T MU SY 10010 ST

Standard

Cybersecurity for IACS - Overview

Version 1.0
Issue date: 25 May 2018
Effective date: 01 July 2018

© State of NSW through Transport for NSW 2018

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Important message
This document is one of a set of standards developed solely and specifically for use on
Transport Assets (as defined in the Asset Standards Authority Charter). It is not suitable for any
other purpose.

The copyright and any other intellectual property in this document will at all times remain the
property of the State of New South Wales (Transport for NSW).

You must not use or adapt this document or rely upon it in any way unless you are providing
products or services to a NSW Government agency and that agency has expressly authorised
you in writing to do so. If this document forms part of a contract with, or is a condition of
approval by a NSW Government agency, use of the document is subject to the terms of the
contract or approval. To be clear, the content of this document is not licensed under any
Creative Commons Licence.

This document may contain third party material. The inclusion of third party material is for
illustrative purposes only and does not represent an endorsement by NSW Government of any
third party product or service.

If you use this document or rely upon it without authorisation under these terms, the State of
New South Wales (including Transport for NSW) and its personnel does not accept any liability
to you or any other person for any loss, damage, costs and expenses that you or anyone else
may suffer or incur from your use and reliance on the content contained in this document. Users
should exercise their own skill and care in the use of the document.

This document may not be current and is uncontrolled when printed or downloaded. Standards
may be accessed from the Transport for NSW website at www.transport.nsw.gov.au

For queries regarding this document, please email the ASA at

[email protected] or visit www.transport.nsw.gov.au

© State of NSW through Transport for NSW 2018

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Standard governance
Owner: Lead Telecommunications Engineer, Asset Standards Authority
Authoriser: Chief Engineer, Asset Standards Authority
Approver: Executive Director, Asset Standards Authority on behalf of the ASA Configuration Control
Board

Document history
Version Summary of changes
1.0 First issue.

© State of NSW through Transport for NSW 2018 Page 3 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Preface
The Asset Standards Authority (ASA) is a key strategic branch of Transport for NSW (TfNSW).
As the network design and standards authority for NSW Transport Assets, as specified in the
ASA Charter, the ASA identifies, selects, develops, publishes, maintains and controls a suite of
requirements documents on behalf of TfNSW, the asset owner.

The ASA deploys TfNSW requirements for asset and safety assurance by creating and
managing TfNSW's governance models, documents and processes. To achieve this, the ASA
focuses on four primary tasks:

• publishing and managing TfNSW's process and requirements documents including TfNSW
plans, standards, manuals and guides

• deploying TfNSW's Authorised Engineering Organisation (AEO) framework

• continuously improving TfNSW’s Asset Management Framework

• collaborating with the Transport cluster and industry through open engagement

The AEO framework authorises engineering organisations to supply and provide asset related
products and services to TfNSW. It works to assure the safety, quality and fitness for purpose of
those products and services over the asset's whole-of-life. AEOs are expected to demonstrate
how they have applied the requirements of ASA documents, including TfNSW plans, standards
and guides, when delivering assets and related services for TfNSW.

Compliance with ASA requirements by itself is not sufficient to ensure satisfactory outcomes for
NSW Transport Assets. The ASA expects that professional judgement be used by competent
personnel when using ASA requirements to produce those outcomes.

About this document

This document forms part of a series of cybersecurity for industrial automation and control
systems (IACS) standards.

This document provides an overview of the cybersecurity for IACS series of standards and
standardises the adoption and application of the IEC 62443 series of standards for the
cybersecurity of IACS for TfNSW Transport Network. This document describes the tailored
conformance of certain parts of IEC 62443.

This document has been prepared by the ASA in consultation with TfNSW agencies and
industry representatives.

This document has been informed by concepts contained in IEC/TS 62443-1-1 Industrial
communication networks - Network and system security - Part 1-1: Terminology, concepts and
models and includes extracts from that standard.

© State of NSW through Transport for NSW 2018 Page 4 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

The ASA thanks the International Electrotechnical Commission (IEC) for permission to
reproduce information from its international standards. All such extracts are copyright of IEC,
Geneva, Switzerland. All rights reserved.

Further information on the IEC is available from www.iec.ch.

IEC has no responsibility for the placement and context in which the extracts and contents are
reproduced by the author, nor is IEC in any way responsible for the other content or accuracy
therein.

