Security aspects - Guidelines for their inclusion in publications

IEC GUIDE 120:2018 provides guidelines on the security topics to be covered in IEC publications, and aspects of how to implement them. These guidelines can be used as a checklist for the combination of publications used in implementation of systems.
This document includes what is often referred to as “cyber security”.
This document excludes non electrotechnical aspects of security such as societal security, except where they directly interact with electrotechnical security.

General Information

Status: Published
Publication Date: 20-Jun-2018
Technical Committee: IEC/TC - IEC/TC
Current Stage: DELPUB - Deleted Publication
Start Date: 11-Oct-2023
Completion Date: 26-Oct-2025

Relations

Effective Date: 05-Sep-2023

Overview

IEC GUIDE 120:2018 - Security aspects – Guidelines for their inclusion in publications is a non‑mandatory IEC guide that tells standards writers and technical committees what security topics should be covered in IEC publications and how to implement them. The Guide is intended as a practical checklist for the combination of publications used when implementing electrotechnical systems. It explicitly includes what is commonly called cyber security and excludes non‑electrotechnical societal security except where it directly interacts with electrotechnical security.

Key topics and technical requirements

IEC GUIDE 120:2018 organizes guidance around publication types, lifecycle concerns and domain applicability. Core topics covered include:

  • Categorization of publications (base, group, product, guidance, test) to help authors position security requirements.
  • Terminology and primary sources for consistent use of security and cyber security terms.
  • Security risk assessment: iterative risk assessment, scenario analysis, risk mitigation strategy and validation.
  • Interrelation with functional safety: identifying how security risks can impact safety‑related control systems.
  • Lifecycle and holistic system view: design, development, operation and maintenance considerations.
  • Defence‑in‑depth strategies and selected technical/organizational measures.
  • Vulnerability handling and secure supply chain considerations.
  • Security management and conformity assessment: aligning standards development with assessment needs.
  • Practical guidance for dealing with greenfield and brownfield deployments.

The Guide also points standards writers to normative and relevant references (e.g., ISO/IEC Directives, IEC TS 62443, ISO/IEC 27000 family) to ensure alignment with accepted cyber security practices.

Practical applications - who uses this standard

IEC GUIDE 120 is aimed at anyone involved in producing, applying or assessing IEC publications and electrotechnical systems, including:

  • Standards committees, technical writers and editors - to include appropriate security clauses in standards.
  • Product developers and system integrators - to ensure standards used for procurement and design address security throughout the lifecycle.
  • Cybersecurity engineers and architects - for mapping security requirements to tests, product standards and domain guidance.
  • Conformity assessment bodies and regulators - for understanding how security content is organized in IEC publications.
  • Asset owners and operators - when combining standards to implement secure, resilient systems.

Related standards

Relevant references and complementary documents include:

  • ISO/IEC Directives Part 2 (document structure and drafting)
  • IEC TS 62443 series (industrial automation and control systems security)
  • ISO/IEC 27000 family (information security management)
  • IEC 60050 and ISO/IEC GUIDE 51 (terminology and safety concepts)

Use IEC GUIDE 120:2018 as a practical roadmap to integrate security aspects and cyber security consistently and coherently across electrotechnical standards and system implementations.

Guide

IEC GUIDE 120:2018 - Security aspects - Guidelines for their inclusion in publications

English language
29 pages

Frequently Asked Questions

IEC GUIDE 120:2018 is a guide published by the International Electrotechnical Commission (IEC). Its full title is "Security aspects - Guidelines for their inclusion in publications". This standard covers: IEC GUIDE 120:2018 provides guidelines on the security topics to be covered in IEC publications, and aspects of how to implement them. These guidelines can be used as a checklist for the combination of publications used in implementation of systems. This document includes what is often referred to as “cyber security”. This document excludes non electrotechnical aspects of security such as societal security, except where they directly interact with electrotechnical security.

IEC GUIDE 120:2018 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

IEC GUIDE 120:2018 has the following relationship with other standards: it has an inter-standard link to IEC GUIDE 120:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase IEC GUIDE 120:2018 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of IEC standards.

