Industrial control systems (ICS)* are found in many critical infrastructure domains and industries, such as chemicals, energy supply and distribution, and transportation. Protecting these systems from cybersecurity threats is essential in ensuring their availability and continued safe operation. While the traditional information security standards (eg, ISO 27000) can be applied to these systems to some degree, they are not sufficient.
The ISA/IEC 62443 series of standards defines requirements and provides guidance that addresses this additional need. Collectively, the standards address both technology and work processes, including the technical skills required. They take a risk-based approach to cybersecurity, providing guidance on how to identify what is most valuable, and requires the greatest protection and identify vulnerabilities.
The standards are organized into four tiers or groups:
The ISA99 committee and IEC Technical Committee 65 Work Group 10 have added standards and technical reports to the series over the years, resulting in a series that is almost “feature complete;" it addresses the essential elements required for a comprehensive industrial cybersecurity program.
Since the publication of the first standard in the series in 2007, the level of interest and adoption in several critical infrastructure sectors has steadily increased. System and component suppliers have demonstrated their willingness to apply the appropriate standards by pursuing independent certification of their products. Many asset owners have applied the basic principles at the core of the standards to take the first meaningful steps in areas such as asset management and risk assessment.
With increased interest comes increased scrutiny, which in turn leads to questions and suggestions about how the standards can be improved. This feedback is used to guide additional improvements to the standard, practical case studies, and associated implementation guidance.
The immediate goal is to improve the standards and have them reflect current technology and practices. While essential, this is not sufficient. The larger objective remains unchanged; to increase the security and resilience of automation systems used in the critical infrastructure. Rather than approaching this on a per-standard basis, it is time for a critical review of the series to establish the baseline for the next phase of development. In addition to responding to the feedback received, it is also necessary to address topics that may have been overlooked or given inadequate attention.
Based on feedback received from system suppliers, asset owners, and other stakeholders, there are several topics that must be addressed in moving the standards forward, including:
Smaller groups within the authoring committees are working on each of these areas as they develop new editions of specific standards. At the same time, there are efforts focused on how to make the standards more suitable for application across multiple industry sectors.
While the 62443-1-1 standard introduces common concepts, models, and terminology, the more detailed information is contained in six standards that are considered the “pillars” of the series. These include:
Each of these standards are being revised to develop second editions that include what has been learned since the initial publication. At the same time, consideration must also be given to derivative products and services such as training courses, certifications, and conformance specifications. This work is being done in partnership with programs such as the ISA Global Cybersecurity Alliance and the ISA Security Compliance Institute (ISCI).
The coordination and execution of all of these activities will result in an improved set of industrial cybersecurity standards that are more comprehensive in their scope, easier to apply by various roles across the solution lifecycle, and suitable for implementation across a range of industry sectors. Since security is an ever-evolving discipline, this will provide a solid foundation for the next stages of development and practice.
*The standards use the term “Industrial Automation and Control Systems (IACS)," but ICS is more commonly recognized.