SIST-TP CLC IEC/TR 63069:2020
(Main)Industrial-process measurement, control and automation - Framework for functional safety and security (IEC/TR 63069:2019)
Industrial-process measurement, control and automation - Framework for functional safety and security (IEC/TR 63069:2019)
CLC-IEC/TR 63069 explains and provides guidance on the common application of IEC 61508 (all parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and automation. This document can apply to other industrial sectors where IEC 61508 (all parts) and IEC 62443 (all parts) are applied.
Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik - Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit (IEC/TR 63069:2019)
Mesure, commande et automation dans les processus industriels – Cadre pour la sécurité et la sûreté fonctionnelle (IEC/TR 63069:2019)
Meritve, krmiljenje in avtomatizacija v industrijskih procesih - Ogrodje za funkcionalno varnost in zaščito (IEC/TR 63069:2019)
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
SIST-TP CLC IEC/TR 63069:2020
01-julij-2020
Meritve, krmiljenje in avtomatizacija v industrijskih procesih - Ogrodje za
funkcionalno varnost in zaščito (IEC/TR 63069:2019)
Industrial-process measurement, control and automation - Framework for functional
safety and security (IEC/TR 63069:2019)
Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik -
Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit (IEC/TR 63069:2019)
Mesure, commande et automation dans les processus industriels – Cadre pour la
sécurité et la sûreté fonctionnelle (IEC/TR 63069:2019)
Ta slovenski standard je istoveten z: CLC IEC/TR 63069:2020
ICS:
25.040.40 Merjenje in krmiljenje Industrial process
industrijskih postopkov measurement and control
SIST-TP CLC IEC/TR 63069:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------
SIST-TP CLC IEC/TR 63069:2020
---------------------- Page: 2 ----------------------
SIST-TP CLC IEC/TR 63069:2020
TECHNICAL REPORT CLC IEC/TR 63069
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
February 2020
ICS 13.110; 25.040.40; 29.020
English Version
Industrial-process measurement, control and automation -
Framework for functional safety and security
(IEC/TR 63069:2019)
Mesure, commande et automation dans les processus Industrielle Prozess-Leittechnik, Steuerungs- und
industriels – Cadre pour la sécurité et la sûreté fonctionnelle Automatisierungstechnik - Rahmenbedingungen für
(IEC/TR 63069:2019) Funktionale Sicherheit und IT-Sicherheit
(IEC/TR 63069:2019)
This Technical Report was approved by CENELEC on 2020-01-27.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TR 63069:2020 E
---------------------- Page: 3 ----------------------
SIST-TP CLC IEC/TR 63069:2020
CLC IEC/TR 63069:2020 (E)
European foreword
This document (CLC IEC/TR 63069:2020) consists of the text of IEC/TR 63069:2019 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Technical Report IEC/TR 63069:2019 was approved by CENELEC as a
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61508-1 NOTE Harmonized as EN 61508-1
IEC 61508-2 NOTE Harmonized as EN 61508-2
IEC 61508-3 NOTE Harmonized as EN 61508-3
IEC 61508-4:2010 NOTE Harmonized as EN 61508-4:2010 (not modified)
IEC 61508-5:2010 NOTE Harmonized as EN 61508-5:2010 (not modified)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62443-2-4:2015 NOTE Harmonized as EN IEC 62443-2-4:2019 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
2
---------------------- Page: 4 ----------------------
SIST-TP CLC IEC/TR 63069:2020
CLC IEC/TR 63069:2020 (E)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 61508 series Functional safety of EN 61508 series
electrical/electronic/programmable
electronic safety-related systems
IEC 62443 series Industrial communication networks - - series
Network and system security
3
---------------------- Page: 5 ----------------------
SIST-TP CLC IEC/TR 63069:2020
---------------------- Page: 6 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069
®
Edition 1.0 2019-05
TECHNICAL
REPORT
colour
inside
Industrial-process measurement, control and automation – Framework for
functional safety and security
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 25.040.40; 29.020 ISBN 978-2-8322-6925-1
Warning! Make sure that you obtained this publication from an authorized distributor.