Standards Content (Sample)


IEC GUIDE 120 ®
Edition 1.0 2018-06
GUIDE (colour inside)
Security aspects – Guidelines for their inclusion in publications
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland

Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 21 000 terms and definitions in English and French, with equivalent terms in 16 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC publications search - webstore.iec.ch/advsearchform
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.

IEC Glossary - std.iec.ch/glossary
67 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: sales@iec.ch.
IEC GUIDE 120 ®
Edition 1.0 2018-06
GUIDE (colour inside)
Security aspects – Guidelines for their inclusion in publications

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 35.030 ISBN 978-2-8322-5827-9

– 2 – IEC Guide 120:2018 © IEC:2018
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Guide to terminology . 9
4.1 General . 9
4.2 Primary recommended sources . 10
4.3 Other relevant sources . 10
4.3.1 General . 10
4.3.2 Other application-domain independent sources. 10
4.3.3 Other application-domain specific sources . 10
5 Categorisation of publications . 11
5.1 Overview. 11
5.2 Publication type . 11
5.2.1 General . 11
5.2.2 Base security publications . 12
5.2.3 Group security publications . 12
5.2.4 Product security publications . 13
5.2.5 Guidance security publications . 13
5.2.6 Test security publications . 13
5.2.7 Relationship between types of security publications . 13
5.3 Application domain. 13
5.4 Content . 14
5.5 User/target group . 14
5.6 Developing security publications . 14
5.6.1 Base security publications . 14
5.6.2 Group security publications . 15
5.6.3 Product security publications . 15
5.6.4 Guidance security publications and test security publications . 15
6 Mapping/overview of publications . 16
6.1 General . 16
6.2 List of relevant publications. 16
6.3 Domain table chart . 16
7 Considerations for publications development . 17
7.1 Practical considerations for publication writers . 17
7.2 Development process of security in publications . 17
7.3 Interrelation between functional safety and security . 20
7.4 Specific requirements . 21
7.4.1 Relationship with base security publications . 21
7.4.2 Consider conformity assessment when writing standards . 21
7.4.3 Lifecycle approach . 22
7.4.4 Holistic system view . 22
7.4.5 Vulnerability handling . 23
7.4.6 Defence-in-depth . 23
7.4.7 Security management . 23

7.4.8 Supply chain . 23
7.4.9 Consider greenfield and brownfield . 24
7.4.10 Use of term integrity . 24
7.5 Security risk assessment . 24
7.5.1 General . 24
7.5.2 Iterative process of security risk assessment and risk mitigation . 25
7.5.3 Maintaining safe operation . 25
7.5.4 Scenario analysis . 26
7.5.5 Security risk mitigation strategy . 26
7.5.6 Validation . 26
Bibliography . 27

Figure 1 – Possible categorization of publications . 11
Figure 2 – Types of publications . 12
Figure 3 – Publications and application domains . 16
Figure 4 – Example of security requirements, threats, and possible attacks . 17
Figure 5 – Decision flow chart . 19
Figure 6 – Interrelation between functional safety and security . 20
Figure 7 – Example of security management cycle for an organization . 22
Figure 8 – Selected measures for defence-in-depth strategy . 23
Figure 9 – Possible impact of security risk(s) on the safety-related control system . 25

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY ASPECTS – GUIDELINES FOR
THEIR INCLUSION IN PUBLICATIONS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This first edition of IEC Guide 120 has been prepared, in accordance with ISO/IEC Directives,
Part 1, Annex A, by the Advisory Committee on Information security and data privacy
(ACSEC). This is a non-mandatory guide in accordance with SMB Decision 136/8.
The text of this guide is based on the following documents:

DV: C/2086/DV
Report on voting: C/2113A/RV

Full information on the voting for the approval of this Guide can be found in the report on
voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
The increasing complexity and connectivity of systems, products, processes and services
entering the market requires that the consideration of security aspects be given a high
priority. Inclusion of security aspects in standardization provides protection from and
response to risks of unintentionally and intentionally caused events that can disrupt the
functionality/operation of products and systems.
When preparing publications, committees should ensure that relevant resilience requirements
applicable to their application domain are included. Security aspects will in many cases play a
role in achieving resilience directed standards.
In this guide, the term “committee” includes technical committees, subcommittees and
system committees. The term “publication” includes “standard”, “technical report”, “technical
specification” and “guide”.
National laws (legislation and regulation) may override the general application of publications.
NOTE Publications can deal exclusively with security aspects or can include clauses specific to security.

