Building a Resilient World:
The ISAGCA Blog


Status of the 62443 Standards

The latest in the world of industrial cybersecurity standards

Industrial control systems (ICS)* are found in many critical infrastructure domains and industries, such as chemicals, energy supply and distribution, and transportation. Protecting these systems from cybersecurity threats is essential to ensuring their availability and continued safe operation. While the traditional information security standards (e.g., ISO 27000) can be applied to these systems to some degree, they are not sufficient.

The ISA/IEC 62443 series of standards defines requirements and provides guidance that addresses this additional need. Collectively, the standards address both technology and work processes, including the technical skills required. They take a risk-based approach to cybersecurity, providing guidance on how to identify what is most valuable and requires the greatest protection, and on how to identify vulnerabilities.

The standards are organized into four tiers or groups:

  • Standards in the first tier cover topics that are common to the entire series, such as terminology, concepts, and models
  • Those in the second tier describe methods and processes required to design an effective cybersecurity program
  • Tiers 3 and 4 include standards that define technical requirements at the system and component level, respectively

The ISA99 committee and IEC Technical Committee 65 Working Group 10 have added standards and technical reports to the series over the years, resulting in a series that is almost “feature complete”; it addresses the essential elements required for a comprehensive industrial cybersecurity program.

Since the publication of the first standard in the series in 2007, the level of interest and adoption in several critical infrastructure sectors has steadily increased. System and component suppliers have demonstrated their willingness to apply the appropriate standards by pursuing independent certification of their products. Many asset owners have applied the basic principles at the core of the standards to take the first meaningful steps in areas such as asset management and risk assessment.

Building From Here

With increased interest comes increased scrutiny, which in turn leads to questions and suggestions about how the standards can be improved. This feedback is used to guide additional improvements to the standards, practical case studies, and associated implementation guidance.

The immediate goal is to improve the standards and have them reflect current technology and practices. While essential, this is not sufficient. The larger objective remains unchanged: to increase the security and resilience of automation systems used in critical infrastructure. Rather than approaching this on a per-standard basis, it is time for a critical review of the series to establish the baseline for the next phase of development. In addition to responding to the feedback received, it is also necessary to address topics that may have been overlooked or given inadequate attention.

Based on feedback received from system suppliers, asset owners, and other stakeholders, there are several topics that must be addressed in moving the standards forward, including:

  • Consistency across the series with respect to terminology, concepts, and models
  • Positioning the standards for broader adoption across sectors
  • Positioning industrial cybersecurity standards with relation to other complementary standards, such as ISO 2700x
  • Developing a relationship between security level and systems maturity level
  • Reviewing and revising the normative requirements to improve traceability to the general requirements at the foundation of the series

Smaller groups within the authoring committees are working on each of these areas as they develop new editions of specific standards. At the same time, there are efforts focused on how to make the standards more suitable for application across multiple industry sectors.

Getting Into More Detail

While the 62443-1-1 standard introduces common concepts, models, and terminology, the more detailed information is contained in six standards that are considered the “pillars” of the series. These include:

  • 62443-2-1, which describes what is required to establish an effective cybersecurity program
  • 62443-2-4, which describes the requirements for service providers
  • 62443-3-2, which describes an approach to risk assessment
  • 62443-3-3, which describes system-level technical requirements
  • 62443-4-1, which describes the requirements for a secure product development life cycle
  • 62443-4-2, which describes component-level technical requirements

Each of these standards is being revised to develop a second edition that includes what has been learned since the initial publication. At the same time, consideration must also be given to derivative products and services such as training courses, certifications, and conformance specifications. This work is being done in partnership with programs such as the ISA Global Cybersecurity Alliance and the ISA Security Compliance Institute (ISCI).

The coordination and execution of all of these activities will result in an improved set of industrial cybersecurity standards that are more comprehensive in their scope, easier to apply by various roles across the solution lifecycle, and suitable for implementation across a range of industry sectors. Since security is an ever-evolving discipline, this will provide a solid foundation for the next stages of development and practice.


*The standards use the term “Industrial Automation and Control Systems (IACS),” but ICS is more commonly recognized.

Eric Cosman
Eric C. Cosman, 2020 ISA president, provides consulting and advisory services in the management of information technology solutions in operations and engineering. He is a past vice president of standards and practices at ISA and is currently a member of the ISA executive board and co-chair of the ISA99 committee on industrial control systems security.