This document is a first issue.

© State of NSW through Transport for NSW 2018 Page 5 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Table of contents
1. Introduction .............................................................................................................................................. 7
2. Purpose .................................................................................................................................................... 8
2.1. Scope ..................................................................................................................................................... 8
2.2. Application ............................................................................................................................................. 8
3. Reference documents ............................................................................................................................. 8
4. Terms and definitions ........................................................................................................................... 10
5. Overview of cybersecurity for IACS series of standards .................................................................. 11
6. Tailored conformance of IEC 62443 parts ........................................................................................... 12
6.1. Tailored conformance of IEC/TS 62443 Part: 1-1 ............................................................................... 12
6.2. Tailored conformance of IEC 62443 Part: 3-2 ..................................................................................... 13
6.3. Tailored conformance of IEC 62443 Part: 3-3 ..................................................................................... 13
7. Cyber risk management and Transport standards ............................................................................ 13
8. Reference models .................................................................................................................................. 14
8.1. Functional hierarchy reference model ................................................................................................. 14
8.2. Security zones and conduits reference model..................................................................................... 15
9. Glossary of terms and definitions ....................................................................................................... 20

© State of NSW through Transport for NSW 2018 Page 6 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

1. Introduction
As the Transport for NSW (TfNSW) Transport Network modernises, expands and develops, the
exposure to, and the challenge of managing cybersecurity risks grows. In particular, risks of
attack to industrial automation and control systems (IACS), such as signalling systems, train
control systems, supervisory control and data acquisition (SCADA) systems, intelligent transport
systems and operational management systems need to be managed.

TfNSW defines cyber risk as being the potential for unauthorised use, disclosure, damage or
disruption to assets through the use of technology.

Australia’s Cybersecurity Strategy sets out the Australian Government program to raise the bar
on cybersecurity performance. The strategy has noted that both public sector and private sector
organisations should better understand cyber risks and provide stronger cyber defences.

Foundational to the NSW Government NSW Digital Government Strategy is that NSW
Government systems are secure and resilient through the consistent application of minimum
cybersecurity standards.

Further to this, the NSW Government Digital Information Security Policy (DISP) establishes the
NSW Government security requirements for digital information and is based on
ISO/IEC 27001 Information technology - Security techniques - Information security management
systems - Requirements. However the DISP is limited in its scope to digital information and
information and communication technology.

Compliance with DISP alone is not sufficient for IACS on the TfNSW Transport Network as
attacks on IACS – unlike enterprise systems – may have significant and immediate health and
safety, environmental, customer experience and operational impacts to the provision of
transport services.

In this context, the Asset Standards Authority (ASA), on behalf of TfNSW has developed a
series of standards for the cybersecurity of IACS.

Consistent with Australian Government and NSW Government approaches, a hybrid approach
is used consisting of minimum cybersecurity requirements supplemented by risk-based controls
developed using a tailored cybersecurity risk assessment procedure.

The ASA has adopted the IEC 62443 series of standards; however, conformance to certain
parts has been tailored to suit the needs of TfNSW. The tailored conformance is explained in
Section 6.

The ASA considers the IEC 62443 series of standards to be suitable for IACS on the TfNSW
Transport Network for the following reasons:

• international open standard with broad participation and adoption from IACS product
suppliers

© State of NSW through Transport for NSW 2018 Page 7 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

• specifically addresses IACS

• contains a full suite from policies and procedures, systems and components

• aligned to ISO/IEC 27001 and other frameworks and standards

2. Purpose
This document provides an overview of the cybersecurity for IACS series of standards and
forms part of the series.

This document establishes a common reference of technical information for cybersecurity for
IACS across TfNSW, its agencies and Authorised Engineering Organisations (AEOs).

2.1. Scope
This document covers the overview of the series of standards for cybersecurity for IACS.

This document describes the tailored conformance to parts of IEC 62443. It also describes the
cybersecurity concepts and models and standardises the glossary of cybersecurity terms and
definitions.

This series of standards addresses IACS as defined by the functional hierarchy reference model
for enterprise and control systems as described in IEC 62264-1 Enterprise-control system
integration – Part 1: Models and terminology and IEC/TS 62443-1-1.

This document does not explicitly address enterprise systems.

This document does not address the cybersecurity governance arrangement of the asset
owner, including the operator and maintainer.

