The International Society of Automation (ISA) recently released a new paper from its ISASecure® cybersecurity certification program and the ISA Global Cybersecurity Alliance (ISAGCA). The paper dives into a pressing question — how to apply the ISA/IEC 62443 series of standards to cloud-based functionality.
Using ISA/IEC 62443 in IIoT Systems
As the leading consensus-based automation and control systems cybersecurity standards, ISA/IEC 62443 offers a common set of requirements that solidify connections between IT and OT, as well as between process safety and cybersecurity. ISA's new paper, titled “IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards,” explores the use of these standards for industrial automation and control systems (IACS) that include cloud-based functionality (i.e., industrial internet of things or IIoT). ISAGCA and ISASecure also hosted a companion webinar on 17 July 2024 to break down the paper's conclusions.
We've shared a few key insights from the webinar below. You can also view the full recording of the presentation, including a question-and-answer session at the end.
Webinar Highlights
Johan Nye presented an overview of the paper, which includes four example risk assessments for four IIoT use cases. It also offers recommendations to consider for revisions to ISA/IEC 62443 in the future and reviews the structure and organization of conformity assessment schemes for IIoT systems and IACS. Here are a few key findings:
- IACS incorporating cloud-based functionality can benefit from concepts in the ISA/IEC 62443 standards. Risk assessment, zone and conduit partitioning and the system/component model can all be applied to an IIoT IACS.
- When the cloud-based functionality has the capability to influence the physical state of the equipment under control, the scope of ISA/IEC 62443 should extend to the cloud environment.
- Implementation of essential functions in the cloud does not meet ISA/IEC 62443 requirements. Nye compared "essential functions" in IACS to steering and braking functions in a self-driving car to illustrate the need for local control.
- A new category of cloud service, proposing the term "operational technology as a service (OTaaS)," would provide transparency when cloud-based functionality has the capability to directly or indirectly change the physical state of the equipment under control.
- The role of cloud provider is relatively new, and it is not currently defined in the ISA/IEC 62443 series. This role includes aspects of product supplier, service provider and asset owner (operator) roles.
- Conformity assessment schemes based on ISA/IEC 62443 standards could be developed for IIoT systems, components and IACS provided that these standards receive updates for the IIoT use case.
Watch the Webinar
If you missed the live presentation, you can still watch the complete webinar as a recording and download the slides.
Read the Report
You can also access a free download of the 73-page paper on the ISASecure website.