Standards Development

Scope

This document applies to the security related main functions of switchgear and controlgear and their assemblies, called equipment, in the context of operational technology and during the whole lifecycle of the equipment. It is applicable to equipment with wired or wireless data communication means and their physical accessibility, within their limits of environmental conditions.

This document provides requirements on the appropriate:

–        security risk assessment to be developed including the attack levels, the typical threats, the impact assessment and the relationship with safety;

–        levels of exposure of the communication interface and the determination of the equipment security level;

–        countermeasures for the physical access and the environment derived from ISO/IEC 27001:2013;

–        countermeasures referring to IEC 62443-4-2 with their criteria of applicability;

–        user instructions for installation, operation and maintenance;

–        conformance verification and testing, and

–        security protection profiles by family of equipment (Annex E to Annex H).

In particular, it focuses on potential vulnerabilities to threats resulting in:

–        unintended operation of the switching device or the control device, which can lead to hazardous situations;

–        unavailability of the protective functions (overcurrent, earth leakage, etc.);

–        other degradation of safety related function.

It also provides guidance on the cybersecurity management with the:

–        roles and responsibilities (Table 4);

–        typical architectures (Annex A)

–        use cases (Annex B)

–        development methods (Annex C)

–        recommendations to be provided to users and for integration into an assembly (Annex D)

–        bridging references to cybersecurity management systems (Annex J)

This document does not cover security requirement for

–        information technology (IT),

–        industrial automation and control systems (IACS), engineering workstations and their software applications,

–        critical infrastructure or energy management systems,

–        network device (communication network switch or virtual private network terminator), or

–        data confidentiality other than for critical security parameters.

This document, as a product security publication, follows IEC Guide 120.