2.2. Application
This document applies to the asset owners, system integrators and product suppliers of IACS
systems.

This document shall be read in conjunction with IEC 62443 series of standards.

3. Reference documents
The following documents are cited in the text. For dated references, only the cited edition
applies. For undated references, the latest edition of the referenced document applies.

International standards

IEC 62264-1 Enterprise-control system integration – Part 1: Models and terminology

IEC/TS 62443-1-1 Industrial communication networks - Network and system security - Part 1-1:
Terminology, concepts and models

© State of NSW through Transport for NSW 2018 Page 8 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

IEC 62443-2-1 Industrial communication networks - Network and system security - Part 2-1:
Establishing an industrial automation and control system security program

IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3:
System security requirements and security levels

ISO/IEC 27001:2005 Information technology - Security techniques - Information security

management systems - Requirements

Australian standards

AS/NZS ISO 31000 Risk management – Principles and guidelines

Transport for NSW standards

TS 10753: 2014 Assurance and Governance Plan Requirements

T MU AM 04001 PL TfNSW Configuration Management Plan

T MU AM 06006 ST Systems Engineering

T MU AM 06008 ST Operations Concept Definition

T MU AM 06009 ST Maintenance Concept Definition

T MU MD 20001 ST System Safety Standard for New or Altered Assets

T MU SY 10012 ST Cybersecurity for IACS - Baseline Technical Cybersecurity System

Requirements and Countermeasures

T MU SY 10013 PR Cybersecurity for IACS - Cyber Risk Management Procedure

Legislation

Rail Safety National Law National Regulations 2012 (NSW)

Transport Administration Act 1988

Other reference documents

Commonwealth of Australia, Department of the Prime Minister and Cabinet, Australia’s Cyber
Security Strategy

Commonwealth of Australia Australian Cyber Security Centre Threat Report

Commonwealth of Australia CERT Australia ICS Remote Access Protocol

NSW Government Department of Finance, Services and Innovation, Digital Information Security
Policy

Senate of the United States Bill S.1691 — 115th Congress (2017-2018) Internet of Things (IoT)
Cybersecurity Improvement Act of 2017

© State of NSW through Transport for NSW 2018 Page 9 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

4. Terms and definitions

The following terms and definitions apply in this document:

ASA Asset Standards Authority

asset owner individual or company responsible for one or more IACS (IEC 62443-3-3 ed.1.0)

automation solution control system and any complementary hardware and software
components that have been installed and configured to operate in an IACS (IEC 62443-2-4
ed.1.0)

cyber risk the potential for unauthorised use, disclosure, damage or disruption to assets
through the use of technology

cybersecurity actions required to preclude unauthorized use of, denial of service to,
modifications to, disclosure of, loss of revenue from, or destruction of critical systems or
informational assets (IEC/TS 62443-1-1 ed.1.0)

DISP Digital Information Security Policy

IACS industrial automation and control systems; collection of personnel, hardware, and
software that can affect or influence the safe, secure, and reliable operation of an industrial
process (IEC/TS 62443-1-1 ed.1.0)

product supplier manufacturer of hardware and/or software product (IEC 62443-3-3 ed.1.0)

SuC system under consideration

system integrator person or company that specializes in bringing together component

subsystems into a whole and ensuring that those subsystems perform in accordance with
project specifications (IEC 62443-3-3 ed.1.0)

All definitions from IEC/TS 62443-1-1 ed.1.0 are Copyright © 2009 IEC Geneva,
Switzerland. www.iec.ch

All definitions from IEC 62443-2-4 ed.1.0 are Copyright © 2017 IEC Geneva,
Switzerland. www.iec.ch

All definitions from IEC 62443-3-3 ed.1.0 are Copyright © 2013 IEC Geneva,
Switzerland. www.iec.ch

Transport Network the transport system (transport services and transport infrastructure)
owned and operated by TfNSW, its operating agencies or private entities upon which TfNSW
has power to exercise its functions as conferred by the Transport Administration Act or any
other Act.

© State of NSW through Transport for NSW 2018 Page 10 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

5. Overview of cybersecurity for IACS series of

standards
TfNSW has adopted the IEC 62443 series of standards for the cybersecurity of IACS; however,
certain parts of IEC 62443 have been tailored.

Note: The IEC 62443 series is being jointly developed by the IEC and International
Society of Automation (ISA) and is under active development. Not all of the parts of
the series have been published.

