Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program

IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1. The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization. This bilingual version (2012-04) corresponds to the monolingual English version, published in 2010-11.

Réseaux industriels de communication - Sécurité dans les réseaux et les systèmes - Partie 2-1: Etablissement d'un programme de sécurité pour les systèmes d'automatisation et de commande industrielles

La CEI 62443-2-1:2010 définit les éléments nécessaires à l'établissement d'un système de gestion de la cyber-sécurité (CSMS) pour les systèmes d'automatisation et de commande (IACS) industriels et fournit des indications sur la façon de développer ces éléments. La présente norme utilise, au sens large, la définition et le domaine d'application de ce qui constitue un IACS décrit dans la CEI/TS 62443-1-1. Les éléments d'un CSMS décrits dans la présente norme sont essentiellement liés aux politiques, aux procédures, aux pratiques et au personnel; ils correspondent à ce doit être inclus ou à ce qu'il convient d'inclure dans le CSMS final de l'organisation. La présente version bilingue (2012-04) correspond à la version anglaise monolingue publiée en 2010-11.

General Information

Status
Published
Publication Date
09-Nov-2010
Current Stage
Ref Project

Relations

Buy Standard

Standard
IEC 62443-2-1:2010 - Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program Released:11/10/2010 Isbn:9782889122066
English language
159 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
IEC 62443-2-1:2010 - Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program
English and French language
338 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC 62443-2-1 ®
Edition 1.0 2010-11
INTERNATIONAL
STANDARD
colour
inside
Industrial communication networks – Network and system security –
Part 2-1: Establishing an industrial automation and control system security
program
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
§ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
§ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
§ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
§ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC 62443-2-1 ®
Edition 1.0 2010-11
INTERNATIONAL
STANDARD
colour
inside
Industrial communication networks – Network and system security –
Part 2-1: Establishing an industrial automation and control system security
program
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XG
ICS 25.040.40; 33.040 ISBN 978-2-88912-206-6
– 2 – 62443-2-1 Ó IEC:2010(E)
CONTENTS
FOREW ORD . 5
0 INTRODUCTION . 7
0.1 Ov erv iew . 7
0.2 A cyber security management system for IACS . 7
0.3 Relationship between this document and ISO/IEC 17799 and ISO/IEC 27001 . 7
1 Sc o pe . 9
2 Normative references . 9
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 9
3.1 Terms and definitions . 9
3.2 Abbreviated terms and acronyms . 14
3.3 Conventions . 16
4 Elements of a cyber security management system . 16
4.1 Ov erv iew . 16
4.2 Category: Risk analysis . 18
4.2.1 Description of category . 18
4.2.2 Element: Business rationale . 18
4.2.3 Element: Risk identification, classification and assessment . 18
4.3 Category: Addressing risk with the CSMS . 20
4.3.1 Description of category . 20
4.3.2 Element group: Security policy, organization and awareness . 20
4.3.3 Element group: Selected security countermeasures . 25
4.3.4 Element group: Implementation . 32
4.4 Category: Monitoring and improving the CSMS . 36
4.4.1 Description of category . 36
4.4.2 Element: Conformance . 36
4.4.3 Element: Review, improve and maintain the CSMS . 37
Annex A (informative) Guidance for developing the elements of a CSMS . 39
Annex B (informative) Process to develop a CSMS . 140
Annex C (informative) Mapping of requirements to ISO/IEC 27001 . 148
Bibliography . 156

Figure 1 – Graphical view of elements of a cyber security management system . 17
Figure 2 – Graphical view of category: Risk analysis . 18
Figure 3 – Graphical view of element group: Security policy, organization and
awareness . 20
Figure 4 – Graphical view of element group: Selected security countermeasures . 25
Figure 5 – Graphical view of element group: Implementation . 32
Figure 6 – Graphical view of category: Monitoring and improving the CSMS . 36
Figure A.1 – Graphical view of elements of a cyber security management system . 40
Figure A.2 – Graphical view of category: Risk analysis . 40
Figure A.3 – Reported attacks on computer systems through 2004 (source: CERT) . 44
Figure A.4 – Sample logical IACS data collection sheet . 57
Figure A.5 – Example of a graphically rich logical network diagram . 59