SECURITY ASPECTS – GUIDELINES FOR
THEIR INCLUSION IN PUBLICATIONS

1 Scope
This document provides guidelines on the security topics to be covered in IEC publications,
and aspects of how to implement them. These guidelines can be used as a checklist for the
combination of publications used in implementation of systems.
This document includes what is often referred to as “cyber security”.
This document excludes non electrotechnical aspects of security such as societal security,
except where they directly interact with electrotechnical security.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
ISO/IEC Directives Part 2:2018, Principles and rules for the structure and drafting of ISO and
IEC documents
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
accountability
property of a system (including all of its system resources) that ensures that the actions of a
system entity may be traced uniquely to that entity, which can be held responsible for its
actions
[SOURCE: IEC TS 62443-1-1:2009, 3.2.3]
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset
[SOURCE: ISO/IEC 27000:2016, 2.3]
3.3
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2016, 2.7]

3.4
authorization
right or permission that is granted to a system entity to access a system resource
[SOURCE: IEC TS 62443-1-1:2009, 3.2.14]
3.5
availability
property of being accessible and usable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2016, 2.9]
3.6
confidentiality
property that information is not made available or disclosed to unauthorized individuals,
entities, or processes
[SOURCE: ISO/IEC 24767-1:2008, 2.1.2]
3.7
functional safety
part of the overall safety that depends on functional and physical units operating correctly in
response to their inputs
[SOURCE: IEC 60050-351:2013, 351-57-06]
3.8
harm
injury or damage to the health of people, or damage to property or the environment
[SOURCE: ISO/IEC GUIDE 51:2014, 3.1]
3.9
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2016, 2.40]
3.10
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
[SOURCE: ISO/IEC 27000:2016, 2.54]
3.11
risk
combination of the probability of occurrence of harm and the severity of that harm
Note 1 to entry: The probability of security risks often cannot be determined in the same way as the probability of
safety hazards based on statistical analysis.
[SOURCE: IEC 60050-351:2013, 351-57-03, modified – Note 1 to entry has been added]
3.12
safety
freedom from risk which is not tolerable
[SOURCE: ISO/IEC GUIDE 51:2014, 3.14]

3.13
security
condition that results from the establishment and maintenance of protective measures that
ensure a state of inviolability from hostile acts or influences
Note 1 to entry: Hostile acts or influences could be intentional or unintentional.
[SOURCE: IEC 62351-2:2008, modified – Note 1 to entry has been added]
3.14
security control
measure (including process, policy, device, practice or other action) which modifies security
risk or use
3.15
security service
mechanism used to provide confidentiality, data integrity, authentication, or non-repudiation of
information
[SOURCE: IEC TS 62443-1-1:2009, 3.2.115]
3.16
threat
potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm
[SOURCE: IEC TS 62443-1-1:2009, 3.2.125]
3.17
vendor
manufacturer or distributor of a product
[SOURCE: IEC 62337:2012, 3.12, modified – replaced “piece of
equipment/instrument/package unit” with “product”]
3.18
vulnerability
flaw or weakness in a system’s design, implementation, or operation and management that
could be exploited to violate the system’s security policy
Note 1 to entry: This definition of vulnerability should not be confused with the term vulnerability when used in the
context of general risk management, where it encompasses the notion of possibility of exposition to a risk.
[SOURCE: IEC TR 62918:2014, 3.16, modified – Note 1 to entry has been added]
4 Guide to terminology
4.1 General
There are already many security-related terms and definitions in existing publications.
Therefore, before defining a new term, existing terms and definitions should be checked first.
Primary recommended sources are shown in 4.2 and they should be used in preference to the
other relevant sources shown in 4.3. If no appropriate term and definition is found in those
sources, either modify an existing one or define a new one.
Definitions in this document are not intended to be generic ones but only apply to this
document.
The ISO/IEC Directives Part 2:2018, Clause 16, defines how the terms and definitions in IEC
publications are drafted.
NOTE The same term might have different definitions depending on the context in which it is used, or different
terms might be used for the same or similar meaning in different application domains.
4.2 Primary recommended sources
The sources for this category are:
1) IEC 60050 (all parts) (IEV) [2]
2) IEC Glossary [3]
3) ISO/IEC JTC 1 SC 27 Standing Document SD6, Glossary of IT Security Terminology [4]
where IEC 60050 and the IEC Glossary should be used in preference.
IEC 60050 provides representative definitions to more than 20 000 terms, organized by
subject areas in IEC. The IEC Glossary is a compilation of electrotechnical terms extracted
from the “Terms and definitions” clause in existing IEC publications.
If no appropriate term or definition is found in the two sources above,
ISO/IEC JTC 1 SC 27 SD6, which covers more security-related terms and definitions, should
be consulted.
NOTE Application-domain specific terms developed by IEC committees are also considered to be primary
sources. These can be searched using the web page of the IEC Glossary.
4.3 Other relevant sources
4.3.1 General
There are a variety of resources available which focus on certain application domains of
electrotechnology such as energy, building, healthcare, and transportation.
This category includes application-domain independent sources (4.3.2) and application-
domain specific sources (4.3.3).
4.3.2 Other application-domain independent sources
• IETF RFC 4949 [5]
• NISTIR 7298 [6]
• IEEE, Standards Glossary [7]
• ITU, ITU Terms and Definitions [8]
4.3.3 Other application-domain specific sources
• Healthcare: HL7, Glossary Of Acronyms, Abbreviations and Terms Related To Information
Security In Healthcare Information Systems [9]
• Nuclear: IAEA, Nuclear Security Series Glossary [10]
• Energy: IEA, Glossary [11]
___________
Numbers in square brackets refer to the Bibliography.

