Customer Support: 131 242

  • There are no items in your cart
We noticed you’re not on the correct regional site. Switch to our AMERICAS site for the best experience.
Dismiss alert

CAN/CSA-IEC/TR 62443-2-3:17

Current
Current

The latest, up-to-date edition.

Security for industrial automation and control systems — Part 2-3: Patch management in the IACS environment (Adopted IEC technical report 62443-2-3:2015, first edition, 2015-06)
Available format(s)

Hardcopy , PDF

Language(s)

English

Published date

01-01-2017

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms and acronyms
4 Industrial automation and control system patching
5 Recommended requirements for asset owner
6 Recommended requirements for IACS product supplier
7 Exchanging patch information
Annex A (informative) - VPC XSD file format
Annex B (informative) - IACS asset owner guidance on patching
Annex C (informative) - IACS product supplier/service provider
        guidance on patching product components
Bibliography

This part of IEC 62443, which is a Technical Report, describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program.

This is the first edition of CAN/CSA-IEC/TR 62443-2-3, Security for industrial automation and control systems — Part 2-3: Patch management in the IACS environment, which is an adoption without modification of the identically titled IEC (International Electrotechnical Commission) Technical Report 62443-2-3 (first edition, 2015-06). At the time of publication, IEC TR 62443-2-3:2015 is available from IEC in English only. CSA Group will publish the French version when it becomes available from IEC. The IEC Technical Report is one in a series of Standards developed by IEC/TC 65 on industrial automation networking security that are being adopted by CSA Group. The IEC Technical Report addresses the patch management aspects of cyber security. It recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers. The exchange format and activities are defined for use in security-related patches, but may also be used for non-security related patches or updates. This Standard uses terminology and concepts specified in the following: a) CAN/CSA-IEC/TS 62443-1-1:17, Industrial communication networks — Network and system security — Part 1-1: Terminology, concepts and models; and b) CAN/CSA-IEC 62443-2-1:17, Industrial communication networks — Network and system security — Part 2-1: Establishing an industrial automation and control system security program. Scope This part of IEC 62443, which is a Technical Report, describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates. The Technical Report does not differentiate between patches made available for the operating systems (OSs), applications or devices. It does not differentiate between the product suppliers that supply the infrastructure components or the IACS applications; it provides guidance for all patches applicable to the IACS. Additionally, the type of patch can be for the resolution of bugs, reliability issues, operability issues or security vulnerabilities. NOTE 1 This Technical Report does not provide guidance on the ethics and approaches for the discovery and disclosure of security vulnerabilities affecting IACS. This is a general issue outside the scope of this report. NOTE 2 This Technical Report does not provide guidance on the mitigation of vulnerabilities in the period between when the vulnerability is discovered and the date that the patch resolving the vulnerability is created. For guidance on multiple countermeasures to mitigate security risks as part of an IACS security management system (IACS-SMS), refer to, Annexes B.4.5, B.4.6 and B.8.5 in this Technical Report and other documents in the IEC 62443 series.

DocumentType
Standard
ISBN
978-1-4883-1255-7
Pages
74
PublisherName
Canadian Standards Association
Status
Current

ISO 639-1:2002 Codes for the representation of names of languages — Part 1: Alpha-2 code
IEC TS 62443-1-1:2009 Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models
IEC 62443-2-1:2010 Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program
ISO 3166-2:2013 Codes for the representation of names of countries and their subdivisions Part 2: Country subdivision code
ISO 8601:2004 Data elements and interchange formats Information interchange Representation of dates and times
ISO 4217:2015 Codes for the representation of currencies
ISO 3166-1:2013 Codes for the representation of names of countries and their subdivisions Part 1: Country codes

View more information
$795.53
Including GST where applicable

Access your standards online with a subscription

Features

  • Simple online access to standards, technical information and regulations.

  • Critical updates of standards and customisable alerts and notifications.

  • Multi-user online standards collection: secure, flexible and cost effective.

Need help?
Call us on 131 242, then click here to start a Screen Sharing session
so we can help right away! Learn more