All published parts of IEC 62443 series shall be complied with at the time of application of this
standard.

The cybersecurity for IACS series of standards aim to achieve the following:

• standardise cybersecurity terminologies, concepts and models across TfNSW, agencies

and Authorised Engineering Organisations (AEOs)

• standardise the baseline technical cybersecurity system requirements and

countermeasures that protect against casual and coincidental violations and intentional
violation using simple means

• standardise the cyber risk management procedure to align with the IEC 62443 series and
TfNSW risk criteria

This series supports compliance to AS/NZS ISO 31000 Risk management – Principles and
guidelines and the IEC 62443 series.

The IACS series of standards applies to IACS that provide functions necessary for achieving the
business objectives and functions as stated in the Transport Administration Act 1988.

This series applies to the plan, acquire and operate/maintain stages of the asset life cycle.

This series applies to new systems and automation solutions.

This series applies to new subsystems or products integrated into an existing automation
solution as part of a configuration change.

The asset owner may direct the retrospective application of this document to an existing
automation solution.

This series applies to IACS as defined by the functional hierarchy reference model for
enterprise and control systems as described in IEC 62264-1 Enterprise-control system
integration – Part 1: Models and terminology and IEC/TS 62443-1-1.

This series applies to the following levels as defined within the reference model:

• level 1 local or basic control systems, level 2 supervisory control systems and level 3
operations management systems

© State of NSW through Transport for NSW 2018 Page 11 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

• interfaces between level 3 operations management systems and level 4 enterprise systems

• may be applied to level 4 enterprise systems

The allocation to levels within the functional hierarchy reference model to a system or
subsystem is the responsibility of the asset owner. The functional hierarchy model is explained
in Section 8.1.

Note: Standards for the security of enterprise systems and information technology are
developed by the People and Corporate Services division, TfNSW and owned by the
Group Chief Information Officer, TfNSW.

This series does not replace obligations to comply with applicable statutes, statutory licences,
policies and contractual requirements. This includes the NSW Government Digital Information
Security Policy (DISP).

Notes:

1. Parts from the IEC 62443 series can be used to support compliance to
ISO/IEC 27001 management systems and DISP

2. A mapping is provided between ISO/IEC 27001:2005 and IEC 62443-2-1 in

Annex C of IEC 62443-2-1

Some transport modes are subject to industry specific requirements. For example, in railway
applications this document supports railway transport operators’ compliance to the security
management plan requirements of the Rail Safety National Law 2012 (NSW).

6. Tailored conformance of IEC 62443 parts

ASA intends to tailor the conformance of parts of the IEC 62443 series through the publication
of ASA standards.

Note: Tailored conformance of a part of IEC 62443 is not intended to conflict with the
base IEC 62443 part or series.

Where ASA has tailored the conformance of parts of IEC 62443, the ASA standards shall take
precedence over the base IEC 62443 parts.

6.1. Tailored conformance of IEC/TS 62443 Part: 1-1

ASA has tailored the conformance of IEC/TS 62443-1-1 Industrial communication networks -
Network and system security – Part: 1-1: Terminology, concepts and models.

This document tailors the conformance of IEC/TS 62443-1-1 in the following ways:

• adopts terminology from IEC/TS 62443-1-1

© State of NSW through Transport for NSW 2018 Page 12 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

• aligns and maps terminology to risk and asset management terminologies used within
TfNSW

• provides informative examples and reference models for the functional hierarchy and
security zones and conduits

6.2. Tailored conformance of IEC 62443 Part: 3-2

IEC 62443 Part: 3-2 addresses system risk assessment and system design.

ASA intends to tailor the conformance of IEC 62443 Part: 3-2 following publication by the IEC.

T MU SY 10013 PR Cybersecurity for IACS - Cyber Risk Management Procedure has been
based on draft ISA committee work products to minimise future work.

6.3. Tailored conformance of IEC 62443 Part: 3-3

ASA has tailored the conformance of IEC 62443-3-3 Industrial communication networks -
Network and system security – Part: 3-3: System security requirements and security levels and
published as T MU SY 10012 ST Cybersecurity for IACS - Baseline Technical Cybersecurity
System Requirements and Countermeasures.

