Updates from ISA99 on the Status of—and Plans for—ISA/IEC 62443
The ISA Global Cybersecurity Alliance (ISAGCA) was formed in part to help increase awareness and adoption of the ISA/IEC 62443 standards, the world's only consensus-based series of automation cybersecurity standards. This blog series shares insights into the creation and evolution of the standards.
The ISA99 committee of the International Society of Automation (ISA) has developed the ISA/IEC 62443 standards, arguably the most comprehensive and authoritative source of guidance about industrial automation and control systems cybersecurity. The committee consists of several smaller working groups, each focused on a specific theme or topic. It conducts much of its regular business in web meetings and conference calls, a practice that has served it well during the current pandemic. In recent years, there have been several face-to-face plenary meetings to review status and plans for future work. Since this was not possible in 2020, the committee hosted web meetings for this purpose.
The first of these meetings occurred on 5 October 2020, with more than 110 people attending. The agenda included three major topics:
- Committee overview, status, and direction: The focus was on committee structure, work group assignments, and specific areas of emphasis
- Overview of work products: Described the status of each of the components of the 62443 series, with emphasis on those still under development or revision
- Assessment of 62443 series consistency: A summary of the status of the effort to assess the consistency of the 62443 series and identify opportunities for realignment of content
While the first two topics were primarily informative in nature, the third included a request for feedback on some of the changes proposed to make the standards easier to apply by clarifying the responsibilities of several principal roles across a well-defined lifecycle. These proposals have not yet been formally submitted to committee leaders, and there is some sensitivity to potential impact if they are implemented without adequate justification and transition planning.
With the 62443 standards now in use in several industry sectors, the committee understands that the benefits of any proposed improvements must outweigh any disruption that may be caused. Any recommended changes will first be reviewed by the committee leadership and then—as necessary—submitted for approval to the voting members of the committee.
This process includes detailed review by, and consultation with, IEC Technical Committee 65. The resulting standards are meant to be offered by both ISA and IEC.
Specifically, there is a proposal to expand and rename the foundational requirements, which have long served as the basis for deriving more detailed technical requirements, so that they address both technical and process aspects of a complete security response. Any such change must include detailed guidance on how to make any related changes in documents derived from 62443. The committee is also considering changes to the organization of documents in the series, as well as possible realignment of some content.
While the implications of such discussions may not be clear to those with a stake in the application of ISA/IEC 62443 at this time, the committee leaders committed to fully explaining their rationale and providing additional supporting analysis and guidance for any proposed improvements. This will be done during subsequent plenary meetings and using supplementary guidance materials.
The second plenary committee meeting took place on 19 October 2020, with more than 80 people attending. This meeting took the form of an open discussion of several specific topics:
- Clarifying the intended scope of the 62443 standards, allowing for applications in a broad range of industries or sectors
- How to improve the quality of information shared with stakeholders on the work of the committee and the status of 62443
The committee has long described the focus of the standards as being on “Industrial Automation and Control Systems (IACS).” Inclusion of the word “Industrial” in this term has been seen by some as a barrier to applications in sectors that may not consider themselves to be consistent with this characterization. The consensus of those attending appeared to be that this could be addressed by including a clearer definition of intended scope in the initial standard (i.e., 62443-1-1), as well as in related communications and training materials.
The committee will hold additional plenary meetings in the future to collect feedback from its members and other stakeholders. This information will be used to guide further development, including changes to improve series consistency. These meetings are open to all. More information is available by sending an inquiry to ISA99Chair@gmail.com.
ISAGCA has created a quick start guide to the ISA/IEC 62443 standards. If you're interested in learning more, please request your free copy of the guide.