62443-2-1 Ó IEC:2010(E) – 3 –
Figure A.6 – Graphical view of element group: Security policy, organization, and
awareness . 66
Figure A.7 – Graphical view of element group: Selected security countermeasures . 82
Figure A.8 – Reference architecture alignment with an example segmented
architecture . 90
Figure A.9 – Reference SCADA architecture alignment with an example segmented
architecture . 93
Figure A.10 – Access control: Account administration . 95
Figure A.11 – Access control: Authentication . 98
Figure A.12 – Access control: Authorization . 103
Figure A.13 – Graphical view of element group: Implementation . 106
Figure A.14 – Security level lifecycle model: Assess phase . 109
Figure A.15 – Corporate security zone template architecture. 112
Figure A.16 – Security zones for an example IACS . 113
Figure A.17 – Security level lifecycle model: Develop and implement phase . 116
Figure A.18 – Security level lifecycle model: Maintain phase . 120
Figure A.19 – Graphical view of category: Monitoring and improving the CSMS . 133
Figure B.1 – Top level activities for establishing a CSMS . 140
Figure B.2 – Activities and dependencies for activity: Initiate CSMS program. 142
Figure B.3 – Activities and dependencies for activity: High-level risk assessment . 143
Figure B.4 – Activities and dependencies for activity: Detailed risk assessment . 144
Figure B.5 – Activities and dependencies for activity: Establish security policy,
organization and awareness . 144
Figure B.6 – Training and assignment of organization responsibilities . 145
Figure B.7 – Activities and dependencies for activity: Select and implement
countermeasures . 146
Figure B.8 – Activities and dependencies for activity: Maintain the CSMS . 147

Table 1 – Business rationale: Requirements . 18
Table 2 – Risk identification, classification and assessment: Requirements . 19
Table 3 – CSMS scope: Requirements . 21
Table 4 – Organizing for security: Requirements . 22
Table 5 – Staff training and security awareness: Requirements . 22
Table 6 – Business continuity plan: Requirements . 23
Table 7 – Security policies and procedures: Requirements . 24
Table 8 – Personnel security: Requirements . 26
Table 9 – Physical and environmental security: Requirements. 27
Table 10 – Network segmentation: Requirements . 28
Table 11 – Access control – Account administration: Requirements . 29
Table 12 – Access control – Authentication: Requirements . 30
Table 13 – Access control – Authorization: Requirements . 31
Table 14 – Risk management and implementation: Requirements . 33
Table 15 – System development and maintenance: Requirements . 33
Table 16 – Information and document management: Requirements . 34
Table 17 – Incident planning and response: Requirements . 35

– 4 – 62443-2-1 Ó IEC:2010(E)
Table 18 – Conformance: Requirements . 37
Table 19 – Review, improve and maintain the CSMS: Requirements . 38
Table A.1 – Typical likelihood scale . 52
Table A.2 – Typical consequence scale . 54
Table A.3 – Typical risk level matrix . 55
Table A.4 – Example countermeasures and practices based on IACS risk levels . 107
Table A.5 – Example IACS asset table with assessment results . 110
Table A.6 – Example IACS asset table with assessment results and risk levels . 110
Table A.7 – Target security levels for an example IACS . 114
Table C.1 – Mapping of requirements in this standard to ISO/IEC 27001 references . 148
Table C.2 – Mapping of ISO/IEC 27001 requirements to this standard . 152

62443-2-1 Ó IEC:2010(E) – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
NETWORK AND SYSTEM SECURITY –
Part 2-1: Establishing an industrial automation
and control system security program

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
...


IEC 62443-2-1 ®
Edition 1.0 2010-11
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Industrial communication networks – Network and system security –
Part 2-1: Establishing an industrial automation and control system security
program
Réseaux industriels de communication – Sécurité dans les réseaux et les
systèmes –
Partie 2-1: Etablissement d’un programme de sécurité pour les systèmes
d’automatisation et de commande industrielles

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite ni
utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les
microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.

IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.

A propos de la CEI
La Commission Electrotechnique Internationale (CEI) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications CEI
Le contenu technique des publications de la CEI est constamment revu. Veuillez vous assurer que vous possédez
l’édition la plus récente, un corrigendum ou amendement peut avoir été publié.

Liens utiles:
Recherche de publications CEI - www.iec.ch/searchpub Electropedia - www.electropedia.org
La recherche avancée vous permet de trouver des Le premier dictionnaire en ligne au monde de termes
publications CEI en utilisant différents critères (numéro de électroniques et électriques. Il contient plus de 30 000
référence, texte, comité d’études,…). termes et définitions en anglais et en français, ainsi que
Elle donne aussi des informations sur les projets et les les termes équivalents dans les langues additionnelles.
publications remplacées ou retirées. Egalement appelé Vocabulaire Electrotechnique
International (VEI) en ligne.
Just Published CEI - webstore.iec.ch/justpublished
Service Clients - webstore.iec.ch/csc
Restez informé sur les nouvelles publications de la CEI.
Just Published détaille les nouvelles publications parues. Si vous désirez nous donner des commentaires sur
Disponible en ligne et aussi une fois par mois par email. cette publication ou si vous avez des questions
contactez-nous: csc@iec.ch.
IEC 62443-2-1 ®
Edition 1.0 2010-11
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Industrial communication networks – Network and system security –

