IEC TR 63486:2024 核设施.仪表、控制和电力系统.网络安全风险管理方法

标准编号：IEC TR 63486:2024

中文名称：核设施.仪表、控制和电力系统.网络安全风险管理方法

英文名称：Nuclear facilities - Instrumentation, control and electrical power systems - Cybersecurity risk management approaches

发布日期：2024-09-13

标准范围

IEC TR 63486:2024为数字I&C可编程系统提供了网络安全框架[2]。IEC 62645[1]与ISO/IEC 27001:2013[2]中详述的信息安全管理系统（ISMS）要素非常一致。ISO/IEC ISMS结构对应于上下文中的“I&C数字可编程系统网络安全计划”（定义见IEC 62645:2019[1]的5.2.1）。本文件的范围是记录用于管理与核电厂（NPP）的仪表和控制（I&C）以及电力系统（EPS）相关的网络安全风险的国家和国际网络风险方法。本文件总结了对核设施运营商用于管理网络安全风险的网络风险方法的评估。本文件的范围一般遵循IEC 62645的除外条款，即:-非恶意行为和事件，如意外故障、人为错误（上述除外，如影响网络安全控制的性能）和自然事件。特别是，管理应用程序和数据的良好实践，包括与意外故障相关的备份和恢复，超出了范围。本文件总结了核电厂使用的关于ISO/IEC 27005:2018[5]应用的国际和网络风险方法的主要见解。该评估基于网络安全风险管理的11个挑战及其对核电厂风险管理的适用性。这些挑战在第7条中有详细说明。本文件还涉及IEC 62645和IEC 63096的风险管理要素。

IEC TR 63486:2024 provides a cybersecurity framework for digital I&C programmable systems [2]. IEC 62645 [1] aligns strongly with the information security management system (ISMS) elements detailed within ISO/IEC 27001:2013 [2]. The ISO/IEC ISMS structure corresponds to the “I&C digital programmable system cybersecurity program” in the context (as defined in 5.2.1 of IEC 62645:2019 [1]).
The scope of this document is to capture the national and international cyber-risk approaches employed to manage cybersecurity risks associated with Instrumentation and Control (I&C) and Electrical Power Systems (EPS) at a Nuclear Power Plant (NPP).
This document summarizes an evaluation of cyber-risk approaches that are in use by nuclear facility operators to manage cybersecurity risks.
The scope of this document generally follows the exclusions of IEC 62645 which are:
- Non-malevolent actions and events such as accidental failures, human errors (except those stated above, such as impacting the performance of cybersecurity controls), and natural events. In particular, good practices for managing applications and data, including backup and restoration related to accidental failure, are out of scope.
This document summarizes key insights of the international and cyber-risk approaches used at NPPs regarding the application of ISO/IEC 27005:2018 [5]. The evaluation is based on 11 challenges to cybersecurity risk management and their applicability to NPP risk management. The challenges are detailed in Clause 7. This document also relates the risk management elements of IEC 62645 and IEC 63096.

标准预览图