Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models

IEC/TS 62443-1-1:2009(E) is a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security. It establishes the basis for the remaining standards in the IEC 62443 series.

General Information

Status
Published
Publication Date
29-Jul-2009
Current Stage
PPUB - Publication issued
Start Date
15-Sep-2009
Completion Date
30-Jul-2009
Ref Project

Buy Standard

Technical specification
IEC TS 62443-1-1:2009 - Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models
English language
81 pages
sale 15% off
Preview
sale 15% off
Preview
Technical specification
IEC TS 62443-1-1:2009 - Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models
English language
81 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC/TS 62443-1-1 ®
Edition 1.0 2009-07
TECHNICAL
SPECIFICATION
colour
inside
Industrial communication networks – Network and system security –
Part 1-1: Terminology, concepts and models

IEC/TS 62443-1-1:2009(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: 0Hinmail@iec.ch
Web: 1Hwww.iec.ch
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: 2Hwww.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: 3Hwww.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: 4Hwww.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: 5Hwww.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: 6Hcsc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC/TS 62443-1-1 ®
Edition 1.0 2009-07
TECHNICAL
SPECIFICATION
colour
inside
Industrial communication networks – Network and system security –
Part 1-1: Terminology, concepts and models

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XC
ICS 25.040.40; 33.040.040; 35.040 ISBN 978-2-88910-710-0
– 2 – TS 62443-1-1 © IEC:2009(E)
CONTENTS
FOREWORD.5
INTRODUCTION.7
1 Scope.8
1.1 General .8
1.2 Included functionality .8
1.3 Systems and interfaces.8
1.4 Activity-based criteria .9
1.5 Asset-based criteria.9
2 Normative references.10
3 Terms, definitions and abbreviations .10
3.1 General .10
3.2 Terms and definitions .10
3.3 Abbreviations.26
4 The situation.27
4.1 General .27
4.2 Current systems .27
4.3 Current trends .28
4.4 Potential impact.28
5 Concepts .29
5.1 General .29
5.2 Security objectives.29
5.3 Foundational requirements .30
5.4 Defence in depth .30
5.5 Security context.30
5.6 Threat-risk assessment .32
5.6.1 General .32
5.6.2 Assets .32
5.6.3 Vulnerabilities .34
5.6.4 Risk.34
5.6.5 Threats.36
5.6.6 Countermeasures .38
5.7 Security program maturity.39
5.7.1 Overview .39
5.7.2 Maturity phases .42
5.8 Policies .45
5.8.1 Overview .45
5.8.2 Enterprise level policy .46
5.8.3 Operational policies and procedures .47
5.8.4 Topics covered by policies and procedures .47
5.9 Security zones .50
5.9.1 General .50
5.9.2 Determining requirements .50
5.10 Conduits.51
5.10.1 General .51
5.10.2 Channels .52
5.11 Security levels .53

TS 62443-1-1 © IEC:2009(E) – 3 –
5.11.1 General .53
5.11.2 Types of security levels.53
5.11.3 Factors influencing SL(achieved) of a zone or conduit .55
5.11.4 Impact of countermeasures and inherent security properties of
devices and systems.57
5.12 Security level lifecycle.57
5.12.1 General .57
5.12.2 Assess phase .58
5.12.3 Develop and implement phase .59
5.12.4 Maintain phase .60
6 Models .61
6.1 General .61
6.2 Reference models .62
6.2.1 Overview .62
6.2.2 Reference model levels.63
6.3 Asset models.65
6.3.1 Overview .65
6.3.2 Enterprise.68
6.3.3 Geographic sites.68
6.3.4 Area .68
6.3.5 Lines, units, cells, vehicles.68
6.3.6 Supervisory control equipment .68
6.3.7 Control equipment .68
6.3.8 Field I/O network .69
6.3.9 Sensors and actuators .69
6.3.10 Equipment under control .69
6.4 Reference architecture .69
6.5 Zone and conduit model.69
6.5.1 General .69
6.5.2 Defining security zones .70
6.5.3 Zone identification .70
6.5.4 Zone characteristics.74
6.5.5 Defining conduits .76
6.5.6 Conduit characteristics.77
6.6 Model relationships.79
Bibliography .81

Figure 1 – Comparison of objectives between IACS and general IT systems .29
Figure 2 – Context element relationships .31
Figure 3 – Context model .31
Figure 4 – Integration of business and IACS cybersecurity.40
Figure 5 – Cybersecurity level over time .40
Figure 6 – Integration of resources to develop the CSMS.41
Figure 7 – Conduit example.52
Figure 8 – Security level lifecycle.58
Figure 9 – Security level lifecycle – Assess phase .59
Figure 10 – Security level lifecycle – Implement phase .60
Figure 11 – Security level lifecycle – Maintain phase.61

– 4 – TS 62443-1-1 © IEC:2009(E)
Figure 12 – Reference model for IEC 62443 standards .62
Figure 13 – SCADA reference model .63
Figure 14 – Process manufacturing asset
...