® Registered trademark of the International Electrotechnical Commission
---------------------- Page: 7 ----------------------
SIST-TP CLC IEC/TR 63069:2020
– 2 – IEC TR 63069:2019 IEC 2019
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
0.1 Purpose of this document . 6
0.2 Background. 6
0.3 Issues on the terminology . 6
0.4 Target audience . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, symbols, abbreviated terms and conventions . 7
3.1 Terms and definitions defined for this document . 7
3.2 Abbreviated terms . 15
3.3 Explanation for common terms with different definitions . 15
4 Context of security related to functional safety . 20
4.1 Description of functions. 20
4.2 Security environment . 20
5 Guiding principles . 22
6 Life cycle recommendations for co-engineering . 22
6.1 General . 22
6.2 Managing security related safety aspects . 25
7 Risk assessment considerations . 25
7.1 Risk assessment at higher level . 25
7.2 Trade-off analysis . 26
7.3 Considerations for threat-risk assessment . 26
7.3.1 General . 26
7.3.2 Recommendations to the threat-risk assessment . 27
7.3.3 Considerations related to security countermeasures . 27
7.3.4 Vulnerabilities and examples of root causes . 27
7.4 Malevolent and unauthorized actions . 27
7.4.1 General . 27
7.4.2 Reasonably foreseeable misuse (safety) . 28
7.4.3 Prevention of malevolent and unauthorized actions (security) . 28
7.4.4 Combination of password protection measures . 28
8 Incident response readiness and incident handling . 28
8.1 General . 28
8.2 Incident response readiness . 28
8.3 Incident handling . 28
Bibliography . 30
Figure 1 – Overview of functions of an IACS . 20
Figure 2 – Safety domain and security domain . 21
Figure 3 – Security environment . 21
Figure 4 – Safety and security interaction . 23
Figure 5 – Safety and security risk assessments as part of a risk assessment at higher
level . 26
---------------------- Page: 8 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069:2019 IEC 2019 – 3 –
Table 1 – Terms with multiple definitions . 15
Table 2 – Recommended activities in life cycle stages . 24
---------------------- Page: 9 ----------------------
SIST-TP CLC IEC/TR 63069:2020
– 4 – IEC TR 63069:2019 IEC 2019
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC
Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a Technical Report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example "state of the art".
IEC TR 63069 has been prepared by IEC technical committee TC 65: Industrial-process
measurement, control and automation.
The text of this Technical Report is based on the following documents:
Draft DTR Report on voting
65/698/DTR 65/713A/RVDTR
Full information on the voting for the approval of this Technical Report can be found in the
report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
---------------------- Page: 10 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069:2019 IEC 2019 – 5 –
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
---------------------- Page: 11 ----------------------
SIST-TP CLC IEC/TR 63069:2020
– 6 – IEC TR 63069:2019 IEC 2019
INTRODUCTION
0.1 Purpose of this document
Many sector specific guides, standards and technical specifications have been developed in
the fields of safety and security. However, a generic document for framework for safety and
security is largely expected by industry actors. Even the terms "safety" and "security" are
sometimes used for different meanings in these documents. As a result, it can be difficult to
apply them holistically at the same time to a manufacturing system.
0.2 Background
Security has become a new factor to be considered in system engineering. The parts of the
IEC 61508 series published in 2010 took into account that security can impact functional
safety.
In IEC TC 65 (Industrial-process measurement, control and automation), considerable
concerns arose with respect to the impacts of security incidents to safety functions in IACS
(industrial automation and control systems); many complex systems of that kind are becoming
connected systems (particularly by interaction based on wireless connectivity from
sensors/actuators to complete plants, grids, etc.) for maintenance and operations. The overall
question was: "How to design and manage safety and security – in cooperation, integrated, or
separate system?"
