BS IEC 62859:2016 – Nuclear power plants — Instrumentation and control systems — Requirements for coordinating safety and cybersecurity
5 Coordinating safety and cybersecurity at the overall architecture level
5.1 General Several safety features and architectural characteristics implemented in order to address design basis requirements are in some cases directly beneficial to cybersecurity: this includes some of the features that support equipment independence, system reliability or system diversity. However, considering that the design of these features may not have adequately taken into account potential vulnerabilities to cyberattacks, dedicated cybersecurity measures may be needed to achieve adequate cybersecurity, without degrading safety. This clause provides requirements and recommendations to enable a smooth integration of cybersecurity requirements as per IEC 62645 in a nuclear I&C architecture, fundamentally and firstly structured by safety-oriented requirements (in particular those of IEC 61513 and several second level documents of the SC 45A series, including IEC 62340 or IEC 60709).
5.2 Fundamental and generic principles The following principles apply for the treatment of cybersecurity at the I&C architectural level:
a) Cybersecurity shall not interfere with the safety objectives of the plant and shall protect their realisation. It shall not compromise the effectiveness of the diversity and defence-in-depth features implemented by the I&C architecture.
b) Cybersecurity requirements impacting the overall I&C architecture shall be addressed after the overall I&C architecture design and assignment of the I&C functions have first been made as per 5.4 of IEC 61513:2011. The integration of architectural cybersecurity requirements may lead to an iterative design process.
NOTE The objective is to secure a safe I&C architecture. Such a sequence is already implicit in IEC 62645, as the assignment of security degrees (and their associated requirements) assumes that safety categories are already assigned to safety functions, and that the safety functions are already assigned to I&C systems.
c) Cybersecurity features shall not adversely impact the required performance (including response time), required effectiveness, required reliability or required operation of functions important to safety.
d) The failure modes and consequences of cybersecurity features on the functions important to safety shall be analysed and taken into account.
e) When two architecture designs offer an equivalent level of safety, priority should be given to the more secure one. Unnecessary complexity shall be avoided as it is detrimental to both safety and cybersecurity.
f) Any architectural property or characteristic designed for safety reasons (e.g., independence between systems) which has value as a potential cybersecurity countermeasure (during the cybersecurity risk analysis activity, for instance) should be re-examined, taking into account context-relevant cyberattacks, by staff responsible for cybersecurity, to confirm its cybersecurity effectiveness. A particular case corresponds to communications between systems important to safety and systems not important to safety, or between systems of different safety classes. IEC 61513 already requires that communication links are designed in such a way that data communication and operation of the higher safety category function cannot be jeopardised by data communication with lower classified systems. However, the provisions taken to fulfil such safety requirements are not necessarily robust against malicious threats and cyberattacks.
5.3 Thematic requirements and recommendations
5.3.1 Delineation of security zones
5.3.1.1 General As defined in IEC 62645, security zones are practical and architectural implementations of a graded approach to cybersecurity; they allow I&C systems with similar importance concerning safety and plant performance (i.e. having the same security degree) to be grouped together for administration and application of protective measures. As per IEC 62645, criteria for defining a security zone include organizational issues (such as ownership/responsibility), localisation, and architectural or technical aspects. In practice, security zones are implemented as a means against the propagation of cyberattacks. In such a context, when a zone model is enforced as recommended by IEC 62645, the following applies:
a) The delineation of security zones, as per IEC 62645, shall take into account and leverage independence and physical separation requirements introduced for the purpose of enhancing safety.
b) Data communication aspects (incl. logical separation) and geographical/physical separation as well as independence aspects shall be considered together to delineate security zones.
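The following is an added illustration, not text or code from IEC 62859 or IEC 62645, of how 5.3.1 a) and b) together with 5.2 f) can be turned into a repeatable check during architecture review. It builds candidate zones from a constructed I&C inventory by grouping systems that share a security degree, a safety division (the independence boundary) and a physical location, then lists every communication link that crosses a zone boundary, distinguishing links that enter a more stringent zone from lower-classified equipment (the case 5.2 f) says must be re-examined against cyberattacks) from links that merely cross between divisions. The system names, the degree numbering (1 = most stringent), the division labels and the links are all my assumptions for the example; none of them come from the standard.

```python
"""Added example: derive candidate security zones from an I&C inventory and
flag inter-zone links for cybersecurity review. Not part of IEC 62859/62645;
the inventory, degree numbering and link list below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Reason codes attached to a flagged link (assumed labels, not standard terms).
CROSSES_DIVISION = "CROSSES_DIVISION"                      # crosses an independence boundary
ENTERS_MORE_STRINGENT_ZONE = "ENTERS_MORE_STRINGENT_ZONE"  # lower-degree data enters a higher-degree zone
LEAVES_MORE_STRINGENT_ZONE = "LEAVES_MORE_STRINGENT_ZONE"  # higher-degree data leaves to a lower-degree zone


@dataclass(frozen=True)
class System:
    name: str
    safety_cat: str             # IEC 61513 category: A, B, C or NC (not classified)
    degree: int                 # IEC 62645 security degree; 1 = most stringent (assumed numbering)
    division: Optional[str]     # safety division/train, None for non-divisional equipment
    location: str               # building/room used as the physical-separation boundary


@dataclass(frozen=True)
class Link:
    src: str    # sending system
    dst: str    # receiving system


def zone_key(s: System) -> Tuple[int, Optional[str], str]:
    """A zone groups systems of the same security degree that also share the
    safety division and physical location (5.3.1 a and b considered together)."""
    return (s.degree, s.division, s.location)


def delineate_zones(systems: List[System]) -> Dict[Tuple[int, Optional[str], str], List[str]]:
    """Return candidate zones as {zone_key: [system names]}."""
    zones: Dict[Tuple[int, Optional[str], str], List[str]] = defaultdict(list)
    for s in systems:
        zones[zone_key(s)].append(s.name)
    return dict(zones)


def review_links(systems: List[System], links: List[Link]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (src, dst, reason codes) for every link that crosses a zone boundary.
    Links inside one zone need no review here and are omitted."""
    by_name = {s.name: s for s in systems}
    findings = []
    for link in links:
        a, b = by_name[link.src], by_name[link.dst]
        if zone_key(a) == zone_key(b):
            continue
        reasons = []
        # Independence boundary: both endpoints are divisional and in different divisions.
        if a.division is not None and b.division is not None and a.division != b.division:
            reasons.append(CROSSES_DIVISION)
        # Degree comparison: smaller number means a more stringent zone.
        if b.degree < a.degree:
            reasons.append(ENTERS_MORE_STRINGENT_ZONE)
        elif b.degree > a.degree:
            reasons.append(LEAVES_MORE_STRINGENT_ZONE)
        findings.append((link.src, link.dst, tuple(reasons)))
    return findings


# Constructed inventory for the example (not a real plant).
SYSTEMS = [
    System("RPS-A", "A", 1, "A", "Bldg1-RoomA"),          # reactor protection, division A
    System("ESFAS-A", "A", 1, "A", "Bldg1-RoomA"),        # engineered safety features, division A
    System("RPS-B", "A", 1, "B", "Bldg1-RoomB"),          # reactor protection, division B
    System("DCS", "C", 3, None, "Bldg2"),                 # plant control, non-divisional
    System("PlantNet-Hist", "NC", 3, None, "Bldg2"),      # historian, not classified
]

# Constructed links; direction is data flow from src to dst.
LINKS = [
    Link("RPS-A", "ESFAS-A"),      # inside one zone
    Link("RPS-A", "RPS-B"),        # inter-division exchange between equal-degree zones
    Link("RPS-A", "DCS"),          # status data leaving the degree-1 zone
    Link("DCS", "RPS-A"),          # data from degree-3 equipment entering the degree-1 zone
    Link("DCS", "PlantNet-Hist"),  # inside one zone
]

if __name__ == "__main__":
    for key, members in sorted(delineate_zones(SYSTEMS).items(), key=str):
        print("zone", key, "->", members)
    for src, dst, reasons in review_links(SYSTEMS, LINKS):
        print(f"review {src} -> {dst}: {', '.join(reasons)}")
```

The output that matters to the reviewer is the link flagged ENTERS_MORE_STRINGENT_ZONE: the IEC 61513 provision that protects the higher-category function on that link was designed against data-communication faults, and 5.2 f) requires it to be re-examined by cybersecurity staff against deliberate attack rather than assumed adequate. Links flagged CROSSES_DIVISION are where the zone delineation should preserve, not dilute, the independence that was introduced for safety.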