BS IEC 62859:2016 pdf download – Nuclear power plants – Instrumentation and control systems – Requirements for coordinating safety and cybersecurity.
5.3 Thematic requirements and recommendations
5.3.1 Delineation of security zones
5.3.1.1 General
As defined in IEC 62645, security zones are practical and architectural implementations of a graded approach to cybersecurity; they allow l&C systems with similar importance concerning safety and plant performance (i.e. having the same security degree) to be grouped together for administration and application of protective measures. As per IEC 62645, criteria for defining a security zone include organizational issues (such as ownership/responsibility), localisation, architectural or technical aspects. In practice, security zones are implemented as means against the propagation of cyberattacks. In such context, when a zone model is enforced as recommended by IEC 62645, the following applies:
a) The delineation of security zones, as per IEC 62645, shall take into account and leverage independence and physical separation requirements introduced for the purpose of enhancing safety.
b) Data communication aspects (md. logical separation) and geographical/physical separation as well as independence aspects shall be considered together to delineate security zones.
NOTE Geographical separation and independence features are not sufficient to delineate security zones.
5.3.1.2 Dealing with systems with several divisions
a) The divisions (or trains) of a given l&C programmable digital system should be grouped in the same security zone, unless the communications between divisions can be efficiently filtered and monitored from a cybersecurity perspective.
b) The divisions (or trains) of a given l&C programmable digital system shall be grouped in the same security zone if a common engineering tool is used to configure them.
NOTE This requirement holds even if the tool is connected only to one division at a time: if the tool is
compromised, it can support an asynchronous attack, compromising divisions one after the other.
5.3.1.3 Dealing with systems sharing common resources
a) l&C programmable digital systems sharing common computer-based tools (e.g. configuration, testing, and/or maintenance tools) shall be grouped in the same security zone, unless it is demonstrated from a cybersecurity perspective that the tools cannot directly impact the systems they are connected to.
b) l&C programmable digital systems sharing a common network or communication bus without cybersecurity technical provisions securing the communications should be grouped in the same security zone, even if they perform functions of different safety categories. As per IEC 62645, the security degree assignment shall take into account the most sensitive safety category.
5.3.2 Provisions for coping with common cause failures (including diversity)
a) In some cases, provisions taken in order to cope with common cause failures (CCF), including diversity, can be leveraged from a cybersecurity perspective, and should be leveraged in such cases. When claimed in cybersecurity oriented analyses, the cybersecurity benefit shall be assessed and validated by staff responsible for cybersecurity, taking into account context-relevant malicious threats and potential cyberattacks (consistently with 5.2 f).
NOTE 1 Provisions resulting from requirements, recommendations and associated safety practices as per 5.4.2M of IEC 61513:2011 (for all l&C systems important to safety), Clause 13 of lEd 60880:2006 (for software aspects of systems performing category A functions), IEC 62340 or equivalent (for systems performing category A functions), are for instance directly concerned by 5.3.2a).
5.3.3 Separation provisions a) In some cases， provisions taken for separation purposes can be leveraged from a cybersecurity perspective, and should be leveraged in such cases. b) Requirements， recommendations and associated safety practices as per 5.4 of IEC 60709:2004 on independence from control systems (for systems supporting category A functions)， or equivalent， are potentially beneficial both in terms of safety and cybersecurity. When claimed in cybersecurity oriented analyses, the cybersecurity benefit shall be assessed and validated by staff responsible for cybersecurity, taking into account context-relevant malicious threats and potential cyberattacks (consistently with 5.2 f). 5.3.4 Data communications a) Requirements, recommendations and associated safety practices as per IEC 61500:2009 on data communications (for systems supporting category A functions), or equivalent, are potentially beneficial both in terms of safety and cybersecurity. When claimed in cybersecurity oriented analyses, the cybersecurity benefit shall be assessed and validated by staff responsible for cybersecurity， taking into account context-relevant malicious threats and cyberattacks (consistently with 5.2 f). b) A detailed knowledge of data communications in use by and between I&C programmable digital systems (incl. protocols, roles, initiatives, sources and destinations) is beneficial both for safety and cybersecurity and shall be maintained and documented, from design to implementation and operations.