CSA Preface

This is the first edition of CAN/CSA-IEC/TR 62443-3-1, Industrial communication networks — Network and system security — Part 3-1: Security technologies for industrial automation and control systems, which is an adoption without modification of the identically titled IEC (International Electrotechnical Commission) Technical Report 62443-3-1 (first edition, 2009-07). At the time of publication, IEC/TR 62443-3-1:2009 is available from IEC in English only. CSA Group will publish the French version when it becomes available from IEC. For brevity, this Standard will be referred to as “CAN/CSA-IEC/TR 62443-3-1” throughout.

The IEC Technical Report is one in a series of Standards developed by IEC/TC 65 on industrial automation networking security that are being adopted by CSA Group. The IEC Technical Report provides an assessment of various cyber security tools, mitigation counter-measures, and technologies that may be effectively applied to modern electronic IACS infrastructures. It is intended to be used by developers of industrial control systems, and those who ensure that the cyber security elements of the system are met. This Standard uses terminology and concepts specified in CAN/CSA-IEC 62443-2-1:17, Industrial communication networks — Network and system security — Part 2-1: Establishing an industrial automation and control system security program.

Scope

This part of IEC 62443 provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

The concept of IACS cybersecurity as applied in this technical report is in the broadest possible sense, encompassing all types of components, plants, facilities, and systems in all industries and critical infrastructures. IACSs include, but are not limited to:

• Hardware (e.g., data historian servers) and software systems (e.g., operating platforms, configurations, applications) such as Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, networked electronic sensing systems, and monitoring, diagnostic, and assessment systems. Inclusive in this hardware and software domain is the essential industrial network and any connected or related information technology (IT) devices and links critical to the successful operation to the control system at large. As such, this domain also includes, but is not limited to: firewalls, servers, routers, switches, gateways, fieldbus systems, intrusion detection systems, intelligent electronic/end devices, remote terminal units (RTUs), and both wired and wireless remote modems.
• Associated internal, human, network, or machine interfaces used to provide control, data logging, diagnostics, safety, monitoring, maintenance, quality assurance, regulatory compliance, auditing and other types of operational functionality for either continuous, batch, discrete, and combined processes.

Similarly, the concept of cybersecurity technologies and countermeasures is also broadly applied in this technical report and includes, but is not limited to, the following technologies:

• authentication and authorization;
• filtering, blocking, and access control;
• encryption;
• data validation;
• auditing;
• measurement;
• monitoring and detection tools;
• operating systems.

In addition, a non-cyber technology — physical security control — is an essential requirement for some aspects of cybersecurity and is discussed in this technical report.

The purpose of this technical report is to categorize and define cybersecurity technologies, countermeasures, and tools currently available to provide a common basis for later technical reports and standards to be produced by the ISA99 committee. Each technology in this technical report is discussed in terms of:

• security vulnerabilities addressed by the technology, tool, and/or countermeasure;
• typical deployment;
• known issues and weaknesses;
• assessment of use in the IACS environment;
• future directions;
• recommendations and guidance;
• information sources and reference material.

The intent of this technical report is to document the known state of the art of cybersecurity technologies, tools, and countermeasures applicable to the IACS environment, clearly define which technologies can reasonably be deployed today, and define areas where more research may be needed.