5 Categorisation of publications
5.1 Overview
There are several different ways in which security publications can be categorised. Four
possible aspects for the categorization are shown in Figure 1. Publications can belong to
more than one category. Each category is identified by a combination of types, one from each aspect.

Figure 1 – Possible categorization of publications
5.2 Publication type
5.2.1 General
Publications for security can be categorised as one of the five types listed below, as shown in
Figure 2:
• base security publication;
• group security publication;
• product security publication;
• guidance security publication;
• test security publication.

NOTE The examples listed in Figure 2 are not exhaustive.
Figure 2 – Types of publications
5.2.2 Base security publications
Base security publications are publications that define some aspect of security, in a generic
manner.
Base security publications deal with fundamental concepts, principles and requirements with
regard to general security aspects applicable to a wide range of products and systems.
Horizontal standards dealing with security, as defined in IEC GUIDE 108 [14], are base
security publications.
5.2.3 Group security publications
Group security publications show how to apply security in one of the application domains. To
do this, they may reference or customise base security publications. They are equivalent to
group publications as defined in IEC GUIDE 104 [13] for safety applications.
Group security publications may be applicable to many products or systems, or families of
similar products or systems.
Group security publications are sometimes referred to as sector-specific security publications.

5.2.4 Product security publications
Product security publications define how to apply base security publications or group security
publications for a particular type of product. They ensure that different products can interact
or interoperate securely, and can be controlled and managed in a uniform manner.
Product security publications should as far as possible define their requirements by reference
to base security publications and group security publications.
NOTE In this context, the term product includes items such as process, service, installation, and combinations
thereof.
5.2.5 Guidance security publications
Guidance security publications should not contain requirements. They explain how to
implement base publications, and group or product publications.
In some application areas, guidance publications are not used. Instead necessary guidance
information is provided through informative annexes within the relevant requirements
standard.
5.2.6 Test security publications
Test security publications define ways to determine that the requirements of base
publications, and group or product publications have been correctly implemented.
Test publications typically have a specialised audience and often make reference to
conformity assessment. They may define or identify reference implementations that can be
used to determine correct implementation through successful interoperation.
5.2.7 Relationship between types of security publications
The relationship between these different types of publications is shown in Figure 2. There is
an equivalent figure for safety publications in Annex B of IEC GUIDE 104:2010 [13].
5.3 Application domain
Publications for security can also be categorised according to their intended domain of
application. This may be a sector of economic or industrial activity, a type of market, or an
area of application.
Some examples of application domains are listed below, as shown in Figure 1:
• building/home;
• energy;
• general;
• healthcare;
• ICT;
• industrial automation;
• transportation.
In many cases an application domain will have an associated IEC committee responsible for
the development of publications for that domain. This committee should accept responsibility
for the development of the associated security publications.

