DD IEC PAS 62443-3 pdf download Security for industrial process measurement and control — Part 3: Network and system security
4 Introduction and compliance
Use of IT security methods and standards have become common place in the office environment in the form of the ubiquitous code of practice for information security management (ISO/IEC 27002, previously known as ISO/IEC 1 7799), for operational security, and the evaluation criteria for IT security (ISO/IEC 1 5408), for product development.
Now the internet and wireless networks have arrived on the shop floor. Security problems in automation systems are increasingly making headlines in the specialized press; but commonly acknowledged practice and related standards are lagging, and this despite the higher stakes involved in automation systems, with possible physical production losses and impact on health, human life and environment.
As has previously occurred in the operational security in the office environment, this PAS is an initial effort to provide guidance for the operational security of automation systems.
However, the methods and standards from the office environment cannot be easily applied to automation systems. A study of EWICS [1 5] 1 has shown that the widely used ISO/IEC 27002 would have to be extended considerably to be applicable to industrial control systems. While 1 89 items have been judged applicable to very applicable, 85 % or 45 % have been found to require additional guidance.
This PAS contains good practice identified by practitioners based on their practical experience but developed independently of ISO/IEC 27002.
NOTE While it may be desirable to harmonize the structure and vocabulary of this PAS with ISO/IEC 27002, this has not been done at this time.
This PAS is intended to fill the presently existing void while further efforts are planned to enhance the guidance in a future edition of IEC 62443 as outlined in Annex A.
Compliance to the policy of this PAS is a local matter. It may be stated in reference to all provisions of the ICS policy or to part of it or to a customized version of it.
Certain measures of the policy may not be applied because they are not applicable at a given time for a given configuration in a given security context. The policy allows for this modularity and customization.
Also, depending on the specific ICS, it may be deemed necessary or desirable, for example, from a risk/cost trade-off perspective, not to implement certain measures as prescribed by the policy. By the nature of security, this may only be done temporarily in application of ICS policy using its exception management provision.
5 Principles and reference models
This PAS describes good practice in terms of technical and organizational security measures for the protection of the ICS and its industrial control network (ICN), including generally existing ICN subnetworks.