Industrial-process measurement, control and automation - Framework for functional safety and security

This Technical Report (TR) explains and provides guidance on the common application of IEC 61508 and IEC 62443 in the area of industrial-process measurement, control and automation. This document may apply to other industrial sectors where IEC 61508 and IEC 62443 are applied.

Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik - Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit

Mesure, commande et automation dans les processus industriels - Cadre pour la sécurité et la sûreté fonctionnelle

Meritve, krmiljenje in avtomatizacija v industrijskih procesih - Ogrodje za funkcionalno varnost in zaščito (IEC/TR 63069:2019)

General Information

Status
Published
Publication Date
13-Feb-2020
Technical Committee
Current Stage
6060 - Document made available
Due Date
14-Feb-2020
Completion Date
14-Feb-2020

Technical report
-TP CLC IEC/TR 63069:2020 - COLOURS on PDF pages 26, 27, 29
English language
33 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST-TP CLC IEC/TR 63069:2020
01-July-2020
Meritve, krmiljenje in avtomatizacija v industrijskih procesih - Ogrodje za funkcionalno varnost in zaščito (IEC/TR 63069:2019)

Industrial-process measurement, control and automation - Framework for functional safety and security (IEC/TR 63069:2019)

Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik - Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit (IEC/TR 63069:2019)

Mesure, commande et automation dans les processus industriels – Cadre pour la sécurité et la sûreté fonctionnelle (IEC/TR 63069:2019)

This Slovenian standard is identical to: CLC IEC/TR 63069:2020
ICS: 25.040.40 Industrial process measurement and control
SIST-TP CLC IEC/TR 63069:2020 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

TECHNICAL REPORT CLC IEC/TR 63069
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
February 2020
ICS 13.110; 25.040.40; 29.020
English Version
Industrial-process measurement, control and automation -
Framework for functional safety and security
(IEC/TR 63069:2019)

Mesure, commande et automation dans les processus industriels – Cadre pour la sécurité et la sûreté fonctionnelle (IEC/TR 63069:2019)

Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik - Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit (IEC/TR 63069:2019)

This Technical Report was approved by CENELEC on 2020-01-27.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. CLC IEC/TR 63069:2020 E
CLC IEC/TR 63069:2020 (E)
European foreword

This document (CLC IEC/TR 63069:2020) consists of the text of IEC/TR 63069:2019 prepared by IEC/TC 65 "Industrial-process measurement, control and automation".

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice

The text of the International Technical Report IEC/TR 63069:2019 was approved by CENELEC as a

In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 61508-1 NOTE Harmonized as EN 61508-1
IEC 61508-2 NOTE Harmonized as EN 61508-2
IEC 61508-3 NOTE Harmonized as EN 61508-3
IEC 61508-4:2010 NOTE Harmonized as EN 61508-4:2010 (not modified)
IEC 61508-5:2010 NOTE Harmonized as EN 61508-5:2010 (not modified)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62443-2-4:2015 NOTE Harmonized as EN IEC 62443-2-4:2019 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu.

Publication | Year | Title | EN/HD | Year
IEC 61508 | series | Functional safety of electrical/electronic/programmable electronic safety-related systems | EN 61508 | series
IEC 62443 | series | Industrial communication networks - Network and system security | - | series
IEC TR 63069
Edition 1.0 2019-05
TECHNICAL REPORT
colour inside
Industrial-process measurement, control and automation – Framework for functional safety and security
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 13.110; 25.040.40; 29.020 ISBN 978-2-8322-6925-1

Warning! Make sure that you obtained this publication from an authorized distributor.