T MU SY 10012 ST tailors the conformance of IEC 62443-3-3 in the following ways:

• setting the minimum security level to 2

• specifying additional system requirements for portable and mobile devices and networks

7. Cyber risk management and Transport standards

Cyber risks shall be identified and managed as part of risk management and engineering
management processes using this series of IACS standards.

Cyber risks shall be included in the application of all relevant ASA standards.

Standards of particular relevance include the following:

• TS 10753: 2014 Assurance and Governance Plan Requirements

• T MU AM 04001 PL TfNSW Configuration Management Plan

• T MU AM 06006 ST Systems Engineering

• T MU AM 06008 ST Operations Concept Definition

• T MU AM 06009 ST Maintenance Concept Definition

• T MU MD 20001 ST System Safety Standard for New or Altered Assets

© State of NSW through Transport for NSW 2018 Page 13 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Technical standards can also contain control requirements for cyber risks; however, the term
'cyber' may not have been explicitly used. Terms such as ‘information security’, ‘security’ or
‘hardening’ may have been used.

8. Reference models
The reference models show the functional levels of IACS, the relationship between the IACS
and the enterprise systems, and a model for partitioning IACS into security zones and conduits.

The reference models shall be adapted to suit the specific system under consideration (SuC).

The reference models should be considered in the option and design development of the SuC.

8.1. Functional hierarchy reference model

The functional hierarchy reference model described in IEC 62264-1 and IEC/TS 62443-1-1
should be used to classify systems.

Notes:

1. IEC/TS 62443-1-1 adopts and tailors the functional hierarchy reference model from
IEC 62264-1.

2. The functional hierarchy does not relate to technological or organisational divisions.

IACS functions typically operate in timeframes from sub-seconds at level 1 to days at level 3 of
the reference model as described in IEC 62264-1.

Table 1 provides a railway specific example of systems at level 0 to level 4 of the reference
model to provide transport context to the model.

Table 1 – Examples of systems classified using the functional hierarchy reference model

Level Description Examples

4 Enterprise systems Timetable management, crew scheduling,
network and asset planning
3 Operations management systems Operations and incident management
2 Supervisory control systems Traffic management
1 Local or basic control systems Signalling interlocking
0 Process Train detection, signal, trainstop, points

The reference model is applicable to all transport modes, and the railway specific example is
not intended to limit the application of this document.

© State of NSW through Transport for NSW 2018 Page 14 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

8.2. Security zones and conduits reference model

The baseline cybersecurity system requirements defined in T MU SY 10012 ST include all
security level 2 (SL2) capabilities and additional context specific capabilities defined in
IEC 62443-3-3.

The security zones and conduits reference model depicted in Figure 1 and Figure 2 has been
developed to accommodate changes in the threat environment and the organisational risk
tolerance over time. The model does this by incorporating relevant system requirements for
security level 4 (SL4) capabilities as defined by IEC 62443-3-3.

Note: Studies have shown that costs associated with changes to systems, such as in
response to a change in the threat environment, escalate through the asset life cycle.

The model can be implemented using variety of conventional and software defined networking
protocols.

An overview of the model is depicted as follows in Figure 1:

• physical security zones using round-edged rectangles with solid lines

• logical security zones using round-edged rectangles with dotted lines

• security zones are not part of the SuC using hatched fill

• external conduits using solid lines

A detailed view of model is depicted as follows in Figure 2:

• physical security zones using round-edged rectangles with solid lines

• logical security zones using round-edged rectangles with dotted lines

• security zones are not part of the SuC using hatched fill

• external conduits using black lines with grey fill

• internal conduits using black lines with white fill

Note: The conduits in the model assume that networks are used; however some
conduits can use local mechanisms such as portable storage media.

© State of NSW through Transport for NSW 2018 Page 15 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Internet Zone Internet Zone

(Primary) (Secondary)

SuC
SuC External
External Zone
Zone Enterprise Zone Enterprise Zone SuC
SuC External
External Zone
Zone
(Primary)
(Primary) (Primary) (Secondary) (Secondary)
(Secondary)

SuC
SuC Internal
Internal SuC
SuC Internal
Internal
Zone
Zone Zone
Zone
(Primary)
(Primary) (Secondary)
(Secondary)

SuC
SuC Services
Services SuC
SuC Services
Services
Zone
Zone Zone
Zone
(Primary)
(Primary) (Secondary)
(Secondary)

SuC
SuC SuC
SuC
Control
Control Centre
Centre Control
Control Centre
Centre
Zone
Zone Zone
Zone
(Primary)
(Primary) (Secondary)
(Secondary)

SuC
SuC Field
Field Loc.
Loc.
Zone
Zone

Figure 1 – Overview of security zones and conduits reference model

© State of NSW through Transport for NSW 2018 Page 16 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Internet Zone (Primary)

Zone not developed.

