BS EN 62443-2-1:2010:2011 Edition
$215.11
Industrial communication networks. Network and system security – Establishing an industrial automation and control system security program
| Published By | Publication Date | Number of Pages |
|---|---|---|
| BSI | 2011 | 164 |
IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1. The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization. This bilingual version (2012-04) corresponds to the monolingual English version, published in 2010-11.
PDF Catalog
| PDF Pages | PDF Title |
|---|---|
| 4 | CONTENTS |
| 7 | FOREWORD |
| 9 | 0 INTRODUCTION 0.1 Overview 0.2 A cyber security management system for IACS 0.3 Relationship between this standard and ISO/IEC 17799 and ISO/IEC 27001 |
| 11 | 1 Scope 2 Normative references 3 Terms, definitions, abbreviated terms, acronyms, and conventions 3.1 Terms and definitions |
| 16 | 3.2 Abbreviated terms and acronyms |
| 18 | 3.3 Conventions 4 Elements of a cyber security management system 4.1 Overview |
| 19 | Figures Figure 1 – Graphical view of elements of a cyber security management system |
| 20 | 4.2 Category: Risk analysis Figure 2 – Graphical view of category: Risk analysis Tables Table 1 – Business rationale: Requirements |
| 21 | Table 2 – Risk identification, classification and assessment: Requirements |
| 22 | 4.3 Category: Addressing risk with the CSMS Figure 3 – Graphical view of element group: Security policy, organization and awareness |
| 23 | Table 3 – CSMS scope: Requirements |
| 24 | Table 4 – Organizing for security: Requirements Table 5 – Staff training and security awareness: Requirements |
| 25 | Table 6 – Business continuity plan: Requirements |
| 26 | Table 7 – Security policies and procedures: Requirements |
| 27 | Figure 4 – Graphical view of element group: Selected security countermeasures |
| 28 | Table 8 – Personnel security: Requirements |
| 29 | Table 9 – Physical and environmental security: Requirements |
| 30 | Table 10 – Network segmentation: Requirements |
| 31 | Table 11 – Access control – Account administration: Requirements |
| 32 | Table 12 – Access control – Authentication: Requirements |
| 33 | Table 13 – Access control – Authorization: Requirements |
| 34 | Figure 5 – Graphical view of element group: Implementation |
| 35 | Table 14 – Risk management and implementation: Requirements Table 15 – System development and maintenance: Requirements |
| 36 | Table 16 – Information and document management: Requirements |
| 37 | Table 17 – Incident planning and response: Requirements |
| 38 | 4.4 Category: Monitoring and improving the CSMS Figure 6 – Graphical view of category: Monitoring and improving the CSMS |
| 39 | Table 18 – Conformance: Requirements |
| 40 | Table 19 – Review, improve and maintain the CSMS: Requirements |
| 41 | Annex A (informative) Guidance for developing the elements of a CSMS |
| 42 | Figure A.1 – Graphical view of elements of a cyber security management system Figure A.2 – Graphical view of category: Risk analysis |
| 46 | Figure A.3 – Reported attacks on computer systems through 2004 (source: CERT) |
| 54 | Table A.1 – Typical likelihood scale |
| 56 | Table A.2 – Typical consequence scale |
| 57 | Table A.3 – Typical risk level matrix |
| 59 | Figure A.4 – Sample logical IACS data collection sheet |
| 61 | Figure A.5 – Example of a graphically rich logical network diagram |
| 68 | Figure A.6 – Graphical view of element group: Security policy, organization, and awareness |
| 84 | Figure A.7 – Graphical view of element group: Selected security countermeasures |
| 92 | Figure A.8 – Reference architecture alignment with an example segmented architecture |
| 97 | Figure A.10 – Access control: Account administration |
| 100 | Figure A.11 – Access control: Authentication |
| 105 | Figure A.12 – Access control: Authorization |
| 108 | Figure A.13 – Graphical view of element group: Implementation |
| 109 | Table A.4 – Example countermeasures and practices based on IACS risk levels |
| 111 | Figure A.14 – Security level lifecycle model: Assess phase |
| 112 | Table A.5 – Example IACS asset table with assessment results Table A.6 – Example IACS asset table with assessment results and risk levels |
| 114 | Figure A.15 – Corporate security zone template architecture |
| 115 | Figure A.16 – Security zones for an example IACS |
| 116 | Table A.7 – Target security levels for an example IACS |
| 118 | Figure A.17 – Security level lifecycle model: Develop and implement phase |
| 122 | Figure A.18 – Security level lifecycle model: Maintain phase |
| 135 | Figure A.19 – Graphical view of category: Monitoring and improving the CSMS |
| 142 | Annex B (informative) Process to develop a CSMS Figure B.1 – Top level activities for establishing a CSMS |
| 144 | Figure B.2 – Activities and dependencies for activity: Initiate CSMS program |
| 145 | Figure B.3 – Activities and dependencies for activity: High-level risk assessment |
| 146 | Figure B.4 – Activities and dependencies for activity: Detailed risk assessment Figure B.5 – Activities and dependencies for activity: Establish security policy, organization and awareness |
| 147 | Figure B.6 – Training and assignment of organization responsibilities |
| 148 | Figure B.7 – Activities and dependencies for activity: Select and implement countermeasures |
| 149 | Figure B.8 – Activities and dependencies for activity: Maintain the CSMS |
| 150 | Annex C (informative) Mapping of requirements to ISO/IEC 27001 Table C.1 – Mapping of requirements in this standard to ISO/IEC 27001 references |
| 154 | Table C.2 – Mapping of ISO/IEC 27001 requirements to this standard |
| 158 | Bibliography |