IEC TR 62443-2-3
Edition 1.0 2015-06
TECHNICAL REPORT

Security for industrial automation and control systems
Part 2-3: Patch management in the IACS environment

IEC TR 62443-2-3:2015-06(en)

INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS: 25.040.40; 35.040; 35.100
ISBN 978-2-8322-2768-8
Registered trademark of the International Electrotechnical Commission
Warning! Make sure that you obtained this publication from an authorized distributor.

THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2015 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published.

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions, abbreviated terms and acronyms
  3.1 Terms and definitions
  3.2 Abbreviated terms and acronyms
4 Industrial automation and control system patching
  4.1 Patching problems faced in industrial automation and control systems
  4.2 Impacts of poor patch management
  4.3 Obsolete IACS patch management mitigation
  4.4 Patch lifecycle state
5 Recommended requirements for asset owner
6 Recommended requirements for IACS product supplier
7 Exchanging patch information
  7.1 General
  7.2 Patch information exchange format
  7.3 Patch compatibility information filename convention
  7.4 VPC file schema
  7.5 VPC file element definitions
Annex A (informative) VPC XSD file format
  A.1 VPC XSD file format specification
  A.2 Core component types
    A.2.1 Overview
    A.2.2 CodeType
    A.2.3 DateTimeType
    A.2.4 IdentifierType
    A.2.5 IndicatorType
    A.2.6 TextType
Annex B (informative) IACS asset owner guidance on patching
  B.1 Annex organization
  B.2 Overview
  B.3 Information gathering
    B.3.1 Inventory of existing environment
    B.3.2 Tools for manual and automatic scanning
    B.3.3 IACS product supplier contact and relationship building
    B.3.4 Supportability and product supplier product lifecycle
    B.3.5 Evaluation and assessment of existing environment
    B.3.6 Classification and categorization of assets/hardware/software
  B.4 Project planning and implementation
    B.4.1 Overview
    B.4.2 Developing the business case
    B.4.3 Establishing and assigning roles and responsibilities
    B.4.4 Testing environment and infrastructure
    B.4.5 Implement backu