[SystemSafety] IEC 63069, and Cybersecurity in IEC 61508

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon May 27 09:15:49 CEST 2019


The IEC guidance on cybersecurity and safety in safety-related IACS systems, IEC TR 63069, has now
been published. It has 27pp of substantive content, of which about half (13+pp) are concerned with
definitions of terms. It costs CHF 170. I consider that an inappropriate price for a document which
in terms of substantive content is only as long as a conference paper.

But what is worse is what it says. Technically, it is a very poor document in my opinion.

For example, Table 1 lists "Terms with Multiple Definitions". Here is meant terms with multiple
definitions in IEC 61508 (the E/E/PE functional safety standard) and/or IEC 62443 (the series on
cybersecurity in IACS). The table lists 12 terms, of which 6 have a single definition (figure that

Furthermore, Table 1 is very incomplete. There are in fact around 60 terms with multiple definitions
in IEC 61508 and the IEC 62443 series. Of those terms, around half (about 30) have
moderately-to-significantly differing definitions.

For another example, Guiding Principle 1 says

[begin quote]
Security countermeasures should effectively prevent or guard against adverse impacts of
threats to safety-related systems and their implemented safety functions. Evaluations of
safety functions should be based on the assumption of effective (security) countermeasures.
[end quote]

There is nothing wrong with recommending that security countermeasures should be effective (sentence
1). However, (sentence 2) there is a lot wrong with *assuming effective cybersecurity
countermeasures are in place* while evaluating safety functions.

IEC TR 63069 is a "Technical Report", which means it is informative, not normative, so it makes
recommendations, not requirements.

I have been following the development of IEC TR 63069 for a few years. I and others have commented
(largely in the form of critique) drafts of this document. As far as I know, none of those formal
comments reached the committee, IEC TC 65 WG 20, through the commentary channels (commentary is
first considered at the national level, and selected comments forwarded to the IEC, which WG 20
formally must explicitly address). However, they did reach individual committee members, who chose
to ignore them.

In January, I wrote the following note about IEC TR 63069.

Generally, the business of considering cybersecurity in the next edition of IEC 61508 is becoming a
disaster. We received a number of National Committee comments saying cybersecurity should be more
appropriately addressed in IEC 61508. I formulated a change proposal, which I consider a minimal
response, also attached. It turns two occurrences of "should" (recommended) into "shall" (required)
when considering cybersecurity vulnerabilities at the stage of system hazard and risk analysis
(H&RA). It also requires that
* when cybersecurity requirements are formulated, those requirements shall address the identified
vulnerabilities; and
* the cybersecurity requirement are fulfilled.

It is minimal in that it doesn't say how these activities are to be accomplished. But this should be
in principle addressed by other publications; IEC 61508 is a safety standard, not guidance on

There is another change proposal on the table. It explicitly excludes cybersecurity analysis from
the considerations in IEC 61508 in general and H&RA in particular. I urge those who agree with me
that this is contraproductive to note the planned publication of a CD in March 2020 and to be sure
to comment on this feature, if it is included, to their National Committees.


Prof. Peter Bernard Ladkin, Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20190111SEsAnd63069.pdf
Type: application/pdf
Size: 91774 bytes
Desc: not available
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20190527/851acfba/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20190217PBLChangeProposalV2CybersecInPart1.pdf
Type: application/pdf
Size: 61520 bytes
Desc: not available
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20190527/851acfba/attachment-0003.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20190527/851acfba/attachment-0001.sig>

More information about the systemsafety mailing list