IEC/TS 62443-1-1 ®
Edition 1.0 2009-07
TECHNICAL
SPECIFICATION
colour
inside
Industrial communication networks – Network and system security –
Part 1-1: Terminology, concepts and models

IEC/TS 62443-1-1:2009(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: 0Hinmail@iec.ch
Web: 1Hwww.iec.ch
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: 2Hwww.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: 3Hwww.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: 4Hwww.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: 5Hwww.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: 6Hcsc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC/TS 62443-1-1 ®
Edition 1.0 2009-07
TECHNICAL
SPECIFICATION
colour
inside
Industrial communication networks – Network and system security –
Part 1-1: Terminology, concepts and models

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XC
ICS 25.040.40; 33.040.040; 35.040 ISBN 978-2-88910-710-0
– 2 – TS 62443-1-1 © IEC:2009(E)
CONTENTS
FOREWORD.5
INTRODUCTION.7
1 Scope.8
1.1 General .8
1.2 Included functionality .8
1.3 Systems and interfaces.8
1.4 Activity-based criteria .9
1.5 Asset-based criteria.9
2 Normative references.10
3 Terms, definitions and abbreviations .10
3.1 General .10
3.2 Terms and definitions .10
3.3 Abbreviations.26
4 The situation.27
4.1 General .27
4.2 Current systems .27
4.3 Current trends .28
4.4 Potential impact.28
5 Concepts .29
5.1 General .29
5.2 Security objectives.29
5.3 Foundational requirements .30
5.4 Defence in depth .30
5.5 Security context.30
5.6 Threat-risk assessment .32
5.6.1 General .32
5.6.2 Assets .32
5.6.3 Vulnerabilities .34
5.6.4 Risk.34
5.6.5 Threats.36
5.6.6 Countermeasures .38
5.7 Security program maturity.39
5.7.1 Overview .39
5.7.2 Maturity phases .42
5.8 Policies .45
5.8.1 Overview .45
5.8.2 Enterprise level policy .46
5.8.3 Operational policies and procedures .47
5.8.4 Topics covered by policies and procedures .47
5.9 Security zones .50
5.9.1 General .50
5.9.2 Determining requirements .50
5.10 Conduits.51
5.10.1 General .51
5.10.2 Channels .52
5.11 Security levels .53

TS 62443-1-1 © IEC:2009(E) – 3 –
5.11.1 General .53
5.11.2 Types of security levels.53
5.11.3 Factors influencing SL(achieved) of a zone or conduit .55
5.11.4 Impact of countermeasures and inherent security properties of
devices and systems.57
5.12 Security level lifecycle.57
5.12.1 General .57
5.12.2 Assess phase .58
5.12.3 Develop and implement phase .59
5.12.4 Maintain phase .60
6 Models .61
6.1 General .61
6.2 Reference models .62
6.2.1 Overview .62
6.2.2 Reference model levels.63
6.3 Asset models.65
6.3.1 Overview .65
6.3.2 Enterprise.68
6.3.3 Geographic sites.68
6.3.4 Area .68
6.3.5 Lines, units, cells, vehicles.68
6.3.6 Supervisory control equipment .68
6.3.7 Control equipment .68
6.3.8 Field I/O network .69
6.3.9 Sensors and actuators .69
6.3.10 Equipment under control .69
6.4 Reference architecture .69
6.5 Zone and conduit model.69
6.5.1 General .69
6.5.2 Defining security zones .70
6.5.3 Zone identification .70
6.5.4 Zone characteristics.74
6.5.5 Defining conduits .76
6.5.6 Conduit characteristics.77
6.6 Model relationships.79
Bibliography .81

Figure 1 – Comparison of objectives between IACS and general IT systems .29
Figure 2 – Context element relationships .31
Figure 3 – Context model .31
Figure 4 – Integration of business and IACS cybersecurity.40
Figure 5 – Cybersecurity level over time .40
Figure 6 – Integration of resources to develop the CSMS.41
Figure 7 – Conduit example.52
Figure 8 – Security level lifecycle.58
Figure 9 – Security level lifecycle – Assess phase .59
Figure 10 – Security level lifecycle – Implement phase .60
Figure 11 – Security level lifecycle – Maintain phase.61

– 4 – TS 62443-1-1 © IEC:2009(E)
Figure 12 – Reference model for IEC 62443 standards .62
Figure 13 – SCADA reference model .63
Figure 14 – Process manufacturing asset
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.