SuC
SuC External
External Zone
Zone (Primary)
(Primary)

Gateway Firewall

Enterprise Zone (Primary)

Jump Gateway
server Firewall

Zone not developed.

SuC
SuC Internal
Internal Zone
Zone (Primary)
(Primary)

Gateway Firewall

SuC
SuC Services
Services Zone
Zone (Primary)
(Primary)

Gateway Firewall

Security Network
Web Database Patch
Historian services services
server server server
server server

Conduit to secondary
– not developed.

SuC
SuC Control
Control Centre
Centre Zone
Zone (Primary)
(Primary)

Gateway Gateway
Firewall Firewall
(Primary) (Secondary)

LAN

HMI Application Database Configuration

Historian Workstation
terminal server server server

Conduit to secondary
– not developed.

SuC
SuC Field
Field Location
Location Zone
Zone

Gateway Gateway
Firewall Firewall
(Primary) (Secondary)

Remote
Local HMI
terminal
terminal
unit

LAN

Local HMI
Controller Controller
terminal

Sensor Actuator Sensor Actuator

Figure 2 – Detailed view of security zones and conduits reference model

© State of NSW through Transport for NSW 2018 Page 17 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

The model is informed by four primary design principles:

a. centralised traffic management

b. dedicated internet connectivity

c. wide area networks are untrusted

d. on-demand remote access

8.2.1. Centralised traffic management

A design principle of the model is the redundant centralised physical security zone ‘SuC Internal
Zone’ which logically includes ‘SuC Services Zone’.

As all SuC traffic from network segments flows through the ‘SuC Internal Zones’, network
segments can be logically and physically isolated from central sites (IEC 62443-3-3 SR 5.1 and
RE 1, RE 2 and RE 3).

As all SuC traffic from network segments flows through the ‘SuC Internal Zones’, traffic can be
monitored, controlled, filtered, and logged from central sites (IEC 62443-3-3 SR 5.2 and RE 1,
RE 2 and RE 3).

8.2.2. Dedicated internet connectivity

A design principle of the model is the dedicated redundant internet connectivity from the ‘SuC
External Zone’.

Notes:

1. A common historical practice is to use enterprise systems as a means of providing

internet connectivity. This practice is not suitable if the connectivity is used for remote
operations or maintenance functions with timeframes between sub-seconds and days.
This includes fault, configuration, accounting, performance and security management.

2. Internet connectivity should be justified in the definition of the operations concept in

the plan stage of the asset life cycle.

As the SuC needs to be able to function independently from level 4 enterprise systems
(IEC 62443-3-3 SR 5.1 RE 2), connectivity through the ‘Enterprise Zone’ to the internet is not
suitable.

© State of NSW through Transport for NSW 2018 Page 18 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

8.2.3. Wide area networks are untrusted

A design principle of the model is that all wide area networks (WAN) are considered untrusted.

Notes:

1. A common historical practice is to use organisational multi-service networks and

third party carriage services to interconnect physical sites without explicitly
establishing trust of the communications channel.

2. Local area networks (LAN) comprising dedicated communication assets and

contained wholly within a single physical security zone are considered trusted.

Gateways use cryptographic algorithms with mutual authentication and encryption (SR 3.1 RE 1
and SR 4.1 RE 1) to establish trust of the communication channel over WANs.

8.2.4. On-demand remote access

A design principle of the model is on-demand remote access from the internet.

Internet connectivity for interactive remote access is managed by the firewall and jump server in
the ‘SuC External Zone’.

Normally the firewall does not allow any inbound traffic from the ‘Internet Zone’ unless it has first
been established by, or is related to outbound traffic from the ‘SuC Internal Zone’.

Note: Services within the ‘SuC Services Zone’ are normally allowed restricted access
to the internet to perform predefined functions, such as obtaining threat intelligence,
vulnerability and exposure advisories, and software updates and upgrades.

On-demand remote access can be established in response to an incident.