Part 2-1: Establishing an industrial automation and control system security

program
Réseaux industriels de communication – Sécurité dans les réseaux et les

systèmes –
Partie 2-1: Etablissement d’un programme de sécurité pour les systèmes

d’automatisation et de commande industrielles

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
XG
CODE PRIX
ICS 25.040.40; 33.040 ISBN 978-2-88912-037-6

– 2 – 62443-2-1  IEC:2010
CONTENTS
FOREWORD . 5
0 INTRODUCTION . 7
0.1 Overview . 7
0.2 A cyber security management system for IACS . 7
0.3 Relationship between this standard and ISO/IEC 17799 and ISO/IEC 27001 . 7
1 Scope . 9
2 Normative references . 9
3 Terms, definitions, abbreviated terms, acronyms, and conventions . 9
3.1 Terms and definitions . 9
3.2 Abbreviated terms and acronyms . 14
3.3 Conventions . 16
4 Elements of a cyber security management system . 16
4.1 Overview . 16
4.2 Category: Risk analysis . 18
4.2.1 Description of category . 18
4.2.2 Element: Business rationale . 18
4.2.3 Element: Risk identification, classification and assessment . 18
4.3 Category: Addressing risk with the CSMS . 20
4.3.1 Description of category . 20
4.3.2 Element group: Security policy, organization and awareness . 20
4.3.3 Element group: Selected security countermeasures . 25
4.3.4 Element group: Implementation . 32
4.4 Category: Monitoring and improving the CSMS. 36
4.4.1 Description of category . 36
4.4.2 Element: Conformance . 36
4.4.3 Element: Review, improve and maintain the CSMS . 37
Annex A (informative) Guidance for developing the elements of a CSMS . 39
Annex B (informative) Process to develop a CSMS . 140
Annex C (informative) Mapping of requirements to ISO/IEC 27001 . 148
Bibliography . 156

Figure 1 – Graphical view of elements of a cyber security management system . 17
Figure 2 – Graphical view of category: Risk analysis. 18
Figure 3 – Graphical view of element group: Security policy, organization and
awareness . 20
Figure 4 – Graphical view of element group: Selected security countermeasures . 25
Figure 5 – Graphical view of element group: Implementation . 32
Figure 6 – Graphical view of category: Monitoring and improving the CSMS . 36
Figure A.1 – Graphical view of elements of a cyber security management system . 40
Figure A.2 – Graphical view of category: Risk analysis . 40
Figure A.3 – Reported attacks on computer systems through 2004 (source: CERT) . 44
Figure A.4 – Sample logical IACS data collection sheet . 57
Figure A.5 – Example of a graphically rich logical network diagram . 59

62443-2-1  IEC:2010 – 3 –
Figure A.6 – Graphical view of element group: Security policy, organization, and
awareness . 66
Figure A.7 – Graphical view of element group: Selected security countermeasures. 82
Figure A.8 – Reference architecture alignment with an example segmented
architecture. 90
Figure A.9 – Reference SCADA architecture alignment with an example segmented
architecture. 93
Figure A.10 – Access control: Account administration . 95
Figure A.11 – Access control: Authentication . 98
Figure A.12 – Access control: Authorization . 103
Figure A.13 – Graphical view of element group: Implementation . 106
Figure A.14 – Security level lifecycle model: Assess phase. 109
Figure A.15 – Corporate security zone template architecture . 112
Figure A.16 – Security zones for an example IACS . 113
Figure A.17 – Security level lifecycle model: Develop and implement phase . 116
Figure A.18 – Security level lifecycle model: Maintain phase . 120
Figure A.19 – Graphical view of category: Monitoring and improving the CSMS . 133
Figure B.1 – Top level activities for establishing a CSMS . 140
Figure B.2 – Activities and dependencies for activity: Initiate CSMS program . 142
Figure B.3 – Activities and dependencies for activity: High-level risk assessment . 143
Figure B.4 – Activities and dependencies for activity: Detailed risk assessment . 144
Figure B.5 – Activities and dependencies for activity: Establish security policy,
organization and awareness . 144
Figure B.6 – Training and assignment of organization responsibilities . 145
Figure B.7 – Activities and dependencies for activity: Select and implement
countermeasures . 146
Figure B.8 – Activities and dependencies for activity: Maintain the CSMS . 147

Table 1 – Business rationale: Requirements . 18
Table 2 – Risk identification, classification and assessment: Requirements . 19
Table 3 – CSMS scope: Requirements . 21
Table 4 – Organizing for security: Requirements . 22
Table 5 – Staff training and security awareness: Requirements . 22
Table 6 – Business continuity plan: Requirements . 23
Table 7 – Security policies and procedures: Requirements . 24
Table 8 – Personnel security: Requirements . 26
Table 9 – Physical and environmental security: Requirements . 27
Table 10 – Network segmentation: Requirements . 28
Table 11 – Access control –
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.