Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

ISA/IEC 62443 Referenced in CISA’s Cross-Sector CPGs

A July 2021 memorandum by President Biden required the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop voluntary cybersecurity performance goals (CPGs) across all critical infrastructure sectors. These goals are intended to establish fundamental cyber practices that will aid organizations to begin their cybersecurity efforts and help reduce risks. By prioritizing information technology (IT) and operational technology (OT) cyber practices, the goals were created from existing frameworks and guidance, as well as tactics, techniques, and procedures (TTPs) observed by CISA and its partners.

According to CISA, the CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

These CPGs reference and complement the NIST Cybersecurity Framework (CSF), and also extensively reference ISA/IEC 62443-2-1 and ISA/IEC 62443-3-3 in almost every category, including account security, device security, data security, governance and training, vulnerability management, supply chain/third party, and response and recovery. See below for more information on these standards:

With the CPGs now complete, CISA will now look to work with each Sector Risk Management Agency (SRMA) to begin the development of sector-specific goals by:

  • Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.
  • Providing examples for recommended actions specific to the infrastructure and entities in that sector; and
  • Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.

More information on the sector-specific goals will be provided soon. You can learn more about CISA’s CPGs, along with links to the documents, here.

Steven Aliano
Steven Aliano
Steven Aliano is the Content Marketing Specialist for ISA & ISAGCA.

Related Posts

AI and Machine Learning in Automation: The Security Imperative

As artificial intelligence (AI) and machine learning (ML) continue to revolutionize industrial automation...
Vaibhav Malik Jul 12, 2024 7:00:00 AM

Top ISAGCA Blog Posts of 2024 (So Far)

Here on the official blog of the ISA Global Cybersecurity Alliance (ISAGCA), we're dedicated to sharing i...
Kara Phelps Jul 5, 2024 7:00:00 AM

Importance and Challenges of OT Patching in Line with ISA/IEC 62443-2-3

In the realm of Industrial Automation and Control Systems (IACS), effective patch management is critical,...
Muhammad Musbah Jun 28, 2024 11:00:00 AM