Such committees will normally be able to define relevant threat models and security use
cases independently, but may need to seek advice from the committees responsible for base
security publications in configuring or customising those base security publications when
referenced.
5.4 Content
Publications for security can also be grouped by their type of content.
Some examples of possible groups are listed below, as shown in Figure 1:
• component;
• management;
• policy (not in IEC);
• process;
• subsystem;
• system;
• technology.
For example, electrotechnical standards for information security management include the
generic standard ISO/IEC 27001 [15] (developed by JTC 1/SC 27), but also the sector-
specific standards ISO/IEC 27019 [16] (developed by JTC 1/SC 27), IEC 62443-2-1 [17]
(developed by TC 65) and IEC 62645 [18] (developed by SC 45A).
5.5 User/target group
Publications for security can also be grouped by their intended audience. Some examples of
possible user groups are listed below, as shown in Figure 1:
• auditor;
• integrator;
• operator;
• maintainer;
• regulator;
• vendor.
5.6 Developing security publications
5.6.1 Base security publications
Many base security publications were originally developed by government, consortia or
specialist commercial organizations. Most of these have been subsequently formalised into
international or other generally accepted technological standards. IEC committees should
reference the public form of these standards if one exists. The rules for referencing non ISO
and IEC standards from within ISO and IEC publications are specified in 10.2 of
ISO/IEC Directives Part 2:2018.
Within IEC, base security publications defining security controls are prepared by
ISO/IEC JTC 1/SC 27, IT security techniques. Other IEC committees should not attempt to
develop such generic security controls as they are unlikely to have the necessary level of
generic security expertise and information. If an IEC committee identifies a need for a new
publication of this type, it should supply the relevant use case to JTC 1/SC 27 and request it
to prepare an appropriate publication.

It is left open to IEC committees to define security publications for their own domain to
address:
• relevant terminology,
• common threats and attacks,
• security design philosophy or such related issues, and
• common technical requirements (such as interoperability).
5.6.2 Group security publications
Group security publications will normally be domain-specific publications.
Group security publications will normally be developed within one IEC committee, but may
have application in areas beyond the scope of that committee. Normally, the domain
committee will retain responsibility for publications development and maintenance, but should
take account of other known use cases and requirements of wider use.
Group security publications should build upon basic
...


IEC GUIDE 120 ®
Edition 1.0 2018-06
GUIDE
colour
inside
Security aspects – Guidelines for their inclusion in publications

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch
International Electrotechnical Commission
ICS 35.030
ISBN 978-2-8322-5827-9

– 2 – IEC Guide 120:2018 © IEC:2018

CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Guide to terminology . 9
4.1 General . 9
4.2 Primary recommended sources . 10
4.3 Other relevant sources . 10
4.3.1 General . 10
4.3.2 Other application-domain independent sources . 10
4.3.3 Other application-domain specific sources . 10
5 Categorisation of publications . 11
5.1 Overview . 11
5.2 Publication type . 11
5.2.1 General . 11
5.2.2 Base security publications . 12
5.2.3 Group security publications . 12
5.2.4 Product security publications . 13
5.2.5 Guidance security publications . 13
5.2.6 Test security publications . 13
5.2.7 Relationship between types of security publications . 13
5.3 Application domain . 13
5.4 Content . 14
5.5 User/target group . 14
5.6 Developing security publications . 14
5.6.1 Base security publications . 14
5.6.2 Group security publications . 15
5.6.3 Product security publications . 15
5.6.4 Guidance security publications and test security publications . 15
6 Mapping/overview of publications . 16
6.1 General . 16
6.2 List of relevant publications . 16
6.3 Domain table chart . 16
7 Considerations for publications development . 17
7.1 Practical considerations for publication writers . 17
7.2 Development process of security in publications . 17
7.3 Interrelation between functional safety and security . 20
7.4 Specific requirements . 21
7.4.1 Relationship with base security publications . 21
7.4.2 Consider conformity assessment when writing standards . 21
7.4.3 Lifecycle approach . 22
7.4.4 Holistic system view . 22
7.4.5 Vulnerability handling . 23
7.4.6 Defence-in-depth . 23
7.4.7 Security management . 23
7.4.8 Supply chain . 23
7.4.9 Consider greenfield and brownfield . 24
7.4.10 Use of term integrity . 24
7.5 Security risk assessment . 24
7.5.1 General . 24
7.5.2 Iterative process of security risk assessment and risk mitigation . 25
7.5.3 Maintaining safe operation . 25
7.5.4 Scenario analysis . 26
7.5.5 Security risk mitigation strategy . 26
7.5.6 Validation . 26
Bibliography . 27