0.3 Issues on the terminology
Definitions of some terms, such as "safety", "security" and "risk", are sometimes different in
different documents. Although they are consistent in a set of documents in each area of safety
and security, they can be inconsistent when both standards are applied at the same time.
From these reasons, the terminology is carefully used in this document.
0.4 Target audience
The target audience of this document includes, but is not limited to,
– asset owners (including those responsible for concept and governance),
– system integrators (including those responsible for design and realisation),
– product suppliers (including those responsible for design and realisation),
– service providers (including operators and maintainers), and
– authorities (including those responsible for assessment and audit).
---------------------- Page: 12 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069:2019 IEC 2019 – 7 –
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY
1 Scope
This document explains and provides guidance on the common application of IEC 61508 (all
parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and
automation.
This document can apply to other industrial sectors where IEC 61508 (all parts) and
IEC 62443 (all parts) are applied.
NOTE Usage or reference of this document for industry specific sector standards is encouraged.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
IEC 62443 (all parts), Security for industrial automation and control systems
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions defined for this document
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
NOTE Within this document, new terms and definitions are created only if not provided by the IEC 61508 series or
the IEC 62443 series.
3.1.1
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from
security incidents
[SOURCE: ISO/IEC 27035-1:2016, 3.6, modified – The words "information security incidents"
has been replaced by "security incidents".]
3.1.2
incident response
actions taken to mitigate or resolve a security incident, including those taken to protect and
restore the normal operational conditions of an IACS and the information stored in it
[SOURCE: ISO/IEC 27035-1:2016, 3.7, modified – The words "information security incident"
were replaced by "security incident", and "information system" was replaced by "IACS".]
---------------------- Page: 13 ----------------------
SIST-TP CLC IEC/TR 63069:2020
– 8 – IEC TR 63069:2019 IEC 2019
3.1.3
safety domain
safety activities carried out by assigned persons or organizations and their outcomes
according to IEC 61508 (all parts)
3.1.4
security domain
security activities carried out by assigned persons or organizations and their outcomes
according to IEC 62443 (all parts)
3.1.5
security environment
area of consideration where all relevant security countermeasures are in place and effective
3.1.6
access
ability and means to communicate with or otherwise interact with a system in order to use
system resources
Note 1 to entry: Access may involve physical access (authorization to be allowed physically in an area,
possession of a physical key lock, PIN code, or access card or biometric attributes that allow access) or logical
access (authorization to log in to a system and application, through a combination of logical and physical means).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.1]
3.1.7
architecture
specific configuration of hardware and software elements in a system
[SOURCE: IEC 61508-4:2010, 3.3.4]
3.1.8
asset
physical or logical object owned by or under the custodial duties of an organization, having
either a perceived or actual value to the organization
Note 1 to entry: In the case of industrial automation and control systems the physical assets that have the largest
directly measurable value may be the equipment under control.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.6]
3.1.9
attack
assault on a system that derives from an intelligent threat – i.e., an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system
Note 1 to entry: There are different commonly recognized classes of attack:
• An "active attack" attempts to alter system resources or affect their operation.
• A "passive attack" attempts to learn or make use of information from the system but does not affect system
resources.
• An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider") – i.e., an entity
that is authorized to access system resources but uses them in a way not approved by those who granted the
authorization.
• An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system
(including an insider attacking from outside the security perimeter). Potential outside attackers range from
amateur pranksters to organized criminals, international terrorists, and hostile governments.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.9]
---------------------- Page: 14 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069:2019 IEC 2019 – 9 –
3.1.10
availability
ability of an item to be in a state to perform a required function under given conditions at a
given instant or over a given time interval, assuming that the required external resources are
provided
Note 1 to entry: This ability depends on the combined aspects of the reliability performance, the maintainability
performance and the maintenance support performance.
Note 2 to entry: Required external resources, other than maintenance resources do not affect the availability
performance of the item.
