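The ISA99 committee on industrial automation and control system (IACS) cybersecurity has primary responsibility for developing the ISA/IEC 62443 series of standards on this subject. The committee recently held a series of working meetings in Frankfurt, Germany, to assess the current status of the standards and confirm plans for future work. This included discussions related to several of the fundamental concepts that form the basis for the ISA 62443 series of standards.
Several documents in the 62443 series have been formally published or will soon be released to the committee for comment or ballot. Recent publications include 62443-2-3, patch management in the IACS environment; and 62443-2-4, requirements for IACS solution providers. Documents recently circulated for review and comment include 62443-4-1, product development requirements; and 62443-4-2, technical security requirements for IACS components. Finally, the following documents will soon be sent to the committee for review and approval: 62443-1-3, system security metrics; and 62443-3-2, security risk assessment and system design.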
Several fundamental concepts form the basis for the 62443 series. The second edition of the 62443-1-1 standard will introduce each concept, which will be further detailed and applied in the remaining standards in the series.
Over the course of the Frankfurt meetings, those present reviewed several of these concepts and reaffirmed their importance as key elements of the series. Any inconsistencies across the standards were noted and will be addressed in subsequent editions.
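The design, development, implementation and operation of industrial control systems take place in the context of intersecting life cycles, each addressing a specific set of activities and involving specific contributors. The product development life cycle is primarily the responsibility of the product or system supplier. Integration and commissioning are the focus of the system integrator. Operation and maintenance are the responsibility of the asset owner. Collectively, these life cycles provide the context for gathering requirements and subsequently developing secure products, systems and solutions.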
Applying the zones and conduits concept is an essential first step in risk assessment and system design. The 62443-3-2 standard on this subject will soon be circulated to the committee for review and approval, with review by the broader IEC community to follow soon after.
In addition to the above established concepts, members also discussed several topics that are still evolving:
Metrics. The committee recently began to develop a set of metrics that could be used to assess progress against many aspects of the standards. This material will appear in the form of the 62443-1-3 document.
Protection levels. There was a proposal to define protection levels to provide additional guidance on the application of the standards. This proposal was developed by a group that has been working with the German National Committee and is being offered to the ISA99 committee for use in the 62443 series. There was consensus that this subject should be assigned to a new task group for further development.
Risk assessment. Risk assessment is also an important element of an effective cybersecurity management system. Attendees reviewed and discussed a proposed methodology included in the current draft of the 62443-3-2 standard. Additional comments and feedback will be collected as part of the formal review and comment process.
The stakeholder community for the 62443 standards on IACS security includes suppliers, integrators and asset owners across a broad range of industries. Each of these groups has different levels of interest in and applicability for the various types of standards in the series.
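Those interested in learning more about the information contained in the 62443 standards will soon have access to several new drafts for review and comment, as well as completed and published standards and reports in areas such as risk assessment and patch management.
These standards can now be applied to the design, configuration, operation and maintenance of industrial control systems. Application assistance is available in the form of a series of training courses offered by ISA. As the full set of normative requirements and informative guidance becomes available, the committee's attention will begin to shift to developing additional tools, such as metrics and use cases.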
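>> Eric Cosman, ecosman@arcweb.com, is a consultant with ARC Advisory Group, with more than 35 years of experience developing, delivering, managing and supporting operations IT solutions in the process industries. His assignments and responsibilities have included process automation systems development, communications network design, functional and technical architecture design, and technology life-cycle management. He most recently served as a consulting engineer for operations at Dow Chemical.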