Figure 1 – Possible categorization of publications . 11
Figure 2 – Types of publications . 12
Figure 3 – Publications and application domains . 16
Figure 4 – Example of security requirements, threats, and possible attacks . 17
Figure 5 – Decision flow chart . 19
Figure 6 – Interrelation between functional safety and security . 20
Figure 7 – Example of security management cycle for an organization . 22
Figure 8 – Selected measures for defence-in-depth strategy . 23
Figure 9 – Possible impact of security risk(s) on the safety-related control system . 25

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

SECURITY ASPECTS – GUIDELINES FOR THEIR INCLUSION IN PUBLICATIONS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This first edition of IEC Guide 120 has been prepared, in accordance with ISO/IEC Directives,
Part 1, Annex A, by the Advisory Committee on Information security and data privacy
(ACSEC). This is a non-mandatory guide in accordance with SMB Decision 136/8.
The text of this guide is based on the following documents:

DV: C/2086/DV
Report on voting: C/2113A/RV

Full information on the voting for the approval of this Guide can be found in the report on voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.
INTRODUCTION
The increasing complexity and connectivity of systems, products, processes and services entering the market requires that the consideration of security aspects be given a high priority. Inclusion of security aspects in standardization provides protection from, and response to, risks of unintentionally and intentionally caused events that can disrupt the functionality/operation of products and systems.

When preparing publications, committees should ensure that relevant resilience requirements applicable to their application domain are included. Security aspects will in many cases play a role in achieving resilience-directed standards.

In this guide, the term “committee” includes technical committees, subcommittees and system committees. The term “publication” includes “standard”, “technical report”, “technical specification” and “guide”.

National laws (legislation and regulation) may override the general application of publications.

NOTE Publications can deal exclusively with security aspects or can include clauses specific to security.

1 Scope
This document provides guidelines on the security topics to be covered in IEC publications, and aspects of how to implement them. These guidelines can be used as a checklist for the combination of publications used in the implementation of systems.

This document includes what is often referred to as “cyber security”.

This document excludes non-electrotechnical aspects of security such as societal security, except where they directly interact with electrotechnical security.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
ISO/IEC Directives Part 2:2018, Principles and rules for the structure and drafting of ISO and
IEC documents
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
accountability
property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions
[SOURCE: IEC TS 62443-1-1:2009, 3.2.3]
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset
[SOURCE: ISO/IEC 27000:2016, 2.3]
3.3
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2016, 2.7]

3.4
authorization
right or permission that is granted to a system entity to access a system resource
[SOURCE: IEC TS 62443-1-1:2009, 3.2.14]
3.5
availability
property of being accessible and usable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2016, 2.9]
3.6
confidentiality
property that information is not made available or disclosed to unauthorized individuals,
entities, or processes
[SOURCE: ISO/IEC 24767-1:2008, 2.1.2]
3.7
functional safety
part of the overall safety that depends on functional and physical units operating correctly in
response to their inputs
[SOURCE: IEC 60050-351:2013, 351-57-06]
3.8
harm
injury or damage to the health of people, or damage to property or the environment
[SOURCE: ISO/IEC GUIDE 51:2014, 3.1]
3.9
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2016, 2.40]
3.10
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
[SOURCE: ISO/IEC 27000:2016, 2.54]
3.11
risk
combination of the probability of occurrence of harm and the severity of that harm
Note 1 to entry: The probability of security risks often cannot be determined in the same way as the probability of
safety hazards based on statistical analysis
[SOURCE: IEC 60050-351:2013, 351-57-03, modified – Note 1 to entry has been added]
3.12
safety
freedom from risk which is not tolerable
[SOURCE: ISO/IEC GUIDE 51:2014, 3.14]

