公告&动态 第223页

Standards Australia transfers management of the ANZEx Scheme to JAS-ANZ

Standards Australia has transferred management of the ANZEx Conformity Assessment Scheme to JAS-ANZ by mutual agreement.

The transfer of management from Standards Australia to JAS-ANZ provides continuity of management allowing stakeholders to continue to use the ANZEx Scheme in support of certification and conformity assessment. The primary portal for information relating to the ANZEx Scheme and for viewing Certificates of Conformity issued under the ANZEx Scheme is the website.

The ANZEx Scheme is the Australian program for the Certification of Equipment for Explosive Atmospheres. In Australia and New Zealand the installation standards for electrical equipment in a Hazardous Area require ‘Proof of Compliance’. This requirement is in accordance with a Type 5 scheme identified in AS/NZS ISO/IEC 17065 and the associated rules. Either a Certificate of Conformity within this ANZEx Scheme or an IECEx Certificate of Conformity is deemed to comply with this requirement.

The transfer of management was the result of a process undertaken by Standards Australia to appoint a suitable manager of the ANZEx Scheme for the period following the conclusion of the Standards Australia’s commitment to manage the ANZEx Scheme which concluded in August 2016. The transfer was endorsed by Standards Development and Accreditation Committee (SDAC), a committee of Standards Australia’s Board of Directors.

Standards Australia and JAS-ANZ negotiated a deed of transfer which recognises JAS-ANZ as the manager of the ANZEx Scheme commencing on 3 August 2016.

Roadmap for Advanced Metering Standards – Report

Standards Australia is pleased to announce the publication of the Roadmap for Advanced Metering Standards – Report.

The development of the Roadmap over a four month period between March and June 2016 involved a series of forums and industry-wide consultations which allowed for stakeholders to consider the standards that would be necessary to support Australia’s advanced metering equipment infrastructure.

In June 2016 Australian stakeholders came together for the final forum in the Roadmap for Advanced Metering Standards. The Roadmap (including a Work Program involving the development of 23 Australian Standards) was released to stakeholders on the day.

This report provides a background on advanced metering standards and explains the process of developing the Roadmap.

The publication of this Roadmap for Advanced Metering Standards paves the way for stakeholders to work with Standards Australia to prepare and submit proposals for the development of contemporary Australian Standards for advanced metering.

The proposal forms and standards development activities will be informed by the work program and priority projects as set out in the Roadmap. However, Standards Australia recognises that this Roadmap only serves as a guide and that stakeholders may ultimately not seek to develop Australian Standards for advanced metering exactly in accordance with the Roadmap.

Standards Australia is grateful for the support provided by co-resourcing partners (Vector, Landis+Gyr, EDMI, ENA and Origin) to undertake the development of the Roadmap for Advanced Metering Standards.

Standards Australia also gratefully acknowledges the contributions and participation of stakeholders from industry, government and consumer groups in the development of the Roadmap.

BSI, business standards company has revised BS 8555 Environmental management systems – Phased implementation – Guide. The standard was originally published in 2003, and provides guidance for all organizations on how to implement an environmental management system (EMS) or work towards ISO 14001 using a phased approach. BS 8555 is now at public comment stage until September 2016.

What does BS 8555 offer?
•A step by step approach to setting up an environmental management system• A series of stages that an organization can work through with the option to stop at any point or work through to become ISO 14001 ready
•Advice on the integration and use of environmental performance evaluation (EPE) techniques during the implementation process; and the coordination of such an EMS with other management systems, where appropriate
•It has been updated to ensure that it continues to help organizations improve business processes, save money and deal with future environmental challenges

EMS standards have been shown to help organizations develop their business whilst reducing the environmental impact of growth, decrease waste and save energy. They can help businesses become more innovative, improve management system process, meet regulatory requirements and enhance corporate reputation among investors, customers and the public. BS 8555 can help organizations stay abreast of the changes in the environmental arena, ensuring they remain ahead of the curve.

Who can BS 8555 help?
•BS 8555 is for all sizes and sectors of organization who want to start to work on their environmental management system
•It can be useful to small and medium sized enterprises (SMEs) who need a framework to work to, but who can choose to stop at any of the 5 stages. The standard helps SMEs to achieve regulatory requirements and demonstrate to stakeholders that they are giving consideration to environmental impacts whilst helping them to manage resources and changes in circumstances
•It is useful to large, multi-site companies because it provides a framework and step-wise approach that all sites can work to in order to implement ISO 14001

What has changed?
•A robust approach in terms of managing risk and compliance with legislation during phases 2 and 3
•Phases and stages have been updated to reflect changes in BS EN ISO 14001:2015, such as understanding the context of the organization, an increased focus on leadership, improvement in environmental performance and a new focus on risk and opportunity
•Phase 6 and the associated guidance has been removed in order to simplify the standard and make it easier for people to use

David Fatscher, Head of Market Development for Sustainability & Services at BSI, said: “A successful EMS helps organizations remain commercially successful without compromising their environmental responsibilities. However, such projects can sometimes seem daunting and management may be unable to commit the required resources. By phasing implementation with BS 8555, all organizations, regardless of the nature of the business activity undertaken, location, or level of maturity, can improve their environmental performance.”

