PCS Network and Security Requirements
Process Control System (PCS) networks will form the foundation for networking all elements of facility control and safety systems. The network will be divided into zones, each with distinct security levels.
All communication between the Integrated Control and Safety System (ICSS) zone and Enterprise zones will occur through a Demilitarized Zone (DMZ) and Firewalls. Additionally, the Safety Zone will be separated from the Control Zone by an extra Firewall.
The VENDOR must provide detailed information about their proposed third-party interfacing strategy and procedures, along with available alternatives that align with COMPANY's system security requirements. All automation installations must adhere to COMPANY's OT Security policies and procedures.
Applied security should enable remote performance monitoring by either Company Personnel or third parties. The VENDOR must implement national Digital Security Authority requirements in discussion with COMPANY, ensuring compliance with COMPANY's OT Security policies and procedures.
PCS functionality must include user-configurable access security control through software password recognition to limit personnel access rights to PCS system functionality. The VENDOR must describe the mechanisms available to achieve this, including logging facilities for access requests and methods for modifying access rights as needed for commissioning and operational purposes.
A cyber security risk assessment, as per IEC 62443-2-1, will be performed by COMPANY/CONTRACTOR, with the VENDOR providing all necessary support for this assessment. The assessment will be iterative and continuous, involving:
Defining the risk analysis methodology (e.g., architecture-based).
Identifying major items (organization, systems, subsystems, networks).
Identifying and evaluating threat scenarios with their impact and likelihood.
Reducing risks by designing adequate countermeasures.
Summarizing the results in a Risk Register.
The cyber security risk assessment findings and recommendations related to PCS design and configuration will be implemented by the VENDOR. The VENDOR must provide the necessary firewalls to control data transfer between the different ICSS zones.
Comments