The latest in the world of industrial cybersecurity standards
Industrial control systems (ICS)* are found in many critical infrastructure domains and industries, such as chemicals, energy supply and distribution, and transportation. Protecting these systems from cybersecurity threats is essential in ensuring their availability and continued safe operation. While the traditional information security standards (eg, ISO 27000) can be applied to these systems to some degree, they are not sufficient.
The ISA/IEC 62443 series of standards defines requirements and provides guidance that addresses this additional need. Collectively, the standards address both technology and work processes, including the technical skills required. They take a risk-based approach to cybersecurity, providing guidance on how to identify what is most valuable, and requires the greatest protection and identify vulnerabilities.
The standards are organized into four tiers or groups:
- Standards in the first-tier cover topics that are common to the entire series, such as terminology, concepts, and models
- Those in the second-tier describe methods and processes required to design an effective cybersecurity program
- Tiers 3 and 4 includes standards that define technical requirements at the system and component level, respectively
The ISA99 committee and IEC Technical Committee 65 Work Group 10 have added standards and technical reports to the series over the years, resulting in a series that is almost “feature complete;" it addresses the essential elements required for a comprehensive industrial cybersecurity program.
Since the publication of the first standard in the series in 2007, the level of interest and adoption in several critical infrastructure sectors has steadily increased. System and component suppliers have demonstrated their willingness to apply the appropriate standards by pursuing independent certification of their products. Many asset owners have applied the basic principles at the core of the standards to take the first meaningful steps in areas such as asset management and risk assessment.
Building From Here
With increased interest comes increased scrutiny, which in turn leads to questions and suggestions about how the standards can be improved. This feedback is used to guide additional improvements to the standard, practical case studies, and associated implementation guidance.
The immediate goal is to improve the standards and have them reflect current technology and practices. While essential, this is not sufficient. The larger objective remains unchanged; to increase the security and resilience of automation systems used in the critical infrastructure. Rather than approaching this on a per-standard basis, it is time for a critical review of the series to establish the baseline for the next phase of development. In addition to responding to the feedback received, it is also necessary to address topics that may have been overlooked or given inadequate attention.
Based on feedback received from system suppliers, asset owners, and other stakeholders, there are several topics that must be addressed in moving the standards forward, including:
- Consistency across the series with respect to terminology, concepts, and models
- Positioning the standards for broader adoption across sectors
- Positioning industrial cybersecurity standards with relation to other complementary standards, such as ISO 2700x
- Developing a relationship between security level and systems maturity level
- Reviewing and revising the normative requirements to improve traceability to the general requirements at the foundation of the series
Smaller groups within the authoring committees are working on each of these areas as they develop new editions of specific standards. At the same time, there are efforts focused on how to make the standards more suitable for application across multiple industry sectors.
Getting Into More Detail
While the 62443-1-1 standard introduces common concepts, models, and terminology, the more detailed information is contained in six standards that are considered the “pillars” of the series. These include:
- 62443-2-1, which describes what is required to establish an effective cybersecurity program
- 62443-2-4, which describes the requirements for service providers
- 62443-3-2, which describes an approach to risk assessment
- 62443-3-3, which describes system-level technical requirements
- 62443-4-1, which describes the requirements for a secure product development life cycle
- 62443-4-2, which describes component-level technical requirements
Each of these standards are being revised to develop second editions that include what has been learned since the initial publication. At the same time, consideration must also be given to derivative products and services such as training courses, certifications, and conformance specifications. This work is being done in partnership with programs such as the ISA Global Cybersecurity Alliance and the ISA Security Compliance Institute (ISCI).
The coordination and execution of all of these activities will result in an improved set of industrial cybersecurity standards that are more comprehensive in their scope, easier to apply by various roles across the solution lifecycle, and suitable for implementation across a range of industry sectors. Since security is an ever-evolving discipline, this will provide a solid foundation for the next stages of development and practice.
*The standards use the term “Industrial Automation and Control Systems (IACS)," but ICS is more commonly recognized.