The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Global Cybersecurity Alliance (ISAGCA) demonstrating that, with few exceptions, the technical cybersecurity capabilities needed to comply with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards are substantially supported by the existing international ISA/IEC 62443 series of standards for automation and control systems cybersecurity.
NERC CIP and ISA/IEC 62443 Comparative Analysis: Key Findings
This white paper, titled "North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis," suggests that entities responsible for NERC CIP compliance could benefit from leveraging existing ISA/IEC 62443 product certification programs in their procurement processes. Requirement-level mappings from NERC CIP-002 through CIP-014 to the ISA/IEC 62443 standards cover both supplier process requirements and the product security capabilities that asset owners need in order to meet their own obligations under NERC CIP.
The report focuses on the cybersecurity development practices and technical capabilities described in the following ISA/IEC 62443 standards in relation to the security of supplier products:
- ISA/IEC 62443-4-1 – Product security development lifecycle requirements
- ISA/IEC 62443-3-3 – System security requirements and security levels
- ISA/IEC 62443-4-2 – Technical security requirements for IACS components
CIP-013 and ISA/IEC 62443-4-1 share a similar purpose, and the authors of this paper performed a detailed analysis to compare the two sets of requirements. The results showed that the supply chain risk management technical requirements in CIP-013-2, CIP-005-7 and CIP-010-4 are substantially addressed by ISA/IEC 62443 requirements. Additionally, a certification of supplier conformity to the lifecycle requirements standard (4-1) provides assurance to utility asset owners about their suppliers' practices and organizational controls for developing and supporting secure software and technologies. In fact, the authors found that an ISA/IEC 62443-4-1 security capabilities vendor certification can serve as a proxy for the procurement aspect of the supply chain risk assessment requirement in CIP-013-2 R1.
In addition to analyzing the similarities in supplier security practices between CIP-013-2 and ISA/IEC 62443-4-1, the authors completed an exhaustive study of whether ISA/IEC 62443-3-3 and ISA/IEC 62443-4-2 requirements could serve as a proxy for meeting the technical requirements of the CIP standards. They determined that suppliers and products that conform to 3-3 or 4-2 directly support nearly all of the technical system capabilities required to achieve NERC CIP compliance.
The paper includes a detailed breakdown and analysis of related requirements, as well as summary figures. It concludes that the ISA/IEC 62443 series of standards can help asset owners reduce their security burden while clearing a path for suppliers to demonstrate effective, globally recognized and independently verified cybersecurity best practices.
Note
Importantly, this paper is an interpretation of the ISA/IEC 62443 series of standards to facilitate awareness and appropriate applications of the standards. It is not a product of the ISA99 committee that develops the standards, and as such may not represent the views of the committee.
Read the Full Report
You can access a free PDF download of the 33-page white paper on the ISAGCA website.