iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
IEC

IEC TR 62443-2-3:2015

(Main)

Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment

Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment

IEC TR 62443-2-3:2015(E) describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates.

General Information

Status
Published
Publication Date
29-Jun-2015
ICS
25.040.40 - Industrial process measurement and control
35.040.40 - Coding of audio, video, multimedia and hypermedia information
35.100.05 - Multilayer applications
Technical Committee
TC 65 - Industrial-process measurement, control and automation
Drafting Committee
WG 10 - TC 65/WG 10
Current Stage
PPUB - Publication issued
Start Date
30-Sep-2015
Completion Date
30-Jun-2015
Ref Project

Buy Standard

IEC TR 62443-2-3:2015 - Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environmentIEC TR 62443-2-3:2015 - Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment
PreviousNext
Technical report
IEC TR 62443-2-3:2015 - Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment
English language
61 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC TR 62443-2-3 ®
Edition 1.0 2015-06
TECHNICAL
REPORT
colour
inside
Security for industrial automation and control systems –
Part 2-3: Patch management in the IACS environment
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
The stand-alone application for consulting the entire The world's leading online dictionary of electronic and
bibliographical information on IEC International Standards, electrical terms containing more than 30 000 terms and
Technical Specifications, Technical Reports and other definitions in English and French, with equivalent terms in 15
documents. Available for PC, Mac OS, Android Tablets and additional languages. Also known as the International
iPad. Electrotechnical Vocabulary (IEV) online.

IEC publications search - www.iec.ch/searchpub IEC Glossary - std.iec.ch/glossary
The advanced search enables to find IEC publications by a More than 60 000 electrotechnical terminology entries in
variety of criteria (reference number, text, technical English and French extracted from the Terms and Definitions
committee,…). It also gives information on projects, replaced clause of IEC publications issued since 2002. Some entries
and withdrawn publications. have been collected from earlier publications of IEC TC 37,

77, 86 and CISPR.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Customer Service Centre - webstore.iec.ch/csc
details all new publications released. Available online and If you wish to give us your feedback on this publication or
also once a month by email. need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
IEC TR 62443-2-3 ®
Edition 1.0 2015-06
TECHNICAL
REPORT
colour
inside
Security for industrial automation and control systems –

Part 2-3: Patch management in the IACS environment

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS : 25.040.40; 35.040; 35.100 ISBN 978-2-8322-2768-8

– 2 – IEC TR 62443-2-3:2015 © IEC 2015
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references. 8
3 Terms, definitions, abbreviated terms and acronyms . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms and acronyms . 9
4 Industrial automation and control system patching . 11
4.1 Patching problems faced in industrial automation and control systems . 11
4.2 Impacts of poor patch management . 11
4.3 Obsolete IACS patch management mitigation . 12
4.4 Patch lifecycle state . 12
5 Recommended requirements for asset owner . 13
6 Recommended requirements for IACS product supplier . 14
7 Exchanging patch information . 14
7.1 General . 14
7.2 Patch information exchange format . 15
7.3 Patch compatibility information filename convention . 15
7.4 VPC file schema . 15
7.5 VPC file element definitions . 17
Annex A (informative) VPC XSD file format . 21
A.1 VPC XSD file format specification . 21
A.2 Core component types . 23
A.2.1 Overview . 23
A.2.2 CodeType . 23
A.2.3 DateTimeType . 24
A.2.4 IdentifierType . 24
A.2.5 IndicatorType . 25
A.2.6 TextType . 25
Annex B (informative) IACS asset owner guidance on patching . 26
B.1 Annex organization . 26
B.2 Overview. 26
B.3 Information gathering . 27
B.3.1 Inventory of existing environment . 27
B.3.2 Tools for manual and automatic scanning . 29
B.3.3 IACS product supplier contact and relationship building . 30
B.3.4 Supportability and product supplier product lifecycle . 32
B.3.5 Evaluation and assessment of existing environment . 32
B.3.6 Classification and categorization of assets/hardware/software. 33
B.4 Project planning and implementation . 36
B.4.1 Overview . 36
B.4.2 Developing the business case . 37
B.4.3 Establishing and assigning roles and responsibilities . 38
B.4.4 Testing environment and infrastructure . 40
B.4.5 Implement backup and restoration infrastructure . 41
B.4.6 Establishing product supplier procurement guidelines . 42

