Specifies the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security.

This is the first edition of CAN/CSA-IEC/TS 62443-1-1, Industrial communication networks — Network and system security — Part 1-1: Terminology, concepts and models, which is an adoption without modification of the identically titled IEC (International Electrotechnical Commission) Technical Specification 62443-1-1 (first edition, 2009-07). At the time of publication, IEC/TS 62443-1-1:2009 is available from IEC in English only. CSA Group will publish the French version when it becomes available from IEC. For brevity, this Standard will be referred to as “CAN/CSA-IEC/TS 62443-1-1” throughout. The IEC Technical Specification is one in a series of Standards developed by IEC/TC 65 on industrial automation networking security that are being adopted by CSA Group. The IEC Technical Specification provides the terminology, concepts, and models that are used in the development of security for industrial control networks. It is intended to be used in conjunction with other Standards in this series that provide more specific guidance in the creation and maintenance of such networks. Scope 1.1 General This part of the IEC 62443 series is a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security. It establishes the basis for the remaining standards in the IEC 62443 series. To fully articulate the systems and components the IEC 62443 series address, the range of coverage may be defined and understood from several perspectives, including the following: a) range of included functionality; b) specific systems and interfaces; c) criteria for selecting included activities; d) criteria for selecting included assets. Each of these is described in the following subclauses: 1.2 Included functionality The scope of this technical specification can be described in terms of the range of functionality within an organization’s information and automation systems. This functionality is typically described in terms of one or more models. This technical specification focuses primarily on industrial automation and control, as described in a reference model (see Clause 6). Business planning and logistics systems are not explicitly addressed within the scope of this technical specification, although the integrity of data exchanged between business and industrial systems is considered. Industrial automation and control includes the supervisory control components typically found in process industries. It also includes SCADA (Supervisory Control and Data Acquisition) systems that are commonly used by organizations that operate in critical infrastructure industries. These include the following: a) electricity transmission and distribution; b) gas and water distribution networks; c) oil and gas production operations; d) gas and liquid transmission pipelines. This is not an exclusive list. SCADA systems may also be found in other critical and non-critical infrastructure industries. 1.3 Systems and interfaces In encompassing all IACS, this technical specification covers systems that can affect or influence the safe, secure, and reliable operation of industrial processes. They include, but are not limited to: a) Industrial control systems and their associated communications networks1, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, SCADA systems, networked electronic sensing and control, metering and custody transfer systems, and monitoring and diagnostic systems. (In this context, industrial control systems include basic process control system and Safety-Instrumented System (SIS) functions, whether they are physically separate or integrated.) b) Associated systems at level 3 or below of the reference model described in Clause 6. Examples include advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, pipeline leak detection systems, work management, outage management, and electricity energy management systems. c) Associated internal, human, network, software, machine or device interfaces used to provide control, safety, manufacturing, or remote operations functionality to continuous, batch, discrete, and other processes. 1.4 Activity-based criteria IEC 62443-2-12 provides criteria for defining activities associated with manufacturing operations. A similar list has been developed for determining the scope of this technical specification. A system should be considered to be within the range of coverage of the IEC 62443 series if the activity it performs is necessary for any of the following: a) predictable operation of the process; b) process or personnel safety; c) process reliability or availability; d) process efficiency; e) process operability; f) product quality; g) environmental protection; h) regulatory compliance; i) product sales or custody transfer. 1.5 Asset-based criteria The coverage of this technical specification includes those systems in assets that meet any of the following criteria, or whose security is essential to the protection of other assets that meet these criteria: a) The asset has economic value to a manufacturing or operating process. b) The asset performs a function necessary to operation of a manufacturing or operating process. c) The asset represents intellectual property of a manufacturing or operating process. d) The asset is necessary to operate and maintain security for a manufacturing or operating process. e) The asset is necessary to protect personnel, contractors, and visitors involved in a manufacturing or operating process. f) The asset is necessary to protect the environment. g) The asset is necessary to protect the public from events caused by a manufacturing or operating process. h) The asset is a legal requirement, especially for security purposes of a manufacturing or operating process. i) The asset is needed for disaster recovery. j) The asset is needed for logging security events. This range of coverage includes systems whose compromise could result in the endangerment of public or employees health or safety, loss of public confidence, violation of regulatory requirements, loss or invalidation of proprietary or confidential information, environmental contamination, and/or economic loss or impact on an entity or on local or national security.