Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Should ISA/IEC 62443 Security Level 2 Be the Minimum for COTS Components?

A recent white paper published by the ISA Security Compliance Institute (ISCI) and its ISASecure certification program asserts that commercial off-the-shelf (COTS) components should be manufactured to a minimum of security level 2 (SL2) as defined in the ISA/IEC 62443 series of standards.

Read the white paper and review a recent webinar from March 2024

SL1 or SL2?

SL1 capabilities as defined in ISA/IEC 62443-4-2 have been instrumental in raising the safety and security bar. Before these were defined, many COTS components lacked embedded security capabilities. Today, SL1 is broadly recognized as a standardized set of minimum expected embedded security capabilities in industrial automation and control system (IACS) components. However, SL1 is defined only to protect against casual or coincidental violation; it is not intended to protect against intentional or malicious violations.

SL2 capabilities not only raise the protection level by providing additional security functionality but also strengthen the SL1 capabilities, narrowing gaps and increasing security resiliency. More importantly, SL2 introduces security capabilities that are common in today's IT environments but not yet common in operational technology (OT) environments. Enabling those capabilities requires developing and maturing the right competencies in asset owner, system integrator, service provider and product supplier organizations.

Now more than ever

SL2 adds security capabilities generally recognized to help mitigate well-known attack scenarios. Today, an increasing number of intentional attacks targeting industrial automation and control systems are being detected, indicating the need for such additional mitigations. For example, the SL2 criteria strengthen the security capabilities of components by requiring that a component:

  • Uniquely distinguish between individual human or non-human users interacting with the component, increasing the ability to trace the source for user activity that may constitute an attack

  • Authenticate itself to an overall system into which it has been integrated, raising the level of trust between the system and component

  • Provide the ability to tailor human role definitions to reflect site operations, limiting unnecessary insider access

  • Close inactive communication sessions that remain open as potential attack vectors

  • Verify the source of communications to the component, limiting sources for network attacks

  • Protect test interfaces from use as potential attack vectors

  • Increase assurance that code in execution, including mobile code, updates and upgrades, comes from a trusted source and has not been tampered with.
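
As an added illustration of the last point, not code from the white paper or from ISASecure, the check a component makes before it accepts an update: authenticate the manifest first, then confirm the image matches the manifest, then refuse a downgrade. The supplier key and the firmware image are constructed for the example, and an HMAC over the manifest stands in for the asymmetric signature a real component would verify against a supplier public key held in protected storage.

```python
import hashlib
import hmac
import json

# Constructed for this example: a real component would hold a supplier
# public key in protected storage and verify an asymmetric signature;
# the HMAC key here stands in for that trust anchor.
SUPPLIER_KEY = b"example-supplier-signing-key"


def canonical_manifest(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so the tag covers exactly
    the fields the verifier will act on (version, size, image digest)."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> bytes:
    """Authentication tag over the canonical manifest (signature stand-in)."""
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).digest()


def build_update(image: bytes, version: int, key: bytes):
    """Supplier side: describe the image in a manifest and authenticate it."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return image, manifest, tag_manifest(manifest, key)


def verify_update(image: bytes, manifest: dict, tag: bytes, key: bytes,
                  installed_version: int):
    """Component side. Returns (accepted, reason).

    Order matters: nothing in the manifest is trusted until its tag has been
    checked, and the image is only hashed against a manifest that passed.
    """
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if manifest["size"] != len(image):
        return False, "image size does not match manifest"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match manifest"
    if manifest["version"] <= installed_version:
        return False, "version rollback rejected"
    return True, "ok"


# Constructed sample image: a fake firmware blob, not a real binary.
SAMPLE_IMAGE = b"\x7fELF" + b"\x00" * 28 + b"example-controller-runtime"


def run_scenarios(installed_version: int = 1) -> dict:
    """Exercise the accept path and three reject paths; returns the outcomes."""
    image, manifest, tag = build_update(SAMPLE_IMAGE, 2, SUPPLIER_KEY)
    results = {"genuine": verify_update(image, manifest, tag, SUPPLIER_KEY, installed_version)}

    # One byte of the image is flipped in transit: digest mismatch.
    tampered = bytearray(image)
    tampered[-1] ^= 0x01
    results["tampered_image"] = verify_update(bytes(tampered), manifest, tag, SUPPLIER_KEY, installed_version)

    # The manifest is edited to match the tampered image but cannot be re-tagged.
    forged = dict(manifest, sha256=hashlib.sha256(bytes(tampered)).hexdigest())
    results["forged_manifest"] = verify_update(bytes(tampered), forged, tag, SUPPLIER_KEY, installed_version)

    # A genuinely authenticated but older image is replayed against a newer install.
    old_image, old_manifest, old_tag = build_update(SAMPLE_IMAGE + b"-old", 1, SUPPLIER_KEY)
    results["rollback"] = verify_update(old_image, old_manifest, old_tag, SUPPLIER_KEY, installed_version)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:16s} accepted={ok} reason={reason}")
```

The anti-rollback check is the piece most often missing from update handlers: an attacker who cannot forge a manifest can still replay an old, correctly signed image that carries a known weakness, so the component must compare the manifest version against what it already runs.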

The white paper provides a review of the additional security functionality that IACS components designed and certified to meet ISA/IEC 62443-4-2 SL2 capabilities must exhibit. This includes a review of how those additional capabilities increase the security resiliency of the component, as well as the security of any system into which the component is integrated.

More about ISASecure

Founded by the International Society of Automation (ISA), the ISASecure certification program certifies conformance to the ISA/IEC 62443 series of internationally adopted industrial security standards. ISASecure assesses automation and control products and systems to ensure they are robust against network attacks, free from known vulnerabilities and meet the security capabilities defined in the ISA/IEC 62443 standards.

To review the white paper and learn more, visit www.isasecure.org

Liz Neiman
Liz Neiman is the managing director of strategic engagement for the International Society of Automation (ISA), with oversight of marketing, communications, PR, events, and outreach activities. Prior to joining ISA, Liz led marketing, communications, and events activities for the American National Standards Institute (ANSI), as well as for edtech nonprofit MIND Research Institute. She is a graduate of Johns Hopkins University.
