标准摘要
[中文适用范围]: IEC 63208:2025 本文件适用于操作技术(OT 3.1.34)背景下,开关设备和控制设备及其组件(称为设备)的主要功能。它适用于具有有线或无线数据通信手段及其物理可访问性的设备,在其环境条件限制范围内。其目的是针对安全威胁的漏洞,实现适当的物理和网络安全缓解措施。 本文件提供以下适当的要求: – 开发包括攻击等级、典型威胁、影响评估及其与安全性的关系的安全风险评估; – 通信接口的暴露等级及设备安全等级的确定; – 通信接口暴露等级的评估; – 为设备分配必要的安全措施; – 来自ISO/IEC 27001的物理访问和环境的应对措施; – 参考IEC 62443-4-2及其适用性标准的应对措施; – 安装、操作和维护的用户说明; – 符合性验证和测试; – 按设备类别(附录E至附录I)的安全保护配置文件。 尤其关注可能导致以下威胁的潜在漏洞: – 不期望的操作,可能导致危险情况; – 保护功能(如过电流、接地故障等)的不可用; – 主功能的其他退化。 本文件还提供以下网络安全管理的指导: – 角色和职责(表4); – 典型架构(附录A); – 用例(附录B); – 开发方法(附录C); – 提供给用户并集成到组件中的建议(附录D); – 与网络安全管理系统相关的参考(附录K)。 本文件不涵盖以下安全要求: – 信息技术(IT); – 工业自动化和控制系统(IACS)、工程工作站及其软件应用; – 关键基础设施或能源管理系统; – 网络设备(通信网络交换机或虚拟专用网终端); – 除关键安全参数以外的数据机密性; – 设计生命周期管理。 有关此方面的内容,请参见IEC 62443-4-1、ISO/IEC 27001或其他安全生命周期管理标准。 [外文原描述]: IEC 63208:2025 This document applies to the main functions of switchgear and controlgear and their assemblies, called equipment, in the context of operational technology (OT 3.1.34). It is applicable to equipment with wired or wireless data communication means and their physical accessibility, within their limits of environmental conditions. It is intended to achieve the appropriate physical and cybersecurity mitigation against vulnerabilities to security threats. This document provides requirements on the appropriate: – security risk assessment to be developed including the attack levels, the typical threats, the impact assessment and the relationship with safety; – levels of exposure of the communication interface and the determination of the equipment security level; – assessment of the exposure level of the communication interfaces; – assignment of the required security measures for the equipment; – countermeasures for the physical access and the environment derived from ISO/IEC 27001; – countermeasures referring to IEC 62443-4-2 with their criteria of applicability; – user instructions for installation, operation and maintenance; – conformance verification and testing, and – security protection profiles by family of equipment (Annex E to Annex I). In particular, it focuses on potential vulnerabilities to threats resulting in: – unintended operation, which can lead to hazardous situations; – unavailability of the protective functions (overcurrent, earth fault, etc.); – other degradation of main function. It also provides guidance on the cybersecurity management with the: – roles and responsibilities (Table 4); – typical architectures (Annex A); – use cases (Annex B); – development methods (Annex C); – recommendations to be provided to users and for integration into an assembly (Annex D); – bridging references to cybersecurity management systems (Annex K). This document does not cover security requirements for: – information technology (IT); – industrial automation and control systems (IACS), engineering workstations and their software applications; – critical infrastructure or energy management systems; – network device (communication network switch or virtual private network terminator), or – data confidentiality other than for critical security parameters; – design lifecycle management. For this aspect, see IEC 62443-4-1, ISO/IEC 27001 or other security lifecycle management standards.
英文名称Low-voltage switchgear and controlgear and their assemblies - Security requirements