Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

White Paper Excerpt: Implementing an IACS Cybersecurity Program

ISA/IEC 62443 provides a powerful tool to reduce the risk of financial, reputational, human, and environmental impact from cyber-attacks on Industrial Automation and Control Systems (IACS). However, since it is a “horizontal standard”, 62443 is meant to address a wide range of industries, and any specific company is likely to find that while most of the standard applies to their IACS, parts of it may not. For example, some “normative requirements” that are appropriate for an interstate pipeline, may not be relevant to a chemical plant or a discrete manufacturing facility. There are also obvious differences between a large-scale corporation with many sites and thousands of employees, and a small company with a few dozen staff.

It is therefore recommended that each company establishes their own Industrial Automation and Control Systems (IACS) Cybersecurity Program to manage these cybersecurity risks. ISA/IEC 62443 2-1 provides guidance on how to establish a Security Program for IACS asset owners. This process might look like the following.

Fig 1Figure 1 - IACS Cybersecurity Program Workflow


This white paper is intended to address the needs of Owner/Operators of industrial facilities. It will discuss the following:

  • What is an IACS Cybersecurity Program?
  • Preparing an IACS Cybersecurity Program
  • How does an IACS Cybersecurity program relate to IT Cybersecurity?
  • Costs and Benefits of an IACS Cybersecurity Program
  • What to do next

In the coming months, ISA plan to publish additional white papers intended for IACS vendors, suppliers of IACS products and services, Integration/engineering services, and possibly other major stakeholders such as insurers and regulators.

What is an IACS Cybersecurity Program?

An IACS Cybersecurity Program (yellow) defines the company’s IACS security policies, practices, and procedures associated with the operation and design of the company’s industrial facilities.

Fig 2Figure 2 – IACS Cybersecurity Program Concept

As this diagram indicates, the ISA/IEC 62443 standard provides Concepts, Practices, and Requirements that may be included in a corporate IACS cybersecurity program.

Note that a Corporate IACS Cybersecurity program is a necessary first step, however, the Policies, Procedures and Requirements defined in this program, must then be implemented within existing Corporate and Facility procedures if they are to be effective. This implementation should be undertaken as one or more projects, with stated schedules, scopes, and budgets; and must include training and management of change to address human and organizational aspects.

At present, the 62443 standard identifies over 500 separate requirements that may be necessary for a given company’s facilities. It is impractical to search through ISA/IEC 62443 to determine what is necessary for a given project or operating facility. A key objective of the IACS Cybersecurity Program is therefore to establish approved requirements that may then be incorporated in project or facility standards and procedures.

A corporate IACS cybersecurity program must select which ISA 62443 requirements to include for:

  • A company’s Existing Facilities
  • New company projects that involve IACS

A new company project for IACS can include most of the ISA 62443 requirements that address
the design and operation of the asset. Existing Facilities will not be redesigned to meet all those
requirements because that effort would be cost prohibitive. Therefore, many design requirements will have to be introduced over a longer period of time as major changes occur to Existing Facilities. These Existing Facilities can quickly address the program and operational requirements in ISA 62443.

As shown in Figure 2, requirements and recommendations from other industry, national, and international standards, may also be considered for inclusion in the company’s IACS Cybersecurity Program. Examples of these might include:

  • ISA standards such as:
    • ISA84 (safety instrumented systems),
    • ISA95 (enterprise integration),
    • ISA100 (Industrial wireless networks), and
    • ISA108 (intelligent device configuration)

Note: Since ISA standards are internally “harmonized”, use of these together with ISA/IEC 62443 may save considerable time and effort for the Owner/Operator.

  • Additional cybersecurity standards and guidelines from NIST, NAMUR, ISO, IEC, and others
  • Standards and guidelines for human factors, risk analysis and risk mitigation.
    • Human Factors:
      • ISO 6385 Ergonomic principles in the design of work systems
      • ISO 26800 Ergonomics – General approach
      • API Human Factors 2005 & 2006
      • IEC 62879 Human factors and functional safety
    • Risk Analysis/Mitigation:
      • ISO 27xxx series
      • NIST 800-30 Guide for Conducting Risk Assessments
      • NIST CSF

Many of the above have been aligned with ISA/IEC 62443, including cross-reference documents and other whitepapers.

Examples of government standards include regulations and legislation at national, state, and local levels, like NERC-CIP. These must also be considered when creating the Corporate IACS Cybersecurity Program.

ISA is currently active at US Federal, State, and local government levels, to gain acceptance and standardization of regulations based on ISA/IEC 62443. ISA is also participating in programs to promote use of ISA/IEC 62443 in multiple countries around the world.

To continue reading, download the full white paper here.

Gary Rathwell
Gary Rathwell
Gary Rathwell is currently president of Enterprise Consultants, offering master planning and project management services to industrial clients. He is also active in promoting PERA enterprise integration concepts through the PERA web site that he established, and is working with international bodies including ISA, ISO and IEC to develop enterprise integration and cybersecurity standards. Gary has over thirty years experience in the automation and operation of process and manufacturing facilities.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM