic Module Validation Program.

Requirement Enhancements: None.



12.5 Security of System Files

12.5.1 {Requirement}
Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.6 Security in development and support processes
12.6.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.7 Technical vulnerability management
12.7.1 Configuration Management Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Foundational Requirement:

Rationale/Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.



12.7.2 Baseline Configuration

Requirement:
The organization shall develop, document, and maintain a current baseline configuration of the IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: This requirement establishes a baseline configuration for the IACS. The baseline configuration provides information about a particular component's makeup (e.g., the standard software load for a workstation or notebook computer including updated patch information) and the component's logical placement within the IACS architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the IACS is built and deviations, if required, are documented in support of mission needs/objectives.

Requirement Enhancements:
(1) The organization updates the baseline configuration of the IACS as an integral part of IACS component installations.
(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the IACS.
12.7.3 Configuration Change Control

Requirement:

The organization shall authorize, document, and control changes to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization manages configuration changes to the IACS using an organizationally approved process. Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the IACS, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the IACS include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the IACS.

Requirement Enhancements:
(1) The organization employs automated mechanisms to: (i) document proposed changes to the IACS; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the IACS.
(2) The organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational IACS.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization ensures that testing does not interfere with IACS functions. The individual/group conducting the tests fully understands the organizational information security policies and procedures, the IACS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production IACS may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an IACS must be taken off-line for testing, the tests are scheduled to occur during planned IACS outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production IACS, the organization employs compensating controls (e.g., providing a replicated system to conduct testing).
12.7.4 Monitoring Configuration Changes
Requirement:
The organization shall conduct security impact analyses to determine the effects of configuration changes.
Foundational Requirement:

Rationale/Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the IACS for potential adverse security consequences. After the IACS is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the IACS. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the IACS.

Requirement Enhancements: None.


12.7.5 Access Restrictions for Change

Requirement:

The organization shall: (i) approve individual access privileges and enforce physical and logical access restrictions associated with changes to the IACS; and (ii) generate, retain, and review records reflecting all such changes.
Foundational Requirement:

Rationale/Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the IACS can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to IACS components for purposes of initiating changes, including upgrades and modifications.

Requirement Enhancements:
(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.


12.7.6 Network and Security Configuration Settings

Requirement:
The IACS vendor shall provide guidelines for recommended network and security configurations. The organization shall, based upon guidelines provided by the vendor: (i) establish mandatory network and security configuration settings for IACS components; (ii) configure these settings to the most restrictive mode consistent with operational requirements; (iii) document these settings; and (iv) enforce these settings in all components of the IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: These configuration settings are the adjustable parameters of the IACS components.

Requirement Enhancements:
(1) The organization shall employ automated mechanisms to centrally manage, apply, and verify configuration settings.
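The verification half of enhancement (1), as an added example that is not part of ISA-62443-2-2, serving 12.7.2 (a documented baseline), 12.7.4 (re-checking security features after a change) and 12.7.6 (mandatory settings enforced on every component): the mandatory settings are written down once as rules, each with the relation that makes it "most restrictive" (a flag that must be off, a minimum version, a maximum timeout, an allowed set), and every collected device configuration is evaluated against them. A setting that a device does not report is treated as non-compliant, because an unreported setting cannot be shown to be enforced. The setting names, the rule values and the two device dumps are constructed for the example, and the rule syntax is an assumption of this code.

```python
"""Verify IACS component settings against a mandatory security baseline.
Added example, not code or text from ISA-62443-2-2. The settings, the
baseline values, the rule syntax and the device dumps are constructed."""
import operator

# Mandatory baseline: setting -> (relation, required value).
# "eq": must equal; "ge": must be at least; "le": must be at most; "in": must be one of.
BASELINE = {
    "telnet_enabled":      ("eq", False),
    "http_enabled":        ("eq", False),
    "tls_min_version":     ("ge", 1.2),
    "snmp_version":        ("in", {"3"}),
    "session_timeout_min": ("le", 15),
    "password_min_length": ("ge", 12),
    "ntp_authentication":  ("eq", True),
}

# Constructed configuration dumps, as a central collector might return them.
# plc-gw-1 still runs vendor defaults and does not report ntp_authentication.
DEVICES = {
    "hmi-01": {"telnet_enabled": False, "http_enabled": False, "tls_min_version": 1.2,
               "snmp_version": "3", "session_timeout_min": 10, "password_min_length": 14,
               "ntp_authentication": True},
    "plc-gw-1": {"telnet_enabled": True, "http_enabled": False, "tls_min_version": 1.0,
                 "snmp_version": "2c", "session_timeout_min": 60, "password_min_length": 8},
}

RELATIONS = {
    "eq": operator.eq,
    "ge": operator.ge,
    "le": operator.le,
    "in": lambda actual, allowed: actual in allowed,
}


def check_device(config, baseline=BASELINE):
    """Return (setting, actual, required) for every setting that is missing
    or less restrictive than the baseline demands."""
    deviations = []
    for setting, (rel, required) in baseline.items():
        actual = config.get(setting)
        if actual is None or not RELATIONS[rel](actual, required):
            deviations.append((setting, actual, f"{rel} {required!r}"))
    return deviations


def check_fleet(devices, baseline=BASELINE):
    """Map device name -> deviations; an empty list means the device is compliant."""
    return {name: check_device(cfg, baseline) for name, cfg in devices.items()}


def compliance_summary(report):
    total = len(report)
    compliant = sum(1 for deviations in report.values() if not deviations)
    return {"devices": total, "compliant": compliant, "noncompliant": total - compliant}


if __name__ == "__main__":
    report = check_fleet(DEVICES)
    for name, deviations in report.items():
        print(name, "compliant" if not deviations else "")
        for setting, actual, required in deviations:
            print(f"  {setting}: actual={actual!r}, required {required}")
    print(compliance_summary(report))
```

Running the same check immediately after every approved change is the post-change verification 12.7.4 asks for, and the rule file doubles as the documented settings that 12.7.6 (iii) requires. Where an operational requirement forces a setting to be less restrictive on one component, record that as an explicit, justified exception against the baseline rather than loosening the rule for the whole fleet.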
1953

12.7.7 IACS Component Inventory
Requirement:
The organization shall develop, document, and maintain a current inventory of the components of the IACS and relevant ownership information.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization determines the appropriate level of granularity for the IACS components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of IACS components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the IACS.
Requirement Enhancements:
(1) The organization updates the inventory of IACS components as an integral part of component installations.
(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of IACS components.
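An "automated mechanism" for enhancement (2) in practice means reconciling the documented inventory against what a discovery tool actually sees on the network. The following is an added example, not text or code from ISA-62443-2-2, that performs that reconciliation. The record layout, serial numbers, addresses and firmware versions are constructed for illustration. It matches devices on serial number rather than IP address, because addresses are reused and are trivial to spoof, and it reports three kinds of discrepancy: a device on the network that the inventory never recorded, an inventoried device that was not seen, and an inventoried device whose observed attributes (typically firmware) no longer match the record, which is the usual symptom of enhancement (1) not being followed.

```python
"""Reconcile the documented IACS component inventory with devices actually
observed on the network (12.7.7, enhancement 2).

Added example, not part of ISA-62443-2-2. Record layout, serial numbers,
addresses and firmware versions are constructed for illustration; the
observed list would normally come from a passive asset-discovery tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    serial: str
    manufacturer: str
    model: str
    firmware: str
    owner: str
    ip: str


@dataclass(frozen=True)
class ObservedDevice:
    serial: str
    manufacturer: str
    model: str
    firmware: str
    ip: str


@dataclass
class Discrepancy:
    serial: str
    kind: str  # "unknown_device", "not_seen" or "attribute_mismatch"
    detail: str


# Constructed documented inventory
INVENTORY = [
    InventoryRecord("SN-1001", "Vendor A", "PLC-300", "2.1.4", "Ops/Line 1", "10.10.1.10"),
    InventoryRecord("SN-1002", "Vendor B", "HMI-7", "5.0.0", "Ops/Line 1", "10.10.1.20"),
    InventoryRecord("SN-1003", "Vendor A", "PLC-300", "2.1.4", "Ops/Line 2", "10.10.2.10"),
]

# Constructed discovery results
OBSERVED = [
    ObservedDevice("SN-1001", "Vendor A", "PLC-300", "2.1.4", "10.10.1.10"),
    ObservedDevice("SN-1002", "Vendor B", "HMI-7", "5.1.0", "10.10.1.20"),   # firmware updated, inventory not
    ObservedDevice("SN-9999", "Vendor C", "Gateway-X", "1.0", "10.10.1.77"),  # never recorded
]


def reconcile(inventory, observed):
    """Match on serial number, a stable identity; IP addresses get reused."""
    by_serial = {r.serial: r for r in inventory}
    seen = set()
    out = []
    for dev in observed:
        ref = by_serial.get(dev.serial)
        if ref is None:
            out.append(Discrepancy(dev.serial, "unknown_device",
                                   f"{dev.manufacturer} {dev.model} at {dev.ip}"))
            continue
        seen.add(dev.serial)
        for attr in ("manufacturer", "model", "firmware", "ip"):
            if getattr(ref, attr) != getattr(dev, attr):
                out.append(Discrepancy(dev.serial, "attribute_mismatch",
                                       f"{attr}: inventory={getattr(ref, attr)} "
                                       f"observed={getattr(dev, attr)}"))
    # Inventoried components that discovery did not see: removed, offline or
    # on a segment the discovery tool cannot reach. Each needs an owner to answer.
    for serial in sorted(by_serial.keys() - seen):
        rec = by_serial[serial]
        out.append(Discrepancy(serial, "not_seen",
                               f"owner {rec.owner}, last known at {rec.ip}"))
    return out


if __name__ == "__main__":
    for d in reconcile(INVENTORY, OBSERVED):
        print(f"{d.serial:8} {d.kind:19} {d.detail}")
```

The "not_seen" finding carries the owner from the inventory record, because that is the person who has to say whether the device was decommissioned, is merely offline, or sits on a segment the discovery tool cannot reach; an inventory without ownership information cannot close that loop.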

12.7.8 System Maintenance Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented IACS maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the IACS maintenance policy and associated system maintenance controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The IACS maintenance policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The IACS maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.
12.7.9 Controlled Maintenance
Requirement:
The organization shall schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the IACS in accordance with vendor, system integrator, and/or organizational specifications and requirements.
Foundational Requirement:
Rationale/Supplemental Guidance: All maintenance activities, including routine, scheduled maintenance and repairs, are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. Organizational officials approve the removal of the IACS or IACS components from the facility when repairs are necessary. If the IACS or a component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the IACS, the organization checks all potentially affected security controls to verify that the controls are still functioning properly.
Requirement Enhancements:
(1) The organization maintains maintenance records for the IACS that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).
(2) The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.

12.7.10 Maintenance Tools
Requirement:
The organization shall approve, control, and monitor the use of IACS maintenance tools and maintain the tools on an ongoing basis.
Foundational Requirement:
Rationale/Supplemental Guidance: The intent of this requirement is to address hardware and software brought into the IACS specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support IACS maintenance, yet are a part of the system (e.g., the software implementing “ping”, “ls”, “ipconfig” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this requirement.
Requirement Enhancements:
(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
Foundational Requirement:
Rationale/Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the IACS.
(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the IACS.
(3) The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.
(4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.

12.7.11 Remote Maintenance
Requirement:
The organization shall authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed.
Foundational Requirement:
Rationale/Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). The use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the IACS. The organization maintains records for all remote maintenance and diagnostic activities. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) encryption and decryption of communications; (ii) strong identification and authentication techniques; and (iii) remote disconnect verification. When remote maintenance is completed, the organization (or the IACS in certain cases) terminates all sessions and remote connections invoked in the performance of that activity. If password-based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service. The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm .
Requirement Enhancements:
(1) The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.
(2) The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the IACS.
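The guidance above lists four checks that a reviewer of remote maintenance records (enhancement (1)) has to make for every session: it was authorized in advance, it took place inside the approved window, it was actually disconnected afterwards (remote disconnect verification), and, where password authentication was used, the password was changed once the service ended. The following is an added example, not text or code from ISA-62443-2-2, that applies those checks to gateway session records. The record layout, ticket numbers, vendor accounts, timestamps and the one-hour rotation allowance are constructed assumptions; the session records would come from the remote-access gateway and the credential-change log from the account management system.

```python
"""Audit remote maintenance session records against the controls in 12.7.11:
each session is authorized in advance, happens inside its approved window,
is terminated when the work is done, and is followed by a password change
when password authentication was used.

Added example, not part of ISA-62443-2-2. The record layout, ticket
numbers, vendor accounts and timestamps are constructed for illustration;
the session records would come from the remote-access gateway's logs.
"""
from datetime import datetime, timedelta


def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


# Constructed authorizations: ticket -> (vendor account, window start, window end)
AUTHORIZATIONS = {
    "CHG-101": ("vendor-a", ts("2013-04-02T09:00"), ts("2013-04-02T12:00")),
    "CHG-102": ("vendor-b", ts("2013-04-03T13:00"), ts("2013-04-03T15:00")),
}

# Constructed remote-access gateway records (end=None means still connected)
SESSIONS = [
    {"id": "s1", "account": "vendor-a", "ticket": "CHG-101", "auth": "password",
     "start": ts("2013-04-02T09:15"), "end": ts("2013-04-02T11:40")},
    {"id": "s2", "account": "vendor-a", "ticket": "CHG-101", "auth": "password",
     "start": ts("2013-04-02T11:50"), "end": None},                      # never disconnected
    {"id": "s3", "account": "vendor-b", "ticket": "CHG-102", "auth": "certificate",
     "start": ts("2013-04-03T16:30"), "end": ts("2013-04-03T17:00")},   # outside approved window
    {"id": "s4", "account": "vendor-c", "ticket": None, "auth": "password",
     "start": ts("2013-04-04T02:00"), "end": ts("2013-04-04T02:20")},   # no authorization
]

# Constructed credential-change log: (account, when)
PASSWORD_CHANGES = [("vendor-a", ts("2013-04-02T11:45"))]

# Assumed allowance: the password change must follow disconnect within this delay
MAX_ROTATION_DELAY = timedelta(hours=1)


def password_rotated_after(session, changes):
    """True if the account's password was changed shortly after the session ended."""
    if session["end"] is None:
        return False
    deadline = session["end"] + MAX_ROTATION_DELAY
    return any(acct == session["account"] and session["end"] <= when <= deadline
               for acct, when in changes)


def audit(sessions, authorizations, changes):
    """Return (session id, finding) pairs; an empty list means all controls held."""
    findings = []
    for s in sessions:
        auth = authorizations.get(s["ticket"])
        if auth is None or auth[0] != s["account"]:
            findings.append((s["id"], "no_authorization"))
        else:
            _, win_start, win_end = auth
            if not (win_start <= s["start"] <= win_end):
                findings.append((s["id"], "outside_approved_window"))
        if s["end"] is None:
            # No disconnect record: the connection may still be open.
            findings.append((s["id"], "not_terminated"))
        elif s["auth"] == "password" and not password_rotated_after(s, changes):
            findings.append((s["id"], "password_not_rotated"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit(SESSIONS, AUTHORIZATIONS, PASSWORD_CHANGES):
        print(sid, finding)
```

Session s1 passes all four checks. The audit does not mark a still-open session as "password not rotated": until the disconnect is verified there is nothing to rotate after, and the open connection is the more urgent finding.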

12.7.12 Maintenance Personnel
Requirement:
The organization shall allow only authorized personnel to perform maintenance on the IACS.
Foundational Requirement:
Rationale/Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the IACS when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability. When maintenance personnel do not have the needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the IACS.
Requirement Enhancements: None.

12.7.13 Timely Maintenance
Requirement:
The organization shall obtain maintenance support and spare parts for [Assignment: organization-defined list of key IACS components] within [Assignment: organization-defined time period] of failure.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.


13 Incident Management

13.1 Introduction

13.2 Reporting Security Events and Weaknesses

13.2.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

13.3 Management of Incidents and Improvements

13.3.1 Incident Response Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.

13.3.2 Incident Response Training
Requirement:
The organization shall train personnel in their incident response roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

13.3.3 Incident Response Testing and Exercises
Requirement:
The organization shall test and/or exercise the incident response capability for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and document the results.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
Foundational Requirement:
Rationale/Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the incident response capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability.

13.3.4 Incident Handling
Requirement:
The organization shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Foundational Requirement:
Rationale/Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.
Requirement Enhancements:
(1) The organization employs automated mechanisms to support the incident handling process.

13.3.5 Incident Monitoring
Requirement:
The organization shall track and document IACS security incidents on an ongoing basis.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
13.3.6 Incident Reporting
Requirement:
The organization shall promptly report incident information to appropriate authorities.
Foundational Requirement:
Rationale/Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The United States Computer Emergency Readiness Team (US-CERT) maintains the IACS Security Center at http://www.uscert.gov/control_systems. In addition to incident information, weaknesses and vulnerabilities in the IACS are reported to appropriate organizational officials in a timely manner to prevent security incidents.
Requirement Enhancements:
(1) The organization employs automated mechanisms to assist in the reporting of security incidents.

13.3.7 Incident Response Assistance
Requirement:
The organization shall provide an incident response support resource that offers advice and assistance to users of the IACS for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
Foundational Requirement:
Rationale/Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.
Requirement Enhancements:
(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.

13.3.8 IACS Monitoring Tools and Techniques
Requirement:
The organization shall determine the required granularity of the information collected based upon its monitoring objectives and the capability of the IACS to support such activities. This includes monitoring inbound and outbound communications for unusual or unauthorized activities or conditions.
Foundational Requirement:
Rationale/Supplemental Guidance: Organizations consult appropriate legal counsel with regard to all IACS monitoring activities. Organizations heighten the level of IACS monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Requirement Enhancements:
(1) The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
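"Monitoring inbound and outbound communications for unusual or unauthorized activities" is tractable in a control zone precisely because legitimate traffic is small and well defined: the conduits between zones can be listed, and anything else is unauthorized by construction. The following is an added example, not text or code from ISA-62443-2-2, of that approach run over boundary flow records. The flow-log format, the zone address ranges, the three allowed conduits and the byte threshold are constructed assumptions; real records would come from the zone boundary firewall or a flow collector. Two classes of alert come out: flows that match no allowed conduit (unauthorized, with direction relative to the control zone), and flows on a permitted conduit whose volume is far outside what that conduit normally carries (unusual).

```python
"""Flag unusual or unauthorized inbound and outbound communications at a
control-zone boundary (13.3.8).

Added example, not part of ISA-62443-2-2. The flow-log format, the zone
address ranges, the allowed conduits and the byte threshold are constructed
for illustration; real records would come from the boundary firewall or a
flow collector.
"""
import ipaddress
from collections import namedtuple

CONTROL_ZONE = ipaddress.ip_network("10.10.1.0/24")
DMZ = ipaddress.ip_network("10.20.5.0/24")
JUMP_HOST = ipaddress.ip_address("10.20.5.4")

# Allowed conduits: (source test, destination test, dst port, protocol).
# A flow touching the control zone that matches none of them is unauthorized.
ALLOWED_CONDUITS = [
    (lambda s: s in CONTROL_ZONE, lambda d: d in CONTROL_ZONE, 502, "tcp"),  # Modbus/TCP inside zone
    (lambda s: s == JUMP_HOST, lambda d: d in CONTROL_ZONE, 3389, "tcp"),     # RDP only via jump host
    (lambda s: s in CONTROL_ZONE, lambda d: d in DMZ, 8443, "tcp"),           # historian push to DMZ
]
OUTBOUND_BYTES_THRESHOLD = 10_000_000  # assumed: more than this leaving the zone is "unusual"

# Constructed flow records: timestamp src dst dport proto bytes
FLOW_LOG = """\
2013-04-02T08:00:01 10.10.1.20 10.10.1.10 502 tcp 1200
2013-04-02T08:00:05 10.20.5.4 10.10.1.20 3389 tcp 800
2013-04-02T08:01:10 10.10.1.10 198.51.100.7 443 tcp 4000
2013-04-02T08:02:00 10.20.5.9 10.10.1.10 502 tcp 300
2013-04-02T08:02:30 10.10.1.20 10.20.5.4 8443 tcp 50000000
"""

Flow = namedtuple("Flow", "ts src dst dport proto nbytes")


def parse_flows(log):
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(nbytes)))
    return flows


def is_authorized(flow):
    return any(src_ok(flow.src) and dst_ok(flow.dst)
               and flow.dport == port and flow.proto == proto
               for src_ok, dst_ok, port, proto in ALLOWED_CONDUITS)


def analyze(log):
    """Return (timestamp, alert type, description) for each suspicious flow."""
    alerts = []
    for f in parse_flows(log):
        outbound = f.src in CONTROL_ZONE
        inbound = f.dst in CONTROL_ZONE
        if not (outbound or inbound):
            continue  # does not touch the zone; out of scope for this monitor
        desc = f"{f.src}->{f.dst}:{f.dport}/{f.proto}"
        if not is_authorized(f):
            alerts.append((f.ts, "unauthorized_outbound" if outbound else "unauthorized_inbound", desc))
        elif outbound and not inbound and f.nbytes > OUTBOUND_BYTES_THRESHOLD:
            # Permitted conduit, but a volume far outside normal behaviour
            alerts.append((f.ts, "unusual_outbound_volume", f"{desc} {f.nbytes} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(FLOW_LOG):
        print(*alert)
```

On the constructed log this raises a PLC talking to an Internet address (unauthorized outbound), a Modbus connection into the zone from a DMZ host that is not the jump host (unauthorized inbound), and a historian push on a permitted conduit carrying fifty times its usual volume (unusual). The outbound case is the one the requirement singles out for a reason: a control device initiating connections outward is rarely legitimate and is the typical first sign of a compromised component.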

14 Business Continuity Management

14.1 Introduction

14.2 Security Aspects

14.2.1 Contingency Planning Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Foundational Requirement:
Rationale/Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.

14.2.2 Contingency Plan
Requirement:
The organization shall develop and implement a contingency plan for the IACS addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
Foundational Requirement:
Rationale/Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the IACS or of communication with operational facilities, the IACS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing; alert the operator and then safely shut down the industrial process; alert the operator and then maintain the last operational setting prior to failure). These examples are not exhaustive.
Requirement Enhancements:
(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
Foundational Requirement:
Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.

14.2.3 Contingency Training
Requirement:
The organization shall train personnel in their contingency roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

14.2.4 Contingency Plan Testing and Exercises
Requirement:
The organization shall: (i) test and/or exercise the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and (ii) review the contingency plan test/exercise results and initiate corrective actions.
Foundational Requirement:
Rationale/Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the $S^{\mathrm{target}}_{\mathrm{system}}$ level of the IACS. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
Requirement Enhancements:
(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Foundational Requirement:
Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.
(3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the IACS and supported missions.

14.2.5 Contingency Plan Update
Requirement:
The organization shall review the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] and revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
Foundational Requirement:
Rationale/Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the IACS. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
Requirement Enhancements: None.
14.2.6 Alternate Storage Site
Requirement:
The organization shall identify an alternate storage site and initiate necessary agreements to permit the storage of IACS backup information.
Foundational Requirement:
Rationale/Supplemental Guidance: The frequency of IACS backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives.
Requirement Enhancements:
(1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.
(2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

14.2.7 Alternate Control Site
Requirement:
The organization shall identify an alternate control site and initiate necessary agreements to permit the resumption of IACS operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.
Foundational Requirement:
Rationale/Supplemental Guidance: Equipment and supplies required to resume operations within the organization-defined time period are either available at the alternate site or contracts are in place to support delivery to the site. Timeframes to resume IACS operations are consistent with organization-established recovery time objectives.
Requirement Enhancements:
(1) The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(4) The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.
14.2.8 IACS Backup
Requirement:
The frequency of IACS backups and the transfer rate of backup information to alternate storage sites (if so designated) shall be consistent with the organization’s recovery time objectives and recovery point objectives.
Foundational Requirement:
Rationale/Supplemental Guidance: Availability of up-to-date backups is essential for recovery from IACS failure and misconfiguration. Automating this function ensures that all required files are captured, reducing operator overhead. An organizational assessment of risk guides the use of encryption for backup information. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the $S^{\mathrm{target}}_{\mathrm{system}}$ level.
Requirement Enhancements:
(1) The organization selectively uses backup information in the restoration of IACS functions as part of contingency plan testing.
(2) The organization stores backup copies of the operating system and other critical IACS software in a separate facility or in a fire-rated container that is not collocated with the operational software.
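The requirement ties backup frequency to the recovery point objective, and the guidance names the three properties a backup has to satisfy: it is recent enough (availability), it is intact (integrity), and, where the risk assessment says so, it is protected from disclosure (confidentiality). The following is an added example, not text or code from ISA-62443-2-2, of an automated check of a backup catalog against those three properties per component. The catalog layout, the per-component RPO values, the confidentiality flag and the backup payloads are constructed assumptions; a real catalog is kept by the backup system, and the digest is whatever it recorded when the backup was taken. An RPO that is met by a corrupt backup is not met, which is why the integrity check sits beside the age check rather than being left to the restore test in enhancement (1).

```python
"""Check a backup catalog against recovery point objectives, verify backup
integrity against the recorded digest, and flag unencrypted backups of
components whose data is confidential (14.2.8).

Added example, not part of ISA-62443-2-2. Catalog layout, RPO values,
the confidentiality flag and the backup payloads are constructed for
illustration; real catalogs are kept by the backup system.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed "current time" so the example is deterministic
NOW = datetime(2013, 4, 5, 6, 0)

# Per-component policy: RPO and whether the content needs disclosure protection
POLICY = {
    "plc-01":       {"rpo": timedelta(days=7),  "confidential": False},
    "hmi-01":       {"rpo": timedelta(days=1),  "confidential": False},
    "historian-01": {"rpo": timedelta(hours=4), "confidential": True},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup payloads; the digest is what the backup system recorded
_PLC_IMAGE = b"plc-01 project file v2.1.4"
_HMI_IMAGE = b"hmi-01 runtime config"
_HIST_DUMP = b"historian-01 db dump"

CATALOG = [
    {"component": "plc-01", "taken": datetime(2013, 4, 1, 2, 0), "encrypted": False,
     "digest": sha256(_PLC_IMAGE), "payload": _PLC_IMAGE},
    {"component": "hmi-01", "taken": datetime(2013, 4, 3, 2, 0), "encrypted": False,
     "digest": sha256(_HMI_IMAGE), "payload": _HMI_IMAGE},                # older than its 1-day RPO
    {"component": "historian-01", "taken": datetime(2013, 4, 5, 4, 0), "encrypted": False,
     "digest": sha256(_HIST_DUMP), "payload": _HIST_DUMP + b"corrupt"},  # damaged, and unencrypted
]


def audit_backups(catalog, policy, now):
    """Return (component, finding) pairs for every component in the policy."""
    latest = {}
    for entry in catalog:
        c = entry["component"]
        if c not in latest or entry["taken"] > latest[c]["taken"]:
            latest[c] = entry

    findings = []
    for component, rules in policy.items():
        entry = latest.get(component)
        if entry is None:
            findings.append((component, "no_backup"))
            continue
        if now - entry["taken"] > rules["rpo"]:
            findings.append((component, "rpo_exceeded"))
        # A backup that fails its digest check does not satisfy the RPO either,
        # however recent it is.
        if sha256(entry["payload"]) != entry["digest"]:
            findings.append((component, "integrity_failure"))
        if rules["confidential"] and not entry["encrypted"]:
            findings.append((component, "unencrypted_confidential"))
    return findings


if __name__ == "__main__":
    for component, finding in audit_backups(CATALOG, POLICY, NOW):
        print(f"{component:13} {finding}")
```

The check uses only the most recent backup per component, which is the one a recovery would start from; older copies matter for retention but not for the RPO.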
14.2.9 IACS Recovery and Reconstruction
Requirement:
None.
Foundational Requirement:
Rationale/Supplemental Guidance: IACS recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent known secure backups is loaded, and the system is fully tested and functional.
Requirement Enhancements:
(1) The organization shall include a full recovery and reconstitution of the IACS as part of contingency plan testing.

14.2.10 Power Equipment and Cabling
Requirement:
The organization shall protect power equipment and power cabling for the IACS from damage and destruction.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements:
(1) The organization employs redundant and parallel power cabling paths.
14.3 Telecommunications Services
Requirement:
The organization shall identify primary and alternate telecommunications services to support the IACS and initiate necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Foundational Requirement:
Rationale/Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).
Requirement Enhancements:
(1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
(3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.
(4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.

14.3.1 Emergency Shutoff

Requirement:
The IACS shall provide, for specific locations within a facility containing concentrations of IACS resources, the capability of shutting off power to any IACS component that may be malfunctioning or threatened, without endangering personnel by requiring them to approach the equipment.

Foundational Requirement:

Rationale/Supplemental Guidance: Facilities containing concentrations of IACS resources may include, for example, data centers, server rooms, and mainframe rooms. Emergency shutoff capabilities are typically integrated with safety instrumented systems (SIS), if present (e.g. automated fail-safe shutdown sequences).

Requirement Enhancements:

(1) The IACS shall protect the emergency power-off capability from accidental or unauthorized activation.

14.3.2 Emergency Power

Requirement:
The organization shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS in the event of a primary power source loss.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization provides a long-term alternate power supply for the IACS that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
(2) The organization provides a long-term alternate power supply for the IACS that is self-contained and not reliant on external power generation.

14.3.3 Emergency Lighting

Requirement:
The organization shall employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.
14.3.4 Fire Protection

Requirement:
The organization shall employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.

Foundational Requirement:

Rationale/Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Requirement Enhancements:

(1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.
(2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.
(3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.

14.3.5 Temperature and Humidity Controls

Requirement:
The organization shall monitor the temperature and humidity within the facility where the IACS resides and shall regularly maintain them within acceptable levels.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

14.3.6 Water Damage Protection

Requirement:
The organization shall protect the IACS from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs mechanisms that, without the need for manual intervention, protect the IACS from water damage in the event of a significant water leak.

15 Compliance

15.1 General

15.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

Annex A
(informative)

Foundational Requirements

A.1 Overview
This annex is intended to provide guidance to the reader as to the relevance of the SRs.

A.2 FR1 ACCESS CONTROL

Identify and authenticate IACS users (including human users, processes, and devices), assign them to a pre-defined role, and allow them access to the system or assets.

Rationale: Asset owners will have to develop a list of IACS users and to determine for each device the required level of access control protection. The goal of access control is to protect the system by verifying the identity of a user requesting access to a device of the system before activating the communication. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some devices on a communication channel require strong access control, i.e. a strong authentication mechanism, and others do not. By extension, access control requirements need to be extended to data at rest.

A.3 FR2 USE CONTROL

Enforce the assigned privileges of an authenticated IACS user to perform the requested action on the system or assets, and monitor the use of these privileges.

Rationale: Asset owners will have to assign to each IACS user the privileges defining the authorized use of the system. The goal of use control is to protect against unauthorized actions on IACS resources by verifying that the necessary privileges have been granted before allowing the action to be performed. Examples of actions are reading or writing data, downloading a program, setting configuration, etc. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some IACS resources require strong use control protection, i.e. restrictive privileges, and others do not. By extension, use control requirements need to be extended to data at rest.

A.4 FR3 DATA INTEGRITY

Ensure the integrity of information on communication channels and in data repositories to prevent unauthorized manipulation.

Rationale: Using the organization’s risk assessment methodology, asset owners will “select” communication channels that require strong integrity protection. Derived prescriptive recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some communication channels require strong integrity protection and others do not. By extension, data integrity requirements need to be extended to data at rest; i.e. protecting the integrity of data that resides in selected repositories.

A.5 FR4 DATA CONFIDENTIALITY

Ensure the confidentiality of information on communication channels and in data repositories to prevent unauthorized dissemination.

Rationale: Some IACS-generated information, whether at rest or in transit, is of a confidential/sensitive nature. This implies that some communication channels and data stores require protection against eavesdropping and unauthorized access.

A.6 FR5 RESTRICT DATA FLOW

Segment the system via zones and conduits to limit the unnecessary flow of data.

Rationale: Using the organization’s risk assessment methodology, asset owners will determine necessary information flow restrictions and thus by extension determine the configuration of the conduits used to deliver these data. Derived prescriptive recommendations and guidelines should include mechanisms that range from disconnecting control networks from business or public networks to using stateful firewalls and DMZ to manage the flow of information.
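The zone-and-conduit flow restriction described above, as an added example that is not part of the standard: a default-deny evaluator in Python that maps addresses to zones, permits a cross-zone flow only when a conduit matches it in the initiating direction (a stateful firewall passes the replies, so the reverse direction needs no conduit of its own), and then audits a list of observed flows. The zone names, address ranges, conduit entries and observed flows are constructed assumptions for this example; in practice they come out of the asset owner's zone and conduit risk assessment.

```python
"""Default-deny zone/conduit flow check (added example, not from the standard).

Zone names, address ranges and the conduit list below are constructed for this
example; a real deployment derives them from the zone and conduit risk assessment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone model: zone name -> address ranges belonging to it.
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "dmz":        [ip_network("10.1.0.0/24")],
    "control":    [ip_network("192.168.10.0/24")],
}


@dataclass(frozen=True)
class Conduit:
    """One permitted flow between zones.

    src_zone is the zone allowed to *initiate* the flow. A stateful firewall
    passes the replies of an established session, so the reverse direction
    needs no conduit of its own; a device in dst_zone that tries to open a
    connection back is still denied.
    """
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str


# Explicit allow list. Everything not listed here is denied (default deny).
CONDUITS: List[Conduit] = [
    Conduit("enterprise", "dmz", "tcp", 443, "historian web front-end in the DMZ"),
    Conduit("dmz", "control", "tcp", 502, "DMZ data collector polls PLCs over Modbus/TCP"),
    Conduit("control", "dmz", "udp", 123, "PLCs synchronise time from the DMZ NTP server"),
]


def zone_of(addr: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is in no zone."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return None


def check_flow(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide whether src may initiate a proto/dport flow to dst.

    Returns (allowed, reason). Default deny: the flow is allowed only when
    both endpoints lie in known zones and either they share a zone or a
    conduit matches exactly in the initiating direction.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, f"deny: {src} -> {dst} has an endpoint outside every defined zone"
    if src_zone == dst_zone:
        return True, f"allow: intra-zone traffic within '{src_zone}'"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src_zone, dst_zone, proto.lower(), dport):
            return True, f"allow: conduit {src_zone}->{dst_zone} {c.proto}/{c.dport} ({c.purpose})"
    return False, f"deny: no conduit permits {src_zone}->{dst_zone} {proto}/{dport}"


def audit(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[Tuple[str, str, str, int], str]]:
    """Return the observed flows (e.g. from firewall or NetFlow records) that the
    policy does not permit, each paired with the reason for the denial."""
    findings = []
    for flow in flows:
        allowed, reason = check_flow(*flow)
        if not allowed:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample of observed flows (initiator first).
    observed = [
        ("10.0.5.7", "10.1.0.10", "tcp", 443),        # allowed: enterprise -> DMZ web
        ("10.1.0.10", "192.168.10.5", "tcp", 502),    # allowed: DMZ collector -> PLC
        ("10.0.5.7", "192.168.10.5", "tcp", 502),     # denied: enterprise reaching a PLC directly
        ("192.168.10.5", "10.1.0.10", "tcp", 502),    # denied: PLC opening Modbus towards the DMZ
        ("198.51.100.9", "192.168.10.5", "tcp", 22),  # denied: address in no zone
    ]
    for flow, reason in audit(observed):
        print(flow, reason)
```

Running the block prints the three denied flows with their reasons. The same table can be read in the other direction: each Conduit entry is exactly one firewall rule to write, and an audit finding with no matching conduit is either an undocumented dependency to add to the risk assessment or traffic to block.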

A.7 FR6 TIMELY RESPONSE TO AN EVENT

Respond to security violations by notifying the proper authority, reporting needed forensic evidence of the violation, and taking timely corrective action when incidents are discovered.

Rationale: Using the organization’s risk assessment methodology, asset owners will establish policies and proper lines of communication and control needed to respond to security violations. Derived prescriptive recommendations and guidelines should include mechanisms that collect, report and automatically correlate the forensic evidence to ensure timely corrective action. The use of monitoring tools and techniques must not adversely affect the operational performance of the IACS.
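The collect-and-correlate mechanism described above, as an added example that is not part of the standard: a small Python correlator that parses forwarded log lines, expires events outside a sliding time window, and raises alerts that carry the raw evidence lines with them so the report to the responsible authority already contains what a responder needs. The log format, host names, user names, addresses and sample lines are constructed assumptions for this example; the two rules are illustrative and not prescribed by the text.

```python
"""Collect and correlate security events for FR6 (added example, not from the standard).

Assumed log format (constructed for this example):
    <ISO-8601 timestamp> <host> <event_name> key=value key=value ...
Lines are consumed from a log forwarder's copy, so the correlator itself
never touches the controllers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into {ts, host, event, fields, raw}; None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return {"ts": ts, "host": m.group("host"), "event": m.group("event"),
            "fields": fields, "raw": line.strip()}


def _alert(rule: str, severity: str, src: str, evidence: List[dict]) -> dict:
    """Package the correlated events so the raw lines travel with the alert."""
    return {
        "rule": rule,
        "severity": severity,
        "src": src,
        "hosts": sorted({e["host"] for e in evidence}),
        "first_seen": evidence[0]["ts"].isoformat(),
        "last_seen": evidence[-1]["ts"].isoformat(),
        "evidence": [e["raw"] for e in evidence],
    }


def correlate(lines: List[str], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding-window correlation keyed on the source address.

    Rule 1: `threshold` auth_failed events from one source within `window`,
            regardless of which IACS host rejected them.
    Rule 2: an auth_ok from a source that already has two or more recent
            failures (a guess that finally worked), rated above rule 1.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])          # forwarded logs may arrive out of order
    recent: Dict[str, Deque[dict]] = defaultdict(deque)
    alerts: List[dict] = []
    for ev in events:
        src = ev["fields"].get("src")
        if src is None:
            continue
        failures = recent[src]
        while failures and ev["ts"] - failures[0]["ts"] > window:
            failures.popleft()                  # expire events outside the window
        if ev["event"] == "auth_failed":
            failures.append(ev)
            if len(failures) == threshold:      # fire once per burst, not on every extra failure
                alerts.append(_alert("repeated_auth_failures", "high", src, list(failures)))
        elif ev["event"] == "auth_ok" and len(failures) >= 2:
            alerts.append(_alert("success_after_failures", "critical", src, list(failures) + [ev]))
            failures.clear()
    return alerts


# Constructed sample log; hosts, users and addresses are illustrative.
SAMPLE_LOG = [
    "2013-04-02T10:15:03 hist-01 auth_failed user=eng1 src=10.0.5.7",
    "2013-04-02T10:15:41 hist-01 auth_failed user=eng1 src=10.0.5.7",
    "2013-04-02T10:16:12 plc-07 auth_ok user=oper2 src=10.1.0.10",
    "2013-04-02T10:16:10 plc-07 auth_failed user=admin src=10.0.5.7",
    "2013-04-02T10:17:30 plc-07 auth_ok user=admin src=10.0.5.7",
    "2013-04-02T10:40:00 plc-07 auth_failed user=admin src=10.0.5.7",
    "2013-04-02T10:41:00 plc-07 config_change user=oper2 src=10.1.0.10 object=setpoint_12",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["severity"], alert["rule"], alert["src"], alert["hosts"])
        for line in alert["evidence"]:
            print("   ", line)
```

On the sample log this yields two alerts: a high-severity one when the third failure from 10.0.5.7 lands (spread across two hosts, which a per-host view would have missed), and a critical one when the same source then authenticates successfully. The isolated failure at 10:40 falls outside the window and produces nothing. Because the correlator works on a forwarded copy of the logs, it runs on the monitoring host and places no load on the controllers, which is the constraint the rationale closes with.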

A.8 FR7 RESOURCE AVAILABILITY

Ensure the availability of the system or assets against the denial of essential services.

Rationale: The aim of this series of System Requirements is to ensure that the system is resilient against various types of Denial of Service events. This includes the unavailability of system functionality at various levels.

Annex B
(informative)

Mapping Controls to Foundational Requirements

B.1 Overview
This annex is intended to provide guidance to the reader as to the relevance of the specific controls to the various foundational requirements.

NOTE This annex will be completed as part of the final document generation after the primary content has been finalized.

BIBLIOGRAPHY

NOTE This bibliography includes references to sources used in the creation of this standard as well as references to sources that may aid the reader in developing a greater understanding of cyber security as a whole and developing a management system. Not all references in this bibliography are referred to throughout the text of this standard. The references have been broken down into different categories depending on the type of source they are.

References to other parts, both existing and anticipated, of the ISA-62443 series:

NOTE Some of these references are normative references (see Clause 2), published documents, in development, or anticipated. They are all listed here for completeness of the anticipated parts of the ISA-62443 series.

[1] ANSI/ISA-62443-1-1-2007, Security for industrial automation and control systems: Terminology, concepts and models

[2] ANSI/ISA-TR62443-1-2, Security for industrial automation and control systems: Master glossary of terms and abbreviations

[3] ANSI/ISA-62443-1-3, Security for industrial automation and control systems: System security compliance metrics

[4] ANSI/ISA-62443-2-1-2009, Security for industrial automation and control systems: Establishing an industrial automation and control system security program

[5] ANSI/ISA-TR62443-2-3, Security for industrial automation and control systems: Patch management in the IACS environment

[6] ANSI/ISA-TR62443-3-1-2007, Security for industrial automation and control systems: Security technologies for industrial automation and control systems

[7] ANSI/ISA-62443-3-2, Security for industrial automation and control systems: Target security assurance levels for zones and conduits

[8] ANSI/ISA-62443-3-3, Security for industrial automation and control systems: System security requirements and security assurance levels

[9] ANSI/Error! Unknown document property name., Security for industrial automation and control systems: Product development requirements

[10] ANSI/ISA-62443-4-1, Security for industrial automation and control systems: Embedded devices

[11] ANSI/ISA-62443-4-2, Security for industrial automation and control systems: Host devices

Other standards references:

[12] ISO/IEC Directives, Part 2, Rules for the structure and drafting of International Standards