B.5 Monitoring and evaluation . 42
B.5.1 Overview . 42
B.5.2 Monitoring and identification of security related patches . 43
B.5.3 Determining patch applicability . 43
B.5.4 Impact, criticality and risk assessment . 44
B.5.5 Decision for installation . 45
B.6 Patch testing . 45
B.6.1 Patch testing process . 45
B.6.2 Asset owner qualification of security patches prior to installation . 46
B.6.3 Determining patch file authenticity . 46
B.6.4 Review functional and security changes from patches . 46
B.6.5 Installation procedure . 47
B.6.6 Patch qualification and validation . 48
B.6.7 Patch removal, roll back, restoration procedures . 48
B.6.8 Risk mitigation alternatives . 49
B.7 Patch deployment and installation . 50
B.7.1 Patch deployment and installation process . 50
B.7.2 Notification of affected parties . 50
B.7.3 Preparation . 51
B.7.4 Phased scheduling and installation . 51
B.7.5 Verification of patch installation . 52
B.7.6 Staff training and drills . 52
B.8 Operating an IACS patch management program . 53
B.8.1 Overview . 53
B.8.2 Change management . 53
B.8.3 Vulnerability awareness . 53
B.8.4 Outage scheduling . 54
B.8.5 Security hardening . 54
B.8.6 Inventory and data maintenance . 54
B.8.7 Procuring or adding new devices . 55
B.8.8 Patch management reporting and KPIs . 55
Annex C (informative) IACS product supplier / service provider guidance on patching . 56
C.1 Annex organization . 56
C.2 Discovery of vulnerabilities . 56
C.2.1 General . 56
C.2.2 Vulnerability discovery and identification within the product . 57
C.2.3 Vulnerability discovery and identification within externally sourced
product components . 57
C.3 Development, verification and validation of security updates . 58
C.4 Distribution of cyber security updates . 58
C.5 Communication and outreach . 58
Bibliography . 60

Figure 1 – Patch state model . 13
Figure 2 – VPC file schema . 16
Figure 3 – VPC file schema diagram format . 17
Figure B.1 – IACS patch management workflow . 27
Figure B.2 – Planning an IACS patch management process . 36

– 4 – IEC TR 62443-2-3:2015 © IEC 2015
Figure B.3 – Sample responsibilities chart . 40
Figure B.4 – Patch monitoring and evaluation process . 42
Figure B.5 – A patch testing process . 45
Figure B.6 – A patch deployment and installation process .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

IEC
IEC TR 62443-3-1:2009(Main)
Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems

IEC/TR 62443-3-1:2009(E) provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

  • Technical report
    102 pages
    English language
    sale 15% off
IEC
IEC TR 62443-3-1:2009(Main)
Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems

IEC/TR 62443-3-1:2009(E) provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

  • Technical report
    102 pages
    English language
    sale 15% off
IEC
IEC 60127-8:2018(Main)
Miniature fuses - Part 8: Fuse resistors with particular overcurrent protection

IEC 60127-8:2018 relates to fuse resistors with particular overcurrent protection rated up to AC 500 V and/or DC 500 V for printed circuits and other substrate systems, used for the protection of electric appliances, electronic equipment and component parts thereof, normally intended to be used indoors.
It does not apply to fuse resistors with particular overcurrent protection for appliances intended to be used under special conditions, such as in a corrosive or explosive atmosphere.
The object of this part of IEC 60127 is
a) to establish uniform requirements for fuse resistors with particular overcurrent protection so as to protect appliances or parts of appliances in the most suitable way;
b) to define the performance of the fuse resistors with particular overcurrent protection, so as to give guidance to manufacturers of electrical appliances and electronic equipment and to ensure replacement of fuse resistors with particular overcurrent protection by those of similar dimensions and characteristics;
c) to establish uniform test methods for fuse resistors with particular overcurrent protection, so as to allow verification of the values (for example rated dissipation, functioning characteristic and rated breaking capacity values) specified by the manufacturer.
This part of IEC 60127 applies in addition to the requirements of IEC 60127-1.
This first edition of IEC 60127-8 cancels and replaces IEC PAS 60127-8:2014.
This international standard is to be used in conjunction with IEC 60127-1.
Keywords: Miniature Fuses, Fuse-Resistors, Overcurrent Protection

  • Standard
    25 pages
    English language
    sale 15% off
  • Standard
    52 pages
    English language
    sale 15% off
  • Standard
    49 pages
    English and French language
    sale 15% off
IEC
IEC 61280-2-13:2024(Main)
Fibre optic communication subsystem test procedures - Part 2-13: Digital systems - Measurement of error vector magnitude

IEC 61280-2-13:2024 series defines a procedure for calculating the root-mean-square error vector magnitude of optical n-APSK signals from a set of measured symbols. It specifically defines the normalization of the reference states and a procedure for optimal scaling of the measured symbol states. The procedure described in this document applies to single-polarized optical signals as well as to conventional polarization-multiplexed signals with independently modulated polarization tributaries. In general, it is not advisable to apply these procedures without modification to signals, in which optical amplitude, phase, and polarization state are simultaneously modulated to encode the information data. This document does not specify any signal processing steps for extracting the symbols from the received optical signals, because these steps depend on the optical receiver and can vary with the type of the transmitted n-APSK signal. These and optional additional signal processing steps are defined in application-specific documents.