Note 3 to entry: In French the term "disponibilité" is also used in the sense of "instantaneous availability"."
[SOURCE: IEC TS 62443-1-1:2009, 3.2.16]
3.1.11
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: IEC TS 62443-1-1:2009, 3.2.28]
3.1.12
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by
eliminating or preventing it, by minimizing the harm it can cause, or by discovering and
reporting it so that corrective action can be taken
Note 1 to entry: The term "control" is also used to describe this concept in some contexts. The term
countermeasure has been chosen for IEC TS 62443-1-1 to avoid confusion with the term "control" in the context of
process control.
Note 2 to entry: The words "minimizing the harm" in this definition do not relate to functional safety.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.33, modified – Addition of Note 2 to entry.]
3.1.13
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the
safety function that:
a) prevents a safety function from operating when required (demand mode) or causes a
safety function to fail (continuous mode) such that the EUC is put into a hazardous or
potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[SOURCE: IEC 61508-4:2010, 3.6.7]
3.1.14
defence in depth
provision of multiple security protections, especially in layers, with the intent to delay if not
prevent an attack
Note 1 to entry: Defence in depth implies layers of security and detection, even on single systems, and provides
the following features:
• attackers are faced with breaking through or bypassing each layer without being detected;
• a flaw in one layer can be mitigated by capabilities in other layers;
• a system security becomes a set of layers within the overall network security.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.40]
---------------------- Page: 15 ----------------------
SIST-TP CLC IEC/TR 63069:2020
– 10 – IEC TR 63069:2019 IEC 2019
3.1.15
essential function
function or capability that is required to maintain health, safety, the environment and
availability for the equipment under control
Note 1 to entry: Essential functions include, but are not limited to, the safety instrumented function (SIF), the
control function and the ability of the operator to view and manipulate the equipment under control. The loss of
essential functions is commonly termed loss of protection, loss of control and loss of view respectively. In some
industries additional functions such as history may be considered essential.
[SOURCE: IEC 62443-3-3:2013, 3.1.22]
3.1.16
functional safety
part of the overall safety relating to the EUC and the EUC control system that depends on the
correct functioning of the E/E/PE safety-related systems and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12]
3.1.17
harm
physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 61508-4:2010, 3.1.1]
3.1.18
hazard
potential source of harm
Note 1 to entry: The term includes danger to persons arising within a short time scale (for example, fire and
explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic
substance).
[SOURCE: IEC 61508-4:2010, 3.1.2]
3.1.19
incident
event that is not part of the expected operation of a system or service that causes or may
cause, an interruption to, or a reduction in, the quality of the service provided by the system
[SOURCE: IEC 62443-2-1:2010, 3.1.18]
3.1.20
industrial automation and control systems
IACS
collection of personnel, hardware, and software that can affect or influence the safe, secure,
and reliable operation of an industrial process
Note 1 to entry: These systems include, but are not limited to:
• industrial control systems, including distributed control systems (DCSs), programmable logic controllers
(PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition
(SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context,
process control systems include basic process control system and safety instrumented system (SIS) functions,
whether they are physically separate or integrated.)
• associated information systems such as advanced or multivariable control, online optimizers, dedicated
equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant
information management systems.
• associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing
operations functionality to continuous, batch, discrete, and other processes.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.57]
---------------------- Page: 16 ----------------------
SIST-TP CLC IEC/TR 63069:2020
IEC TR 63069:2019 IEC 2019 – 11 –
3.1.21
integrity
quality of a system reflecting the logical correctness and reliability of the operating system,
the logical completeness of the hardware and software implementing the protection
mechanisms, and the consistency of the data structures and occurrence of the stored data
Note 1 to entry: In a formal security mode, integrity is often interpreted more narrowly to mean protection against
unauthorized modification or destruction of information.
[SOURCE: IEC TS 62443-1-1:2009, 3
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.