After the request for remote access is approved, the jump server is physically connected to the
firewall and predefined traffic is allowed between the firewall and jump server for the duration of
the incident (IEC 62443-3-3 SR 1.13 RE 1). After the incident is resolved the jump server is
physically disconnected.

Notes:

1. As these changes are actions taken in response to an incident, they are not subject
to TfNSW safety change management.

2. Refer to CERT Australia ICS Remote Access Protocol for further information.

Remote access users are uniquely identified and authenticated on the jump server using
multifactor authentication (IEC 62443-3-3 SR 1.1 RE 3, SR 1.2 RE 1) before allowing access to
the ‘SuC Internal Zone’. One of the authentication factors is a one-time password associated
with the incident. After the incident is resolved the one-time password expires.

The jump server allows authorised remote access users to interact with predefined IACS assets.

© State of NSW through Transport for NSW 2018 Page 19 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

9. Glossary of terms and definitions

TfNSW considers cyber risk as a business risk that can, like any business risk, affect the
achievement of its business objectives and functions.

However, terminologies associated with security, and in particular cybersecurity, are widely
used but not clearly understood as discussed in the Australian Government Australian Cyber
Security Centre Threat Report. Terms such as cyber attack and cyber war are frequently used,
often in sensationalist ways ‘generating an emotive response and a disproportionate sense of
threat’.

This document standardises the vocabulary, and the terms and definitions provided in Table 2
shall be applied throughout the IACS series of standards. The majority of terms and definitions
provided in Table 2 are from IEC/TS 62443-1-1, IEC 62443-2-4 and IEC 62443-3-3.

Notes:

All definitions from IEC/TS 62443-1-1 ed.1.0 are Copyright © 2009 IEC Geneva,
Switzerland. www.iec.ch

All definitions from IEC 62443-2-4 ed.1.0 are Copyright © 2017 IEC Geneva,
Switzerland. www.iec.ch

All definitions from IEC 62443-3-3 ed.1.0 are Copyright © 2013 IEC Geneva,
Switzerland. www.iec.ch

A common foundational understanding of cybersecurity aligned to existing risk management

vocabulary is important to be established. Table 2 also contains the generic definitions from
ISO Guide 73 for some of terms related to risk management.

Table 2 – Glossary of terms and definitions

Term Definition Source

asset owner individual or company responsible for one IEC 62443-3-3 ed.1.0
or more IACS
attack assault on a system that derives from an IEC/TS 62443-1-1 ed.1.0
intelligent threat — i.e., an intelligent act
that is a deliberate attempt (especially in the
sense of a method or technique) to evade
security services and violate the security
policy of a system
authenticate verify the identity of a user, user device, or IEC/TS 62443-1-1 ed.1.0
other entity, or the integrity of data stored,
transmitted, or otherwise exposed to
unauthorized modification in an information
system, or to establish the validity of a
transmission

© State of NSW through Transport for NSW 2018 Page 20 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Term Definition Source

automation solution control system and any complementary IEC 62443-2-4 ed.1.0
hardware and software components that
have been installed and configured to
operate in an IACS
communications specific logical or physical communication IEC 62443-3-3 ed.1.0
channel link between assets
communication arrangement of hardware, software, and IEC/TS 62443-1-1 ed.1.0
system propagation media to allow the transfer of
messages from one application to another
conduit logical grouping of communication IEC 62443-3-3 ed.1.0
channels, connecting two or more zones,
that share common security requirements
countermeasure action, device, procedure, or technique that IEC/TS 62443-1-1 ed.1.0
reduces a threat, a vulnerability, or an
attack by eliminating or preventing it, by
minimizing the harm it can cause, or by
discovering and reporting it so that
corrective action can be taken
Referred as 'control' in ISO Guide 73 and
defined as 'measure that is modifying risk'
cryptographic algorithm based upon the science of IEC/TS 62443-1-1 ed.1.0
algorithm cryptography, including encryption
algorithms, cryptographic hash algorithms,
digital signature algorithms, and key
agreement algorithms
cybersecurity actions required to preclude unauthorized IEC/TS 62443-1-1 ed.1.0
use of, denial of service to, modifications to,
disclosure of, loss of revenue from, or
destruction of critical systems or
informational assets
cyber risk the potential for unauthorised use, TfNSW
disclosure, damage or disruption to assets
through the use of technology
encryption cryptographic transformation of plaintext IEC/TS 62443-1-1 ed.1.0
into ciphertext that conceals the data’s
original meaning to prevent it from being
known or used
enterprise system collection of information technology IEC/TS 62443-1-1 ed.1.0
elements (i.e., hardware, software and
services) installed with the intent to facilitate
an organization’s business process or
processes (administrative or project)
firewall inter-network connection device that IEC/TS 62443-1-1 ed.1.0
restricts data communication traffic between
two connected networks
gateway relay mechanism that attaches to two (or IEC/TS 62443-1-1 ed.1.0
more) computer networks that have similar
functions but dissimilar implementations
and that enables host computers on one
network to communicate with hosts on the
other

