Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

ISA/IEC 62443 Referenced in CISA’s Cross-Sector CPGs

A July 2021 memorandum by President Biden required the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop voluntary cybersecurity performance goals (CPGs) across all critical infrastructure sectors. These goals are intended to establish fundamental cyber practices that will aid organizations to begin their cybersecurity efforts and help reduce risks. By prioritizing information technology (IT) and operational technology (OT) cyber practices, the goals were created from existing frameworks and guidance, as well as tactics, techniques, and procedures (TTPs) observed by CISA and its partners.

According to CISA, the CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

These CPGs reference and complement the NIST Cybersecurity Framework (CSF), and also extensively reference ISA/IEC 62443-2-1 and ISA/IEC 62443-3-3 in almost every category, including account security, device security, data security, governance and training, vulnerability management, supply chain/third party, and response and recovery. See below for more information on these standards:

With the CPGs now complete, CISA will now look to work with each Sector Risk Management Agency (SRMA) to begin the development of sector-specific goals by:

  • Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.
  • Providing examples for recommended actions specific to the infrastructure and entities in that sector; and
  • Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.

More information on the sector-specific goals will be provided soon. You can learn more about CISA’s CPGs, along with links to the documents, here.

Steven Aliano
Steven Aliano
Steven Aliano is the Content Marketing Specialist for ISA & ISAGCA.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM