THIS COPY OF A FULL OR ABRIDGED ISA PUBLICATION IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS. IT MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

Copyright © by the International Society of Automation. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, North Carolina 27709 USA

FOR USE AND REVIEW ONLY BY MEMBERS OF ISA99 AND APPROVED PARTIES: This document includes working drafts of, or extracts from, documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IT IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA.

ISA‑62443-2-2, D1E4, April 2013 (ISA99, WG02, TG02)

ISA‑62443-2-2
Security for industrial automation and control systems
Implementation Guidance for an IACS Security Management System
Draft 1, Edit 4
April 2013

Text appearing in red italics should be considered editorial comments, provided as an aid in the preparation of the document. It will be removed before the draft is completed.

ISA
Security for industrial automation and control systems
<Document Title>
ISBN: -to-be-assigned-
Copyright © 2011 by ISA. All rights reserved. Not for resale. Printed in the United States of America.

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-62443.02.02.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general and the International System of Units (SI) in particular, in the preparation of instrumentation standards.
The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing and Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user's intended application.

However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user's particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this standard.

The following people served as active members of ISA99, Working Group 02, Task Group 02 for the preparation of this document:

Name                                  Company                      Contributor   Reviewer
<WG/TG Leader's Name>, WG/TG Chair    <WG/TG Leader's Company>     X
<Editor's Name>, Lead Editor          <Editor's Company>           X
<Member & Reviewer Names>

CONTENTS

PREFACE ..... 5
FOREWORD ..... 12
INTRODUCTION ..... 13
1 Context ..... 13
  Audience ..... 13
  Scope ..... 15
2 Normative references ..... 15
3 Terms, definitions, abbreviated terms, acronyms, and conventions ..... 16
  3.1 Terms and definitions ..... 16
  3.2 Abbreviated terms and acronyms ..... 18
  3.3 Conventions ..... 19
4 Overview ..... 21
  4.1 Structure ..... 21
  4.2 Information security management in IACS ..... 21
    4.2.1 Goal ..... 21
    4.2.2 IACS assets to be protected ..... 21
    4.2.3 Establishment of information security management ..... 22
5 Security Policy ..... 23
  5.1 Introduction ..... 23
    5.1.1 {Requirement} ..... 23
6 Organization of Security ..... 23
  6.1 Introduction ..... 23
  6.2 Internal Organization ..... 23
    6.2.1 {Requirement} ..... 23
  6.3 External Parties ..... 23
    6.3.1 {Requirement} ..... 23
7 Asset Management ..... 24
  7.1 Introduction ..... 24
  7.2 Responsibility for Assets ..... 24
    7.2.1 {Requirement} ..... 24
  7.3 Information Classification ..... 24
    7.3.1 {Requirement} ..... 24
8 Human Resources Security ..... 24
  8.1 Prior to Employment ..... 24
    8.1.1 Roles and responsibilities ..... 24
    8.1.2 Screening ..... 25
    8.1.3 Terms and conditions of employment ..... 26
  8.2 During Employment ..... 27
    8.2.1 Management responsibilities ..... 27
    8.2.2 Information security awareness, education, and training ..... 28
    8.2.3 Disciplinary process ..... 29
  8.3 Termination or Change of Employment ..... 29
    8.3.1 Termination responsibilities ..... 29
    8.3.2 Return of assets ..... 29
    8.3.3 Removal of access rights ..... 29
9 Physical and Environmental Security ..... 30
  9.1 Introduction ..... 30
  9.2 Secure Areas ..... 30
    9.2.1 {Requirement} ..... 30
  9.3 Equipment Security ..... 30
    9.3.1 Physical Access Authorizations ..... 30
    9.3.2 Physical Access Control ..... 31
    9.3.3 Access Control for Communication Medium ..... 31
    9.3.4 Access Control for Display Medium ..... 32
    9.3.5 Monitoring Physical Access ..... 32
    9.3.6 Visitor Control ..... 32
    9.3.7 Access Records ..... 32
10 Communications and Operations Management ..... 33
  10.1 Introduction ..... 33
  10.2 Operational Procedures and Responsibilities ..... 33
    10.2.1 Automated Marking ..... 33
  10.3 Third Party Service Delivery Management ..... 33
    10.3.1 {Requirement} ..... 33
  10.4 System planning and acceptance ..... 33
    10.4.1 {Requirement} ..... 33
  10.5 Protection against malicious and mobile code ..... 34
    10.5.1 Malicious Code Protection ..... 34
    10.5.2 Security Alerts and Advisories ..... 34
  10.6 Backup ..... 34
    10.6.1 {Requirement} ..... 34
  10.7 Network Security Management ..... 35
    10.7.1 {Requirement} ..... 35
  10.8 Media Handling ..... 35
    10.8.1 Media Protection Policy and Procedures ..... 35
    10.8.2 Media Access ..... 35
    10.8.3 Media Labeling ..... 36
    10.8.4 Media Storage ..... 36
    10.8.5 Media Transport ..... 37
    10.8.6 Media Sanitization and Disposal ..... 38
    10.8.7 Access Control for Display Medium ..... 38
    10.8.8 Public Key Infrastructure Certificates ..... 38
  10.9 Exchange of Information ..... 39
    10.9.1 {Requirement} ..... 39
  10.10 Electronic Commerce Services ..... 39
    10.10.1 {Requirement} ..... 39
  10.11 Monitoring ..... 39
    10.11.1 Audit and Accountability Policy and Procedures ..... 39
    10.11.2 Auditable Events ..... 40
    10.11.3 Audit Monitoring, Analysis and Reporting ..... 40
    10.11.4 Audit Record Retention ..... 40
11 Access Control ..... 41
  11.1 Introduction ..... 41
  11.2 Business Requirement ..... 41
    11.2.1 Access Control Policy and Procedures ..... 41
    11.2.2 System and Information Integrity Policy and Procedures ..... 41
    11.2.3 Flaw Remediation ..... 42
  11.3 User Access Management ..... 42
    11.3.1 Account Management ..... 42
    11.3.2 Separation of Duties ..... 43
  11.4 User Responsibilities ..... 43
    11.4.1 {Requirement} ..... 43
  11.5 Network Access Control ..... 44
    11.5.1 Least Privilege ..... 44
    11.5.2 Permitted Actions Without Identification or Authentication ..... 44
    11.5.3 Remote Access ..... 44
    11.5.4 Use of External Information Systems ..... 45
  11.6 Operating System Access Control ..... 45
    11.6.1 {Requirement} ..... 45
  11.7 Application and Information Access Control ..... 46
    11.7.1 {Requirement} ..... 46
  11.8 Mobile Computing and Teleworking ..... 46
    11.8.1 Wireless Access Restrictions ..... 46
    11.8.2 Use Control for Portable and Mobile Devices ..... 46
    11.8.3 Mobile Code ..... 47
    11.8.4 Supervision and Review – Use Control ..... 47
    11.8.5 Identification and Authentication Policy and Procedures ..... 47
    11.8.6 Identifier Management ..... 48
    11.8.7 Authenticator Management ..... 48
    11.8.8 Software and Information Integrity ..... 49
    11.8.9 Information Input Restrictions ..... 49
    11.8.10 Error Handling ..... 49
    11.8.11 Information Output Handling and Retention ..... 50
    11.8.12 Boundary Protection ..... 50
12 Systems acquisition, development and maintenance ..... 51
  12.1 Introduction ..... 51
  12.2 Security requirements of information systems ..... 51
    12.2.1 {Requirement} ..... 51
  12.3 Correct Processing in Applications ..... 51
    12.3.1 {Requirement} ..... 51
  12.4 Cryptographic Controls ..... 51
    12.4.1 Cryptographic Module Validation ..... 51
  12.5 Security of System Files ..... 51
    12.5.1 {Requirement} ..... 51
  12.6 Security in development and support processes ..... 52
    12.6.1 {Requirement} ..... 52
  12.7 Technical vulnerability management ..... 52
    12.7.1 Configuration Management Policy and Procedures ..... 52
    12.7.2 Baseline Configuration ..... 52
    12.7.3 Configuration Change Control ..... 53
    12.7.4 Monitoring Configuration Changes ..... 53
    12.7.5 Access Restrictions for Change ..... 54
    12.7.6 Network and Security Configuration Settings ..... 54
    12.7.7 IACS Component Inventory ..... 54
    12.7.8 System Maintenance Policy and Procedures ..... 55
    12.7.9 Controlled Maintenance ..... 55
    12.7.10 Maintenance Tools ..... 56
    12.7.11 Remote Maintenance ..... 56
    12.7.12 Maintenance Personnel ..... 57
    12.7.13 Timely Maintenance ..... 57
13 Incident Management ..... 58
  13.1 Introduction ..... 58
  13.2 Reporting Security Events and Weaknesses ..... 58
    13.2.1 {Requirement} ..... 58
  13.3 Management of Incidents and Improvements ..... 58
    13.3.1 Incident Response Policy and Procedures ..... 58
    13.3.2 Incident Response Training ..... 58
    13.3.3 Incident Response Testing and Exercises ..... 59
    13.3.4 Incident Handling ..... 59
    13.3.5 Incident Monitoring ..... 59
    13.3.6 Incident Reporting ..... 60
    13.3.7 Incident Response Assistance ..... 60
    13.3.8 IACS Monitoring Tools and Techniques ..... 60
14 Business Continuity Management ..... 62
  14.1 Introduction ..... 62
  14.2 Security Aspects ..... 62
    14.2.1 Contingency Planning Policy and Procedures ..... 62
    14.2.2 Contingency Plan ..... 62
    14.2.3 Contingency Training ..... 63
    14.2.4 Contingency Plan Testing and Exercises ..... 63
    14.2.5 Contingency Plan Update ..... 64
    14.2.6 Alternate Storage Site ..... 64
    14.2.7 Alternate Control Site ..... 64
    14.2.8 IACS Backup ..... 65
    14.2.9 IACS Recovery and Reconstruction ..... 65
    14.2.10 Power Equipment and Cabling ..... 66
  14.3 Telecommunications Services ..... 66
    14.3.1 Emergency Shutoff ..... 66
    14.3.2 Emergency Power ..... 67
    14.3.3 Emergency Lighting ..... 67
    14.3.4 Fire Protection ..... 67
    14.3.5 Temperature and Humidity Controls ..... 68
    14.3.6 Water Damage Protection ..... 68
15 Compliance ..... 68
  15.1 General ..... 68
    15.1.1 {Requirement} ..... 68
Annex A (informative) Foundational Requirements ..... 70
  A.1 Overview ..... 70
  A.2 FR1 Access Control ..... 70
  A.3 FR2 Use Control ..... 70
  A.4 FR3 Data Integrity ..... 70
  A.5 FR4 Data Confidentiality ..... 70
  A.6 FR5 Restrict Data Flow ..... 71
  A.7 FR6 Timely Response to an Event ..... 71
  A.8 FR7 Resource Availability ..... 71
Annex B (informative) Mapping Controls to Foundational Requirements ..... 72
  B.1 Overview ..... 72
BIBLIOGRAPHY ..... 73
FOREWORD

This standard is part of a series that addresses the issue of security for industrial automation and control systems. It has been developed by Working Group 02, Task Group 02 of the ISA99 committee.

SKELETON NOTE The foreword should only be a few lines and should indicate the basic premise of the document and why it is important. It should also indicate if this document supersedes or modifies any other document. The following information comes from the IEC Directives. The foreword shall appear in each document. It shall not contain requirements, recommendations, figures or tables. It consists of a general part and a specific part. The general part (supplied by the Central Secretariat of ISO or by the Central Office of the IEC, as appropriate) gives information relating to the organization responsible and to International Standards in general, i.e. a) the designation and name of the committee that prepared the document, b) information regarding the approval of the document, and c) information regarding the drafting conventions used, comprising a reference to this part of the ISO/IEC Directives. The specific part (supplied by the committee secretariat) shall give a statement of significant technical changes from any previous edition of the document and as many of the following as are appropriate: d) an indication of any other international organization that has contributed to the preparation of the document; e) a statement that the document cancels and replaces other documents in whole or in part; f) the relationship of the document to other documents (see 5.2.1.3); g) in IEC, an indication of the next stability date (see ISO/IEC Directives, IEC Supplement, 2010, 3.4).

This standard addresses the requirements for the operation of an effective cyber security program within the context of the foundational requirements defined in ISA‑62443-1-1.

INTRODUCTION

The format of this document follows the ISO/IEC requirements discussed in ISO/IEC Directives, Part 2. [12]¹ The ISO/IEC Directives specify the format of this document as well as the use of terms like "shall", "should", and "may". The use of those terms for the requirements specified in Clause Error! Reference source not found. of this document follows the conventions discussed in the ISO/IEC Directives, Appendix H.

NOTE The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

Context

Industrial automation and control system (IACS) organizations increasingly use commercial-off-the-shelf (COTS) networked devices that are inexpensive, efficient and highly automated. These devices and networking technologies provide an increased opportunity for cyber attack against the IACS equipment.
This weakness may lead to health, safety and environmental (HSE) consequences in deployed systems.

Organizations deploying pre-existing information technology (IT) and business cyber security solutions to address IACS security may not fully comprehend the results of this decision. While many business IT applications and security solutions can be applied to IACS, they need to be applied in the correct way to avoid inadvertent consequences. For this reason, the approach used to define system requirements needs to be based on a combination of functional and consequence analysis, and often an awareness of operational issues as well.

The primary goal of the ISA‑99 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the ISA‑99 series is to build extensions to enterprise security that adapt the requirements for IT business systems and combine them with the unique requirements that embrace the strong availability needed by IACS. The ISA‑99 committee has made every effort to avoid building unique stovepipe security architectures for IACS.

This International Standard provides interpretation guidelines for the implementation and management of information security for Industrial Automation and Control Systems (IACS). The approach used is consistent with ISO/IEC 27002 (Code of practice for information security management).

IACS security goals focus on system availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response. IT security goals often do not place the same emphasis on these factors. They may be more concerned with protecting information rather than physical assets.
These different goals need to be clearly stated as security objectives regardless of the degree of plant integration achieved.

This document assumes that a security program has been established in accordance with ISA‑99.02.01 and that patch management is implemented consistent with the recommendations detailed in ISA‑TR99.02.03.

Audience

The audience for the information in this standard includes asset owners, those responsible for information security, system vendors, auditors, and application content providers. It provides them with a common set of general security control objectives based on ISO/IEC 27002, IACS-specific controls, and information security management guidelines allowing for the selection and implementation of such controls.

—————————
¹ Numbers in square brackets refer to the Bibliography.

SKELETON NOTE For most documents in the ISA-99 series, the Introduction will probably be labeled as Clause 0, since there are sub-clauses included. This is common. The Introduction should be limited to no more than 2 pages and should contain no figures. If figures are needed, then that section should be moved to Clause 4+ or an Annex. If you need a Clause 0, you will need to edit the "iecstd_us.dotm" and change the starting number for the Heading style to start at 0. After that, make sure that the styles reload into the Skeleton file and change the style of the Introduction section header to Heading instead of Heading (Nonumber). The Introduction should indicate major similarities or relationships between the document and existing ISO/IEC documents. It does not have to include detailed explanations, but should give the reader some context in relation to other documents. The following information comes from the IEC Directives. The introduction is an optional preliminary element used, if required, to give specific information or commentary about the technical content of the document, and about the reasons prompting its preparation. It shall not contain requirements. Whenever alternative solutions are adopted internationally in a document and preferences for the different alternatives provided, the reasons for the preferences shall be explained in the introduction [see A.6 d)]. Where patent rights have been identified in a document, the introduction shall include an appropriate notice. See Annex F for further information. The introduction shall not be numbered unless there is a need to create numbered subdivisions. In this case, it shall be numbered 0, with subclauses being numbered 0.1, 0.2, etc. Any numbered figure, table, displayed formula or footnote shall be numbered normally beginning with 1.

1 Scope

NOTE The initial content of this section is based on similar material from other standards in the ISA99 series.
This is provided only as a starting point.

This standard addresses the operation of an effective IACS cyber security program. Aspects of this operation are examined in the context of the foundational requirements (FRs) described in ISA‑99.01.01. The requirements and controls would be used by various members of the industrial automation and control systems (IACS) community, along with the defined zones and conduits for the system under consideration (SuC), while developing the appropriate technical system target security assurance level (SAL), SAL-T(system), for a specific asset.

SKELETON NOTE Clause 1 shall always be the Scope. This is a short statement that describes the scope of this document only. It does not list the overall scope of ISA-99. That has been described in other documents and does not need to be repeated here. The following information comes from the IEC Directives. This element shall appear at the beginning of each document and define without ambiguity the subject of the document and the aspects covered, thereby indicating the limits of applicability of the document or particular parts of it. It shall not contain requirements. In documents that are subdivided into parts, the scope of each part shall define the subject of that part of the document only. The scope shall be succinct so that it can be used as a summary for bibliographic purposes. This element shall be worded as a series of statements of fact. Forms of expression such as the following shall be used:
"This International Standard
– specifies the dimensions of …"
– specifies a method of …"
– specifies the characteristics of …"
– establishes a system for …"
– establishes general principles for …"
– gives guidelines for …"
– defines terms …"
Statements of applicability of the document shall be introduced by wording such as: "This International Standard is applicable to …" The wording shall be altered as a function of the document type concerned, i.e. International Standard, Technical Specification, Publicly Available Specification, Technical Report or Guide.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISA‑99.01.01 – Security for industrial automation and control systems: Terminology, concepts and models

ISA‑99.02.01 – Security for industrial automation and control systems: Establishing an industrial automation and control systems security program

ISA‑99.03.02 – Security for industrial automation and control systems: Security assurance levels for zones and conduits

SKELETON NOTE Generally, in the ISA-99 series, there is only 1 completely normative document, ISA-99.01.01. If there are others, put them here as well. Normative references shall be International Standards documents of
some sort. Even though a document gets listed here, it will also be listed in the Bibliography along with all the other documents.

3 Terms, definitions, abbreviated terms, acronyms, and conventions

NOTE The initial content of this section is based on similar material from other standards in the ISA99 series. This is provided only as a starting point.

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISA‑62443-1-1 and the following apply.

3.1.1 authentication
verifying the identity of an IACS user, often as a prerequisite to allowing access to resources in an information system

3.1.2 authenticity
property of being genuine and being able to be verified and trusted
NOTE It may also be defined as confidence in the validity of a transmission, a message, or message originator.

3.1.3 automatic
pertaining to a process or equipment that, under specified conditions, functions without human intervention
[IEV number 351-21-40]

3.1.4 availability
ensuring timely and reliable access to and use of information
[FIPS 199]

3.1.5 communication channel
logical or physical point-to-point or point-to-multipoint data flow between components in one zone and one or more components in another zone

3.1.6 confidentiality
preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
[FIPS 199]

3.1.7 connection
association established between two or more endpoints which supports the transfer of IACS-specific data

3.1.8 consequence
outcome of an event

3.1.9 environment
aggregate of external procedures, conditions, and objects affecting the development, operation and maintenance of IACS

3.1.10 event
occurrence or change of a particular set of circumstances

3.1.11 external information systems
hardware, software components and repositories that are connected by some means or embedded within the component

3.1.12 IACS user
entity (including human users, processes and devices) that performs a function in the IACS or a component used by the IACS

3.1.13 impact
evaluated consequence of a particular event

3.1.14 industrial automation and control system
system which controls the manufacturing process within a defined set of operational limits

3.1.15 integrity
guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
[FIPS 199]

3.1.16 local access
any access to an organizational IACS by an IACS user communicating through an internal, organization-controlled network (such as a local area network) or directly to the IACS without the use of a network

3.1.17 non-repudiation
assurance that the sender of information is provided with proof of delivery and all recipients are provided with proof of the sender's identity, so the sender cannot deny having sent the information and the recipient cannot deny having received the information

3.1.18 remote access
any access to an IACS by an IACS user communicating through an external, non-organization-controlled network (such as the Internet)

3.1.19 remote session
session initiated whenever an IACS is accessed by a human user communicating across the boundary of a zone defined by the asset owner based on their risk assessment

3.1.20 role
set of connected behaviors, privileges and obligations associated with IACS users in a given situation
NOTE 1 The privileges to perform certain operations are assigned to specific roles.
NOTE 2 Role definitions must be distinguished into infrastructure role definitions (within a process), functional role definitions (part of an entity's functions) or organizational role definitions (a person's position). A functional role may be associated with privileges and confer responsibility and authority on a user assigned to that role.

3.1.21 security assurance level
measure of confidence that computer systems and data are free from vulnerabilities, whether intentionally designed into computer components or accidentally inserted at any time during their lifecycle, and that the computer systems function in the intended manner

3.1.22 session
semi-permanent, stateful, interactive information interchange between two or more communicating devices
NOTE Typically a session has a clearly defined start process and end process.

3.1.23 threat
any circumstance or event with the potential to adversely affect organizational operations (including mission, functions, image or reputation), organizational assets, IACS or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service

3.1.24 trust
belief that an operation or data transaction source or process is secure and will perform as intended
Adapted from [ISO/IEC 1st WD 24760: 2005-10-01]

3.1.25 untrusted
entity that has not met predefined requirements to be trusted

3.1.26 vulnerability
weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source

SKELETON NOTE Only add in the reference at the end of the term if it relates directly to something from an international standard. IEC seems to dislike referencing national standards documents (ISA, NIST, NERC, NEMA, etc.). Only include these references if there is an ISO/IEC, NATO, etc. reference. Also, if the reference is not exactly from the reference, indicate something like "Adapted from …".

3.2 Abbreviated terms and acronyms

This subclause defines the abbreviated terms and acronyms used in this document.

AC      Access Control
AES     Advanced encryption standard
API     Application programming interface
CA      Certification authority
CIP     Critical infrastructure protection
COTS    Commercial-off-the-shelf
DC      Data confidentiality
DI      Data integrity
DMZ     Demilitarized zone
DoS     Denial of service
FR      Foundational requirement
FTP     File transfer protocol
HSE     Health, safety, and environmental
HTTP    Hypertext transfer protocol
IACS    Industrial automation and control system(s)
ID      Identifier
IDS     Intrusion detection system
IEC     International Electrotechnical Commission
IEEE    Institute of Electrical and Electronics Engineers
IM      Instant messaging
IPS     Intrusion prevention system
ISO     International Organization for Standardization
IT      Information technology
NERC    North American Electric Reliability Corporation
NIST    U.S. National Institute of Standards and Technology
PDF     Portable document format
RA      Resource availability
RDF     Restrict data flow
RE      Requirement enhancement
SAL     Security assurance level
SIS     Safety instrumented system
SP      Special Publication (from NIST)
SR      System requirement
SuC     System under consideration
TRE     Timely response to an event
UC      Use control
US-CERT U.S. Computer Emergency Readiness Team
USB     Universal serial bus
VoIP    Voice over internet protocol

3.3 Conventions

Much of the content of this standard is expressed in the form of specific requirements or controls. Each of these has a baseline requirement and zero or more requirement enhancements to strengthen security assurance. Rationale and supplemental guidance may be provided for each baseline requirement, and for any associated enhancement as is deemed necessary, to provide clarity to the reader.

SKELETON NOTE This sub-clause is where specific conventions used in the document, like specific clause/sub-clause formatting, special text conventions, or any other things that the reader should know in order to read
the document. The reader may still need some introduction to conventions used throughout the document, but this sub-clause allows for a greater explanation in one place.

4 Overview

4.1 Structure

The content of this standard has been organized in a manner similar to that used in ISO/IEC 27002. In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002.

In cases where controls need additional guidance specific to IACS, the ISO/IEC 27002 control and implementation guidance is repeated without modification, followed by the IACS-specific guidance related to this control. IACS-specific guidance and information is included in the following clauses:

– Organization of information security (clause 6)
– Asset management (clause 7)
– Human resources security (clause 8)
– Physical and environmental security (clause 9)
– Communications and operations management (clause 10)
– Access control (clause 11)
– Information systems acquisition, development and maintenance (clause 12)
– Information security incident management (clause 13)
– Business continuity management (clause 14)

4.2 Information security management in IACS

4.2.1 Goal

Industrial control systems and associated networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, information leakage, earthquake, fire or flood. These security threats may originate from inside or outside the control systems environment, resulting in damage to the organization.

Once the security of an IACS is compromised, for example by unauthorized access, the system or the equipment under control may suffer damage. Therefore, it is essential for an asset owner to ensure its security by continuously improving its related programs in accordance with ISO/IEC 27001.

Effective IACS security is achieved by implementing a suitable set of controls based on those described in this standard. These controls need to be established, implemented, monitored, reviewed and improved in facilities, services and applications. The successful deployment of security controls will better enable the security and business objectives of the organization to be met.

4.2.2 IACS assets to be protected

In order to establish information security management, it is essential for an asset owner to clarify and identify all IACS-related assets. The clarification of attributes and importance of the assets makes it possible to implement appropriate controls.

4.2.3 Establishment of information security management

4.2.3.1 How to establish security requirements

It is essential for asset owners to identify their security requirements. There are three main sources of security requirements, as follows:

a) the requirements derived from assessing risks to IACS operation, taking into account the overall business strategy and objectives. Through risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated and potential impact is estimated;

b) the legal, statutory, regulatory, and contractual requirements that asset owners have to satisfy, and the socio-cultural environment;

c) the particular set of principles, objectives and business requirements for information processing that an asset owner has developed to support its operations.

4.2.3.2 Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

4.2.3.3 Selecting controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level.

This standard provides guidance and IACS-specific controls, in addition to general information security management, taking account of IACS-specific requirements. Therefore, asset owners are recommended to select controls from this guideline and implement them. In addition, new controls can be designed to meet specific needs as appropriate.

The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied by asset owners, and should also be subject to all relevant national and international legislation and regulations.

4.2.3.4 Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security in an industrial automation and control system:

a) information security policy, objectives, and activities that reflect business objectives and the specific characteristics of an IACS;

b) an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;

c) visible support and commitment from all levels of management;

d) a good understanding of the security requirements, risk assessment, and risk management;

e) effective marketing of information security to all managers, employees, and other parties to achieve awareness;

f) distribution of guidance on information security policy and standards to all managers, employees and other parties;

g) provision to fund information security management activities;

h) providing appropriate awareness, training, and education;

i) establishing an effective information security incident management process;

j) implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement.

5 Security Policy

5.1 Introduction

5.1.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

6 Organization of Security

6.1 Introduction

6.2 Internal Organization

6.2.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

6.3 External Parties

6.3.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:
ISA‑62443-2-2, D1E4, April 2013 ISA‑62443-2-2, D1E4, April 2013 – 24 – ISA99, WG02, TG02 665 666 7 Asset Management 667 7.1 Introduction 669 7.2 Responsibility for Assets 670 7.2.1 668 671 Requirement: 672 673 Foundational Requirement: 674 Rationale/Supplemental Guidance: 675 Requirement Enhancements: 676 677 7.3 Information Classification 678 7.3.1 679 {Requirement} Requirement: 680 681 Foundational Requirement: 682 Rationale/Supplemental Guidance: 683 Requirement Enhancements: 684 685 8 Human Resources Security 686 8.1 Prior to Employment 687 688 689 Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. 690 691 Security responsibilities should be addressed prior to e mployment in adequate job descriptions and in terms and conditions of employment. 692 693 All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs. 694 695 Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities. 696 8.1.1 697 Control 698 699 Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy. 700 Implementation guidance Roles and responsibilities This document includes working drafts of, or extracts from documents in the ISA-62443 series. New versions will be generated periodically as individual documents are revised. IS TO BE USED SOLELY FOR THE PURPOSES OF FURTHER DEVELOPMENT OF ISA STANDARDS, AND MAY NOT BE OFFERED FOR FURTHER REPRODUCTION OR FOR SALE. THE COPYRIGHT RESTS WITH ISA. 
Security roles and responsibilities should include the requirement to:
a) implement and act in accordance with the organization’s information security policies (see 5.1);
b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.

Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

IACS-specific implementation guidance

Facilities should appoint staff who have the right credentials or appropriate knowledge and skills to be in charge of the supervision of matters related to the installation, maintenance and operation of IACS. The relevant staff should be notified of their assigned roles and responsibilities.

Other Information

Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization’s employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.

{Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

8.1.2 Screening

Control

Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Implementation guidance

Verification checks should take into account all relevant privacy, protection of personal data and/or employment based legislation, and should, where permitted, include the following:
a) availability of satisfactory character references, e.g. one business and one personal;
b) a check (for completeness and accuracy) of the applicant’s curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity check (passport or similar document);
e) more detailed checks, such as credit checks or checks of criminal records.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling sensitive information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed checks.

Procedures should define criteria and limitations for verification checks, e.g. who is eligible to screen people, and how, when and why verification checks are carried out.

A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern.
In the same way, the agreement with the third party (see also 6.2.3) should clearly specify all responsibilities and notification procedures for screening.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

IACS-specific implementation guidance

Facilities should also consider further, more detailed checks for job positions that give staff access to IACS that have been assessed as critical and thus require higher levels of security. [wording?]

8.1.3 Terms and conditions of employment

Control

As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.

Implementation guidance

The terms and conditions of employment should reflect the organization’s security policy in addition to clarifying and stating:
a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b) the employee’s, contractor’s and any other user’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see also 15.1.1 and 15.1.2);
c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user (see also 7.2.1 and 10.7.3);
d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;
e) responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization (see also 15.1.4);
f) responsibilities that are extended outside the organization’s premises and outside normal working hours, e.g. in the case of home-working (see also 9.2.5 and 11.7.1);
g) actions to be taken if the employee, contractor or third party user disregards the organization’s security requirements (see also 8.2.3).

The organization should ensure that employees, contractors and third party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see also 8.3).
IACS-specific implementation guidance

Facilities should clarify and state the responsibilities for maintaining IACS availability, plant protection, plant operations (even if in a degraded mode), and time-critical system response.

Other Information

A code of conduct may be used to cover the employee’s, contractor’s or third party user’s responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. The contractor or third party users may be associated with an external organization that may in turn be required to enter into contractual arrangements on behalf of the contracted individual.

8.2 During Employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

8.2.1 Management responsibilities

Control

Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
Implementation guidance

Management responsibilities should include ensuring that employees, contractors and third party users:
a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) are provided with guidelines to state security expectations of their role within the organization;
c) are motivated to fulfil the security policies of the organization;
d) achieve a level of awareness on security relevant to their roles and responsibilities within the organization (see also 8.2.2);
e) conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
f) continue to have the appropriate skills and qualifications.

IACS-specific implementation guidance

Management should ensure that individuals responsible for operating and maintaining IACS are included in the above mentioned activities.

Other Information

If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

Poor management may cause personnel to feel undervalued, resulting in a negative security impact to the organization.
For example, poor management may lead to security being neglected or potential misuse of the organization’s assets.

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

8.2.2 Information security awareness, education, and training

Control

All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Implementation guidance

Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.

Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).

IACS-specific implementation guidance

Individuals responsible for operating and maintaining IACS should be included in the above mentioned activities and, where necessary, specific training should be developed for individuals in these roles.

Other Information

The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).
Training to enhance awareness is intended to allow individuals to recognize information security problems and incidents, and respond according to the needs of their work role.

8.2.3 Disciplinary process

The control objective and the contents from ISO/IEC 27002 clause 8.2.3 apply.

8.3 Termination or Change of Employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.

Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed as described in section 8.1.

8.3.1 Termination responsibilities

The control objective and the contents from ISO/IEC 27002 clause 8.3.1 apply.

8.3.2 Return of assets

The control objective and the contents from ISO/IEC 27002 clause 8.3.2 apply.

8.3.3 Removal of access rights

Control

The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Implementation guidance

Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights.
Changes of employment should be reflected in the removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities (see also 11.2.4), subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.

Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
a) whether the termination or change is initiated by the employee, contractor or third party user, or by management, and the reason for termination;
f) the current responsibilities of the employee, contractor or any other user;
g) the value of the assets currently accessible.

IACS-specific implementation guidance

Other risk factors to be considered when reducing or removing access rights should include risks associated with disruption to IACS availability, plant protection, and plant operations.
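The reconciliation that 8.3.3 asks for, written out as an added Python example (not text or code from this draft): for each departing or changing person it lists the physical and logical rights to remove, the group access lists to leave, the shared-account passwords to rotate, and which of those actions touch IACS operation and so need coordination with the plant. The record layout, the user and system names and the IACS-critical set are constructed assumptions for the example.

```python
"""Offboarding reconciliation for 8.3.3 "Removal of access rights".

Added example, not text or code from ISA-62443-2-2. It walks the guidance:
on termination every right is removed; on a change of employment only the
rights approved for the new role are kept; the person leaves any group access
list (group IDs); passwords of shared accounts the person knew are rotated;
and removals that touch IACS operation are flagged for coordination because
of the availability and plant-protection risks the IACS-specific guidance names.
All identifiers, record layouts and the IACS-critical set are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Person:
    user_id: str
    status: str                                          # "terminated" or "changed"
    approved_rights: set = field(default_factory=set)    # rights/groups approved for the new role


@dataclass
class AccessInventory:
    logical: dict          # user_id -> set of accounts/system rights held
    physical: dict         # user_id -> set of badges, keys, identification cards held
    groups: dict           # group_id -> set of user_ids on that group access list
    shared_accounts: dict  # shared account -> set of user_ids who know its password


# Constructed sample data (assumption: not real systems or people).
IACS_CRITICAL = {"hmi-operator", "plc-engineer", "hmi-shared-op"}

SAMPLE_INVENTORY = AccessInventory(
    logical={"jdoe": {"vpn", "hmi-operator", "scada-hist-read"},
             "asmith": {"vpn", "plc-engineer"},
             "bwong": {"vpn", "hmi-operator"}},
    physical={"jdoe": {"badge-main", "key-rack-room"},
              "asmith": {"badge-main", "badge-control-room"},
              "bwong": {"badge-main"}},
    groups={"control-room-ops": {"jdoe", "bwong"},
            "engineering": {"asmith", "bwong"}},
    shared_accounts={"hmi-shared-op": {"jdoe", "bwong"},
                     "plc-maint": {"asmith"}},
)

SAMPLE_PEOPLE = [
    Person("jdoe", "terminated"),
    Person("asmith", "changed", approved_rights={"vpn", "badge-main"}),
]


def reconcile(person, inv, iacs_critical=IACS_CRITICAL):
    """Return the outstanding revocation actions for one departing or changing person."""
    held = inv.logical.get(person.user_id, set()) | inv.physical.get(person.user_id, set())
    member_of = {g for g, members in inv.groups.items() if person.user_id in members}
    knows = {a for a, knowers in inv.shared_accounts.items() if person.user_id in knowers}

    # Termination keeps nothing; a change keeps only what is approved for the new role.
    keep = person.approved_rights if person.status == "changed" else set()
    remove = held - keep
    leave = member_of - keep

    # Shared passwords the person knew are rotated whatever the reason for leaving.
    # Anything in the IACS-critical set is flagged so plant operations can schedule it.
    critical = (remove | knows) & iacs_critical
    return {
        "remove_rights": sorted(remove),
        "leave_groups": sorted(leave),
        "rotate_passwords": sorted(knows),
        "coordinate_with_operations": sorted(critical),
    }


def reconcile_all(people, inv, iacs_critical=IACS_CRITICAL):
    """Map user_id -> actions for every person on the departures/changes list."""
    return {p.user_id: reconcile(p, inv, iacs_critical) for p in people}


if __name__ == "__main__":
    for uid, actions in reconcile_all(SAMPLE_PEOPLE, SAMPLE_INVENTORY).items():
        print(uid)
        for kind, items in actions.items():
            print(f"  {kind}: {', '.join(items) or '-'}")
```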
Other Information

In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees, contractors and third party users involved to no longer share this information with the person departing.

In cases of management-initiated termination, disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use.

9 Physical and Environmental Security

9.1 Introduction

9.2 Secure Areas

9.2.1 {Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

9.3 Equipment Security

9.3.1 Physical Access Authorizations

Requirement:
The organization shall develop and keep current a list of personnel with authorized access to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and issue appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency].

Foundational Requirement:

Rationale/Supplemental Guidance:
Appropriate authorization credentials include, for example, badges, identification cards, smart cards, key pad codes or biometric attributes. The organization promptly removes from the access list personnel no longer requiring access to the facility where the IACS resides.
Requirement Enhancements:
(1) Authorized access shall be adjusted for assignments in restricted areas or for personnel dismissal.

9.3.2 Physical Access Control

Requirement:
The organization shall control all physical access points (including designated entry/exit points) to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible) and verify individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Foundational Requirement:

Rationale/Supplemental Guidance:
The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing IACS. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational IACS may be located in areas designated as publicly accessible with access to such devices being appropriately controlled. The organization considers IACS safety and security interdependencies.
The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to IACS facilities and assets to authorized individuals only.

Requirement Enhancements:
(1) The organization controls physical access to the IACS independent of the physical access controls for the facility. Identity verification is required for entry to the most secured IACS spaces.

Rationale/Supplemental Guidance:
This requirement enhancement, in general, applies to server rooms, communications centers, telecommunication spaces, control rooms, instrument rack rooms, remote control rooms or any other areas within a facility containing large concentrations of IACS components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of IACS components or the impact level of the components. The requirement enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel.

FR1 Access Control

9.3.3 Access Control for Communication Medium

Requirement:
The organization shall control physical access to IACS distribution and communication lines within local organizational facilities.

Foundational Requirement:

Rationale/Supplemental Guidance:
Physical protections applied to IACS distribution and communication lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted communications.
Protective measures to control physical access to IACS distribution and communication lines include: (i) endpoints or any access point contained in locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

Requirement Enhancements: None.

9.3.4 Access Control for Display Medium

Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:
(1) Access displays shall be placed in such a manner as to prevent others from viewing the display of clear text access information.

9.3.5 Monitoring Physical Access

Requirement:
The organization shall monitor physical access to the IACS to detect and respond to physical security incidents.

Foundational Requirement:

Rationale/Supplemental Guidance:
The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization’s incident response capability.

Requirement Enhancements:
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.
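A periodic log review of the kind 9.3.1 and 9.3.5 describe, as an added Python example that is not part of this draft: it checks constructed badge-reader log lines against a current authorization list and reports access granted to a badge not on the list, access after the holder's authorization was removed, entry to an area the holder is not authorized for, and bursts of denied attempts at one door as a potential intrusion. The log line format, the authorization list layout and every record are assumptions constructed for the example.

```python
"""Physical access log review for 9.3.1 / 9.3.5.

Added example, not text or code from ISA-62443-2-2. Reviews badge-reader
events against the list of personnel authorized to access the facility and
reports apparent violations for investigation. The log format, the list
layout and all records are constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization list: badge -> (holder, authorized areas, date access was removed or None).
AUTHORIZED = {
    "B1001": ("operator-a", {"lobby", "control-room"}, None),
    "B1002": ("engineer-b", {"lobby", "rack-room"}, None),
    "B1003": ("contractor-c", {"lobby"}, datetime(2013, 4, 1)),   # access removed 2013-04-01
}

# Constructed badge-reader log: one event per line, key=value fields.
SAMPLE_LOG = """\
2013-04-02T07:58:10 door=L-1 area=lobby badge=B1001 result=granted
2013-04-02T08:01:30 door=CR-1 area=control-room badge=B1001 result=granted
2013-04-02T08:05:00 door=L-1 area=lobby badge=B1003 result=granted
2013-04-02T08:06:45 door=RR-1 area=rack-room badge=B1001 result=granted
2013-04-02T22:10:00 door=CR-1 area=control-room badge=B9999 result=denied
2013-04-02T22:10:20 door=CR-1 area=control-room badge=B9999 result=denied
2013-04-02T22:10:41 door=CR-1 area=control-room badge=B9999 result=denied
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def review(log_text, authorized=AUTHORIZED, burst=3, window=timedelta(minutes=2)):
    """Return (timestamp, badge, description) for every event that needs investigation."""
    findings = []
    denied = defaultdict(list)          # badge -> timestamps of recent denied attempts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        badge, area, ts = ev["badge"], ev["area"], ev["ts"]

        if ev["result"] == "denied":
            # Several denials at one reader inside a short window is a potential intrusion.
            denied[badge].append(ts)
            recent = [t for t in denied[badge] if ts - t <= window]
            if len(recent) >= burst:
                findings.append((ts, badge, f"repeated denied attempts at {ev['door']}"))
                denied[badge] = []      # one finding per burst
            continue

        entry = authorized.get(badge)
        if entry is None:
            findings.append((ts, badge, "granted to badge not on the access list"))
            continue
        holder, areas, removed_on = entry
        if removed_on is not None and ts >= removed_on:
            # The list says access was removed, yet the reader still granted it.
            findings.append((ts, badge, f"{holder} granted access after authorization removed on {removed_on.date()}"))
        elif area not in areas:
            findings.append((ts, badge, f"{holder} granted into {area} without area authorization"))
    return findings


if __name__ == "__main__":
    for ts, badge, why in review(SAMPLE_LOG):
        print(ts.isoformat(), badge, why)
```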
9.3.6 Visitor Control

Requirement:
The organization shall control physical access to the IACS by authenticating visitors before authorizing access to the facility where the IACS resides other than areas designated as publicly accessible.

Foundational Requirement:

Rationale/Supplemental Guidance:
Personnel without permanent authorization or permanent duties, including physical access to an IACS, are considered a visitor.

Requirement Enhancements:
(1) The organization escorts visitors and monitors visitor activity.

9.3.7 Access Records

Requirement:
The organization shall maintain visitor access records to the facility where the IACS resides (except for those areas within the facility officially designated as publicly accessible). The detailed contents of these records are to be defined by the asset owner and their respective security policy. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency] and maintain those records for [Assignment: organization-defined periodicity].

Foundational Requirement:

Rationale/Supplemental Guidance:
These logs are intended to support forensic investigation. Useful attributes would include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited.
Requirement Enhancements:
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.

10 Communications and Operations Management

10.1 Introduction

10.2 Operational Procedures and Responsibilities

10.2.1 Automated Marking

Requirement:
The IACS shall mark output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.

Foundational Requirement:

Rationale/Supplemental Guidance:
Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the IACS).

Requirement Enhancements: None.

10.3 Third Party Service Delivery Management

10.3.1 {Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.4 System planning and acceptance

10.4.1 {Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.5 Protection against malicious and mobile code

10.5.1 Malicious Code Protection

Requirement:
The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.
Foundational Requirement:

Rationale/Supplemental Guidance:
The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential effect on the availability of the IACS. Updates are scheduled to occur during planned IACS outages. The organization considers IACS vendor recommendations for malicious code protection. To reduce malicious code, organizations remove the functions and services that should not be employed on the IACS (e.g., Voice Over Internet Protocol, Instant Messaging, File Transfer Protocol, Hyper Text Transfer Protocol, electronic mail, file sharing).

Requirement Enhancements: None.

10.5.2 Security Alerts and Advisories

Requirement:
The organization shall receive IACS security alerts/advisories on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response.

Foundational Requirement:

Rationale/Supplemental Guidance:
The organization documents the types of actions to be taken in response to security alerts/advisories. The organization also maintains contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.

Requirement Enhancements:
(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
10.6 Backup

10.6.1 {Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.7 Network Security Management

10.7.1 {Requirement}

Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.8 Media Handling

10.8.1 Media Protection Policy and Procedures

Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection requirements.

Foundational Requirement:

Rationale/Supplemental Guidance:
The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

10.8.2 Media Access

Requirement:
The organization shall restrict access to IACS media to authorized individuals.
Foundational Requirement:
Rationale/Supplemental Guidance:
IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures the media requiring restricted access, the individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access requirements where the media resides provide adequate protection.
Requirement Enhancements:
(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Foundational Requirement:
Rationale/Supplemental Guidance:
This requirement enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).

10.8.3 Media Labeling
Requirement:
The organization shall: (i) affix external labels to removable IACS media and IACS output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempt [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].
Foundational Requirement:
Rationale/Supplemental Guidance:
An organizational assessment of risk guides the selection of media requiring labeling. Organizations document in policy and procedures the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media.
Requirement Enhancements: None.

10.8.4 Media Storage
Requirement:
The organization shall physically control and securely store IACS media within controlled areas.
Foundational Requirement:
Rationale/Supplemental Guidance:
IACS media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm).
A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS.
This requirement applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones, telephone systems (voicemail only)).
Organizations document in policy and procedures the media requiring physical protection and the specific measures taken to afford such protection. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to have limited or no adverse impact on the organization or individuals if accessed by non-authorized personnel. The assumption is that the physical access controls to the facility where the media resides provide adequate protection. The organization protects IACS media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
As part of a defense-in-depth protection strategy, the organization considers routinely encrypting data at rest on selected secondary storage devices.
The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by IACS users.
Requirement Enhancements: None.

10.8.5 Media Transport
Requirement:
The organization shall protect and control IACS media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.
Foundational Requirement:
Rationale/Supplemental Guidance:
IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas.
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).
Requirement Enhancements:
(1) The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].
Rationale/Supplemental Guidance:
Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the $S_{system}^{target}$ categorization of the information residing on the media, and consistent with applicable laws, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.
(2) The organization documents, where appropriate, activities associated with the transport of IACS media using [Assignment: organization-defined system of records].
Rationale/Supplemental Guidance:
Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
(3) The organization employs an identified custodian at all times to transport IACS media.
Rationale/Supplemental Guidance:
Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.

10.8.6 Media Sanitization and Disposal
Requirement:
The organization shall sanitize IACS media, both digital and non-digital, prior to disposal or release for reuse.
Foundational Requirement:
Rationale/Supplemental Guidance:
Sanitization is the process used to remove information from IACS media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed of. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed of. The National Security Agency provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm .
Requirement Enhancements:
(1) The organization tracks, documents, and verifies media sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.

10.8.7 Access Control for Display Medium
Requirement:
The organization shall control physical access to IACS devices that display information to prevent unauthorized individuals from observing the display output.
Foundational Requirement:
Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.

10.8.8 Public Key Infrastructure Certificates
Requirement:
Where public key cryptography is utilized, the organization shall determine what appropriate interfaces are required with existing public key infrastructure under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Foundational Requirement:
Rationale/Supplemental Guidance:
Registration to receive a public key certificate needs to include authorization by a supervisor or a responsible official and needs to be accomplished using a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party.
Requirement Enhancements: None.
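The verification and tracking that 10.8.6 enhancements (1) and (2) ask for, as an added example that is not part of ISA-62443-2-2: a read-back check over the whole device after an overwrite pass, the tracking entry for the action, and a procedure test that runs the sanitizer on a known image. The device is an in-memory bytearray and the disposal log an in-memory list, both constructed here; the "faulty" sanitizer exists only to show what the verification catches.

```python
"""Verify a media sanitization pass and record the action, as 10.8.6
enhancements (1) and (2) call for.

Added example, not part of ISA-62443-2-2. It assumes the sanitizer overwrites
the whole device with one known byte value; the 'device' is an in-memory
bytearray and the disposal log an in-memory list, both constructed here. The
faulty sanitizer exists only to show what the verification catches.
"""
import hashlib
from datetime import datetime, timezone

SECTOR = 512  # verification granularity (constructed; a real device reports its own)


def make_test_image(size):
    """Deterministic non-zero content standing in for data left on the media."""
    return bytearray((bytes(range(1, 256)) * (size // 255 + 1))[:size])


def sanitize(media, fill=0x00):
    """Overwrite every byte of the image with the fill value (single pass)."""
    media[:] = bytes([fill]) * len(media)


def faulty_sanitize(media, fill=0x00):
    """Constructed failure mode: a pass that never reaches the last sector."""
    media[:-SECTOR] = bytes([fill]) * (len(media) - SECTOR)


def verify(media, fill=0x00):
    """Read back the whole image and list sectors that still differ from the fill.

    Every byte is checked rather than sampled: a pass that silently skips
    reallocated, cached or trailing sectors is exactly what sampling misses.
    """
    expected = bytes([fill]) * SECTOR
    residual = []
    for index in range(0, len(media), SECTOR):
        chunk = bytes(media[index:index + SECTOR])
        if chunk != expected[:len(chunk)]:
            residual.append(index // SECTOR)
    return {
        "sectors_checked": (len(media) + SECTOR - 1) // SECTOR,
        "residual_sectors": residual,
        "clean": not residual,
        "digest": hashlib.sha256(bytes(media)).hexdigest(),  # evidence of the verified state
    }


def record_action(log, media_id, method, verdict, operator):
    """Append the tracking entry for one sanitization/disposal action (enhancement 1)."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "media": media_id, "method": method, "operator": operator,
        "clean": verdict["clean"], "residual_sectors": verdict["residual_sectors"],
        "digest": verdict["digest"],
    }
    log.append(entry)
    return entry


def procedure_check(sanitizer, size=4096):
    """Enhancement (2): run the procedure on a known image and confirm it verifies clean."""
    image = make_test_image(size)
    sanitizer(image)
    return verify(image)["clean"]


if __name__ == "__main__":
    disposal_log = []
    disk = make_test_image(8 * SECTOR)
    sanitize(disk)
    print(record_action(disposal_log, "USB-0042", "overwrite-1pass", verify(disk), "tech1"))
    print("procedure check, good sanitizer:", procedure_check(sanitize))
    print("procedure check, faulty sanitizer:", procedure_check(faulty_sanitize))
```

A read-back check only proves that the addressable area now holds the pattern. It says nothing about spare or remapped blocks on flash media, which is why the rationale distinguishes clearing from purging and destruction and points at approved equipment for the higher assurance levels.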
10.9 Exchange of Information
10.9.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.10 Electronic Commerce Services
10.10.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

10.11 Monitoring
10.11.1 Audit and Accountability Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Foundational Requirement:
Rationale/Supplemental Guidance:
The audit and accountability policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular IACS, when required. The parameters to be monitored are a local matter. Of those parameters it is
strongly recommended to consider false positives (e.g., how many times an authorized entity was hindered or prevented from performing its function).
Requirement Enhancements: None.

10.11.2 Auditable Events
Requirement:
The organization periodically reviews and updates the list of organization-defined auditable events.
Foundational Requirement:
Rationale/Supplemental Guidance:
The purpose of this requirement is to identify important events which need to be audited as significant and relevant to the security of the IACS. The security audit function is usually coordinated with the network health and status monitoring function, which may be in a different zone. Commonly recognized and accepted checklists and configuration guides should be considered when compiling a list of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents.
Requirement Enhancements: None.

10.11.3 Audit Monitoring, Analysis and Reporting
Requirement:
The organization shall regularly review/analyze IACS audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.
Foundational Requirement:
Rationale/Supplemental Guidance:
Organizations increase the level of audit monitoring and analysis activity within the IACS whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Requirement Enhancements:
(1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
(2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].

10.11.4 Audit Record Retention
Requirement:
The organization shall retain audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Foundational Requirement:
Rationale/Supplemental Guidance:
The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes.
Requirement Enhancements: None.
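An automated review of the kind 10.11.3 enhancement (2) describes, run over a handful of audit records, together with the false-positive count that 10.11.1 recommends tracking. This is an added example, not material from ISA-62443-2-2: the record format, the three rules (repeated logon failures, logic download from outside the engineering network, logic download outside the approved maintenance window), the subnet, the window and every log line are constructed; an organization substitutes its own organization-defined list.

```python
"""Review IACS audit records for organization-defined unusual activity
(10.11.3 and its enhancement (2)) and keep the false-positive tally that
10.11.1 recommends.

Added example, not part of ISA-62443-2-2. The record format, the three rules,
the engineering subnet, the maintenance window and every log line are
constructed for illustration; an organization substitutes its own list.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed records: "<ISO time> <host> <event> key=value ..."
SAMPLE_LOG = """\
2013-04-02T01:58:10 hmi-01 logon user=operator1 src=10.1.1.20 result=ok
2013-04-02T02:01:05 eng-01 logon user=eng2 src=10.1.2.15 result=fail
2013-04-02T02:01:09 eng-01 logon user=eng2 src=10.1.2.15 result=fail
2013-04-02T02:01:14 eng-01 logon user=eng2 src=10.1.2.15 result=fail
2013-04-02T02:01:20 eng-01 logon user=eng2 src=10.1.2.15 result=fail
2013-04-02T02:05:00 eng-01 logon user=eng1 src=192.168.50.9 result=ok
2013-04-02T02:06:30 eng-01 plc_download user=eng1 src=192.168.50.9 result=ok target=plc-07
2013-04-02T02:10:00 hmi-01 setpoint_change user=operator1 src=10.1.1.20 result=denied
2013-04-02T14:00:00 eng-01 plc_download user=eng1 src=10.1.2.15 result=ok target=plc-07
"""

# Organization-defined parameters (constructed values)
ENGINEERING_NET = ip_network("10.1.2.0/24")        # only engineering hosts may download logic
MAINTENANCE_WINDOW = (datetime(2013, 4, 2, 12, 0), datetime(2013, 4, 2, 16, 0))
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
# Actions each identity is authorized to perform; a denial of these is a false positive
AUTHORIZED = {"operator1": {"setpoint_change"}, "eng1": {"plc_download"}}


def parse(line):
    """Split one record into a dict; any key=value field is kept under its key."""
    ts, host, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def analyze(log_text):
    """Return (alerts, false_positive_count) for the records in log_text."""
    alerts, false_positives = [], 0
    recent_fails = defaultdict(list)          # user -> failure timestamps inside FAIL_WINDOW
    for rec in map(parse, log_text.splitlines()):
        if rec["event"] == "logon" and rec["result"] == "fail":
            window = [t for t in recent_fails[rec["user"]] if rec["ts"] - t <= FAIL_WINDOW]
            window.append(rec["ts"])
            recent_fails[rec["user"]] = window
            if len(window) == FAIL_THRESHOLD:  # alert once, when the threshold is first reached
                alerts.append(("repeated_logon_failure", rec["user"], rec["ts"]))
        if rec["event"] == "plc_download" and rec["result"] == "ok":
            if ip_address(rec["src"]) not in ENGINEERING_NET:
                alerts.append(("download_from_unauthorized_source", rec["user"], rec["ts"]))
            if not MAINTENANCE_WINDOW[0] <= rec["ts"] <= MAINTENANCE_WINDOW[1]:
                alerts.append(("download_outside_maintenance_window", rec["user"], rec["ts"]))
        if rec["result"] == "denied" and rec["event"] in AUTHORIZED.get(rec["user"], set()):
            false_positives += 1               # an authorized entity was hindered
    return alerts, false_positives


if __name__ == "__main__":
    found, fp = analyze(SAMPLE_LOG)
    for kind, user, when in found:
        print(f"{when.isoformat()} {kind} user={user}")
    print("authorized actions denied (false positives):", fp)
```

The false-positive counter is the part most often left out: a control that blocks an operator's legitimate setpoint change is an availability problem on the IACS, and the rationale for 10.11.1 is that the monitoring parameters be tuned with that number in view, not only with the alert count.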
11 Access Control
11.1 Introduction

11.2 Business Requirement
11.2.1 Access Control Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Foundational Requirement:
Rationale/Supplemental Guidance:
The access control policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.

11.2.2 System and Information Integrity Policy and Procedures
Requirement:
The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity requirements.
Foundational Requirement:
Rationale/Supplemental Guidance:
The system and information integrity policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance.
The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular IACS, when required.
Requirement Enhancements: None.

11.2.3 Flaw Remediation
Requirement:
The organization shall identify, report, and correct IACS flaws.
Foundational Requirement:
Rationale/Supplemental Guidance:
The organization identifies IACS containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security-relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's IACS before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or IACS error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. The flaw remediation process shall be consistent with certification, safety and regulatory testing requirements.
Requirement Enhancements:
(1) The organization centrally manages the flaw remediation process and installs updates automatically.
(2) The organization employs automated mechanisms to periodically and upon demand determine the state of IACS components with regard to flaw remediation.

11.3 User Access Management
11.3.1 Account Management
Foundational Requirement:
Requirement:
The organization reviews accounts [Assignment: organization-defined frequency, at least annually]. A history of account changes shall be maintained, if only manually.
Foundational Requirement:
Rationale/Supplemental Guidance:
Account management includes the identification of account types (e.g., individual, role-based, device-based, and system), establishment of conditions for group membership, and assignment of associated authorizations. In certain IACS instances, where the organization has determined that individual accounts are unnecessary from a risk-analysis and/or regulatory aspect, shared accounts are acceptable as long as adequate compensating controls (such as limited physical access) are in place and documented.
Non-user accounts (sometimes termed service accounts) that are utilized for process-to-process communication (for example, an HMI connecting to a database) typically require different security policies from human user accounts.
The organization identifies authorized users of the IACS and specifies access rights/privileges. The organization grants access to the IACS based on:
(i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all functional and security criteria; and
(ii) intended system usage. The organization requires proper identification for requests to establish accounts and approves all such requests.
(iii) The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures
unnecessary accounts. Account managers are notified when IACS users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured.
(iv) Account managers are also notified when users' IACS usage or need-to-know/need-to-share changes. In cases where accounts are role-based, i.e., the workstation, hardware, and/or field devices define a user role, access to the IACS includes physical security policies and procedures based on the organization's risk assessment.
(v) In cases where physical access to the workstation, hardware, and/or field devices predefines privileges, the organization implements physical security policies and procedures based on the organization's risk assessment. Account management may include additional account types (e.g., role-based, device-based, attribute-based). The organization removes, changes, disables, or otherwise secures default accounts.
Requirement Enhancements:
(1) The organization has policies and procedures to terminate guest or temporary accounts after [Assignment: organization-defined time period for each type of account].
(2) The organization has policies and procedures to disable inactive accounts after [Assignment: organization-defined time period].
(3) The organization employs mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
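The periodic account review of 11.3.1 and its three enhancements, as an added example that is not part of ISA-62443-2-2: one pass over the account list that flags guest or temporary accounts past their expiry, accounts inactive beyond the organization-defined period, and vendor default accounts still on their default credential, and that appends every action to the account change history. The account records, the periods, the default-account names and the review date are constructed; an organization reads its accounts from its directory or the device's user database and applies its own periods.

```python
"""Periodic account review for 11.3.1: flag inactive accounts, guest or
temporary accounts past their expiry and vendor default accounts that were
never secured, and append each action to the account change history.

Added example, not part of ISA-62443-2-2. Account records, the time periods,
the default-account names and the review date are constructed; an
organization would read the accounts from its directory or device user
database and use its own organization-defined periods.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                                   # "user", "service", "guest" or "temporary"
    last_logon: Optional[date]
    expires: Optional[date] = None              # guest/temporary accounts carry an expiry
    enabled: bool = True
    credential_changed: Optional[date] = None   # None: still on the vendor default credential


# Organization-defined inactivity periods per account type (constructed values).
# Service accounts are deliberately absent: the text notes they follow a different policy.
INACTIVE_AFTER = {"user": timedelta(days=90), "guest": timedelta(days=7),
                  "temporary": timedelta(days=30)}
DEFAULT_ACCOUNTS = {"admin", "guest", "Administrator"}   # vendor defaults (constructed)


def review(accounts, today, history):
    """Return [(account, action)] and append a dated entry per action to history."""
    actions = []

    def act(acct, action, reason):
        actions.append((acct.name, action))
        history.append({"date": today, "account": acct.name,
                        "action": action, "reason": reason})

    for acct in accounts:
        if not acct.enabled:
            continue                                   # already secured
        if acct.kind in ("guest", "temporary") and acct.expires and acct.expires < today:
            act(acct, "terminate", "guest/temporary account past its expiry date")
            continue
        limit = INACTIVE_AFTER.get(acct.kind)
        if limit and (acct.last_logon is None or today - acct.last_logon > limit):
            act(acct, "disable", f"no logon within {limit.days} days")
            continue
        if acct.name in DEFAULT_ACCOUNTS and acct.credential_changed is None:
            act(acct, "secure_default", "vendor default account still on default credential")
    return actions


REVIEW_DATE = date(2013, 4, 2)
SAMPLE_ACCOUNTS = [
    Account("operator1", "user", REVIEW_DATE - timedelta(days=10)),
    Account("eng_old", "user", REVIEW_DATE - timedelta(days=120)),
    Account("vendor_tmp", "temporary", REVIEW_DATE - timedelta(days=2),
            expires=REVIEW_DATE - timedelta(days=1)),
    Account("svc_historian", "service", None),
    Account("admin", "user", REVIEW_DATE - timedelta(days=1)),
    Account("guest", "guest", None, enabled=False),
    Account("contractor", "temporary", REVIEW_DATE - timedelta(days=40),
            expires=REVIEW_DATE + timedelta(days=10)),
]

if __name__ == "__main__":
    change_history = []
    for name, action in review(SAMPLE_ACCOUNTS, REVIEW_DATE, change_history):
        print(f"{action:15} {name}")
    print(len(change_history), "entries added to the account change history")
```

The review only produces the action list; in an IACS the disable or terminate step itself goes through change management, since a service account that looks inactive because it authenticates by certificate rather than by logon can be load-bearing for the process.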
11.3.2 Separation of Duties
Foundational Requirement:
Requirement:
When assigning permissions and/or roles to users, the organization shall obey the separation of duties as outlined in its security policy.
Foundational Requirement:
Rationale/Supplemental Guidance:
The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Examples of separation of duties include:
(i) mission functions and distinct IACS support functions are divided among different individuals/roles;
(ii) different individuals perform IACS support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security);
(iii) security personnel who administer access control functions do not administer audit functions.
Requirement Enhancements: None.

11.4 User Responsibilities
11.4.1 {Requirement}
Requirement:
Foundational Requirement:
Rationale/Supplemental Guidance:
Requirement Enhancements:

11.5 Network Access Control
11.5.1 Least Privilege
Foundational Requirement:
Requirement:
The organization shall enforce the set of rights/privileges or accesses, as required by ISA 99.02.xx, needed by the asset owner (or processes acting on behalf of the asset owner) for the performance of specified tasks.
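A check that puts the separation-of-duties examples of 11.3.2 and the least-privilege requirement of 11.5.1 side by side, added here as an example that is not part of ISA-62443-2-2: given a role-to-permission map and the permissions each specified task needs, it lists users holding both sides of a conflict pair and users whose effective rights exceed or fall short of their tasks. The roles, permissions, tasks, conflict pairs and user assignments are constructed; the conflict pairs follow examples (ii) and (iii) above.

```python
"""Check role assignments against separation-of-duties rules (11.3.2) and
compare each user's effective permissions with what their tasks need
(11.5.1).

Added example, not part of ISA-62443-2-2. The role-to-permission map, the
task-to-permission map, the conflict pairs and the user assignments are
constructed; the conflict pairs follow examples (ii) and (iii) of 11.3.2.
"""

ROLE_PERMS = {
    "operator":     {"view_process", "change_setpoint"},
    "engineer":     {"view_process", "edit_logic", "download_plc"},
    "access_admin": {"manage_accounts", "assign_roles"},
    "audit_admin":  {"read_audit", "configure_audit", "clear_audit"},
    "config_mgr":   {"approve_change", "deploy_config"},
    "qa_tester":    {"test_config"},
}

# A single user must not hold a permission from both sides of a pair.
SOD_CONFLICTS = [
    ({"manage_accounts", "assign_roles"}, {"configure_audit", "clear_audit"}),  # (iii) access vs audit admin
    ({"edit_logic", "download_plc"}, {"approve_change"}),                        # (ii) programming vs change approval
    ({"deploy_config"}, {"test_config"}),                                        # (ii) deployment vs testing
]

# Least privilege: the permissions each specified task actually needs.
TASK_NEEDS = {
    "run_plant":           {"view_process", "change_setpoint"},
    "maintain_logic":      {"view_process", "edit_logic", "download_plc"},
    "administer_accounts": {"manage_accounts", "assign_roles"},
    "review_audit":        {"read_audit"},
}


def effective_perms(roles):
    """Union of the permissions granted by a user's roles."""
    return set().union(*(ROLE_PERMS[r] for r in roles))


def sod_violations(assignments):
    """[(user, held_left, held_right)] for every user holding both sides of a conflict."""
    found = []
    for user, roles in assignments.items():
        perms = effective_perms(roles)
        for left, right in SOD_CONFLICTS:
            if perms & left and perms & right:
                found.append((user, tuple(sorted(perms & left)), tuple(sorted(perms & right))))
    return found


def privilege_gaps(assignments, user_tasks):
    """{user: {'excess': ..., 'missing': ...}} for users whose rights and tasks disagree."""
    gaps = {}
    for user, roles in assignments.items():
        held = effective_perms(roles)
        needed = set().union(*(TASK_NEEDS[t] for t in user_tasks.get(user, [])))
        excess, missing = held - needed, needed - held
        if excess or missing:
            gaps[user] = {"excess": excess, "missing": missing}
    return gaps


ASSIGNMENTS = {
    "alice": ["operator"],
    "bob":   ["engineer", "config_mgr"],
    "carol": ["access_admin", "audit_admin"],
    "dave":  ["engineer"],
}
USER_TASKS = {
    "alice": ["run_plant"],
    "bob":   ["maintain_logic"],
    "carol": ["administer_accounts"],
    "dave":  ["run_plant"],
}

if __name__ == "__main__":
    for user, left, right in sod_violations(ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {left} together with {right}")
    for user, gap in privilege_gaps(ASSIGNMENTS, USER_TASKS).items():
        print(f"{user}: excess={sorted(gap['excess'])} missing={sorted(gap['missing'])}")
```

Both checks are only as good as the two tables: a role that quietly bundles "clear_audit" into an administrator role defeats rule (iii) without any user holding two roles, so the role-to-permission map is what the periodic review should compare against the security policy.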
Foundational Requirement:
Rationale/Supplemental Guidance:
The organization employs the concept of least privilege for specific duties and IACS (zones and conduits) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.
Requirement Enhancements: None.

11.5.2 Permitted Actions Without Identification or Authentication
Foundational Requirement:
Requirement:
The organization shall identify and document (log) specific IACS user actions that can be performed on the IACS without additional identification or authentication, if and only if prior identification and authentication have already occurred.
Foundational Requirement:
Rationale/Supplemental Guidance:
The organization may allow limited IACS user activity without identification and authentication for corrective actions (e.g., emergency). The intent is to prevent repeated unnecessary identification and/or authentication.
Requirement Enhancements:
(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.

11.5.3 Remote Access
Foundational Requirement:
Requirement:
The organization shall authorize all methods of remote access to the IACS.
Foundational Requirement:
Rationale/Supplemental Guidance:
Remote access is any access to an IACS by an IACS user (human user, process, or device) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access to IACS component locations (e.g., control center, field locations) is only enabled when approved by the organization.
Requirement Enhancements:
(1) The organization controls all remote accesses through a limited number of managed access control points.
(2) The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the IACS.

11.5.4 Use of External Information Systems
Foundational Requirement:
Requirement:
The organization shall establish terms and conditions for authorized individuals to: (i) access the IACS from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.
Foundational Requirement:
Rationale/Supplemental Guidance:
External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants) and privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports).
Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational IACS.
The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address as a minimum: (i) the types of applications that can be accessed on the organizational IACS from the external information system; and (ii) the maximum capable system category of information that can be transmitted to or processed and stored on the external information system.

Requirement Enhancements:

(1) The organization prohibits authorized individuals from using an external information system to access the IACS or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization’s information security policy and system security plan; or (ii) has approved IACS connection or processing agreements with the organizational entity hosting the external information system.

(2) The organization provides a domain of filtered control for access by external IACS users, and limits access only to this domain.

(3) The organization provides a separate domain of information for read-only or download-only access by external IACS users and limits access only to this domain.

11.6 Operating System Access Control

11.6.1 {Requirement}

Requirement:

Foundational Requirement:
Rationale/Supplemental Guidance:

Requirement Enhancements:

11.7 Application and Information Access Control

11.7.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

11.8 Mobile Computing and Teleworking

11.8.1 Wireless Access Restrictions

Foundational Requirement:

Requirement: The organization shall produce implementation guidance for wireless technologies.

Foundational Requirement:

Rationale/Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio [UHF/VHF], 802.11x, 802.15.4 (ZigBee, WirelessHART, ISA100.11a), and Bluetooth.

Requirement Enhancements:

(1) The organization shall deploy continuous passive monitoring for unauthorized wireless access points and take appropriate action if such access points are discovered.

Foundational Requirement:

Rationale/Supplemental Guidance: At the time of publication of this document, these access points are typically based on 802.11x technology. In the future this will change, and other wireless technologies will need to be monitored as well. Regardless, organizations should conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact IACS. The scan should involve the entire facility, not just the areas containing a high-impact IACS.

11.8.2 Use Control for Portable and Mobile Devices

Foundational Requirement:

Requirement: The organization shall produce implementation guidance for organization-controlled portable and mobile devices.
Foundational Requirement:

Rationale/Supplemental Guidance: Portable and mobile devices may introduce undesired network traffic, malware and/or information exposure, and thus there should be specific control associated with their usage in the typical IACS environment.

Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity) are only allowed access to the IACS in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).

Requirement Enhancements: None.

11.8.3 Mobile Code

Foundational Requirement:

Requirement: The organization shall produce implementation guidance regarding the use of mobile code technologies based on the potential to cause damage to the IACS.
Foundational Requirement:

Rationale/Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the IACS. For example, mobile code exchanges might be disallowed directly with the IACS and instead confined to a controlled adjacent information environment maintained by IACS personnel.

Requirement Enhancements: None.

11.8.4 Supervision and Review – Use Control

Foundational Requirement:

Requirement: The organization shall supervise and review the activities of IACS users with respect to the enforcement and usage of IACS assets.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual IACS-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of IACS users with significant IACS roles and responsibilities. The extent of the audit record reviews is based on the impact level of the IACS. For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers, and when specific circumstances warrant review of other audit records.
Requirement Enhancements:

(1) The organization develops a baseline of normal IACS user behavior and allowable variances, and employs automated mechanisms to facilitate the review of user activities.

11.8.5 Identification and Authentication Policy and Procedures

Foundational Requirement:

Requirement: The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls for IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures the identification and authentication policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
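The baseline-and-variance review that 11.8.4 enhancement (1) calls for, as an added example that is not part of the standard: a per-user baseline (workstations used, actions performed, hours of activity) is built from a known-good period, and records from the review period that fall outside it, with an allowable variance of one hour either side, are flagged for the reviewer. The log format, user names, workstation names and action names are constructed for this illustration and are not taken from any real system or from ISA-62443.

```python
"""Baseline-and-variance review of IACS user activity (added illustration)."""
from datetime import datetime

# Constructed audit records: "<ISO timestamp> <user> <workstation> <action>".
BASELINE_LOG = """\
2013-03-04T07:58:10 jdoe HMI-01 login
2013-03-04T08:05:42 jdoe HMI-01 setpoint_change
2013-03-04T16:02:01 jdoe HMI-01 logout
2013-03-05T07:55:30 jdoe HMI-02 login
2013-03-05T15:58:11 jdoe HMI-02 logout
2013-03-04T22:01:15 eng1 ENG-01 login
2013-03-04T23:40:00 eng1 ENG-01 logic_download
2013-03-05T01:10:09 eng1 ENG-01 logout
"""

# Constructed records for the period under review.
REVIEW_LOG = """\
2013-03-11T08:01:00 jdoe HMI-01 login
2013-03-11T08:30:00 jdoe HMI-01 logic_download
2013-03-11T03:15:00 jdoe ENG-01 login
2013-03-11T22:30:00 eng1 ENG-01 login
2013-03-11T22:45:00 eng1 ENG-01 logic_download
"""

HOUR_SLACK = 1  # allowable variance (hours) either side of observed activity hours


def parse(log):
    """Turn log text into (timestamp, user, workstation, action) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        records.append((datetime.fromisoformat(ts), user, host, action))
    return records


def build_baseline(records):
    """Per user: workstations used, actions performed and hours of the day active."""
    baseline = {}
    for ts, user, host, action in records:
        b = baseline.setdefault(user, {"hosts": set(), "actions": set(), "hours": set()})
        b["hosts"].add(host)
        b["actions"].add(action)
        b["hours"].add(ts.hour)
    return baseline


def allowed_hours(hours, slack=HOUR_SLACK):
    """Observed hours widened by the allowable variance, wrapping around midnight."""
    return {(h + d) % 24 for h in hours for d in range(-slack, slack + 1)}


def review(records, baseline):
    """Return (timestamp, user, reason) findings for records outside the baseline."""
    findings = []
    for ts, user, host, action in records:
        b = baseline.get(user)
        if b is None:
            findings.append((ts, user, "user has no baseline"))
            continue
        if host not in b["hosts"]:
            findings.append((ts, user, f"new workstation {host}"))
        if action not in b["actions"]:
            findings.append((ts, user, f"new action {action}"))
        if ts.hour not in allowed_hours(b["hours"]):
            findings.append((ts, user, f"activity at {ts:%H:%M} outside baseline hours"))
    return findings


def run_review():
    """Build the baseline from the sample period and review the second period."""
    return review(parse(REVIEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, reason in run_review():
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

On the constructed data the operator's night-time login from an engineering workstation and a first-ever logic download are the only findings; the engineer's overnight logic download is normal for that role and is not reported, which is the point of a per-user baseline rather than a single site-wide rule. Users with significant IACS roles can be reviewed on a shorter cycle simply by running the review over their records more often.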
11.8.6 Identifier Management

Foundational Requirement:

Requirement: The organization shall manage identifiers by user, group, role, and/or system interface. An appropriate organization official or group is responsible for authorizing the issuance of user identifiers, issuing the user identifier to the intended party, and archiving user identifiers.

Foundational Requirement:

Rationale/Supplemental Guidance: Identifiers are distinguished from the privileges which they permit an entity to perform within a specific IACS control domain/zone (see also 2.6, Authenticator Management). Where users function as a single group (e.g., control room operators), user identification may be role-based, group-based, or device-based. For some IACS, the capability for immediate operator interaction is critical. Local emergency actions for the IACS must not be hampered by identification requirements. Access to these systems may be restricted by appropriate compensating security mechanisms. Identifiers may be required on portions of the IACS but not necessarily the entire system.

For very high SAL level IACS the requirement for maximum control is increased, not decreased. Security measures that have the potential to cause loss of control in process operations are not acceptable. In these cases, to maintain the higher SAL levels, compensating measures external to the IACS (e.g., additional physical security measures and/or enhanced personnel background checks) will be needed. In these cases, it may be possible to see a normally high SAL level IACS at a lower SAL 1 or 2 rating, depending upon the compensating controls. Lockout or loss of control due to security measures is not acceptable in high availability IACS.

Requirement Enhancements:

(1) The organization shall verify the identity of each IACS user. This verification may be maintained separately from the IACS (such as by the appropriate HR group).

11.8.7 Authenticator Management

Foundational Requirement:

Requirement: The organization shall establish administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS authenticators include, for example, tokens, public key certificates, biometrics, passwords, physical keys, and key cards. IACS users should take reasonable measures to safeguard authenticators, including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. In the case of a process or device, such users should also take measures to protect their IACS authenticators.

If the IACS is required to have a high level of availability, measures must be taken to maintain this high level of availability (e.g., compensating physical controls, duplicate keys, supervisory override). Lockout or loss of control due to security measures is not acceptable.

Requirement Enhancements: None.

11.8.8 Software and Information Integrity

Requirement: The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.
Foundational Requirement:

Rationale/Supplemental Guidance: This requirement complements related Access Control requirements. Access Control involves enforcing the roles, permissions, and use patterns as designed. Integrity verification methods are employed to detect, record, report, and protect against the effects of software and information tampering that may occur if other protection mechanisms (e.g., Access Control) have been circumvented.

Requirement Enhancements: None.

11.8.9 Information Input Restrictions

Requirement: Restrictions on entities authorized to input information to the IACS may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.10 Error Handling

Requirement: The extent to which the IACS identifies and handles error conditions shall be guided by organizational policy and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.

11.8.11 Information Output Handling and Retention

Requirement: The organization shall handle and retain output from the IACS in accordance with applicable laws, directives, policies, regulations, standards, and operational requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.

11.8.12 Boundary Protection

Requirement: The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services.

Foundational Requirement:

Rationale/Supplemental Guidance: Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third-party provided access lines and other service elements. Consequently, such interconnecting communication services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

Requirement Enhancements:

(1) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
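One form the integrity scan of 11.8.8 can take, as an added example that is not part of the standard: the files making up a component's software load are hashed with SHA-256 into a baseline stored away from the component, and each scheduled rescan is compared against that baseline so that modified, added and removed files are detected, recorded and reported even if the access controls that should have prevented the change were circumvented. The directory tree, file names and contents built by demo() are constructed for this illustration.

```python
"""Periodic software/information integrity scan against a stored hash baseline (added illustration)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snapshot, baseline_file):
    """Persist the baseline; in practice keep it off the component or on read-only media."""
    Path(baseline_file).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Baseline a constructed software load, alter it, and rescan; returns the differences."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"original HMI binary")
        (root / "config.ini").write_text("mode=run\n")
        (root / "recipe.csv").write_text("batch,1\n")
        baseline_file = Path(store) / "baseline.json"   # kept outside the scanned tree
        save_baseline(hash_tree(root), baseline_file)

        # Changes made between two scheduled scans (constructed).
        (root / "bin" / "hmi.exe").write_bytes(b"replaced HMI binary")
        (root / "config.ini").write_text("mode=run\n")   # rewritten, content unchanged
        (root / "recipe.csv").unlink()
        (root / "unexpected.dll").write_bytes(b"not part of the baselined load")

        return compare(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A rewrite that leaves the content identical (config.ini above) is correctly not reported, since the comparison is on content hashes rather than timestamps; on a real component the scan result should itself be logged and reviewed on the organization-defined frequency.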
12 Systems acquisition, development and maintenance

12.1 Introduction

12.2 Security requirements of information systems

12.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.3 Correct Processing in Applications

12.3.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.4 Cryptographic Controls

12.4.1 Cryptographic Module Validation

Requirement: If cryptography is required, the IACS shall employ validated cryptographic modules as applicable laws, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module may require.

Foundational Requirement:

Rationale/Supplemental Guidance: The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. The most effective safeguard in the procurement process is to use a cryptographic module validated by a recognized third-party authority, e.g., the Cryptographic Module Validation Program.

Requirement Enhancements: None.

12.5 Security of System Files

12.5.1 {Requirement}

Requirement:
Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.6 Security in development and support processes

12.6.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

12.7 Technical vulnerability management

12.7.1 Configuration Management Policy and Procedures

Requirement: The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

12.7.2 Baseline Configuration

Requirement: The organization shall develop, document, and maintain a current baseline configuration of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: This requirement establishes a baseline configuration for the IACS.
The baseline configuration provides information about a particular component’s makeup (e.g., the standard software load for a workstation or notebook computer, including updated patch information) and the component’s logical placement within the IACS architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the IACS is built; deviations, if required, are documented in support of mission needs/objectives.

Requirement Enhancements:

(1) The organization updates the baseline configuration of the IACS as an integral part of IACS component installations.

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the IACS.

12.7.3 Configuration Change Control

Requirement: The organization shall authorize, document, and control changes to the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization manages configuration changes to the IACS using an organizationally approved process. Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the IACS, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers).
The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the IACS include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the IACS.

Requirement Enhancements:

(1) The organization employs automated mechanisms to: (i) document proposed changes to the IACS; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the IACS.

(2) The organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization ensures that testing does not interfere with IACS functions. The individual/group conducting the tests fully understands the organizational information security policies and procedures, the IACS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production IACS may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an IACS must be taken off-line for testing, the tests are scheduled to occur during planned IACS outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production IACS, the organization employs compensating controls (e.g., providing a replicated system to conduct testing).
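The five automated mechanisms of 12.7.3 enhancement (1), together with the rationale's rule that implementation approval includes a successful security analysis, as an added example that is not part of the standard: a change request is documented when proposed, each approval authority is notified, approvals still outstanding after a chosen waiting period are highlighted, implementation is refused until every approval and the security analysis are recorded, and the completed change is documented. The change ID, role names and description are constructed for this illustration.

```python
"""Automated configuration change control gate (added illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class ChangeNotApproved(Exception):
    """Raised when implementation is attempted before the change is cleared."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    proposed_at: datetime
    required_approvers: set
    approvals: dict = field(default_factory=dict)  # approver -> approval time
    security_analysis_passed: bool = False
    implemented_at: datetime = None


class ChangeControl:
    def __init__(self):
        self.changes = {}
        self.notifications = []  # (approver, change_id): stand-in for ticket/e-mail alerts

    def propose(self, change_id, description, approvers, now):
        """(i) document the proposal and (ii) notify each approval authority."""
        cr = ChangeRequest(change_id, description, now, set(approvers))
        self.changes[change_id] = cr
        for approver in sorted(cr.required_approvers):
            self.notifications.append((approver, change_id))
        return cr

    def approve(self, change_id, approver, now):
        cr = self.changes[change_id]
        if approver not in cr.required_approvers:
            raise ValueError(f"{approver} is not an approval authority for {change_id}")
        cr.approvals[approver] = now

    def record_security_analysis(self, change_id, passed):
        self.changes[change_id].security_analysis_passed = passed

    def missing_approvals(self, change_id):
        cr = self.changes[change_id]
        return cr.required_approvers - set(cr.approvals)

    def overdue(self, now, max_wait):
        """(iii) approvals still outstanding more than max_wait after the proposal."""
        return [(cid, approver)
                for cid, cr in sorted(self.changes.items())
                if cr.implemented_at is None and now - cr.proposed_at > max_wait
                for approver in sorted(self.missing_approvals(cid))]

    def implement(self, change_id, now):
        """(iv) inhibit until cleared, then (v) record the completed change."""
        cr = self.changes[change_id]
        missing = self.missing_approvals(change_id)
        if missing:
            raise ChangeNotApproved(f"{change_id} awaiting: {', '.join(sorted(missing))}")
        if not cr.security_analysis_passed:
            raise ChangeNotApproved(f"{change_id} has no passing security analysis")
        cr.implemented_at = now
        return cr

    def completed(self):
        return [cid for cid, cr in sorted(self.changes.items()) if cr.implemented_at]


def demo():
    """Walk one constructed change through the gate and report what each step saw."""
    cc = ChangeControl()
    t0 = datetime(2013, 4, 1, 9, 0)
    cc.propose("CR-1", "Open historian port on cell-1 firewall",
               ["ops_lead", "security_officer"], t0)
    cc.approve("CR-1", "ops_lead", t0 + timedelta(hours=2))
    try:
        cc.implement("CR-1", t0 + timedelta(hours=3))   # second approval still missing
        blocked = False
    except ChangeNotApproved:
        blocked = True
    overdue = cc.overdue(t0 + timedelta(days=3), timedelta(days=2))
    cc.approve("CR-1", "security_officer", t0 + timedelta(days=3))
    try:
        cc.implement("CR-1", t0 + timedelta(days=3, hours=1))   # approved, not yet analysed
        blocked_without_analysis = False
    except ChangeNotApproved:
        blocked_without_analysis = True
    cc.record_security_analysis("CR-1", True)
    cc.implement("CR-1", t0 + timedelta(days=4))
    return {"notified": cc.notifications, "blocked_before_approval": blocked,
            "overdue_at_day3": overdue, "blocked_without_analysis": blocked_without_analysis,
            "completed": cc.completed(),
            "still_overdue": cc.overdue(t0 + timedelta(days=10), timedelta(days=2))}
```

The gate is deliberately a pure record of state: it never applies the change itself, it only refuses to mark a change implementable until the documented approvals exist, which is what lets the records later serve the audit of configuration change activity that the rationale requires.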
12.7.4 Monitoring Configuration Changes

Requirement: The organization shall conduct security impact analyses to determine the effects of configuration changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the IACS for potential adverse security consequences. After the IACS is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the IACS. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the IACS.

Requirement Enhancements: None.

12.7.5 Access Restrictions for Change

Requirement: The organization shall: (i) approve individual access privileges and enforce physical and logical access restrictions associated with changes to the IACS; and (ii) generate, retain, and review records reflecting all such changes.

Foundational Requirement:

Rationale/Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the IACS can have significant effects on the overall security of the system.
Accordingly, only qualified and authorized individuals obtain access to IACS components for purposes of initiating changes, including upgrades and modifications.

Requirement Enhancements:

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

12.7.6 Network and Security Configuration Settings

Requirement: The IACS vendor shall provide guidelines for recommended network and security configurations. The organization shall, based upon guidelines provided by the vendor: (i) establish mandatory network and security configuration settings for IACS components; (ii) configure these settings to the most restrictive mode consistent with operational requirements; (iii) document these settings; and (iv) enforce these settings in all components of the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: These configuration settings are the adjustable parameters of the IACS components.

Requirement Enhancements:

(1) The organization shall employ automated mechanisms to centrally manage, apply, and verify configuration settings.

12.7.7 IACS Component Inventory

Requirement: The organization shall develop, document, and maintain a current inventory of the components of the IACS and relevant ownership information.
Foundational Requirement:

Rationale/Supplemental Guidance: The organization determines the appropriate level of granularity for the IACS components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of IACS components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the IACS.

Requirement Enhancements:

(1) The organization updates the inventory of IACS components as an integral part of component installations.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of IACS components.

12.7.8 System Maintenance Policy and Procedures

Requirement: The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented IACS maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the IACS maintenance policy and associated system maintenance controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The IACS maintenance policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The IACS maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
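The automated verification that 12.7.2 (2), 12.7.6 (1) and 12.7.7 (2) each call for can be one check, as an added example that is not part of the standard: a scan of what is actually on the network is compared against the documented baseline configuration (software load and settings per component, with owner and zone as inventory data) and against the mandatory settings derived from vendor guidance. It reports components that are not in the inventory, inventory components that were not seen, software drift from the baseline, settings outside the permitted values, and settings that are permitted but differ from the documented baseline (which 12.7.2 says must be documented as deviations). Component names, firmware strings and setting names are constructed for this illustration and are not vendor values.

```python
"""Baseline, mandatory-setting and inventory audit for IACS components (added illustration)."""

# Documented baseline and inventory: one entry per authorised component (constructed).
BASELINE = {
    "PLC-01": {"owner": "Process Control", "zone": "cell-1", "firmware": "4.2.1",
               "settings": {"web_server": "off", "snmp": "v3", "password_policy": "strict"}},
    "HMI-01": {"owner": "Operations", "zone": "cell-1", "firmware": "7.0 SP1",
               "settings": {"remote_desktop": "off", "autorun": "off", "usb_storage": "off"}},
}

# Mandatory settings (12.7.6): the values the organization permits, most restrictive
# first; a component's baseline may choose a stricter value than the minimum.
MANDATORY = {
    "web_server": ["off"],
    "snmp": ["v3"],
    "password_policy": ["strict"],
    "remote_desktop": ["off"],
    "autorun": ["off"],
    "usb_storage": ["off", "read_only"],
}

# Constructed result of an automated scan of the cell-1 network.
OBSERVED = {
    "PLC-01": {"firmware": "4.2.1",
               "settings": {"web_server": "on", "snmp": "v3", "password_policy": "strict"}},
    "HMI-01": {"firmware": "7.0",
               "settings": {"remote_desktop": "off", "autorun": "off", "usb_storage": "read_only"}},
    "LAPTOP-77": {"firmware": "n/a", "settings": {}},
}


def audit(baseline, mandatory, observed):
    """Return (component, category, detail) findings, ordered by component name."""
    findings = []
    for cid in sorted(set(baseline) | set(observed)):
        if cid not in baseline:
            findings.append((cid, "unknown_component", "seen on network but not in inventory"))
            continue
        if cid not in observed:
            findings.append((cid, "missing_component", "in inventory but not seen on network"))
            continue
        b, o = baseline[cid], observed[cid]
        if o.get("firmware") != b["firmware"]:
            findings.append((cid, "software_drift",
                             f"baseline {b['firmware']!r}, observed {o.get('firmware')!r}"))
        for key, allowed in sorted(mandatory.items()):
            if key not in b["settings"]:
                continue  # setting does not apply to this component class
            value = o["settings"].get(key)
            if value not in allowed:
                findings.append((cid, "mandatory_setting_violation",
                                 f"{key}={value!r}, permitted {allowed}"))
            elif value != b["settings"][key]:
                findings.append((cid, "baseline_deviation",
                                 f"{key}={value!r}, baseline {b['settings'][key]!r}"))
    return findings


def register_component(baseline, cid, owner, zone, firmware, settings):
    """12.7.2 (1) and 12.7.7 (1): record a new installation in baseline and inventory."""
    baseline[cid] = {"owner": owner, "zone": zone, "firmware": firmware,
                     "settings": dict(settings)}
    return baseline


if __name__ == "__main__":
    for cid, category, detail in audit(BASELINE, MANDATORY, OBSERVED):
        print(f"{cid:10} {category:28} {detail}")
```

A missing setting is reported as a violation (its value is None, which no permitted list contains) rather than silently passing, so a component that cannot report a mandatory setting is surfaced for follow-up instead of assumed compliant.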
12.7.9 Controlled Maintenance

Requirement: The organization shall schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the IACS in accordance with vendor, system integrator, and/or organizational specifications and requirements.

Foundational Requirement:

Rationale/Supplemental Guidance: All maintenance activities, including routine, scheduled maintenance and repairs, are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. Organizational officials approve the removal of the IACS or IACS components from the facility when repairs are necessary. If the IACS or a component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the IACS, the organization checks all potentially affected security controls to verify that the controls are still functioning properly.

Requirement Enhancements:

(1) The organization maintains maintenance records for the IACS that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).
(2) The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.

12.7.10 Maintenance Tools

Requirement: The organization shall approve, control, and monitor the use of IACS maintenance tools and maintain the tools on an ongoing basis.

Foundational Requirement:

Rationale/Supplemental Guidance: The intent of this requirement is to address hardware and software brought into the IACS specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support IACS maintenance, yet are a part of the system (e.g., the software implementing “ping”, “ls”, “ipconfig” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this requirement.

Requirement Enhancements:

(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

Foundational Requirement:

Rationale/Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the IACS.

(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the IACS.
(3) The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.

(4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.

12.7.11 Remote Maintenance

Requirement: The organization shall authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed.

Foundational Requirement:

Rationale/Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). The use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the IACS. The organization maintains records for all remote maintenance and diagnostic activities. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) encryption and decryption of communications; (ii) strong identification and authentication techniques; and (iii) remote disconnect verification.
When remote maintenance is completed, the organization (or the IACS in certain cases) terminates all sessions and remote connections invoked in the performance of that activity. If password-based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service. The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.

Requirement Enhancements:

(1) The organization audits all remote maintenance and diagnostic sessions, and appropriate organizational personnel review the maintenance records of the remote sessions.

(2) The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the IACS.

12.7.12 Maintenance Personnel

Requirement: The organization shall allow only authorized personnel to perform maintenance on the IACS.

Foundational Requirement:

Rationale/Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the IACS when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability. When maintenance personnel do not have needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the IACS.

Requirement Enhancements: None.

12.7.13 Timely Maintenance

Requirement: The organization shall obtain maintenance support and spare parts for [Assignment: organization-defined list of key IACS components] within [Assignment: organization-defined time period] of failure.

Foundational Requirement:

Rationale/Supplemental Guidance: None.
Requirement Enhancements: None.

13 Incident Management

13.1 Introduction

13.2 Reporting Security Events and Weaknesses

13.2.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

13.3 Management of Incidents and Improvements

13.3.1 Incident Response Policy and Procedures

Requirement: The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.
13.3.2 Incident Response Training

Requirement: The organization shall train personnel in their incident response roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

13.3.3 Incident Response Testing and Exercises

Requirement: The organization shall test and/or exercise the incident response capability for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and document the results.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
Foundational Requirement:

Rationale/Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the incident response capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability.

13.3.4 Incident Handling

Requirement: The organization shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Foundational Requirement:

Rationale/Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.

Requirement Enhancements:

(1) The organization employs automated mechanisms to support the incident handling process.

13.3.5 Incident Monitoring

Requirement: The organization shall track and document IACS security incidents on an ongoing basis.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
13.3.6 Incident Reporting

Requirement: The organization shall promptly report incident information to appropriate authorities.

Foundational Requirement:

Rationale/Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The United States Computer Emergency Readiness Team (US-CERT) maintains the IACS Security Center at http://www.uscert.gov/control_systems. In addition to incident information, weaknesses and vulnerabilities in the IACS are reported to appropriate organizational officials in a timely manner to prevent security incidents.

Requirement Enhancements:

(1) The organization employs automated mechanisms to assist in the reporting of security incidents.

13.3.7 Incident Response Assistance

Requirement: The organization shall provide an incident response support resource that offers advice and assistance to users of the IACS for the handling and reporting of security incidents. The support resource is an integral part of the organization's incident response capability.

Foundational Requirement:

Rationale/Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.

Requirement Enhancements:

(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.
13.3.8 IACS Monitoring Tools and Techniques

Requirement: The organization shall determine the required granularity of the information collected based upon its monitoring objectives and the capability of the IACS to support such activities. This includes monitoring inbound and outbound communications for unusual or unauthorized activities or conditions.

Foundational Requirement:

Rationale/Supplemental Guidance: Organizations consult appropriate legal counsel with regard to all IACS monitoring activities. Organizations heighten the level of IACS monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Requirement Enhancements:

(1) The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
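As an added example (not part of the standard's text), the following Python script shows one way to implement the inbound/outbound monitoring of 13.3.8 together with the heightened-monitoring behaviour its guidance calls for: every flow that crosses a zone boundary is checked against an allow list of authorized conduits, and the volume threshold tightens when monitoring is heightened. The zone address ranges, conduit table, thresholds and flow records are constructed sample values.

```python
"""Conduit monitor (added example): checks IACS boundary flows against an
allow list of authorized conduits and reports unauthorized or unusual traffic.
Zone ranges, conduits, thresholds and flow records below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map (example address ranges, not from the standard).
ZONES = {
    "control": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "enterprise": ip_network("10.30.0.0/16"),
}

# Authorized conduits as (src_zone, dst_zone, proto, dst_port); everything
# else that crosses a zone boundary is reported.
ALLOWED_CONDUITS = {
    ("dmz", "control", "tcp", 502),       # DMZ data collector polls controllers
    ("dmz", "enterprise", "tcp", 443),    # historian replication to enterprise
    ("enterprise", "dmz", "tcp", 443),    # enterprise clients read the DMZ historian
}

# Bytes per flow above which an authorized conduit is reported as unusual.
VOLUME_THRESHOLD = 50_000_000
# Heightened monitoring (13.3.8 guidance) tightens the threshold by this factor.
HEIGHTENED_FACTOR = 10


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record: ts src dst proto dport bytes."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes))


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyze(lines, heightened=False):
    """Return (severity, reason, flow) findings for every flow that crosses a
    zone boundary and is unauthorized, links the control zone to an external
    network, or carries an unusual volume on an authorized conduit."""
    threshold = VOLUME_THRESHOLD // HEIGHTENED_FACTOR if heightened else VOLUME_THRESHOLD
    findings = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic does not traverse a conduit
        zones = {src_zone, dst_zone}
        if "control" in zones and "external" in zones:
            findings.append(("critical", "control zone traffic crosses an external network", f))
        elif (src_zone, dst_zone, f.proto, f.dport) not in ALLOWED_CONDUITS:
            findings.append(("high", "flow not on an authorized conduit", f))
        elif f.nbytes > threshold:
            findings.append(("medium", "unusual volume on authorized conduit", f))
    return findings


def summarize(findings):
    """Coarser granularity: count findings per reason for a shift report."""
    counts = {}
    for _severity, reason, _flow in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed flow records (not real captures).
SAMPLE_FLOWS = [
    "2013-04-01T08:00:00 10.20.0.5 10.10.1.20 tcp 502 120000",    # authorized poll
    "2013-04-01T08:00:05 10.20.0.5 10.30.4.7 tcp 443 8000000",    # authorized, 8 MB
    "2013-04-01T08:01:10 10.30.4.7 10.10.1.20 tcp 502 3000",      # enterprise host straight to a controller
    "2013-04-01T08:02:00 10.10.1.21 203.0.113.9 tcp 443 45000",   # control-zone host to the Internet
    "2013-04-01T08:03:00 10.20.0.5 10.30.4.7 tcp 443 60000000",   # 60 MB burst on an authorized conduit
    "2013-04-01T08:04:00 10.10.1.20 10.10.1.30 udp 2222 500",     # intra-zone, not a conduit
]

if __name__ == "__main__":
    for severity, reason, flow in analyze(SAMPLE_FLOWS, heightened=True):
        print(f"{severity:8} {flow.ts} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
    print(summarize(analyze(SAMPLE_FLOWS)))
```

Under normal monitoring the 8 MB replication flow passes; under heightened monitoring the tighter threshold reports it as well.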
14 Business Continuity Management

14.1 Introduction

14.2 Security Aspects

14.2.1 Contingency Planning Policy and Procedures

Requirement: The organization shall develop, disseminate, and periodically review/update: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

Foundational Requirement:

Rationale/Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular IACS, when required.

Requirement Enhancements: None.

14.2.2 Contingency Plan

Requirement: The organization shall develop and implement a contingency plan for the IACS addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures.
In the event of a loss of processing within the IACS or of communication with operational facilities, the IACS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure). These examples are not exhaustive.

Requirement Enhancements:

(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.

Foundational Requirement:

Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.

(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.

14.2.3 Contingency Training

Requirement: The organization shall train personnel in their contingency roles and responsibilities with respect to the IACS and provide refresher training [Assignment: organization-defined frequency, at least annually].

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

14.2.4 Contingency Plan Testing and Exercises

Requirement: The organization shall: (i) test and/or exercise the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan's effectiveness and the organization's readiness to execute the plan; and (ii) review the contingency plan test/exercise results and initiate corrective actions.

Foundational Requirement:

Rationale/Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the $S^{target}_{system}$ level of the IACS. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.

Requirement Enhancements:

(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

Foundational Requirement:

Rationale/Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.

(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
(3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the IACS and supported missions.

14.2.5 Contingency Plan Update

Requirement: The organization shall review the contingency plan for the IACS [Assignment: organization-defined frequency, at least annually] and revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

Foundational Requirement:

Rationale/Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the IACS. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).

Requirement Enhancements: None.

14.2.6 Alternate Storage Site

Requirement: The organization shall identify an alternate storage site and initiate necessary agreements to permit the storage of IACS backup information.
Foundational Requirement:

Rationale/Supplemental Guidance: The frequency of IACS backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization's recovery time objectives and recovery point objectives.

Requirement Enhancements:

(1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.

(2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.

(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

14.2.7 Alternate Control Site

Requirement: The organization shall identify an alternate control site and initiate necessary agreements to permit the resumption of IACS operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.

Foundational Requirement:

Rationale/Supplemental Guidance: Equipment and supplies required to resume operations within the organization-defined time period are either available at the alternate site or contracts are in place to support delivery to the site. Timeframes to resume IACS operations are consistent with organization-established recovery time objectives.
Requirement Enhancements:

(1) The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.

(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

(4) The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.

14.2.8 IACS Backup

Requirement: The frequency of IACS backups and the transfer rate of backup information to alternate storage sites (if so designated) shall be consistent with the organization's recovery time objectives and recovery point objectives.

Foundational Requirement:

Rationale/Supplemental Guidance: Availability of up-to-date backups is essential for recovery from IACS failure and mis-configuration. Automating this function ensures that all required files are captured, reducing operator overhead.

An organizational assessment of risk guides the use of encryption for backup information. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the $S^{target}_{system}$ level.

Requirement Enhancements:

(1) The organization selectively uses backup information in the restoration of IACS functions as part of contingency plan testing.
(2) The organization stores backup copies of the operating system and other critical IACS software in a separate facility or in a fire-rated container that is not collocated with the operational software.

14.2.9 IACS Recovery and Reconstruction

Requirement: None.

Foundational Requirement:

Rationale/Supplemental Guidance: IACS recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested and functional.

Requirement Enhancements:

(1) The organization shall include a full recovery and reconstitution of the IACS as part of contingency plan testing.

14.2.10 Power Equipment and Cabling

Requirement: The organization shall protect power equipment and power cabling for the IACS from damage and destruction.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization employs redundant and parallel power cabling paths.
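As an added example for 14.2.8 IACS Backup above (not part of the standard's text), this Python script checks a backup schedule against the recovery objectives the way that requirement describes: the backup interval and the transfer rate to the alternate storage site together bound the worst-case data loss, which must stay within the recovery point objective, and retrieval plus rebuild time must stay within the recovery time objective. Component names, sizes, link rates and objectives are constructed sample values, and the script assumes a single link is used both to ship backups off site and to retrieve them.

```python
"""Backup schedule check against RPO/RTO (added example, constructed values).
Assumes backups are copied to the alternate storage site over a single link
and retrieved over the same link during recovery."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPlan:
    component: str
    interval_h: float    # hours between successive backups
    size_gb: float       # size of one full backup set (GiB)
    link_mbps: float     # transfer rate to the alternate storage site (Mbit/s)
    restore_h: float     # hours to rebuild the component once the backup is on site
    rpo_h: float         # recovery point objective (max tolerable data loss), hours
    rto_h: float         # recovery time objective (max tolerable outage), hours


def transfer_hours(size_gb: float, link_mbps: float) -> float:
    """Hours to move size_gb over link_mbps (1 GiB = 8192 Mbit)."""
    return size_gb * 8192 / link_mbps / 3600


def worst_case_data_loss_h(plan: BackupPlan) -> float:
    """If the disruption hits just before the newest backup finishes arriving
    off site, the newest usable copy is one interval plus one transfer old."""
    return plan.interval_h + transfer_hours(plan.size_gb, plan.link_mbps)


def recovery_time_h(plan: BackupPlan) -> float:
    """Retrieval from the alternate site plus the rebuild itself."""
    return transfer_hours(plan.size_gb, plan.link_mbps) + plan.restore_h


def max_interval_for_rpo(plan: BackupPlan) -> float:
    """Longest backup interval that still meets the RPO at the given link rate
    (negative means the link alone is too slow for the RPO)."""
    return plan.rpo_h - transfer_hours(plan.size_gb, plan.link_mbps)


def evaluate(plan: BackupPlan) -> list:
    """Return a list of findings; an empty list means the plan is consistent
    with the stated RPO and RTO."""
    findings = []
    loss = worst_case_data_loss_h(plan)
    if loss > plan.rpo_h:
        findings.append(
            f"{plan.component}: worst-case data loss {loss:.2f} h exceeds RPO "
            f"{plan.rpo_h} h; shorten the interval to at most "
            f"{max_interval_for_rpo(plan):.2f} h or raise the link rate"
        )
    rt = recovery_time_h(plan)
    if rt > plan.rto_h:
        findings.append(
            f"{plan.component}: recovery time {rt:.2f} h exceeds RTO {plan.rto_h} h"
        )
    return findings


# Constructed sample plans for three kinds of IACS components.
PLANS = [
    # Interval equal to the RPO looks right on paper but fails once transfer time counts.
    BackupPlan("PLC configurations", interval_h=24, size_gb=1, link_mbps=100,
               restore_h=2, rpo_h=24, rto_h=8),
    # Large historian over a slow link: both objectives missed.
    BackupPlan("process historian", interval_h=6, size_gb=500, link_mbps=100,
               restore_h=4, rpo_h=8, rto_h=12),
    # HMI images over a fast link with headroom on both objectives.
    BackupPlan("HMI images", interval_h=12, size_gb=20, link_mbps=1000,
               restore_h=1, rpo_h=24, rto_h=4),
]

if __name__ == "__main__":
    for plan in PLANS:
        for finding in evaluate(plan) or [f"{plan.component}: consistent with RPO/RTO"]:
            print(finding)
```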
14.3 Telecommunications Services

Requirement: The organization shall identify primary and alternate telecommunications services to support the IACS and initiate necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

Foundational Requirement:

Rationale/Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).

Requirement Enhancements:

(1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

(2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.

(3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.

(4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.

14.3.1 Emergency Shutoff

Requirement: The IACS shall provide, for specific locations within a facility containing concentrations of IACS resources, the capability of shutting off power to any IACS component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.
Foundational Requirement:

Rationale/Supplemental Guidance: Facilities containing concentrations of IACS resources may include, for example, data centers, server rooms, and mainframe rooms. Emergency shutoff capabilities are typically integrated with SIS systems, if present (e.g., automated fail-safe shutdown sequences).

Requirement Enhancements:

(1) The IACS shall protect the emergency power-off capability from accidental or unauthorized activation.

14.3.2 Emergency Power

Requirement: The organization shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS in the event of a primary power source loss.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:

(1) The organization provides a long-term alternate power supply for the IACS that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

(2) The organization provides a long-term alternate power supply for the IACS that is self-contained and not reliant on external power generation.

14.3.3 Emergency Lighting

Requirement: The organization shall employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.
14.3.4 Fire Protection

Requirement: The organization shall employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.

Foundational Requirement:

Rationale/Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Requirement Enhancements:

(1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.

(2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.

(3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.

14.3.5 Temperature and Humidity Controls

Requirement: The organization shall regularly maintain, within acceptable levels, and monitor the temperature and humidity within the facility where the IACS resides.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements: None.
14.3.6 Water Damage Protection

Requirement:
The organization shall protect the IACS from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

Foundational Requirement:

Rationale/Supplemental Guidance: None.

Requirement Enhancements:
(1) The organization employs mechanisms that, without the need for manual intervention, protect the IACS from water damage in the event of a significant water leak.

15 Compliance

15.1 General

15.1.1 {Requirement}

Requirement:

Foundational Requirement:

Rationale/Supplemental Guidance:

Requirement Enhancements:

Annex A (informative)
Foundational Requirements

A.1 Overview
This annex is intended to provide guidance to the reader as to the relevance of the SRs.

A.2 FR1 ACCESS CONTROL
Identify and authenticate IACS users (including human users, processes, and devices), assign them to a pre-defined role, and allow them access to the system or assets.

Rationale: Asset owners will have to develop a list of IACS users and to determine for each device the required level of access control protection. The goal of access control is to protect the system by verifying the identity of a user requesting access to a device of the system before activating the communication. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some devices on a communication channel require strong access control, i.e. a strong authentication mechanism, and others do not. By extension, access control requirements need to be extended to data at rest.

A.3 FR2 USE CONTROL
Enforce the assigned privileges of an authenticated IACS user to perform the requested action on the system or assets, and monitor the use of these privileges.

Rationale: Asset owners will have to assign to each IACS user the privileges defining the authorized use of the system. The goal of use control is to protect against unauthorized actions on IACS resources by verifying that the necessary privileges have been granted before allowing the action to be performed. Examples of actions are reading or writing data, downloading a program, setting configuration, etc. Recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some IACS resources require strong use control protection, i.e. restrictive privileges, and others do not. By extension, use control requirements need to be extended to data at rest.

A.4 FR3 DATA INTEGRITY
Ensure the integrity of information on communication channels and in data repositories to prevent unauthorized manipulation.

Rationale: Using the organization's risk assessment methodology, asset owners will select the communication channels that require strong integrity protection. Derived prescriptive recommendations and guidelines should include mechanisms that will operate in mixed modes; e.g. some communication channels require strong integrity protection and others do not. By extension, data integrity requirements need to be extended to data at rest, i.e. protecting the integrity of data that resides in selected repositories.

A.5 FR4 DATA CONFIDENTIALITY
Ensure the confidentiality of information on communication channels and in data repositories to prevent unauthorized dissemination.

Rationale: Some IACS-generated information, whether at rest or in transit, is of a confidential or sensitive nature. This implies that some communication channels and data stores require protection against eavesdropping and unauthorized access.

A.6 FR5 RESTRICT DATA FLOW
Segment the system via zones and conduits to limit the unnecessary flow of data.

Rationale: Using the organization's risk assessment methodology, asset owners will determine the necessary information flow restrictions and thus, by extension, determine the configuration of the conduits used to deliver these data. Derived prescriptive recommendations and guidelines should include mechanisms that range from disconnecting control networks from business or public networks to using stateful firewalls and DMZs to manage the flow of information.

A.7 FR6 TIMELY RESPONSE TO AN EVENT
Respond to security violations by notifying the proper authority, reporting needed forensic evidence of the violation, and taking timely corrective action when incidents are discovered.

Rationale: Using the organization's risk assessment methodology, asset owners will establish the policies and the proper lines of communication and control needed to respond to security violations. Derived prescriptive recommendations and guidelines should include mechanisms that collect, report and automatically correlate the forensic evidence to ensure timely corrective action. The use of monitoring tools and techniques must not adversely affect the operational performance of the IACS.

A.8 FR7 RESOURCE AVAILABILITY
Ensure the availability of the system or assets against the denial of essential services.

Rationale: The aim of this series of System Requirements is to ensure that the system is resilient against various types of denial-of-service events. This includes the unavailability of system functionality at various levels.

Annex B (informative)
Mapping Controls to Foundational Requirements

B.1 Overview
This annex is intended to provide guidance to the reader as to the relevance of the specific controls to the various foundational requirements.
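The FR5 rationale in Annex A names the mechanisms (zones, conduits, stateful firewalls, DMZs) but does not show what a conduit allow-list looks like once it is written down. The following Python module is an added example, not part of this draft or of the ISA-62443 series: it models zones by address range and conduits as an explicit allow-list with default deny, then audits a set of flow records against that list. The zone names, addressing, protocols, ports and the sample flows are all assumptions constructed for the illustration.

```python
"""Zone-and-conduit data-flow check (added example, not from ISA-62443-2-2).

Every permitted flow between zones must match a defined conduit; anything
else is denied. Zones, conduits and sample flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: str  # assumed addressing for the example


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed zone model (assumed addressing, not from the standard).
ZONES: List[Zone] = [
    Zone("enterprise", "10.0.0.0/16"),
    Zone("dmz", "10.1.0.0/24"),
    Zone("control", "192.168.10.0/24"),
    Zone("safety", "192.168.20.0/24"),
]

# Conduit allow-list: one entry per permitted (src zone, dst zone, proto, port).
# Everything not listed is denied, so the control zone is reachable from the
# enterprise only by way of the DMZ.
CONDUITS: List[Conduit] = [
    Conduit("enterprise", "dmz", "tcp", 443),    # business clients to DMZ historian mirror
    Conduit("dmz", "control", "tcp", 502),       # DMZ historian polls PLCs (Modbus/TCP)
    Conduit("control", "control", "tcp", 502),   # intra-zone Modbus/TCP
    Conduit("control", "control", "udp", 2222),  # intra-zone EtherNet/IP I/O
    Conduit("control", "safety", "tcp", 502),    # controller reads safety status
]


def zone_of(ip: str, zones: List[Zone] = ZONES) -> Optional[str]:
    """Return the zone whose CIDR contains ip, or None if unassigned."""
    addr = ip_address(ip)
    for z in zones:
        if addr in ip_network(z.cidr):
            return z.name
    return None


def evaluate(flow: Flow, conduits: List[Conduit] = CONDUITS) -> Tuple[str, str]:
    """Decide allow/deny for the initiating direction of one flow, with a reason.

    A stateful firewall would also admit the return traffic of an allowed
    flow; this check looks only at who initiates to whom.
    """
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside every defined zone"
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src, dst, flow.proto, flow.dport):
            return "allow", f"conduit {src}->{dst} {flow.proto}/{flow.dport}"
    if src != dst:
        return "deny", f"no conduit from {src} to {dst} for {flow.proto}/{flow.dport}"
    return "deny", f"{flow.proto}/{flow.dport} not permitted inside zone {src}"


def audit(flows: List[Flow], conduits: List[Conduit] = CONDUITS) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow; the denied entries are the ones to investigate."""
    return [(f, *evaluate(f, conduits)) for f in flows]


# Constructed sample flows, as a firewall or NetFlow export might yield them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.5.20", "10.1.0.10", "tcp", 443),        # enterprise -> DMZ: allowed
    Flow("10.1.0.10", "192.168.10.5", "tcp", 502),     # DMZ -> PLC: allowed
    Flow("10.0.5.20", "192.168.10.5", "tcp", 502),     # enterprise -> PLC directly: bypasses DMZ
    Flow("192.168.10.5", "192.168.20.7", "tcp", 502),  # control -> safety: allowed
    Flow("192.168.20.7", "10.0.5.20", "tcp", 443),     # safety -> enterprise: denied
    Flow("172.16.0.9", "192.168.10.5", "tcp", 502),    # source in no zone: denied
]


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src_ip:>14} -> {flow.dst_ip:<14} {flow.proto}/{flow.dport:<5} {reason}")
```

Running the module prints one verdict per flow. The third flow, from an enterprise host straight to a PLC on Modbus/TCP, is denied because the only conduit into the control zone originates in the DMZ, which is the structural point the FR5 rationale makes. In practice the CONDUITS list would be derived from the zone and conduit model produced by the risk assessment and the audit fed from firewall or flow logs, so that flows the firewall actually passed can be compared with the flows the model says should exist.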
NOTE This annex will be completed as part of the final document generation after the primary content has been finalized.

BIBLIOGRAPHY

NOTE This bibliography includes references to sources used in the creation of this standard as well as references to sources that may aid the reader in developing a greater understanding of cyber security as a whole and developing a management system. Not all references in this bibliography are referred to throughout the text of this standard. The references have been broken down into different categories depending on the type of source they are.

References to other parts, both existing and anticipated, of the ISA‑62443 series:

NOTE Some of these references are normative references (see Clause 2), published documents, in development, or anticipated. They are all listed here for completeness of the anticipated parts of the ISA‑62443 series.

[1] ANSI/ISA‑62443-1-1-2007, Security for industrial automation and control systems: Terminology, concepts and models
[2] ANSI/ISA‑TR62443-1-2, Security for industrial automation and control systems: Master glossary of terms and abbreviations
[3] ANSI/ISA‑62443-1-3, Security for industrial automation and control systems: System security compliance metrics
[4] ANSI/ISA‑62443-2-1-2009, Security for industrial automation and control systems: Establishing an industrial automation and control system security program
[5] ANSI/ISA‑TR62443-2-3, Security for industrial automation and control systems: Patch management in the IACS environment
[6] ANSI/ISA‑TR62443-3-1-2007, Security for industrial automation and control systems: Security technologies for industrial automation and control systems
[7] ANSI/ISA‑62443-3-2, Security for industrial automation and control systems: Target security assurance levels for zones and conduits
[8] ANSI/ISA‑62443-3-3, Security for industrial automation and control systems: System security requirements and security assurance levels
[9] ANSI/Error! Unknown document property name., Security for industrial automation and control systems: Product development requirements
[10] ANSI/ISA‑62443-4-1, Security for industrial automation and control systems: Embedded devices
[11] ANSI/ISA‑62443-4-2, Security for industrial automation and control systems: Host devices

Other standards references:

[12] ISO/IEC Directives, Part 2, Rules for the structure and drafting of International Standards