A Comprehensive Framework for Security in Engineering Projects - Based on IEC 62443

The IEC 62443 family of standards represents an international agreement on best practices for securing Industrial Automation and Control Systems (IACS). Engineering projects have to address security but are limited in cost and resources, which makes it particularly challenging to cover all security topics adequately, as prescribed by IEC 62443. We developed a framework that supports engineering projects in addressing the whole range of security aspects more effectively and efficiently. The framework is structured horizontally and vertically. Horizontally, the framework consists of a set of artefacts that cover the security aspects prescribed by IEC 62443 and that need to be filled out by an engineering project. The vertical structure reflects the organizational hierarchy. In each hierarchical layer, the artefact templates are enriched by increasingly detailed and specific guidance in the form of best practices and references. This enables the exchange and reuse of security designs and best practices across the organization. We describe our experiences in applying the framework in large-scale industry projects.