Standards Development

Scope

This Technical Specification addresses best practice recommendations for system software vulnerability management and the end-of-support management for system software, used for programmable digital items/ platforms.

It also describes the specific challenges and constraints on security patching of programmable digital items/ platforms and systems for a Nuclear Power Plant.

In addition to that the Technical Specification includes implications of end-of-support system software on the security programmable digital items/ platforms and systems and recommendations how to handle such system software.

Purpose

Regarding the topics of the proposed Technical Specification, IEC 63096 defines fundamental security controls regarding system software vulnerability management. IEC 63096 does not include security controls regarding the end-of-support management for system software, used for programmable digital items/ platforms.

This technical specification addresses these gaps by detailing best practice recommendations for system software vulnerability management and introducing best practise recommendations for the end-of-support management for system software, used for programmable digital items/ platforms.

Based on programmable digital items/platforms, the objectives of this technical specification are:

– Provide recommended criteria for the decision on when a specific system software vulnerability needs to be patched;

– Ensure understanding of the challenges and limitations of system software vulnerability management in the field of programmable digital items/platforms and systems for NPPs;

– Provide guidance on system software vulnerability patching by the manufacturer of programmable digital items/platforms;

– Describe a best practice method for the handling of system software vulnerabilities during project engineering, installation, commissioning for plant specific systems level development based on programmable digital items/ platforms;

– Provide guidance on a recommended process for cybersecurity risk-based identification of needed system software vulnerability patches, steps for developing/integrating, testing, releasing the system software cybersecurity patch for systems;

– Describe other approaches for system software vulnerability handling for systems, such as security baselining or patch all system software vulnerabilities;

– Provide guidance on the handling of system software cybersecurity patches from a safety qualification perspective, in case a programmable digital item/ platform system software is applied to perform category A, B or C functions;

– Describe a best practice method for the handling of system software vulnerabilities for systems based on programmable digital items/platforms during NPP operation, maintenance and decommissioning;

– Provide guidance on the handling of end-of-support system software. Rationale for developing a Technical Specification versus a Standard:

– Laws and requirements on “SOFTWARE VULNERABILITY AND END-OF-SUPPORT SYSTEM SOFTWARE MANAGEMENT” are country specific. Developing an IEC standard that is in sync with all existing and future country specific laws and acts is not feasible.

– “SOFTWARE VULNERABILITY AND END-OF-SUPPORT SYSTEM SOFTWARE MANAGEMENT” is a controversial topic and there is doubt on whether consensus can be achieved.

During the 2022 IEC SC45A meetings, it was decided to develop a TR on the subject of software vulnerability and patch management. Several working drafts were developed and discussed internally within working group A9. In September 2023, WGA9 experts discussed the need to change the project from a TR to a TS or IS. For the reasons given above, WGA9 experts concluded that a Technical Specification document is the most appropriate choice. This decision was confirmed during the SC45A plenary meeting, see 45A/1509/RM, decision 45A/2023-31.