BS IEC 63096:2020 Nuclear power plants. Instrumentation, control and electrical power systems. Security controls, 2020
- CONTENTS
- FOREWORD
- INTRODUCTION
- 1 Scope
- 1.1 General
- 1.2 Objectives
- 1.3 Application
- 1.4 Framework
- 2 Normative references
- 3 Terms, definitions and abbreviated terms
- 3.1 Terms and definitions
- Figures
- Figure 1 – E/E/PE items
- 3.2 Abbreviated terms
- 4 Nuclear I&C programmable digital systems specific security controls
- 4.1 Target audience and related life-cycle activities
- 4.2 Source for definition of nuclear I&C programmable digital systems specific security controls
- 4.2.1 General
- 4.2.2 Security degrees and baseline requirements
- 4.2.3 Computer-based tools for I&C system– engineering, –maintenance and –diagnostic
- 4.2.4 Safety and security
- 4.3 Security controls catalogue
- 4.3.1 General
- 4.3.2 ISO/IEC 27002 is the basis for IEC 63096 security controls
- 4.3.3 Modification/ extension of the ISO/IEC 27002:2013 security control description
- 4.3.4 Structure of each security control description
- 4.4 Process of selecting security controls
- 4.4.1 General
- Figure 2 – Overview
- 4.4.2 Process of selecting and implementing security controls for the actual I&C platform and I&C system
- Figure 3 – Process of selecting and implementing security controls for the actual I&C platform and I&C system
- 4.4.3 Process of selecting and implementing security controls for D- activity -> I&C Platform Development
- 4.4.4 Process of selecting and implementing security controls for E- activity -> I&C system engineering
- 4.4.5 Process of selecting and implementing security controls for O- activity -> Operation and Maintenance of I&C system
- 4.4.6 Additional process requirements valid for controls for the “actual I&C platform and I&C system” and for the D-, E- and O- activity
- 4.5 Documentation and traceability of security controls
- 4.5.1 Documentation of security controls selection (statement of applicability)
- 4.5.2 Traceability
- 5 Cybersecurity policies
- 5.1 Management direction for cybersecurity
- 5.1.1 Policies for cybersecurity
- 5.1.2 Review of the policies for cybersecurity
- 6 Organization of cybersecurity
- 6.1 Internal organization
- 6.1.1 Cybersecurity roles and responsibilities
- 6.1.2 Segregation of duties
- 6.1.3 Contact with authorities
- 6.1.4 Contact with special interest groups
- 6.1.5 Cybersecurity to project management
- 6.2 Mobile devices and teleworking
- 6.2.1 Mobile device policy
- 6.2.2 Teleworking
- 7 Human resource security
- 7.1 Prior to employment
- 7.1.1 Screening
- 7.1.2 Terms and Conditions of Employment
- 7.2 During employment
- 7.2.1 Management responsibilities
- 7.2.2 Cybersecurity Awareness, Education and Training
- 7.2.3 Disciplinary process
- 7.3 Termination and change of employment
- 7.3.1 Termination or change of employment responsibilities
- 8 Asset management
- 8.1 Responsibility for assets
- 8.1.1 Inventory of assets
- 8.1.2 Ownership of assets
- 8.1.3 Acceptable use of assets
- 8.1.4 Return of assets
- 8.2 Information classification
- 8.2.1 Classification of information
- 8.2.2 Labelling of information
- 8.2.3 Handling of assets
- 8.3 Media handling
- 8.3.1 Management of removable media
- 8.3.2 Disposal of media
- 8.3.3 Physical media transfer
- 9 Access control
- 9.1 Requirements of access control
- 9.1.1 Access Control Policy
- 9.1.2 Access to network and network services
- 9.2 User access management
- 9.2.1 User registration and de-registration
- 9.2.2 User access provisioning
- 9.2.3 Management of privileged access rights
- 9.2.4 Management of secret authentication information of users
- 9.2.5 Review of user access rights
- 9.2.6 Removal or adjustment of access rights
- 9.3 User responsibilities
- 9.3.1 Use of secret authentication information
- 9.4 System and application access control
- 9.4.1 Information access restriction
- 9.4.2 Secure log-on procedures
- 9.4.3 Password management system
- 9.4.4 Use of privileged utility programs
- 9.4.5 Access control to program source code
- 10 Cryptography
- 10.1 Cryptographic controls
- 10.1.1 Policy on the use of cryptographic control
- 10.1.2 Key management
- 11 Physical and environmental security
- 11.1 Secure areas
- 11.1.1 Physical security perimeter
- 11.1.2 Physical entry controls
- 11.1.3 Securing offices, rooms and facilities
- 11.1.4 Protecting against external and environmental threats
- 11.1.5 Working in secure areas
- 11.1.6 Delivery and loading areas and ware houses
- 11.2 Equipment
- 11.2.1 Equipment siting and protection
- 11.2.2 Supporting utilities
- 11.2.3 Cabling security
- 11.2.4 Equipment maintenance
- 11.2.5 Removal of assets
- 11.2.6 Security of equipment and assets off-premises
- 11.2.7 Secure disposal or re-use of equipment
- 11.2.8 Unattended user equipment
- 11.2.9 Clear desk and clear screen policy
- 12 Operations security