3.13
security
condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences
Note 1 to entry: Hostile acts or influences could be intentional or unintentional.
[SOURCE: IEC 62351-2:2008, modified – Note 1 to entry has been added]
3.14
security control
measure (including process, policy, device, practice or other action) which modifies security risk
3.15
security service
mechanism used to provide confidentiality, data integrity, authentication, or non-repudiation of
information
[SOURCE: IEC TS 62443-1-1:2009, 3.2.115]
3.16
threat
potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm
[SOURCE: IEC TS 62443-1-1:2009, 3.2.125]
3.17
vendor
manufacturer or distributor of a product
[SOURCE: IEC 62337:2012, 3.12, modified – replaced “piece of
equipment/instrument/package unit” with “product”]
3.18
vulnerability
flaw or weakness in a system’s design, implementation, or operation and management that
could be exploited to violate the system’s security policy
Note 1 to entry: This definition of vulnerability should not be confused with the term vulnerability when used in the
context of general risk management, where it encompasses the notion of possibility of exposition to a risk.

[SOURCE: IEC TR 62918:2014, 3.16, modified – Note 1 to entry has been added]
4 Guide to terminology
4.1 General
There are already many security-related terms and definitions in existing publications.
Therefore, before defining a new term, existing terms and definitions should be checked first.
Primary recommended sources are shown in 4.2 and they should be used in preference to the
other relevant sources shown in 4.3. If no appropriate term and definition is found in those
sources, either modify an existing one or define a new one.
Definitions in this document are not intended to be generic ones but only apply to this
document.
The ISO/IEC Directives Part 2:2018, Clause 16, defines how the terms and definitions in IEC publications are drafted.
NOTE The same term might have different definitions depending on the context in which it is used, or different terms might be used for the same or similar meaning in different application domains.
4.2 Primary recommended sources
The sources for this category are:
1) IEC 60050 (all parts) (IEV) [2]
2) IEC Glossary [3]
3) ISO/IEC JTC 1 SC 27 Standing Document SD6, Glossary of IT Security Terminology [4]
where IEC 60050 and the IEC Glossary should be used in preference.
IEC 60050 provides representative definitions to more than 20 000 terms, organized by
subject areas in IEC. The IEC Glossary is a compilation of electrotechnical terms extracted
from the “Terms and definitions” clause in existing IEC publications.
If no appropriate term or definition is found in the two sources above,
ISO/IEC JTC 1 SC 27 SD6, which covers more security-related terms and definitions, should
be consulted.
NOTE Application-domain specific terms developed by IEC committees are also considered to be primary
sources. These can be searched using the web page of the IEC Glossary.
4.3 Other relevant sources
4.3.1 General
There are a variety of resources available which focus on certain application domains of
electrotechnology such as energy, building, healthcare, and transportation.
This category includes application-domain independent sources (4.3.2) and application-
domain specific sources (4.3.3).
4.3.2 Other application-domain independent sources
• IETF RFC 4949 [5]
• NISTIR 7298 [6]
• IEEE, Standards Glossary [7]

• ITU, ITU Terms and Definitions [8]
4.3.3 Other application-domain specific sources
• Healthcare: HL7, Glossary Of Acronyms, Abbreviations and Terms Related To Information
Security In Healthcare Information Systems [9]
• Nuclear: IAEA, Nuclear Security Series Glossary [10]
• Energy: IEA, Glossary [11]
___________
Numbers in square brackets refer to the Bibliography.

5 Categorisation of publications
5.1 Overview
There are several different ways in which security publications can be categorised. Four possible aspects for the categorization are shown in Figure 1. Publications can belong to more than one category. Each category is identified by a combination of one type from each aspect.
Figure 1 – Possible categorization of publications
5.2 Publication type
5.2.1 General
Publications for security can be categorised as one of the five types listed below, as shown in
Figure 2:
• base security publication;
• group security publication;
• product security publication;
• guidance security publication;
• test security publication.
NOTE The examples listed in Figure 2 are not exhaustive.
Figure 2 – Types of publications
5.2.2 Base security publications
Base security publications are publications that define some aspect of security, in a generic
manner.
Base security publications deal with fundamental concepts, principles and requirements with
regard to general security aspects applicable to a wide range of products and systems.
Horizontal standards dealing with security, as defined in IEC GUIDE 108 [14], are base security publications.
5.2.3 Group security publications
Group security publications show how to apply security in one of the application domains. To
do this, they may reference or customise base security publications. They are equivalent to
group publications as defined in IEC GUIDE 104 [13] for safety applications.
Group security publications may be applicable to many products or systems, or families of
similar products or systems.
Group security publications are sometimes referred to as sector-specific security publications.