® Registered trademark of the International Electrotechnical Commission
IEC TR 63069:2019 © IEC 2019
CONTENTS

FOREWORD
INTRODUCTION
0.1 Purpose of this document
0.2 Background
0.3 Issues on the terminology
0.4 Target audience
1 Scope
2 Normative references
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions defined for this document
3.2 Abbreviated terms
3.3 Explanation for common terms with different definitions
4 Context of security related to functional safety
4.1 Description of functions
4.2 Security environment
5 Guiding principles
6 Life cycle recommendations for co-engineering
6.1 General
6.2 Managing security related safety aspects
7 Risk assessment considerations
7.1 Risk assessment at higher level
7.2 Trade-off analysis
7.3 Considerations for threat-risk assessment
7.3.1 General
7.3.2 Recommendations to the threat-risk assessment
7.3.3 Considerations related to security countermeasures
7.3.4 Vulnerabilities and examples of root causes
7.4 Malevolent and unauthorized actions
7.4.1 General
7.4.2 Reasonably foreseeable misuse (safety)
7.4.3 Prevention of malevolent and unauthorized actions (security)
7.4.4 Combination of password protection measures
8 Incident response readiness and incident handling
8.1 General
8.2 Incident response readiness
8.3 Incident handling
Bibliography

Figure 1 – Overview of functions of an IACS
Figure 2 – Safety domain and security domain
Figure 3 – Security environment
Figure 4 – Safety and security interaction
Figure 5 – Safety and security risk assessments as part of a risk assessment at higher level

Table 1 – Terms with multiple definitions
Table 2 – Recommended activities in life cycle stages

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY
FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a Technical Report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC TR 63069 has been prepared by IEC technical committee TC 65: Industrial-process measurement, control and automation.

The text of this Technical Report is based on the following documents:

Draft DTR | Report on voting
65/698/DTR | 65/713A/RVDTR

Full information on the voting for the approval of this Technical Report can be found in the report on voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.


The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.
INTRODUCTION
0.1 Purpose of this document

Many sector specific guides, standards and technical specifications have been developed in the fields of safety and security. However, a generic document for framework for safety and security is largely expected by industry actors. Even the terms "safety" and "security" are sometimes used for different meanings in these documents. As a result, it can be difficult to apply them holistically at the same time to a manufacturing system.

0.2 Background

Security has become a new factor to be considered in system engineering. The parts of the IEC 61508 series published in 2010 took into account that security can impact functional safety.

In IEC TC 65 (Industrial-process measurement, control and automation), considerable concerns arose with respect to the impacts of security incidents to safety functions in IACS (industrial automation and control systems); many complex systems of that kind are becoming connected systems (particularly by interaction based on wireless connectivity from sensors/actuators to complete plants, grids, etc.) for maintenance and operations. The overall question was: "How to design and manage safety and security – in cooperation, integrated, or separate system?"

0.3 Issues on the terminology

Definitions of some terms, such as "safety", "security" and "risk", are sometimes different in different documents. Although they are consistent in a set of documents in each area of safety and security, they can be inconsistent when both standards are applied at the same time.

For these reasons, the terminology is carefully used in this document.

0.4 Target audience
The target audience of this document includes, but is not limited to,
– asset owners (including those responsible for concept and governance),
– system integrators (including those responsible for design and realisation),
– product suppliers (including those responsible for design and realisation),
– service providers (including operators and maintainers), and
– authorities (including those responsible for assessment and audit).
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY
1 Scope

This document explains and provides guidance on the common application of IEC 61508 (all parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and automation.

This document can apply to other industrial sectors where IEC 61508 (all parts) and IEC 62443 (all parts) are applied.

NOTE Usage or reference of this document for industry specific sector standards is encouraged.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 62443 (all parts), Security for industrial automation and control systems

3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions defined for this document
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp

NOTE Within this document, new terms and definitions are created only if not provided by the IEC 61508 series or the IEC 62443 series.

3.1.1
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from security incidents
[SOURCE: ISO/IEC 27035-1:2016, 3.6, modified – The words "information security incidents" have been replaced by "security incidents".]

3.1.2
incident response
actions taken to mitigate or resolve a security incident, including those taken to protect and restore the normal operational conditions of an IACS and the information stored in it
[SOURCE: ISO/IEC 27035-1:2016, 3.7, modified – The words "information security incident" were replaced by "security incident", and "information system" was replaced by "IACS".]

