标准摘要
[中文适用范围]: 本文件的范围是捕捉国家和国际网络风险方法,用于管理与核电厂(NPP)仪器和控制(I&C)及电力系统(EPS)相关的网络安全风险。本报告继承了IEC 62645的范围,该标准定义了防止、检测和应对通过数字手段(网络攻击)对I&C系统和EPS进行恶意行为的适当措施。此范围包括任何导致不安全情况、设备损坏或工厂性能下降的恶意行为,例如:影响系统完整性的恶意修改;可能损害I&C系统可编程数字功能交付或性能的信息、数据或资源的恶意干扰;可能损害操作员显示或导致I&C系统或EPS管理丢失的信息、数据或资源的恶意干扰;以及可编程逻辑控制器级别的恶意硬件、固件或软件更改。违反安全策略的人为错误和影响网络安全控制性能的错误是本文件评估的风险管理过程需要评估的关键风险。本文件总结了核设施运营商用于管理网络安全风险的网络风险方法的评估。本文件的范围通常遵循IEC 62645的排除项,这些排除项包括:非恶意行为和事件,如意外故障、人为错误(除非上述影响网络安全控制性能的错误)和自然事件;现场物理安全、访问控制和现场安全监视系统;以及I&C系统和EPS信息的保密性。 [外文原描述]: IEC TR 63486:2024 provides a cybersecurity framework for digital I&C programmable systems [2]. IEC 62645 [1] aligns strongly with the information security management system (ISMS) elements detailed within ISO/IEC 27001:2013 [2]. The ISO/IEC ISMS structure corresponds to the “I&C digital programmable system cybersecurity program” in the context (as defined in 5.2.1 of IEC 62645:2019 [1]). The scope of this document is to capture the national and international cyber-risk approaches employed to manage cybersecurity risks associated with Instrumentation and Control (I&C) and Electrical Power Systems (EPS) at a Nuclear Power Plant (NPP). This document summarizes an evaluation of cyber-risk approaches that are in use by nuclear facility operators to manage cybersecurity risks. The scope of this document generally follows the exclusions of IEC 62645 which are: - Non-malevolent actions and events such as accidental failures, human errors (except those stated above, such as impacting the performance of cybersecurity controls), and natural events. In particular, good practices for managing applications and data, including backup and restoration related to accidental failure, are out of scope. This document summarizes key insights of the international and cyber-risk approaches used at NPPs regarding the application of ISO/IEC 27005:2018 [5]. The evaluation is based on 11 challenges to cybersecurity risk management and their applicability to NPP risk management. The challenges are detailed in Clause 7. This document also relates the risk management elements of IEC 62645 and IEC 63096.
英文名称Nuclear facilities - Instrumentation, control and electrical power systems - Cybersecurity risk management approaches