5.2.4 Product security publications
Product security publications define how to apply base security publications or group security publications for a particular type of product. They ensure that different products can interact or interoperate securely, and can be controlled and managed in a uniform manner.
Product security publications should as far as possible define their requirements by reference to base security publications and group security publications.
NOTE In this context, the term product includes items such as process, service, installation, and combinations thereof.
5.2.5 Guidance security publications
Guidance security publications should not contain requirements. They explain how to
implement base publications, and group or product publications.
In some application areas, guidance publications are not used. Instead necessary guidance
information is provided through informative annexes within the relevant requirements
standard.
5.2.6 Test security publications
Test security publications define ways to determine that the requirements of base
publications, and group or product publications have been correctly implemented.
Test publications typically have a specialised audience and often make reference to
conformity assessment. They may define or identify reference implementations that can be
used to determine correct implementation through successful interoperation.
5.2.7 Relationship between types of security publications
The relationship between these different types of publications is shown in Figure 2. There is
an equivalent figure for safety publications in Annex B of IEC GUIDE 104:2010 [13].
5.3 Application domain
Publications for security can also be categorised according to their intended domain of
application. This may be a sector of economic or industrial activity, a type of market, or an
area of application.
Some examples of application domains are listed below, as shown in Figure 1:

• building/home;
• energy;
• general;
• healthcare;
• ICT;
• industrial automation;
• transportation.
In many cases an application domain will have an associated IEC committee responsible for
the development of publications for that domain. This committee should accept responsibility
for the development of the associated security publications.

Such committees will normally be able to define relevant threat models and security use cases independently, but may need to seek advice from the committees responsible for base security publications in configuring or customising those base security publications when referenced.
5.4 Content
Publications for security can also be grouped by their type of content.
Some examples of possible groups are listed below, as shown in Figure 1:

• component;
• management;
• policy (not in IEC);
• process;
• subsystem;
• system;
• technology.
For example, electrotechnical standards for information security management include the
generic standard ISO/IEC 27001 [15] (developed by JTC 1/SC 27), but also the sector-
specific standards ISO/IEC 27019 [16] (developed by JTC 1/SC 27), IEC 62443-2-1 [17]
(developed by TC 65) and IEC 62645 [18] (developed by SC 45A).
5.5 User/target group
Publications for security can also be grouped by their intended audience. Some examples of
possible user groups are listed below, as shown in Figure 1:
• auditor;
• integrator;
• operator;
• maintainer;
• regulator;
• vendor.
5.6 Developing security publications
5.6.1 Base security publications
Many base security publications were originally developed by government, consortia or
specialist commercial organizations. Most of these have been subsequently formalised into
international or other generally accepted technological standards. IEC committees should
reference the public form of these standards if one exists. The rules for referencing documents that are not ISO or IEC standards from within ISO and IEC publications are specified in 10.2 of ISO/IEC Directives Part 2:2018.
Within IEC, base security publications defining security controls are prepared by
ISO/IEC JTC 1/SC 27, IT security techniques. Other IEC committees should not attempt to
develop such generic security controls as they are unlikely to have the necessary level of
generic security expertise and information. If an IEC committee identifies a need for a new
publication of this type, it should supply the relevant use case to JTC 1/SC 27 and request it
to prepare an appropriate publication.

It is left open to IEC committees to define security publications for their own domain to address:
• relevant terminology,
• common threats and attacks,
• security design philosophy or such related issues, and
• common technical requirements (such as interoperability).
5.6.2 Group security publications
Group security publications will normally be domain-specific publications.
Group security publications will normally be developed within one IEC committee, but may
have application in areas beyond the scope of that committee. Normally, the domain
committee will retain responsibility for publications development and maintenance, but should
take account of other known use cases and requirements of wider use.
Group security publica
...