3.1.3
safety domain
safety activities carried out by assigned persons or organizations and their outcomes according to IEC 61508 (all parts)

3.1.4
security domain
security activities carried out by assigned persons or organizations and their outcomes according to IEC 62443 (all parts)

3.1.5
security environment
area of consideration where all relevant security countermeasures are in place and effective

3.1.6
access
ability and means to communicate with or otherwise interact with a system in order to use system resources
Note 1 to entry: Access may involve physical access (authorization to be allowed physically in an area, possession of a physical key lock, PIN code, or access card or biometric attributes that allow access) or logical access (authorization to log in to a system and application, through a combination of logical and physical means).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.1]

3.1.7
architecture
specific configuration of hardware and software elements in a system
[SOURCE: IEC 61508-4:2010, 3.3.4]

3.1.8
asset
physical or logical object owned by or under the custodial duties of an organization, having either a perceived or actual value to the organization
Note 1 to entry: In the case of industrial automation and control systems the physical assets that have the largest directly measurable value may be the equipment under control.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.6]

3.1.9
attack
assault on a system that derives from an intelligent threat – i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
Note 1 to entry: There are different commonly recognized classes of attack:
• An "active attack" attempts to alter system resources or affect their operation.
• A "passive attack" attempts to learn or make use of information from the system but does not affect system resources.
• An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider") – i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
• An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (including an insider attacking from outside the security perimeter). Potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.9]
3.1.10
availability
ability of an item to be in a state to perform a required function under given conditions at a given instant or over a given time interval, assuming that the required external resources are provided
Note 1 to entry: This ability depends on the combined aspects of the reliability performance, the maintainability performance and the maintenance support performance.
Note 2 to entry: Required external resources, other than maintenance resources do not affect the availability performance of the item.
Note 3 to entry: In French the term "disponibilité" is also used in the sense of "instantaneous availability".
[SOURCE: IEC TS 62443-1-1:2009, 3.2.16]

3.1.11
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: IEC TS 62443-1-1:2009, 3.2.28]

3.1.12
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken
Note 1 to entry: The term "control" is also used to describe this concept in some contexts. The term countermeasure has been chosen for IEC TS 62443-1-1 to avoid confusion with the term "control" in the context of process control.
Note 2 to entry: The words "minimizing the harm" in this definition do not relate to functional safety.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.33, modified – Addition of Note 2 to entry.]

3.1.13
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that:
a) prevents a safety function from operating when required (demand mode) or causes a safety function to fail (continuous mode) such that the EUC is put into a hazardous or potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[SOURCE: IEC 61508-4:2010, 3.6.7]

3.1.14
defence in depth
provision of multiple security protections, especially in layers, with the intent to delay if not prevent an attack
Note 1 to entry: Defence in depth implies layers of security and detection, even on single systems, and provides the following features:
• attackers are faced with breaking through or bypassing each layer without being detected;
• a flaw in one layer can be mitigated by capabilities in other layers;
• a system security becomes a set of layers within the overall network security.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.40]
3.1.15
essential function
function or capability that is required to maintain health, safety, the environment and availability for the equipment under control
Note 1 to entry: Essential functions include, but are not limited to, the safety instrumented function (SIF), the control function and the ability of the operator to view and manipulate the equipment under control. The loss of essential functions is commonly termed loss of protection, loss of control and loss of view respectively. In some industries additional functions such as history may be considered essential.
[SOURCE: IEC 62443-3-3:2013, 3.1.22]

3.1.16
functional safety
part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12]

3.1.17
harm
physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 61508-4:2010, 3.1.1]

3.1.18
hazard
potential source of harm
Note 1 to entry: The term includes danger to persons arising within a short time scale (for example, fire and explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic substance).
[SOURCE: IEC 61508-4:2010, 3.1.2]

3.1.19
incident
event that is not part of the expected operation of a system or service that causes or may cause, an interruption to, or a reduction in, the quality of the service provided by the system
[SOURCE: IEC 62443-2-1:2010, 3.1.18]

3.1.20
industrial automation and control systems
IACS
collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process
Note 1 to entry: These systems include, but are not limited to:
• industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety instrumented system (SIS) functions, whether they are physically separate or integrated.)
• associated information systems such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.
• associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.57]
3.1.21
integrity
quality of a system reflecting the logical correctness and reliability of the operating system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data
Note 1 to entry: In a formal security mode, integrity is often interpreted more narrowly to mean protection against unauthorized modification or destruction of information.
[SOURCE: IEC TS 62443-1-1:2009, 3
...
