This document specifies cybersecurity requirements for new lifts, escalators and moving walks, referred to in this document as “equipment under control (EUC)”, designed in accordance with the ISO 8100 series. It is also applicable with other lift, escalator and moving walk standards that specify similar requirements, and to other lift-related equipment connected to the EUC. This document specifies product and system requirements related to cybersecurity threats in the following lifecycle steps: This document addresses the roles of product supplier and system integrator as shown in IEC 62443-4-1:2018, Figure 2, for the EUC. This document does not address the role of asset owner as shown in IEC 62443-4-1:2018, Figure 2, but defines requirements for the product supplier and system integrator of the EUC to establish documentation allowing the asset owner, referred to as the “EUC owner” in this document, to achieve and maintain the security of the EUC. This document specifies the minimum cybersecurity requirements for: This document is applicable to EUCs that are capable of connectivity to external systems such as building networks, cloud services, or service tools. The capability to connectivity can exist through equipment permanently available on site, or equipment temporarily brought to the location during the installation, operation and maintenance, or decommissioning steps. EUC interfaces to external systems and services are in the scope of this document. External systems and services as such are out of the scope of this document. This document does not apply to EUC that are installed before the date of its publication.
Sisällysluettelo
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Secure development lifecycle for lifts, escalators and moving walks
4.1 General
4.2 Security management
4.3 Specification of security requirements
4.4 Secure by design
4.5 Secure implementation
4.6 Security verification and validation testing
4.7 Management of security-related issues
4.8 Security update management
4.9 Security guidelines
5 Security requirements
5.1 General
5.2 Foundational requirements
5.3 Domains of the EUC functions
5.4 EUC security level requirements
5.5 Selection of security controls and countermeasures
5.6 Common security constraints
6 Information for use
Annex A Additional information on secure development lifecycle for lifts, escalators and moving walks (informative)
Annex B Additional information on how to apply the general method of risk assessments (informative)
Annex C List of security practices (informative)
Annex D Guidance for application of zones and conduits (informative)
IEC/TS 62443-1-1:2009 Industrial communication networks — Network and system security — Part 1-1: Terminology, concepts and models
IEC 62443-3-2:2020 Security for industrial automation and control systems — Part 3-2: Security risk assessment for system design
IEC 62443-3-3:2013 Industrial communication networks — Network and system security — Part 3-3: System security requirements and security levels
IEC/TS 62443-1-1:2009 Industrial communication networks — Network and system security — Part 1-1: Terminology, concepts and models
IEC 62443-3-2:2020 Security for industrial automation and control systems — Part 3-2: Security risk assessment for system design
IEC 62443-3-3:2013 Industrial communication networks — Network and system security — Part 3-3: System security requirements and security levels
IEC 62443-4-1:2018 Security for industrial automation and control systems — Part 4-1: Secure product development lifecycle requirements
IEC 62443-4-2:2019 Security for industrial automation and control systems — Part 4-2: Technical security requirements for IACS components
ISO 8100-1:2019 Lifts for the transport of persons and goods — Part 1: Safety rules for the construction and installation of passenger and goods passenger lifts