Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems
Scope:
Note: The NOI for ANSI/CAN/UL-2900-2-2 was withdrawn as requested by the responsible SDO on March 18, 2020.
This security evaluation standard applies to the evaluation of industrial control systems components. It applies to, but is not limited to, the following products:
a) Programmable Logic Controllers (PLC);
b) Distributed Control Systems (DCS);
c) Process Control systems;
d) Data Acquisition systems;
e) Historians, Data Loggers and data storage systems;
f) Control Servers;
g) SCADA Servers;
h) Remote Terminal Units (RTU);
i) Intelligent Electronic Devices (IED);
j) Human-Machine Interfaces (HMI);
k) Input/Output (IO) Servers;
l) Fieldbuses;
m) Networking equipment for ICS systems;
n) Data radios;
o) Smart Sensors; and
p) Controllers.
It does not contain any requirements regarding functional testing of products except where expressly specified. It also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.
Project need:
Note: The information provided above was obtained by the Standards Council of Canada (SCC) and is provided as part of a centralized, transparent notification system for new standards development. The system allows SCC-accredited Standards Development Organizations (SDOs), and members of the public, to be informed of new work in Canadian standards development, and allows SCC-accredited SDOs to identify and resolve potential duplication of standards and effort.
Individual SDOs are responsible for the content and accuracy of the information presented here. The text is presented in the language in which it was provided to SCC.