© State of NSW through Transport for NSW 2018 Page 21 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Term Definition Source

geographic site subset of an enterprise’s physical, IEC/TS 62443-1-1 ed.1.0
geographic, or logical group of assets
hardcoded a value, such as a password, token, private TfNSW; adapted from
credential or shared cryptographic key used for Senate of the United
authentication, that is – States Bill S.1691
• established by a manufacture or
supplier
• incapable of being modified or revoked
by the user
IACS industrial automation and control systems; IEC/TS 62443-1-1 ed.1.0
collection of personnel, hardware, and
software that can affect or influence the
safe, secure, and reliable operation of an
industrial process
local area network communications network designed to IEC/TS 62443-1-1 ed.1.0
connect computers and other intelligent
devices in a limited geographic area
(typically less than 10 km)
product supplier manufacturer of hardware and/or software IEC 62443-3-3 ed.1.0
product
risk expectation of loss expressed as the IEC/TS 62443-1-1 ed.1.0
probability that a particular threat will exploit
a particular vulnerability with a particular
consequence
Defined in ISO Guide 73 as 'effect of
uncertainty on objectives'
risk assessment process that systematically identifies IEC/TS 62443-1-1 ed.1.0
potential vulnerabilities to valuable system
resources and threats to those resources,
quantifies loss exposures and
consequences based on probability of
occurrence, and (optionally) recommends
how to allocate resources to
countermeasures to minimize total
exposure
Defined in ISO Guide 73 as 'overall process
of risk identification, risk analysis and risk
evaluation'
risk management process of identifying and applying IEC/TS 62443-1-1 ed.1.0
countermeasures commensurate with the
value of the assets protected, based on a
risk assessment
Defined in ISO Guide 73 as 'coordinated
activities to direct and control an
organization with regard to risk'
security event occurrence in a system that is relevant to IEC/TS 62443-1-1 ed.1.0
the security of the system
Defined in ISO Guide 73 as 'occurrence or
change of a particular set of circumstances'

© State of NSW through Transport for NSW 2018 Page 22 of 23

 T MU SY 10010 ST
Cybersecurity for IACS - Overview
Version 1.0
Effective date: 01 July 2018

Term Definition Source

security level level corresponding to the required IEC/TS 62443-1-1 ed.1.0
effectiveness of countermeasures and
inherent security properties of devices and
systems for a zone or conduit based on
assessment of risk for the zone or conduit
security zone grouping of logical or physical assets that IEC/TS 62443-1-1 ed.1.0
share common security requirements
system integrator person or company that specializes in IEC 62443-3-3 ed.1.0
bringing together component subsystems
into a whole and ensuring that those
subsystems perform in accordance with
project specifications
threat potential for violation of security, which IEC/TS 62443-1-1 ed.1.0
exists when there is a circumstance,
capability, action, or event that could breach
security and cause harm
trust confidence that an operation, data IEC 62443-3-3 ed.1.0
transaction source, network or software
process can be relied upon to behave as
expected
untrusted not meeting predefined requirements to be IEC 62443-3-3 ed.1.0
trusted
vulnerability flaw or weakness in a system's design, IEC/TS 62443-1-1 ed.1.0
implementation, or operation and
management that could be exploited to
violate the system's integrity or security
policy
Defined in ISO Guide 73 as 'intrinsic
properties of something resulting in
susceptibility to a risk source than can lead
to an event with a consequence'
wide area network communications network designed to IEC/TS 62443-1-1 ed.1.0
connect computers, networks and other
devices over a large distance, such as
across a country or the world

© State of NSW through Transport for NSW 2018 Page 23 of 23