Post on 20-Aug-2020
Cybersecurity for IACS - Overview
T MU SY 10010 ST
Standard
Version 1.0
Issue date: 25 May 2018
Effective date: 01 July 2018
© State of NSW through Transport for NSW 2018
Important message
This document is one of a set of standards developed solely and specifically for use on
Transport Assets (as defined in the Asset Standards Authority Charter). It is not suitable for any
other purpose.
The copyright and any other intellectual property in this document will at all times remain the
property of the State of New South Wales (Transport for NSW).
You must not use or adapt this document or rely upon it in any way unless you are providing
products or services to a NSW Government agency and that agency has expressly authorised
you in writing to do so. If this document forms part of a contract with, or is a condition of
approval by a NSW Government agency, use of the document is subject to the terms of the
contract or approval. To be clear, the content of this document is not licensed under any
Creative Commons Licence.
This document may contain third party material. The inclusion of third party material is for
illustrative purposes only and does not represent an endorsement by NSW Government of any
third party product or service.
If you use this document or rely upon it without authorisation under these terms, the State of
New South Wales (including Transport for NSW) and its personnel do not accept any liability
to you or any other person for any loss, damage, costs and expenses that you or anyone else
may suffer or incur from your use and reliance on the content contained in this document. Users
should exercise their own skill and care in the use of the document.
This document may not be current and is uncontrolled when printed or downloaded. Standards
may be accessed from the Transport for NSW website at www.transport.nsw.gov.au
For queries regarding this document, please email the ASA at standards@transport.nsw.gov.au or visit www.transport.nsw.gov.au
Standard governance
Owner: Lead Telecommunications Engineer, Asset Standards Authority
Authoriser: Chief Engineer, Asset Standards Authority
Approver: Executive Director, Asset Standards Authority on behalf of the ASA Configuration Control Board
Document history
Version Summary of changes
1.0 First issue.
Preface
The Asset Standards Authority (ASA) is a key strategic branch of Transport for NSW (TfNSW).
As the network design and standards authority for NSW Transport Assets, as specified in the
ASA Charter, the ASA identifies, selects, develops, publishes, maintains and controls a suite of
requirements documents on behalf of TfNSW, the asset owner.
The ASA deploys TfNSW requirements for asset and safety assurance by creating and
managing TfNSW's governance models, documents and processes. To achieve this, the ASA
focuses on four primary tasks:
• publishing and managing TfNSW's process and requirements documents including TfNSW
plans, standards, manuals and guides
• deploying TfNSW's Authorised Engineering Organisation (AEO) framework
• continuously improving TfNSW’s Asset Management Framework
• collaborating with the Transport cluster and industry through open engagement
The AEO framework authorises engineering organisations to supply and provide asset related
products and services to TfNSW. It works to assure the safety, quality and fitness for purpose of
those products and services over the asset's whole-of-life. AEOs are expected to demonstrate
how they have applied the requirements of ASA documents, including TfNSW plans, standards
and guides, when delivering assets and related services for TfNSW.
Compliance with ASA requirements by itself is not sufficient to ensure satisfactory outcomes for
NSW Transport Assets. The ASA expects that professional judgement be used by competent
personnel when using ASA requirements to produce those outcomes.
About this document
This document forms part of a series of cybersecurity for industrial automation and control
systems (IACS) standards.
This document provides an overview of the cybersecurity for IACS series of standards and
standardises the adoption and application of the IEC 62443 series of standards for the
cybersecurity of IACS for TfNSW Transport Network. This document describes the tailored
conformance of certain parts of IEC 62443.
This document has been prepared by the ASA in consultation with TfNSW agencies and
industry representatives.
This document has been informed by concepts contained in IEC/TS 62443-1-1 Industrial
communication networks - Network and system security - Part 1-1: Terminology, concepts and
models and includes extracts from that standard.
The ASA thanks the International Electrotechnical Commission (IEC) for permission to
reproduce information from its international standards. All such extracts are copyright of IEC,
Geneva, Switzerland. All rights reserved.
Further information on the IEC is available from www.iec.ch.
IEC has no responsibility for the placement and context in which the extracts and contents are
reproduced by the author, nor is IEC in any way responsible for the other content or accuracy
therein.
This document is a first issue.
Table of contents
1. Introduction
2. Purpose
2.1. Scope
2.2. Application
3. Reference documents
4. Terms and definitions
5. Overview of cybersecurity for IACS series of standards
6. Tailored conformance of IEC 62443 parts
6.1. Tailored conformance of IEC/TS 62443 Part: 1-1
6.2. Tailored conformance of IEC 62443 Part: 3-2
6.3. Tailored conformance of IEC 62443 Part: 3-3
7. Cyber risk management and Transport standards
8. Reference models
8.1. Functional hierarchy reference model
8.2. Security zones and conduits reference model
9. Glossary of terms and definitions
1. Introduction
As the Transport for NSW (TfNSW) Transport Network modernises, expands and develops, the
exposure to, and the challenge of managing cybersecurity risks grows. In particular, risks of
attack to industrial automation and control systems (IACS), such as signalling systems, train
control systems, supervisory control and data acquisition (SCADA) systems, intelligent transport
systems and operational management systems need to be managed.
TfNSW defines cyber risk as being the potential for unauthorised use, disclosure, damage or
disruption to assets through the use of technology.
Australia’s Cybersecurity Strategy sets out the Australian Government program to raise the bar
on cybersecurity performance. The strategy has noted that both public sector and private sector
organisations should better understand cyber risks and provide stronger cyber defences.
Foundational to the NSW Digital Government Strategy is that NSW Government systems are
secure and resilient through the consistent application of minimum cybersecurity standards.
Further to this, the NSW Government Digital Information Security Policy (DISP) establishes the
NSW Government security requirements for digital information and is based on
ISO/IEC 27001 Information technology - Security techniques - Information security management
systems - Requirements. However the DISP is limited in its scope to digital information and
information and communication technology.
Compliance with DISP alone is not sufficient for IACS on the TfNSW Transport Network as
attacks on IACS – unlike enterprise systems – may have significant and immediate health and
safety, environmental, customer experience and operational impacts to the provision of
transport services.
In this context, the Asset Standards Authority (ASA), on behalf of TfNSW has developed a
series of standards for the cybersecurity of IACS.
Consistent with Australian Government and NSW Government approaches, a hybrid approach
is used consisting of minimum cybersecurity requirements supplemented by risk-based controls
developed using a tailored cybersecurity risk assessment procedure.
The ASA has adopted the IEC 62443 series of standards; however, conformance to certain
parts has been tailored to suit the needs of TfNSW. The tailored conformance is explained in
Section 6.
The ASA considers the IEC 62443 series of standards to be suitable for IACS on the TfNSW
Transport Network for the following reasons:
• international open standard with broad participation and adoption from IACS product
suppliers
• specifically addresses IACS
• contains a full suite from policies and procedures, systems and components
• aligned to ISO/IEC 27001 and other frameworks and standards
2. Purpose
This document provides an overview of the cybersecurity for IACS series of standards and
forms part of the series.
This document establishes a common reference of technical information for cybersecurity for
IACS across TfNSW, its agencies and Authorised Engineering Organisations (AEOs).
2.1. Scope
This document covers the overview of the series of standards for cybersecurity for IACS.
This document describes the tailored conformance to parts of IEC 62443. It also describes the
cybersecurity concepts and models and standardises the glossary of cybersecurity terms and
definitions.
This series of standards addresses IACS as defined by the functional hierarchy reference model
for enterprise and control systems as described in IEC 62264-1 Enterprise-control system
integration – Part 1: Models and terminology and IEC/TS 62443-1-1.
This document does not explicitly address enterprise systems.
This document does not address the cybersecurity governance arrangement of the asset
owner, including the operator and maintainer.
2.2. Application
This document applies to the asset owners, system integrators and product suppliers of IACS
systems.
This document shall be read in conjunction with IEC 62443 series of standards.
3. Reference documents
The following documents are cited in the text. For dated references, only the cited edition
applies. For undated references, the latest edition of the referenced document applies.
International standards
IEC 62264-1 Enterprise-control system integration – Part 1: Models and terminology
IEC/TS 62443-1-1 Industrial communication networks - Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-2-1 Industrial communication networks - Network and system security - Part 2-1:
Establishing an industrial automation and control system security program
IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3:
System security requirements and security levels
ISO/IEC 27001:2005 Information technology - Security techniques - Information security
management systems - Requirements
Australian standards
AS/NZS ISO 31000 Risk management – Principles and guidelines
Transport for NSW standards
TS 10753: 2014 Assurance and Governance Plan Requirements
T MU AM 04001 PL TfNSW Configuration Management Plan
T MU AM 06006 ST Systems Engineering
T MU AM 06008 ST Operations Concept Definition
T MU AM 06009 ST Maintenance Concept Definition
T MU MD 20001 ST System Safety Standard for New or Altered Assets
T MU SY 10012 ST Cybersecurity for IACS - Baseline Technical Cybersecurity System
Requirements and Countermeasures
T MU SY 10013 PR Cybersecurity for IACS - Cyber Risk Management Procedure
Legislation
Rail Safety National Law National Regulations 2012 (NSW)
Transport Administration Act 1988
Other reference documents
Commonwealth of Australia, Department of the Prime Minister and Cabinet, Australia’s Cyber
Security Strategy
Commonwealth of Australia Australian Cyber Security Centre Threat Report
Commonwealth of Australia CERT Australia ICS Remote Access Protocol
NSW Government Department of Finance, Services and Innovation, Digital Information Security
Policy
Senate of the United States Bill S.1691 — 115th Congress (2017-2018) Internet of Things (IoT)
Cybersecurity Improvement Act of 2017
4. Terms and definitions
The following terms and definitions apply in this document:
ASA Asset Standards Authority
asset owner individual or company responsible for one or more IACS (IEC 62443-3-3 ed.1.0)
automation solution control system and any complementary hardware and software
components that have been installed and configured to operate in an IACS (IEC 62443-2-4
ed.1.0)
cyber risk the potential for unauthorised use, disclosure, damage or disruption to assets
through the use of technology
cybersecurity actions required to preclude unauthorized use of, denial of service to,
modifications to, disclosure of, loss of revenue from, or destruction of critical systems or
informational assets (IEC/TS 62443-1-1 ed.1.0)
DISP Digital Information Security Policy
IACS industrial automation and control systems; collection of personnel, hardware, and
software that can affect or influence the safe, secure, and reliable operation of an industrial
process (IEC/TS 62443-1-1 ed.1.0)
product supplier manufacturer of hardware and/or software product (IEC 62443-3-3 ed.1.0)
SuC system under consideration
system integrator person or company that specializes in bringing together component
subsystems into a whole and ensuring that those subsystems perform in accordance with
project specifications (IEC 62443-3-3 ed.1.0)
Transport Network the transport system (transport services and transport infrastructure)
owned and operated by TfNSW, its operating agencies or private entities upon which TfNSW
has power to exercise its functions as conferred by the Transport Administration Act or any
other Act.
All definitions from IEC/TS 62443-1-1 ed.1.0 are Copyright © 2009 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-2-4 ed.1.0 are Copyright © 2017 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-3-3 ed.1.0 are Copyright © 2013 IEC Geneva,
Switzerland. www.iec.ch
5. Overview of cybersecurity for IACS series of standards
TfNSW has adopted the IEC 62443 series of standards for the cybersecurity of IACS; however,
certain parts of IEC 62443 have been tailored.
Note: The IEC 62443 series is being jointly developed by the IEC and International
Society of Automation (ISA) and is under active development. Not all of the parts of
the series have been published.
All published parts of IEC 62443 series shall be complied with at the time of application of this
standard.
The cybersecurity for IACS series of standards aim to achieve the following:
• standardise cybersecurity terminologies, concepts and models across TfNSW, agencies
and Authorised Engineering Organisations (AEOs)
• standardise the baseline technical cybersecurity system requirements and
countermeasures that protect against casual and coincidental violations and intentional
violation using simple means
• standardise the cyber risk management procedure to align with the IEC 62443 series and
TfNSW risk criteria
This series supports compliance to AS/NZS ISO 31000 Risk management – Principles and
guidelines and the IEC 62443 series.
The IACS series of standards applies to IACS that provide functions necessary for achieving the
business objectives and functions as stated in the Transport Administration Act 1988.
This series applies to the plan, acquire and operate/maintain stages of the asset life cycle.
This series applies to new systems and automation solutions.
This series applies to new subsystems or products integrated into an existing automation
solution as part of a configuration change.
The asset owner may direct the retrospective application of this document to an existing
automation solution.
This series applies to IACS as defined by the functional hierarchy reference model for
enterprise and control systems as described in IEC 62264-1 Enterprise-control system
integration – Part 1: Models and terminology and IEC/TS 62443-1-1.
This series applies to the following levels as defined within the reference model:
• level 1 local or basic control systems, level 2 supervisory control systems and level 3
operations management systems
• interfaces between level 3 operations management systems and level 4 enterprise systems
• may be applied to level 4 enterprise systems
The allocation of a system or subsystem to a level within the functional hierarchy reference
model is the responsibility of the asset owner. The functional hierarchy model is explained
in Section 8.1.
Note: Standards for the security of enterprise systems and information technology are
developed by the People and Corporate Services division, TfNSW and owned by the
Group Chief Information Officer, TfNSW.
This series does not replace obligations to comply with applicable statutes, statutory licences,
policies and contractual requirements. This includes the NSW Government Digital Information
Security Policy (DISP).
Notes:
1. Parts from the IEC 62443 series can be used to support compliance to
ISO/IEC 27001 management systems and DISP
2. A mapping is provided between ISO/IEC 27001:2005 and IEC 62443-2-1 in
Annex C of IEC 62443-2-1
Some transport modes are subject to industry specific requirements. For example, in railway
applications this document supports railway transport operators’ compliance to the security
management plan requirements of the Rail Safety National Law 2012 (NSW).
6. Tailored conformance of IEC 62443 parts
ASA intends to tailor the conformance of parts of the IEC 62443 series through the publication
of ASA standards.
Note: Tailored conformance of a part of IEC 62443 is not intended to conflict with the
base IEC 62443 part or series.
Where ASA has tailored the conformance of parts of IEC 62443, the ASA standards shall take
precedence over the base IEC 62443 parts.
6.1. Tailored conformance of IEC/TS 62443 Part: 1-1
ASA has tailored the conformance of IEC/TS 62443-1-1 Industrial communication networks -
Network and system security – Part: 1-1: Terminology, concepts and models.
This document tailors the conformance of IEC/TS 62443-1-1 in the following ways:
• adopts terminology from IEC/TS 62443-1-1
• aligns and maps terminology to risk and asset management terminologies used within
TfNSW
• provides informative examples and reference models for the functional hierarchy and
security zones and conduits
6.2. Tailored conformance of IEC 62443 Part: 3-2
IEC 62443 Part: 3-2 addresses system risk assessment and system design.
ASA intends to tailor the conformance of IEC 62443 Part: 3-2 following publication by the IEC.
T MU SY 10013 PR Cybersecurity for IACS - Cyber Risk Management Procedure has been
based on draft ISA committee work products to minimise future work.
6.3. Tailored conformance of IEC 62443 Part: 3-3
ASA has tailored the conformance of IEC 62443-3-3 Industrial communication networks -
Network and system security – Part: 3-3: System security requirements and security levels and
published as T MU SY 10012 ST Cybersecurity for IACS - Baseline Technical Cybersecurity
System Requirements and Countermeasures.
T MU SY 10012 ST tailors the conformance of IEC 62443-3-3 in the following ways:
• setting the minimum security level to 2
• specifying additional system requirements for portable and mobile devices and networks
7. Cyber risk management and Transport standards
Cyber risks shall be identified and managed as part of risk management and engineering
management processes using this series of IACS standards.
Cyber risks shall be included in the application of all relevant ASA standards.
Standards of particular relevance include the following:
• TS 10753: 2014 Assurance and Governance Plan Requirements
• T MU AM 04001 PL TfNSW Configuration Management Plan
• T MU AM 06006 ST Systems Engineering
• T MU AM 06008 ST Operations Concept Definition
• T MU AM 06009 ST Maintenance Concept Definition
• T MU MD 20001 ST System Safety Standard for New or Altered Assets
Technical standards can also contain control requirements for cyber risks; however, the term
'cyber' may not have been explicitly used. Terms such as ‘information security’, ‘security’ or
‘hardening’ may have been used.
8. Reference models
The reference models show the functional levels of IACS, the relationship between the IACS
and the enterprise systems, and a model for partitioning IACS into security zones and conduits.
The reference models shall be adapted to suit the specific system under consideration (SuC).
The reference models should be considered in the option and design development of the SuC.
8.1. Functional hierarchy reference model
The functional hierarchy reference model described in IEC 62264-1 and IEC/TS 62443-1-1
should be used to classify systems.
Notes:
1. IEC/TS 62443-1-1 adopts and tailors the functional hierarchy reference model from
IEC 62264-1.
2. The functional hierarchy does not relate to technological or organisational divisions.
IACS functions typically operate in timeframes from sub-seconds at level 1 to days at level 3 of
the reference model as described in IEC 62264-1.
Table 1 provides a railway specific example of systems at level 0 to level 4 of the reference
model to provide transport context to the model.
Table 1 – Examples of systems classified using the functional hierarchy reference model
Level | Description | Examples
4 | Enterprise systems | Timetable management, crew scheduling, network and asset planning
3 | Operations management systems | Operations and incident management
2 | Supervisory control systems | Traffic management
1 | Local or basic control systems | Signalling interlocking
0 | Process | Train detection, signal, trainstop, points
The reference model is applicable to all transport modes, and the railway specific example is
not intended to limit the application of this document.
8.2. Security zones and conduits reference model
The baseline cybersecurity system requirements defined in T MU SY 10012 ST include all
security level 2 (SL2) capabilities and additional context specific capabilities defined in
IEC 62443-3-3.
The security zones and conduits reference model depicted in Figure 1 and Figure 2 has been
developed to accommodate changes in the threat environment and the organisational risk
tolerance over time. The model does this by incorporating relevant system requirements for
security level 4 (SL4) capabilities as defined by IEC 62443-3-3.
Note: Studies have shown that costs associated with changes to systems, such as in
response to a change in the threat environment, escalate through the asset life cycle.
The model can be implemented using a variety of conventional and software defined networking
protocols.
An overview of the model is depicted in Figure 1 as follows:
• physical security zones using round-edged rectangles with solid lines
• logical security zones using round-edged rectangles with dotted lines
• security zones that are not part of the SuC using hatched fill
• external conduits using solid lines
A detailed view of the model is depicted in Figure 2 as follows:
• physical security zones using round-edged rectangles with solid lines
• logical security zones using round-edged rectangles with dotted lines
• security zones that are not part of the SuC using hatched fill
• external conduits using black lines with grey fill
• internal conduits using black lines with white fill
Note: The conduits in the model assume that networks are used; however some
conduits can use local mechanisms such as portable storage media.
Figure 1 – Overview of security zones and conduits reference model
(Figure not reproduced. Zones shown: SuC Field Location Zone; SuC Internal Zone, SuC Control Centre Zone, SuC Services Zone and SuC External Zone, each as a primary and a secondary instance; Internet Zone and Enterprise Zone, each as a primary and a secondary instance, outside the SuC.)
Figure 2 – Detailed view of security zones and conduits reference model
(Figure not reproduced. Components shown: SuC Field Location Zone with controller, sensors, actuators, remote terminal unit, local HMI terminal and LAN; SuC Control Centre Zone (Primary) with local HMI terminal, controller and LAN; SuC Internal Zone (Primary) with configuration server, workstation, historian, HMI terminal, database server, application server and primary and secondary gateway firewalls; SuC Services Zone (Primary) with patch server, network services server, security services server, web server, historian, database server and gateway firewall; SuC External Zone (Primary) with jump server and gateway firewalls; Enterprise Zone (Primary) and Internet Zone (Primary) marked as zones not developed; conduits to the secondary zones marked as not developed.)
The model is informed by four primary design principles:
a. centralised traffic management
b. dedicated internet connectivity
c. wide area networks are untrusted
d. on-demand remote access
8.2.1. Centralised traffic management
A design principle of the model is the redundant centralised physical security zone ‘SuC Internal
Zone’ which logically includes ‘SuC Services Zone’.
As all SuC traffic from network segments flows through the ‘SuC Internal Zones’, network
segments can be logically and physically isolated from central sites (IEC 62443-3-3 SR 5.1 and
RE 1, RE 2 and RE 3).
As all SuC traffic from network segments flows through the ‘SuC Internal Zones’, traffic can be
monitored, controlled, filtered, and logged from central sites (IEC 62443-3-3 SR 5.2 and RE 1,
RE 2 and RE 3).
8.2.2. Dedicated internet connectivity
A design principle of the model is the dedicated redundant internet connectivity from the ‘SuC
External Zone’.
Notes:
1. A common historical practice is to use enterprise systems as a means of providing
internet connectivity. This practice is not suitable if the connectivity is used for remote
operations or maintenance functions with timeframes between sub-seconds and days.
This includes fault, configuration, accounting, performance and security management.
2. Internet connectivity should be justified in the definition of the operations concept in
the plan stage of the asset life cycle.
As the SuC needs to be able to function independently from level 4 enterprise systems
(IEC 62443-3-3 SR 5.1 RE 2), connectivity through the ‘Enterprise Zone’ to the internet is not
suitable.
8.2.3. Wide area networks are untrusted
A design principle of the model is that all wide area networks (WAN) are considered untrusted.
Notes:
1. A common historical practice is to use organisational multi-service networks and
third party carriage services to interconnect physical sites without explicitly
establishing trust of the communications channel.
2. Local area networks (LAN) comprising dedicated communication assets and
contained wholly within a single physical security zone are considered trusted.
Gateways use cryptographic algorithms with mutual authentication and encryption (SR 3.1 RE 1
and SR 4.1 RE 1) to establish trust of the communication channel over WANs.
8.2.4. On-demand remote access
A design principle of the model is on-demand remote access from the internet.
Internet connectivity for interactive remote access is managed by the firewall and jump server in
the ‘SuC External Zone’.
Normally the firewall does not allow any inbound traffic from the ‘Internet Zone’ unless it has first
been established by, or is related to, outbound traffic from the ‘SuC Internal Zone’.
Note: Services within the ‘SuC Services Zone’ are normally allowed restricted access
to the internet to perform predefined functions, such as obtaining threat intelligence,
vulnerability and exposure advisories, and software updates and upgrades.
On-demand remote access can be established in response to an incident.
After the request for remote access is approved, the jump server is physically connected to the
firewall and predefined traffic is allowed between the firewall and jump server for the duration of
the incident (IEC 62443-3-3 SR 1.13 RE 1). After the incident is resolved the jump server is
physically disconnected.
Notes:
1. As these changes are actions taken in response to an incident, they are not subject
to TfNSW safety change management.
2. Refer to CERT Australia ICS Remote Access Protocol for further information.
Remote access users are uniquely identified and authenticated on the jump server using
multifactor authentication (IEC 62443-3-3 SR 1.1 RE 3, SR 1.2 RE 1) before allowing access to
the ‘SuC Internal Zone’. One of the authentication factors is a one-time password associated
with the incident. After the incident is resolved the one-time password expires.
The jump server allows authorised remote access users to interact with predefined IACS assets.
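The on-demand remote access procedure above, as an added example that is not part of T MU SY 10010 ST: a Python model of an incident-bound access grant on the jump server. A grant is opened only after approval, permits a predefined set of flows for the duration of the incident, and requires a uniquely identified user to present two factors, a long-term password and the one-time password issued for the incident. Resolving the incident expires the one-time password and withdraws the flows. The class and function names, the flow table, the sample user and the additional maximum grant lifetime are assumptions for illustration; the physical connection of the jump server has no software equivalent and is represented here only by the grant state.

```python
"""Added example (not from the standard): incident-bound remote access grant.

Assumptions: flow table, user store and hard maximum grant lifetime are
illustrative; the standard ties OTP expiry to incident resolution only.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample of predefined flows allowed between the firewall and the
# jump server only while an incident grant is open: (protocol, host, port).
PREDEFINED_FLOWS = {
    ("tcp", "hmi-01.suc.internal", 3389),
    ("tcp", "plc-gw-01.suc.internal", 22),
}

PBKDF2_ITERATIONS = 100_000


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    """Slow hash for the long-term password factor."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes

    @staticmethod
    def create(user_id: str, password: str) -> "User":
        salt = secrets.token_bytes(16)
        return User(user_id, salt, _pbkdf2(password, salt))


@dataclass
class IncidentGrant:
    incident_id: str
    authorised_users: frozenset
    otp_hash: bytes        # only a hash of the incident OTP is stored
    expires_at: float      # added safeguard: hard ceiling on grant lifetime
    resolved: bool = False


class JumpServer:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.grants = {}
        self.audit = []    # (event, incident_id, user_id) records

    def open_incident(self, incident_id, authorised_users, ttl_seconds, now=None):
        """Called after the remote access request is approved. Returns the
        one-time password to be handed to authorised users out of band."""
        now = time.time() if now is None else now
        otp = secrets.token_hex(16)
        self.grants[incident_id] = IncidentGrant(
            incident_id, frozenset(authorised_users),
            hashlib.sha256(otp.encode()).digest(), now + ttl_seconds)
        self.audit.append(("grant_opened", incident_id, None))
        return otp

    def resolve_incident(self, incident_id):
        """Incident resolved: OTP expires and predefined flows are withdrawn."""
        self.grants[incident_id].resolved = True
        self.audit.append(("grant_closed", incident_id, None))

    def flow_allowed(self, incident_id, proto, host, port, now=None):
        """Firewall decision for traffic between firewall and jump server."""
        now = time.time() if now is None else now
        g = self.grants.get(incident_id)
        if g is None or g.resolved or now > g.expires_at:
            return False
        return (proto, host, port) in PREDEFINED_FLOWS

    def authenticate(self, incident_id, user_id, password, otp, now=None):
        """Multifactor check: unique user id, long-term password and the
        incident OTP. Both factor comparisons always run, so timing does
        not reveal which one failed."""
        now = time.time() if now is None else now
        g = self.grants.get(incident_id)
        user = self.users.get(user_id)
        ok = (g is not None and user is not None
              and not g.resolved and now <= g.expires_at
              and user_id in g.authorised_users)
        salt = user.salt if user else b"\x00" * 16
        pw_hash = user.password_hash if user else b"\x00" * 32
        otp_hash = g.otp_hash if g else b"\x00" * 32
        ok_pw = hmac.compare_digest(_pbkdf2(password, salt), pw_hash)
        ok_otp = hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), otp_hash)
        ok = ok and ok_pw and ok_otp
        self.audit.append(("auth_ok" if ok else "auth_fail", incident_id, user_id))
        return ok


if __name__ == "__main__":
    js = JumpServer([User.create("alice", "correct horse battery")])
    otp = js.open_incident("INC-42", ["alice"], ttl_seconds=3600)
    print(js.authenticate("INC-42", "alice", "correct horse battery", otp))   # True
    js.resolve_incident("INC-42")
    print(js.authenticate("INC-42", "alice", "correct horse battery", otp))   # False
```

The point of keeping only a hash of the OTP and of using `hmac.compare_digest` is that a compromise of the jump server's grant table does not yield a usable factor, and a wrong password and a wrong OTP are indistinguishable to the caller.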
9. Glossary of terms and definitions
TfNSW considers cyber risk as a business risk that can, like any business risk, affect the
achievement of its business objectives and functions.
However, terminologies associated with security, and in particular cybersecurity, are widely
used but not clearly understood as discussed in the Australian Government Australian Cyber
Security Centre Threat Report. Terms such as cyber attack and cyber war are frequently used,
often in sensationalist ways ‘generating an emotive response and a disproportionate sense of
threat’.
This document standardises the vocabulary, and the terms and definitions provided in Table 2
shall be applied throughout the IACS series of standards. The majority of terms and definitions
provided in Table 2 are from IEC/TS 62443-1-1, IEC 62443-2-4 and IEC 62443-3-3.
Notes:
All definitions from IEC/TS 62443-1-1 ed.1.0 are Copyright © 2009 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-2-4 ed.1.0 are Copyright © 2017 IEC Geneva,
Switzerland. www.iec.ch
All definitions from IEC 62443-3-3 ed.1.0 are Copyright © 2013 IEC Geneva,
Switzerland. www.iec.ch
It is important to establish a common foundational understanding of cybersecurity aligned to
existing risk management vocabulary. Table 2 therefore also contains the generic definitions from
ISO Guide 73 for some of the terms related to risk management.
Table 2 – Glossary of terms and definitions
Term | Definition | Source
asset owner | individual or company responsible for one or more IACS | IEC 62443-3-3 ed.1.0
attack | assault on a system that derives from an intelligent threat — i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system | IEC/TS 62443-1-1 ed.1.0
authenticate | verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an information system, or to establish the validity of a transmission | IEC/TS 62443-1-1 ed.1.0
automation solution | control system and any complementary hardware and software components that have been installed and configured to operate in an IACS | IEC 62443-2-4 ed.1.0
communications channel | specific logical or physical communication link between assets | IEC 62443-3-3 ed.1.0
communication system | arrangement of hardware, software, and propagation media to allow the transfer of messages from one application to another | IEC/TS 62443-1-1 ed.1.0
conduit | logical grouping of communication channels, connecting two or more zones, that share common security requirements | IEC 62443-3-3 ed.1.0
countermeasure | action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. Referred to as 'control' in ISO Guide 73 and defined there as 'measure that is modifying risk' | IEC/TS 62443-1-1 ed.1.0
cryptographic algorithm | algorithm based upon the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms | IEC/TS 62443-1-1 ed.1.0
cybersecurity | actions required to preclude unauthorized use of, denial of service to, modifications to, disclosure of, loss of revenue from, or destruction of critical systems or informational assets | IEC/TS 62443-1-1 ed.1.0
cyber risk | the potential for unauthorised use, disclosure, damage or disruption to assets through the use of technology | TfNSW
encryption | cryptographic transformation of plaintext into ciphertext that conceals the data’s original meaning to prevent it from being known or used | IEC/TS 62443-1-1 ed.1.0
enterprise system | collection of information technology elements (i.e., hardware, software and services) installed with the intent to facilitate an organization’s business process or processes (administrative or project) | IEC/TS 62443-1-1 ed.1.0
firewall | inter-network connection device that restricts data communication traffic between two connected networks | IEC/TS 62443-1-1 ed.1.0
gateway | relay mechanism that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables host computers on one network to communicate with hosts on the other | IEC/TS 62443-1-1 ed.1.0
geographic site | subset of an enterprise’s physical, geographic, or logical group of assets | IEC/TS 62443-1-1 ed.1.0
hardcoded credential | a value, such as a password, token, or private or shared cryptographic key, used for authentication, that is (a) established by a manufacturer or supplier and (b) incapable of being modified or revoked by the user | TfNSW; adapted from Senate of the United States Bill S.1691
IACS | industrial automation and control systems; collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process | IEC/TS 62443-1-1 ed.1.0
local area network | communications network designed to connect computers and other intelligent devices in a limited geographic area (typically less than 10 km) | IEC/TS 62443-1-1 ed.1.0
product supplier | manufacturer of hardware and/or software product | IEC 62443-3-3 ed.1.0
risk | expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular consequence. Defined in ISO Guide 73 as 'effect of uncertainty on objectives' | IEC/TS 62443-1-1 ed.1.0
risk assessment | process that systematically identifies potential vulnerabilities to valuable system resources and threats to those resources, quantifies loss exposures and consequences based on probability of occurrence, and (optionally) recommends how to allocate resources to countermeasures to minimize total exposure. Defined in ISO Guide 73 as 'overall process of risk identification, risk analysis and risk evaluation' | IEC/TS 62443-1-1 ed.1.0
risk management | process of identifying and applying countermeasures commensurate with the value of the assets protected, based on a risk assessment. Defined in ISO Guide 73 as 'coordinated activities to direct and control an organization with regard to risk' | IEC/TS 62443-1-1 ed.1.0
security event | occurrence in a system that is relevant to the security of the system. Defined in ISO Guide 73 as 'occurrence or change of a particular set of circumstances' | IEC/TS 62443-1-1 ed.1.0
security level | level corresponding to the required effectiveness of countermeasures and inherent security properties of devices and systems for a zone or conduit based on assessment of risk for the zone or conduit | IEC/TS 62443-1-1 ed.1.0
security zone | grouping of logical or physical assets that share common security requirements | IEC/TS 62443-1-1 ed.1.0
system integrator | person or company that specializes in bringing together component subsystems into a whole and ensuring that those subsystems perform in accordance with project specifications | IEC 62443-3-3 ed.1.0
threat | potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm | IEC/TS 62443-1-1 ed.1.0
trust | confidence that an operation, data transaction source, network or software process can be relied upon to behave as expected | IEC 62443-3-3 ed.1.0
untrusted | not meeting predefined requirements to be trusted | IEC 62443-3-3 ed.1.0
vulnerability | flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's integrity or security policy. Defined in ISO Guide 73 as 'intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence' | IEC/TS 62443-1-1 ed.1.0
wide area network | communications network designed to connect computers, networks and other devices over a large distance, such as across a country or the world | IEC/TS 62443-1-1 ed.1.0