CSA Preface
This is the first edition of CAN/CSA-IEC/TR 62443-3-1, Industrial communication networks — Network and system security — Part 3-1: Security technologies for industrial automation and control systems, which is an adoption without modification of the identically titled IEC (International Electrotechnical Commission) Technical Report 62443-3-1 (first edition, 2009-07). At the time of publication, IEC/TR 62443-3-1:2009 is available from IEC in English only. CSA Group will publish the French version when it becomes available from IEC.
For brevity, this Standard will be referred to as “CAN/CSA-IEC/TR 62443-3-1” throughout.
The IEC Technical Report is one in a series of Standards developed by IEC/TC 65 on industrial automation networking security that are being adopted by CSA Group. The IEC Technical Report provides an assessment of various cyber security tools, mitigation counter-measures, and technologies that may be effectively applied to modern electronic IACS infrastructures. It is intended to be used by developers of industrial control systems, and those who ensure that the cyber security elements of the system are met.
This Standard uses terminology and concepts specified in CAN/CSA-IEC 62443-2-1:17, Industrial communication networks — Network and system security — Part 2-1: Establishing an industrial automation and control system security program.
The IEC Technical Report was reviewed for Canadian adoption by the CSA Technical Committee on Information Technology, under the jurisdiction of the CSA Strategic Steering Committee on Information and Communications Technology, and has been formally approved by the Technical Committee.
This Standard has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.
Scope
This part of IEC 62443 provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.
The concept of IACS cybersecurity as applied in this technical report is in the broadest possible sense, encompassing all types of components, plants, facilities, and systems in all industries and critical infrastructures. IACSs include, but are not limited to:
• Hardware (e.g., data historian servers) and software systems (e.g., operating platforms, configurations, applications) such as Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, networked electronic sensing systems, and monitoring, diagnostic, and assessment systems. Included in this hardware and software domain are the essential industrial network and any connected or related information technology (IT) devices and links critical to the successful operation of the control system at large. As such, this domain also includes, but is not limited to: firewalls, servers, routers, switches, gateways, fieldbus systems, intrusion detection systems, intelligent electronic/end devices, remote terminal units (RTUs), and both wired and wireless remote modems.
• Associated internal, human, network, or machine interfaces used to provide control, data logging, diagnostics, safety, monitoring, maintenance, quality assurance, regulatory compliance, auditing and other types of operational functionality for continuous, batch, discrete, and combined processes.
Similarly, the concept of cybersecurity technologies and countermeasures is also broadly applied in this technical report and includes, but is not limited to, the following technologies:
• authentication and authorization;
• filtering, blocking, and access control;
• encryption;
• data validation;
• auditing;
• measurement;
• monitoring and detection tools;
• operating systems.
In addition, a non-cyber technology, physical security control, is an essential requirement for some aspects of cybersecurity and is discussed in this technical report.
The purpose of this technical report is to categorize and define cybersecurity technologies, countermeasures, and tools currently available to provide a common basis for later technical reports and standards to be produced by the ISA99 committee. Each technology in this technical report is discussed in terms of:
• security vulnerabilities addressed by the technology, tool, and/or countermeasure;
• typical deployment;
• known issues and weaknesses;
• assessment of use in the IACS environment;
• future directions;
• recommendations and guidance;
• information sources and reference material.
The intent of this technical report is to document the known state of the art of cybersecurity technologies, tools, and countermeasures applicable to the IACS environment, clearly define which technologies can reasonably be deployed today, and define areas where more research may be needed.