The ISA Global Cybersecurity Alliance (ISAGCA) was formed in part to help increase awareness and adoption of the ISA/IEC 62443 standards, the world's only consensus-based series of automation cybersecurity standards. This blog series will share insights into the creation and evolution of the standards.
Awareness of the ISA/IEC 62443 standards for industrial automation and control systems security has increased dramatically in recent years. Although these standards have existed for well over a decade, it has been the recent release of standards dealing with topics such as risk assessment, secure development lifecycles, and detailed component level security that has led to increased interest from a variety of industry sectors. Yet acceptance and adoption of these standards is still not where it should be.
Part of the reason for this is the amount of information included in the standards and their perceived complexity. In particular, asset owners find it daunting to fully understand the standards and are typically faced with the very real challenge of deciding how to begin to address what can be seen as a very complex and challenging topic. Awareness of what is available is certainly a good start, but it must be followed by understanding as a prerequisite to acceptance and adoption.
The ISA99 committee is primarily responsible for much of the organization and content of the series, working in collaboration with IEC Technical Committee 65 Work Group 10 (TC65 WG10). It is important to remember that normative standards are intended to serve as references, supplemented by more direct and focused guidelines and supporting materials.
In planning the organization of content in the series, it is important to recognize that there are multiple perspectives or dimensions that must be considered. While some readers may be most interested in understanding the requirements for (and expectations of) various roles, others may be more focused on technology selection. Another perspective considers the stages of the lifecycle from design and implementation to operation and support. Finally, an automation system can be viewed as a series of levels—from individual components or devices to systems and more complex systems of systems. It is difficult to accommodate all these perspectives in a single description of the structure of the series.
The series description that is most commonly used is show in the following figure.
This view has been developed by the committee over a period of several years, with new documents added as they were identified. It represents a combination of system level and role, although neither perspective is fully addressed. Each document is associated to one of four groups:
This group includes documents that address topics that are common to the entire series.
Documents in this group focus on the policies and procedures associated with IACS security.
The documents in the third group address requirements at the system level.
The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products.
ISA99 committee members are now reviewing this organization to identify potential improvements that might contribute to increased acceptance and adoption. This activity is part of a larger and more broadly focused project to assess the consistency of the standards and make recommendations for improvements. Any such recommendations must first be approved by committee leaders and then implemented in a manner that eases transition. Continuity from one structure to another is critical for those who have already adopted or applied one or more standards. For example, existing document numbers must be retained through the first phase of transition. They may be modified in later phases, but only via a well-defined change management process.
In summary, the ISA99 committee is very aware of the importance of addressing misconceptions and possible impediments to the acceptance and adoption of the 62443 standards. With much of the most important content of the series completed, now is the time to “step back,” take a fresh look at this material, and determine whether the structure and organization can be improved to meet this need. Any and all such changes will be made using the same processes and transparency that were used in creating the standards. This will include circulation of information for review and comment and submitting any changes to both the voting members of ISA99 and IEC TC65 WG10 for approval.
ISAGCA has created a quick start guide to the ISA/IEC 62443 standards. If you're interested in learning more, please request your free copy of the guide.