The ISA Global Cybersecurity Alliance (ISAGCA) and ISASecure® have published a document comparing the ISA/IEC 62443-4-1 standard with NIST SP 800-218, Secure Software Development Framework (SSDF). Organizations that have established a development process based on ISA/IEC 62443-4-1 may refer to this resource to check conformance with SSDF.
Comparison of ISA/IEC 62443-4-1 and NIST SP 800-218, Secure Software Development Framework
The following sections briefly summarize the document, which is available for download here in PDF format.
Secure Software Development Framework (SSDF)
SSDF is a set of fundamental, sound practices for secure software development. Described in NIST SP 800-218, it focuses on the following secure software development recommendations:
- Ensure that people, processes and technology are prepared to perform secure software development.
- Protect all components of the software from tampering and unauthorized access.
- Produce well-secured software with minimal security vulnerabilities.
- Identify residual vulnerabilities and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
ISA/IEC 62443-4-1
ISA/IEC 62443-4-1 addresses secure development practices and process requirements for the development of products used in industrial automation and control systems. It defines a secure development lifecycle (SDL) for developing and maintaining secure products. This lifecycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.
Comparing SSDF and ISA/IEC 62443-4-1
These two documents have different scopes. ISA/IEC 62443-4-1 establishes a comprehensive set of requirements, while SSDF provides light guidance.
Highlights
Full Coverage of SSDF: There is a large overlap between the tasks recommended by SSDF and the practices required by ISA/IEC 62443-4-1. Of the 42 tasks outlined in SSDF, 36 are fully covered by one or several requirements of ISA/IEC 62443-4-1.
Partial Coverage of SSDF: The focus of SSDF on software development practices explains why four of the 42 SSDF tasks are only partially covered by ISA/IEC 62443-4-1. These tasks are implicitly recommended in the rationale and supplemental guidance sections of the requirements.
Tasks of SSDF Not Addressed by ISA/IEC 62443-4-1: Two tasks recommended by SSDF are not covered by practices required by ISA/IEC 62443-4-1 because official commitment of upper management and the creation of a library of secured software components are not relevant to the development practices of a single product.
Requirements of ISA/IEC 62443-4-1 Not Addressed by SSDF: The tasks recommended by SSDF are limited to the development phases, as opposed to the scope of ISA/IEC 62443-4-1, which covers the whole lifecycle of a product. Eleven practices required by ISA/IEC 62443-4-1 are relevant for the proper use of the product once it is commercialized. In particular, ISA/IEC 62443-4-1 requests providing updates and guidelines to help users securely integrate and operate the product in an overall system.
Learn More
The comparison of the tasks recommended by SSDF and the practices required by ISA/IEC 62443-4-1 highlights a wide range of commonalities and differences. If your organization has a development process in place based on ISA/IEC 62443-4-1, this new resource from ISAGCA and ISASecure can help you determine conformance with SSDF. You can access the document here.