BS 8555 was developed using a collaborative consensus-based approach with input from such experts as CIRIA, IEMA, UKAS, the UK Environment Agency, as well as environmental consultants, some of whom took part in the recent major revision of ISO 14001. Comment on the standard here.

Sustainable development of communities standard is published

BSI, the business standards company has published BS ISO 37101:2016, Sustainable development in communities — Management system for sustainable development — Requirements with guidance for use.

In a fast-changing world, ensuring cities and communities are fit for the future is a key priority for many city leaders. Providing sustainable energy supplies, coping with environmental and climate changes, building and maintaining durable infrastructures and meeting the needs and expectations of citizens are just some of the considerations to be made. BS ISO 3701 has been developed to help city leaders set their city's sustainable development agenda.

The UK has already developed similar guidance in the shape of BS 8904:2011 Guidance for community sustainable development which is suited to local grass roots organizations, with this standard contributing towards the development of BS ISO 37101.

The international standard sets out requirements and guidance to attain sustainability with the support of methods and tools including smartness and resilience. It can help communities improve in a number of areas such as:
•Developing holistic and integrated approaches instead of working in silos (which can hinder sustainability)
•Fostering social and environmental changes
•Improving health and wellbeing
•Encouraging responsible resource use and achieving better governance

David Fatscher Head of Market Development for Sustainability and Services at BSI said: “As societies grow and populations within a community increase in density, more thought has to be put into the sustainable development of those communities. This is not just about population size but also the economic, social and environmental issues that a community faces. Whilst previous guidance has enabled individuals to take control of their communities locally, from improving social and economic opportunities to protecting the local environment, this international standard takes a broader view. City leaders can be at the forefront of any decisions that impact their communities and now have the guidance they need to implement changes to benefit their environment in multiple ways.”

BS ISO 37101 was first proposed by the French National Standards Body, Afnor to reflect the interests of the construction and services industries. In accordance with the normal collaborative ISO practices, each country submitted their comments to their country representative for consideration by the ISO committee. Outreach and liaison was established with the Global City Indicators Facility and the United Nations Environment Programme. This included harmonizing work being done in ISO on city indicators and smart infrastructure.

Some of the other countries involved in the development of BS ISO 37101 include: Austria, Canada, China, Denmark, France, Germany, Japan, Mexico, Netherlands, Russia, Sweden, Sri Lanka and USA.

BS ISO 37101 will be able to help city CEOs, sustainability officers, smart city managers and compliance managers, policy advisors, NGOs and consultants plan their city’s long term sustainability agenda.

Cybersecurity is now central to the safe operation of industrial installations, but user accounts for many devices used in these installations are not properly managed. Central user account management combined with Role Based Access Control is the perfect solution for managing user accounts and permissions efficiently and centrally while still providing a state of the art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Too many user accounts are not properly managed

In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and / or weak passwords are also an issue.

From a cybersecurity perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.

Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.

Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.

Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven standardized technologies and modern tools to move to the next level. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Technological change has brought both operational benefits and cybersecurity risks

Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.

This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cybersecurity threats that have been confronting traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.

Careless practices make system access easy

The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge.

Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.

Setting the stage for a possible solution

Control system owners and managers would probably welcome positive answers to the following questions to ensure the security of their systems:

• Would you like to manage user accounts easily?
• Would you to like to administer new employees’ access and permissions in your company from a central point?
• Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves your company?
• Would you like the changes you made in the central location to be immediately effective on all products from different vendors throughout your organization?
• Would you like to eliminate worry about default user accounts remaining active on unmanaged local devices?

The industry strikes back

Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cybersecurity requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.

Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks, with a user-specific and unique user-id and password. Moreover, the addition or removal of users is done centrally, in a single step.

This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).

Possible solution for a nightmare scenario

Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.

The management of a cybersecurity policy can become complex; therefore to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application. RBAC allows responsible persons to be able to manage users and their roles consistently from a central point – even for multiple control systems in different locations.

Not everybody needs to be a system administrator. A common sense approach in cybersecurity management is to grant the fewest possible privileges to every user. A RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.

IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant to IEC 62351 can be put on the market. IEC 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users so that these users have only the permissions they need to perform their duties. This reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of fewest privileges. The standard also defines a list of pre-defined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.

Adhering to International Standards as closely as possible

To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked in to a single supplier offering proprietary solutions.

Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.

State of the art cybersecurity products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.

Proprietary cybersecurity implementations should be avoided for seamless integration of multi-vendor control systems. The adoption of interoperable solutions that accord to IEC TS 62351-8 makes performing these tasks much easier.

About the authors

Frank Hohlbaum – Security Manager Grid Automation,ABB Switzerland Ltd.

Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.

Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division.

Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.

Fernando Alvarez – Cybersecurity Technical Product Manager,ABB Switzerland Ltd.

Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.