  • Standard
    49 pages
    English and French language
    sale 15% off
IEC
IEC 60127-8:2018/AMD1:2024(Amendment)
Amendment 1 - Miniature fuses - Part 8: Fuse resistors with particular overcurrent protection
  • Standard
    13 pages
    English and French language
    sale 15% off
IEC
IEC 62024-1:2024(Main)
High frequency inductive components - Electrical characteristics and measuring methods - Part 1: Nanohenry range chip inductor

IEC 62024-1:2024 is available as IEC 62024-1:2024 RLV which contains the International Standard and its Redline version, showing all changes of the technical content compared to the previous edition.IEC 62024-1:2024 specifies the electrical characteristics and measuring methods for the nanohenry range chip inductor that is normally used in the high frequency (over 100 kHz) range.
This edition includes the following significant technical changes with respect to the previous edition:
a) addition of S parameter measurement;
b) addition of the inductance, Q-factor and impedance of an inductor which are measured by the reflection coefficient method with a network analyzer;
c) addition of the resonance frequency of an inductor which is measured by a two-port network analyzer;
d) addition of the mounting method for a surface mounting inductor with Pb-free solder.

  • Standard
    102 pages
    English language
    sale 15% off
  • Standard
    63 pages
    English and French language
    sale 15% off
IEC
IEC 63412-1:2024(Main)
Ultrasonics - Shear-wave elastography - Part 1: Specifications for the user interface

IEC 63412-1:2024 specifies quantities and parameters which it is essential to provide to the user of shear-wave elastography systems, many in the image headers.
This document is applicable to medical-diagnostic, ultrasonic shear-wave elastography systems, exciting (internally or externally) shear waves and tracking their propagation within biological tissue.

  • Standard
    41 pages
    English and French language
    sale 15% off
IEC
IEC TS 62607-9-2:2024(Main)
Nanomanufacturing - Key control characteristics - Part 9-2: Nanomagnetic products - Magnetic field distribution: Magneto-optical indicator film technique

IEC TS 62607-9-2:2024, which is a Technical Specification, establishes a standardized method to determine the key control characteristic
• magnetic field distribution
of nanomagnetic materials, structures and devices by the
• magneto-optical indicator film technique.
The magnetic field distribution is derived by utilizing a magneto optical indicator film, which is a thin film of magneto-optic material that is placed on the surface of an object exhibiting a spatially varying magnetic field distribution. The Faraday effect is then employed to measure the magnetic field strength by analysing the rotation of the polarization plane of light passing through the magneto-optic film.
The method is applicable for measuring the stray field distribution of flat nanomagnetic materials, structures and devices.
- The method can especially be used to perform fast quantitative measurements of stray field distributions at the surface of an object.
- The magneto-optic indicator film technique (MOIF) is a fast, non-destructive method, making it an attractive option for materials analysis and testing in the industry.
- MOIF measurements can be done without any sample preparation and do not rely on specific surface properties of the object. It can be applied to the characterization of rough samples as well as of samples with non-magnetic cover layers.
- MOIF can quantitatively measure magnetic field distributions:
• with a one-shot measurement which typically takes a few seconds
• over areas of several square centimetres (over diameters of up to 15 cm with special techniques)
• in a field range from 1 mT to more than 100 mT
• with down to 1 µm spatial resolution
- Although techniques with nano-scale resolution are suitable for analysing the details of magnetic field structure, their ability to characterize larger areas is limited by their scanning area. Therefore, the MOIF technique is an indispensable complementary method that can offer a more comprehensive understanding of material properties.
This document focuses on the calibration procedures, calibrated measurement process, and evaluation of measurement uncertainty to ensure the traceability of quantitative magnetic field measurements obtained through the magneto-optic indicator film technique.

  • Technical specification
    771 pages
    English language
    sale 15% off
IEC
IEC TS 63336:2024(Main)
Commissioning of VSC HVDC systems

IEC TS 63336:2024, which is a technical specification, applies to the commissioning of voltage-sourced converter (VSC) high voltage direct current (HVDC) systems which consist of two converter stations and the connecting HVDC transmission line.
The tests are generally applied to all HVDC configurations and could require addition or deletion to match the given solution.
This document provides guidance on the planning of commissioning activities. The commissioning described in this document is implemented through on-site testing on the whole system functionality, including testing on the subsystem and system. This document provides the scope, procedures and acceptance criteria of the tests.
Factory system tests, on-site equipment tests, electrode tests, and trial operation are not included in this document.

  • Technical specification
    61 pages
    English language
    sale 15% off
IEC
IEC 63128:2019(Main)
Lighting control interface for dimming - Analogue voltage dimming interface for electronic current sourcing controlgear

IEC 63128:2019 specifies the analogue control interface of controlgear which has the function of controlling the output of the controlgear. The output of the controlgear is controlled between minimum/off and maximum values by the voltage control device sinking the controlgear current source.
This document does not specify safety requirements for the analogue interface of controlgear. Safety requirements are given in IEC 61347 (all parts).

  • Standard
    29 pages
    English language
    sale 15% off
  • Standard
    21 pages
    English and French language
    sale 15% off