- 12.1 Operational procedures and responsibilities
- 12.1.1 Documented operating Procedures
- 12.1.2 Change management
- 12.1.3 Capacity management
- 12.1.4 Separation of development, testing and operational environments
- 12.2 Protection from malware
- 12.2.1 Controls against malware
- 12.3 Backup
- 12.3.1 Information backup
- 12.4 Logging and monitoring
- 12.4.1 Event logging
- 12.4.2 Protection of log information
- 12.4.3 Administrator and operator logs
- 12.4.4 Clock synchronisation
- 12.5 Control of operational software
- 12.5.1 Installation of software on operational systems
- 12.6 Technical vulnerability management
- 12.6.1 Management of technical vulnerabilities
- 12.6.2 Restrictions on software installation
- 12.7 Systems audit considerations
- 12.7.1 Systems audit controls
- 13 Communications security
- 13.1 Network security management
- 13.1.1 Network controls
- 13.1.2 Security of network services
- 13.1.3 Segregation in networks
- 13.2 Information transfer
- 13.2.1 Information transfer policies and procedures
- 13.2.2 Agreements on information transfer
- 13.2.3 Electronic messaging
- 13.2.4 Confidentiality or non-disclosure agreements
- 14 System acquisition, development and maintenance
- 14.1 Security requirements of information systems
- 14.1.1 Cybersecurity Requirements Analysis and Specification
- 14.2 Security in development and support processes
- 14.2.1 Secure development policy
- 14.2.2 System change control procedures
- 14.2.3 Technical review of applications after operating platform changes
- 14.2.4 Restrictions on changes to software packages
- 14.2.5 Secure system engineering principles
- 14.2.6 Secure development environment
- 14.2.7 Outsourced development
- 14.2.8 System security testing
- 14.2.9 System acceptance testing
- 14.3 Test data
- 14.3.1 Protection of test data
- 15 Supplier relationships
- 15.1 Cybersecurity in supplier relationships
- 15.1.1 Cybersecurity policy for supplier relationships
- 15.1.2 Addressing security within supplier agreements
- 15.1.3 Information and communication technology supply chain
- 15.2 Supplier service delivery management
- 15.2.1 Cybersecurity policy for supplier relationships
- 15.2.2 Managing changes to supplier services
- 16 Cybersecurity incident management
- 16.1 Management of I&C cybersecurity incidents and improvements
- 16.1.1 Responsibilities and procedures
- 16.1.2 Reporting I&C cybersecurity events
- 16.1.3 Reporting I&C cybersecurity weaknesses
- 16.1.4 Assessment of and decision on I&C cybersecurity events
- 16.1.5 Response to I&C cybersecurity incidents
- 16.1.6 Learning from I&C cybersecurity incidents
- 16.1.7 Collection of evidence from I&C
- 17 Cybersecurity aspects of business continuity management
- 17.1 Cybersecurity continuity
- 17.1.1 Planning cybersecurity continuity
- 17.1.2 Implementing cybersecurity continuity
- 17.1.3 Verify, review and evaluate cybersecurity continuity
- 17.2 Redundancies
- 17.2.1 Availability of I&C systems
- 18 Compliance
- 18.1 Compliance with legal and contractual requirements
- 18.1.1 Identification of applicable legislation and contractual requirements
- 18.1.2 Intellectual property rights
- 18.1.3 Protection of records
- 18.1.4 Privacy and protection of personally identifiable information
- 18.1.5 Regulation of cryptographic controls
- 18.2 Information security reviews, audits, and inspections
- 18.2.1 Independent review of cybersecurity
- 18.2.2 Compliance with security policies and standards
- 18.2.3 Technical compliance reviewing
- 19 NUC – Cybersecurity and architecture
- 19.1 NUC – Cybersecurity and architecture controls
- 19.1.1 NUC – Security levels
- 19.1.2 NUC – Security zones
- 19.1.3 NUC – Administration security zones
- 19.1.4 NUC – Data extraction and collection
- 19.1.5 NUC – Temporary elements introduction within a security zone
- 20 NUC – Virtualization environment and infrastructure
- 20.1 NUC – Virtualization environment and infrastructure controls
- 20.1.1 NUC virtualized I&C environments
- Annex A (informative) Security Controls by Security Degrees, activities, I&C platform or I&C system, preservation focus, control focus and ISO/IEC 27002 modification
- Tables
- Table A.1 – Security controls overview
- Annex B (informative) Correspondence with IEC 62645:2019
- Table B.1 – Correspondence between IEC 62645:2019 and IEC 63096
- Annex C (informative) Sample list for documentation of project specific security controls selections
- Table C.1 – Sample list for documentation of project specific security controls selections
- Annex D (informative) Semi-formal representation and exchange of security controls
- Annex E (informative) Cryptography
- E.1 Risk categorization
- E.2 Information to be provided for transporting data
- E.3 Cybersecurity roles
- E.4 Two-factor authentication process for key management system access
- Bibliography